On Wed, Jan 30, 2019 at 09:06:30AM +0100, Erik Skultety wrote: > Thanks for ^this bit which helped me understand the bits below. When I read > the > man page yesterday the first question was, okay, how do I figure out whether > the file capabilities bit is set? Well, use xattrs...which didn't return > anything, so I was puzzled what exactly it should look like, but now that you > explained that most binaries actually lack the file capabilities, I see the > issue clearly :).
The commands you want to experiment with are "getcap" and "setcap" eg # getcap qemu-system-x86_64 # setcap cap_dac_override=+ep qemu-system-x86_64 # getcap qemu-system-x86_64 qemu-system-x86_64 = cap_dac_override+ep # setcap cap_dac_override= qemu-system-x86_64 # getcap qemu-system-x86_64 qemu-system-x86_64 = # setcap -r qemu-system-x86_64 # getcap qemu-system-x86_64 # > > + > > ret = 0; > > cleanup: > > return ret; > > > > > > though, we need a #ifdef check for existance of PR_CAP_AMBIENT > > > > > An alternative question I've been playing ever since we exchanged the > > > last few > > > emails is that can't we wait until the ioctls are compared against > > > permissions > > > in kernel so that upstream libvirt (and downstream too for that matter) > > > doesn't > > > have to work around it and stick with that workaround for eternity? > > > > IIUC, the SEV feature has already shipped with distros, so we'd effectively > > be saying that what we already shipped is unusable to libvirt. This doesn't > > feel like a desirable story to me. > > It was, but it never worked, it always has been broken in this way. When we > were merging this upstream, we had a terrible shortage of machines and we had > to share, so the first person to provision the machine had already taken care > of the permissions in order to test so that led to this issue having been > overlooked until now. If it ever worked as expected and then we broke it, then > any fix from our side would make sense but otherwise I believe we should fix > this bottom up. Well technically it would work if libvirt was configured to run as root:root, but yes, that is not a normal or recommended configuration. Personally I have a preference for userspace solutions, as those are pretty straightforward to roll out to people as patches in existing releases. Deploying kernel updates is a higher bar to cross for an existing release. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
