Maxime Coquelin
2023-Aug-29 13:34 UTC
[PATCH v3 0/3] vduse: add support for networking devices
On 8/11/23 00:00, Jakub Kicinski wrote:> On Thu, 10 Aug 2023 17:42:11 -0400 Michael S. Tsirkin wrote: >>> Directly into the stack? I thought VDUSE is vDPA in user space, >>> meaning to get to the kernel the packet has to first go thru >>> a virtio-net instance. >> >> yes. is that a sufficient filter in your opinion? > > Yes, the ability to create the device feels stronger than CAP_NET_RAW, > and a bit tangential to CAP_NET_ADMIN. But I don't have much practical > experience with virt so no strong opinion, perhaps it does make sense > for someone's deployment? Dunno.. >I'm not sure CAP_NET_ADMIN should be required for creating the VDUSE devices, as the device could be attached to vhost-vDPA and so not visible to the Kernel networking stack. However, CAP_NET_ADMIN should be required to attach the VDUSE device to virtio-vdpa/virtio-net. Does that make sense? Maxime
Michael S. Tsirkin
2023-Aug-29 17:05 UTC
[PATCH v3 0/3] vduse: add support for networking devices
On Tue, Aug 29, 2023 at 03:34:06PM +0200, Maxime Coquelin wrote:> > > On 8/11/23 00:00, Jakub Kicinski wrote: > > On Thu, 10 Aug 2023 17:42:11 -0400 Michael S. Tsirkin wrote: > > > > Directly into the stack? I thought VDUSE is vDPA in user space, > > > > meaning to get to the kernel the packet has to first go thru > > > > a virtio-net instance. > > > > > > yes. is that a sufficient filter in your opinion? > > > > Yes, the ability to create the device feels stronger than CAP_NET_RAW, > > and a bit tangential to CAP_NET_ADMIN. But I don't have much practical > > experience with virt so no strong opinion, perhaps it does make sense > > for someone's deployment? Dunno.. > > > > I'm not sure CAP_NET_ADMIN should be required for creating the VDUSE > devices, as the device could be attached to vhost-vDPA and so not > visible to the Kernel networking stack. > > However, CAP_NET_ADMIN should be required to attach the VDUSE device to > virtio-vdpa/virtio-net. > > Does that make sense? > > MaximeOK. How are we going to enforce it? Also, we need a way for selinux to enable/disable some of these things but not others. -- MST