author:    Alex Williamson <alex.williamson@redhat.com>  2011-12-20 23:59:09 -0500
committer: Avi Kivity <avi@redhat.com>  2011-12-25 12:03:54 -0500
commit:    3d27e23b17010c668db311140b17bbbb70c78fb9 (patch)
tree:      d3d87399212b2dda0bbf6616e4a580b35e7d7760 /Documentation/virtual
parent:    423873736b78f549fbfa2f715f2e4de7e6c5e1e9 (diff)
KVM: Device assignment permission checks
Only allow KVM device assignment to attach to devices which:

 - Are not bridges
 - Have BAR resources (assume others are special devices)
 - The user has permissions to use

Assigning a bridge is a configuration error, it's not supported, and
typically doesn't result in the behavior the user is expecting anyway.
Devices without BAR resources are typically chipset components that
also don't have host drivers. We don't want users to hold such devices
captive or cause system problems by fencing them off into an iommu
domain. We determine "permission to use" by testing whether the user
has access to the PCI sysfs resource files. By default a normal user
will not have access to these files, so it provides a good indication
that an administration agent has granted the user access to the device.

[Yang Bai: add missing #include]
[avi: fix comment style]

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Yang Bai <hamo.by@gmail.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
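The three conditions in the commit message (header type 0, at least one BAR resource, and read/write access to the device's sysfs resource files) can be checked from userspace before the assignment ioctl is ever issued, so an administration tool can tell the operator which condition failed. The script below is an added illustration written for this page; it is not code from the commit or from the kernel tree. It assumes the sysfs PCI layout (a binary `config` file with the header type at offset 0x0e, a text `resource` file with one `start end flags` line per resource slot, and per-BAR `resource<N>` files), considers only the six standard BAR slots, and evaluates permissions from the file mode bits rather than `os.access()` so the answer does not change when the script happens to run as root. The device directories it inspects are constructed in a temporary directory.

```python
"""Userspace preflight for KVM PCI device assignment (added example).

Re-implements the three conditions from the commit message against a
sysfs-style device directory. Assumptions, not kernel code: sysfs file
layouts as described in the lead-in; only BAR0..BAR5 are considered.
"""
import os
import stat
import tempfile

PCI_HEADER_TYPE_OFFSET = 0x0E   # byte offset of the header type in config space
PCI_HEADER_TYPE_MASK = 0x7F     # bit 7 is the multi-function flag; ignore it
PCI_HEADER_TYPE_NORMAL = 0x00   # type 0: ordinary device; types 1 and 2 are bridges
PCI_STD_NUM_BARS = 6            # BAR0..BAR5 are the first six 'resource' lines


def header_type(dev_dir):
    """Header type from the binary 'config' file (offset 0x0e, low 7 bits)."""
    with open(os.path.join(dev_dir, "config"), "rb") as f:
        f.seek(PCI_HEADER_TYPE_OFFSET)
        return f.read(1)[0] & PCI_HEADER_TYPE_MASK


def bar_slots_in_use(dev_dir):
    """Indices of BAR slots whose 'start end flags' line is not all zero."""
    used = []
    with open(os.path.join(dev_dir, "resource")) as f:
        for i, line in enumerate(f):
            if i >= PCI_STD_NUM_BARS:
                break
            start, end, flags = (int(x, 16) for x in line.split()[:3])
            if start or end or flags:
                used.append(i)
    return used


def mode_grants_rw(st, uid, gids):
    """Owner/group/other check for read AND write using stat() data only,
    so the result is the same whoever runs the script."""
    if st.st_uid == uid:
        bits = stat.S_IRUSR | stat.S_IWUSR
    elif st.st_gid in gids:
        bits = stat.S_IRGRP | stat.S_IWGRP
    else:
        bits = stat.S_IROTH | stat.S_IWOTH
    return (st.st_mode & bits) == bits


def check_assignable(dev_dir, uid, gids):
    """Return (ok, reason) for the three conditions in the commit message."""
    if header_type(dev_dir) != PCI_HEADER_TYPE_NORMAL:
        return False, "not a header type 0 device (bridge)"
    bars = bar_slots_in_use(dev_dir)
    if not bars:
        return False, "device has no BAR resources"
    for i in bars:
        path = os.path.join(dev_dir, "resource%d" % i)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            return False, "missing sysfs file %s" % path
        if not mode_grants_rw(st, uid, gids):
            return False, "no read/write permission on %s" % path
    return True, "ok"


def make_fake_device(root, name, htype, bars, mode):
    """Constructed sysfs-like device directory for offline demonstration."""
    d = os.path.join(root, name)
    os.makedirs(d)
    cfg = bytearray(256)                      # constructed 256-byte config space
    cfg[PCI_HEADER_TYPE_OFFSET] = htype
    with open(os.path.join(d, "config"), "wb") as f:
        f.write(cfg)
    lines = []
    for i in range(PCI_STD_NUM_BARS):
        if i in bars:                         # constructed 1 MiB memory BAR
            lines.append("0x00000000fe000000 0x00000000fe0fffff 0x0000000000040200")
            res = os.path.join(d, "resource%d" % i)
            with open(res, "wb") as f:
                f.write(b"\0" * 16)
            os.chmod(res, mode)
        else:
            lines.append("0x0000000000000000 0x0000000000000000 0x0000000000000000")
    with open(os.path.join(d, "resource"), "w") as f:
        f.write("\n".join(lines) + "\n")
    return d


def demo():
    """Three constructed devices checked for the owner and for a hypothetical other user."""
    me, mygids = os.getuid(), {os.getgid()}
    other = me + 1                            # hypothetical user who does not own the files
    with tempfile.TemporaryDirectory() as root:
        nic = make_fake_device(root, "0000:01:00.0", PCI_HEADER_TYPE_NORMAL, {0, 2}, 0o600)
        bridge = make_fake_device(root, "0000:00:1c.0", 0x01, {0}, 0o666)
        chipset = make_fake_device(root, "0000:00:1f.3", PCI_HEADER_TYPE_NORMAL, set(), 0o666)
        return {
            "owner": check_assignable(nic, me, mygids),
            "other": check_assignable(nic, other, set()),
            "bridge": check_assignable(bridge, me, mygids),
            "chipset": check_assignable(chipset, me, mygids),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run against a real device, `check_assignable("/sys/bus/pci/devices/0000:01:00.0", uid, gids)` reports which of the three conditions would block assignment; the mode-bit check is deliberately the plain DAC rule the commit message relies on, so a device whose `resource<N>` files an administrator has chowned or chmoded for the user passes, and one left at the default root-only mode does not.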
Diffstat (limited to 'Documentation/virtual')
-rw-r--r--  Documentation/virtual/kvm/api.txt  4
1 files changed, 4 insertions, 0 deletions
diff --git a/Documentation/virtual/kvm/api.txt b/Documentation/virtual/kvm/api.txt
index ee2c96b3ba5a..4df9af4f6132 100644
--- a/Documentation/virtual/kvm/api.txt
+++ b/Documentation/virtual/kvm/api.txt
@@ -1154,6 +1154,10 @@ following flags are specified:
1154The KVM_DEV_ASSIGN_ENABLE_IOMMU flag is a mandatory option to ensure 1154The KVM_DEV_ASSIGN_ENABLE_IOMMU flag is a mandatory option to ensure
1155isolation of the device. Usages not specifying this flag are deprecated. 1155isolation of the device. Usages not specifying this flag are deprecated.
1156 1156
1157Only PCI header type 0 devices with PCI BAR resources are supported by
1158device assignment. The user requesting this ioctl must have read/write
1159access to the PCI sysfs resource files associated with the device.
1160
11574.49 KVM_DEASSIGN_PCI_DEVICE 11614.49 KVM_DEASSIGN_PCI_DEVICE
1158 1162
1159Capability: KVM_CAP_DEVICE_DEASSIGNMENT 1163Capability: KVM_CAP_DEVICE_DEASSIGNMENT
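Review bot: The added paragraph (lines 1157-1159) states the three conditions but not what the caller observes when one fails; since the commit message treats a bridge or a device without BAR resources as a configuration error and missing sysfs access as a permission problem, documenting the errno returned in each case would let userspace distinguish the two rather than guess. It would also help administrators to name the sysfs files concretely (the per-BAR resource entries in the device's sysfs directory) so they know which files to grant access to, given that the commit message says the default permissions deny a normal user.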