| author | Alex Williamson <alex.williamson@redhat.com> | 2011-12-20 23:59:09 -0500 |
|---|---|---|
| committer | Avi Kivity <avi@redhat.com> | 2011-12-25 12:03:54 -0500 |
| commit | 3d27e23b17010c668db311140b17bbbb70c78fb9 (patch) | |
| tree | d3d87399212b2dda0bbf6616e4a580b35e7d7760 /Documentation/virtual | |
| parent | 423873736b78f549fbfa2f715f2e4de7e6c5e1e9 (diff) | |
KVM: Device assignment permission checks
Only allow KVM device assignment to attach to devices which:
- Are not bridges
- Have BAR resources (assume others are special devices)
- The user has permissions to use
Assigning a bridge is a configuration error; it's not supported and
typically doesn't result in the behavior the user is expecting anyway.
Devices without BAR resources are typically chipset components that
also don't have host drivers. We don't want users to hold such devices
captive or cause system problems by fencing them off into an iommu
domain. We determine "permission to use" by testing whether the user
has access to the PCI sysfs resource files. By default a normal user
will not have access to these files, so it provides a good indication
that an administration agent has granted the user access to the device.
[Yang Bai: add missing #include]
[avi: fix comment style]
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Yang Bai <hamo.by@gmail.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
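The commit message describes three conditions (header type 0, BAR resources present, user has access to the sysfs resource files). As an added example that is not part of this commit or of KVM, the following userspace preflight evaluates the same three conditions against a PCI device's sysfs directory, so an administrator can see why an assignment would be refused before issuing the ioctl. `kvm_assign_preflight`, `demo_case` and the throwaway `/tmp/fakepci_*` tree it builds for offline runs are this example's own; the only kernel facts it relies on are the PCI header type byte at config offset 0x0e and the per-BAR `resourceN` sysfs files.

```c
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PCI_HEADER_TYPE_OFFSET 0x0e   /* header type byte in PCI config space */
#define MAX_PATH_LEN 512              /* local buffer size, not a kernel constant */

enum preflight_result {
    PREFLIGHT_OK = 0,
    PREFLIGHT_NOT_TYPE0,   /* bridge or other non-type-0 header: configuration error */
    PREFLIGHT_NO_BARS,     /* no resourceN files: likely a chipset component */
    PREFLIGHT_NO_ACCESS,   /* caller lacks read/write access to a BAR resource file */
    PREFLIGHT_IO_ERROR     /* sysfs directory or config file unreadable */
};

/* Read the header type byte from "<devdir>/config"; bits 6:0 hold the layout. */
static int read_header_type(const char *devdir)
{
    char path[MAX_PATH_LEN];
    unsigned char hdr;
    int fd, ok;

    snprintf(path, sizeof path, "%s/config", devdir);
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ok = lseek(fd, PCI_HEADER_TYPE_OFFSET, SEEK_SET) == PCI_HEADER_TYPE_OFFSET &&
         read(fd, &hdr, 1) == 1;
    close(fd);
    return ok ? (hdr & 0x7f) : -1;
}

/* Match "resource0".."resourceN" only: the BAR files, not the "resource"
 * summary file or "resourceN_wc" write-combining aliases. */
static int is_bar_resource(const char *name)
{
    const char *p;

    if (strncmp(name, "resource", 8) != 0 || name[8] == '\0')
        return 0;
    for (p = name + 8; *p; p++)
        if (*p < '0' || *p > '9')
            return 0;
    return 1;
}

/* The three conditions from the commit message, evaluated from userspace. */
int kvm_assign_preflight(const char *devdir)
{
    DIR *d;
    struct dirent *e;
    int bars = 0, denied = 0;
    int type = read_header_type(devdir);

    if (type < 0)
        return PREFLIGHT_IO_ERROR;
    if (type != 0)
        return PREFLIGHT_NOT_TYPE0;
    d = opendir(devdir);
    if (!d)
        return PREFLIGHT_IO_ERROR;
    while ((e = readdir(d)) != NULL) {
        char path[MAX_PATH_LEN];

        if (!is_bar_resource(e->d_name))
            continue;
        bars++;
        snprintf(path, sizeof path, "%s/%s", devdir, e->d_name);
        /* access(2) applies the caller's own DAC permissions to the file. */
        if (access(path, R_OK | W_OK) != 0)
            denied++;
    }
    closedir(d);
    if (bars == 0)
        return PREFLIGHT_NO_BARS;
    return denied ? PREFLIGHT_NO_ACCESS : PREFLIGHT_OK;
}

/* Constructed sample input: build a throwaway sysfs-like directory under /tmp,
 * run the preflight on it, remove it again, and return the result. */
int demo_case(unsigned char header_type, int nbars, mode_t bar_mode)
{
    static int serial;
    char dir[MAX_PATH_LEN], path[MAX_PATH_LEN];
    unsigned char cfg[64] = { 0 };
    int fd, i, rc;

    snprintf(dir, sizeof dir, "/tmp/fakepci_%ld_%d", (long)getpid(), serial++);
    if (mkdir(dir, 0700) != 0)
        return PREFLIGHT_IO_ERROR;
    cfg[PCI_HEADER_TYPE_OFFSET] = header_type;
    snprintf(path, sizeof path, "%s/config", dir);
    fd = open(path, O_WRONLY | O_CREAT, 0644);
    if (fd < 0 || write(fd, cfg, sizeof cfg) != (ssize_t)sizeof cfg)
        return PREFLIGHT_IO_ERROR;
    close(fd);
    for (i = 0; i < nbars; i++) {
        snprintf(path, sizeof path, "%s/resource%d", dir, i);
        fd = open(path, O_WRONLY | O_CREAT, bar_mode);
        if (fd < 0)
            return PREFLIGHT_IO_ERROR;
        close(fd);
        chmod(path, bar_mode);   /* override umask so the mode is exact */
    }
    rc = kvm_assign_preflight(dir);
    for (i = 0; i < nbars; i++) {
        snprintf(path, sizeof path, "%s/resource%d", dir, i);
        unlink(path);
    }
    snprintf(path, sizeof path, "%s/config", dir);
    unlink(path);
    rmdir(dir);
    return rc;
}
```

On a real host the argument would be a directory such as `/sys/bus/pci/devices/<bdf>/` and `demo_case` is not needed; note that `access(2)` reports success for root regardless of file mode, so the permission signal only means something for the unprivileged user who will issue the ioctl.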
Diffstat (limited to 'Documentation/virtual')
-rw-r--r-- | Documentation/virtual/kvm/api.txt | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/Documentation/virtual/kvm/api.txt b/Documentation/virtual/kvm/api.txt index ee2c96b3ba5a..4df9af4f6132 100644 --- a/Documentation/virtual/kvm/api.txt +++ b/Documentation/virtual/kvm/api.txt | |||
@@ -1154,6 +1154,10 @@ following flags are specified: | |||
1154 | The KVM_DEV_ASSIGN_ENABLE_IOMMU flag is a mandatory option to ensure | 1154 | The KVM_DEV_ASSIGN_ENABLE_IOMMU flag is a mandatory option to ensure |
1155 | isolation of the device. Usages not specifying this flag are deprecated. | 1155 | isolation of the device. Usages not specifying this flag are deprecated. |
1156 | 1156 | ||
1157 | Only PCI header type 0 devices with PCI BAR resources are supported by | ||
1158 | device assignment. The user requesting this ioctl must have read/write | ||
1159 | access to the PCI sysfs resource files associated with the device. | ||
1160 | |||
1157 | 4.49 KVM_DEASSIGN_PCI_DEVICE | 1161 | 4.49 KVM_DEASSIGN_PCI_DEVICE |
1158 | 1162 | ||
1159 | Capability: KVM_CAP_DEVICE_DEASSIGNMENT | 1163 | Capability: KVM_CAP_DEVICE_DEASSIGNMENT |
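Review bot: the added paragraph states the two preconditions (header type 0 with BAR resources, read/write access to the device's sysfs resource files) but not how a request that fails them is reported; since a caller will want to tell an unsupported device apart from a missing permission grant, the paragraph should name the error the ioctl returns for each case. It would also help to say which files "the PCI sysfs resource files" refers to (the per-BAR resource files in the device's sysfs directory), since that is what an administration agent has to grant access to for assignment to succeed.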