• Alex Williamson's avatar
    KVM: Device assignment permission checks · 3d27e23b
    Alex Williamson authored
    Only allow KVM device assignment to attach to devices which:
    
     - Are not bridges
     - Have BAR resources (assume others are special devices)
     - The user has permissions to use
    
    Assigning a bridge is a configuration error, it's not supported, and
    typically doesn't result in the behavior the user is expecting anyway.
    Devices without BAR resources are typically chipset components that
    also don't have host drivers.  We don't want users to hold such devices
    captive or cause system problems by fencing them off into an iommu
    domain.  We determine "permission to use" by testing whether the user
    has access to the PCI sysfs resource files.  By default a normal user
    will not have access to these files, so it provides a good indication
    that an administration agent has granted the user access to the device.
    
    [Yang Bai: add missing #include]
    [avi: fix comment style]
    Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
    Signed-off-by: default avatarYang Bai <hamo.by@gmail.com>
    Signed-off-by: default avatarMarcelo Tosatti <mtosatti@redhat.com>
    3d27e23b
assigned-dev.c 20.9 KB