app-emulation/qemu: add rule to fix permissions on /dev/vfio/vfio
The device node /dev/vfio/vfio gets created on modprobing the vfio*
modules. This happens in particular on demand when a qemu vm with PCI
passthrough is started up. The default permissios for the freshly
created device node is
crw-rw-rw- 1 root root 10, 196 Mar 27 08:44 /dev/vfio/vfio
This is terrible.
This patch adds an udev rules and makes sure that the device node has rw
permissions for user root, and group kvm (and no permissions for all).
This fixes
- startup when a qemu-kvm is started as non-root (provided the user is
in group kvm, which is our current policy for accessing /dev/kvm, etc.,
anyway).
- work around this security vulnerability, where /dev/vfio/vfio is
created with world writable permissions upon modprobe. [1]
Thanks to username234, Kash Pande, Ted Rodgers for discovery and patch!
[1] Steps to reproduce:
% ls -la /dev/vfio/vfio
crw------- 1 root root 10, 196 Mar 27 15:40 /dev/vfio/vfio
% modprobe vfio
% ls -la /dev/vfio/vfio
crw-rw-rw- 1 root root 10, 196 Mar 27 15:41 /dev/vfio/vfio
[2] I cannot find an udev rule installed by libvirt/qemu/... that
triggers these permissions.
Bug: https://bugs.gentoo.org/651668
Package-Manager: Portage-2.3.24, Repoman-2.3.6
RepoMan-Options: --force
projects / gentoo.git / commit