Mailing List Archive

Problem with usb-passthrough using libvirt with hardened-sources-3.15.8
Hi!
A few days ago I booted a KVM host with a hardened kernel. After some time I
noticed that usb passthrough from host to kvm guest doesn't work. Simply
put, the guest didn't see any usb device. After switching the kernel on the host
to gentoo-sources-{3.14.14,3.16.2}, usb-passthrough works as I expect. I
didn't see any related information in the logs.
Does libvirt or grsec need special configuration to have such a feature
working?
Thanks,
Marcin
Re: Problem with usb-passthrough using libvirt with hardened-sources-3.15.8
On Tuesday, 16 September 2014 at 11:05, Marcin Mirosław wrote:
> A few days ago I booted a KVM host with a hardened kernel. After some time I
> noticed that usb passthrough from host to kvm guest doesn't work. Simply
> put, the guest didn't see any usb device. After switching the kernel on the host
> to gentoo-sources-{3.14.14,3.16.2}, usb-passthrough works as I expect. I
> didn't see any related information in the logs.
> Does libvirt or grsec need special configuration to have such a feature
> working?

I don't use KVM or libvirt, but I would suggest to check out your grsec
logs for denials.
Also there is a new capability introduced not so long ago:
CAP_BLOCK_SUSPEND
Some daemons and executables may complain - but in my case were
functioning properly anyways. May be not related to your problem.

BR: Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057


Re: Problem with usb-passthrough using libvirt with hardened-sources-3.15.8
On 16.09.2014 at 14:34, "Tóth Attila" wrote:
> On Tuesday, 16 September 2014 at 11:05, Marcin Mirosław wrote:
>> A few days ago I booted a KVM host with a hardened kernel. After some time I
>> noticed that usb passthrough from host to kvm guest doesn't work. Simply
>> put, the guest didn't see any usb device. After switching the kernel on the host
>> to gentoo-sources-{3.14.14,3.16.2}, usb-passthrough works as I expect. I
>> didn't see any related information in the logs.
>> Does libvirt or grsec need special configuration to have such a feature
>> working?
>
> I don't use KVM or libvirt, but I would suggest to check out your grsec
> logs for denials.
> Also there is a new capability introduced not so long ago:
> CAP_BLOCK_SUSPEND
> Some daemons and executables may complain - but in my case were
> functioning properly anyways. May be not related to your problem.

Hi!
I don't use RBAC, and I didn't see any suspicious entries in kernel.log,
in dmesg, or in the libvirt log.
Regards,
Marcin
Re: Problem with usb-passthrough using libvirt with hardened-sources-3.15.8
On 09/17/14 08:04, Marcin Mirosław wrote:
> On 16.09.2014 at 14:34, "Tóth Attila" wrote:
>> On Tuesday, 16 September 2014 at 11:05, Marcin Mirosław wrote:
>>> A few days ago I booted a KVM host with a hardened kernel. After some time I
>>> noticed that usb passthrough from host to kvm guest doesn't work. Simply
>>> put, the guest didn't see any usb device. After switching the kernel on the host
>>> to gentoo-sources-{3.14.14,3.16.2}, usb-passthrough works as I expect. I
>>> didn't see any related information in the logs.
>>> Does libvirt or grsec need special configuration to have such a feature
>>> working?
>>
>> I don't use KVM or libvirt, but I would suggest to check out your grsec
>> logs for denials.
>> Also there is a new capability introduced not so long ago:
>> CAP_BLOCK_SUSPEND
>> Some daemons and executables may complain - but in my case were
>> functioning properly anyways. May be not related to your problem.
>
> Hi!
> I don't use RBAC, and I didn't see any suspicious entries in kernel.log,
> in dmesg, or in the libvirt log.
> Regards,
> Marcin
>

Was there an earlier version of hardened-sources which *did* work?

Also, trust the menu options under grsecurity in Kconfig where it says
virtualization etc etc. Some options are too strict for a virt
environment. Having said that, though, if usb is the only thing not
working, I suspect that maybe it's some misconfiguration in the
host/client Kconfigs for kvm not related to hardened.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: Problem with usb-passthrough using libvirt with hardened-sources-3.15.8
On 2014-09-18 at 00:34, Anthony G. Basile wrote:
> On 09/17/14 08:04, Marcin Mirosław wrote:
>> On 16.09.2014 at 14:34, "Tóth Attila" wrote:
>>> On Tuesday, 16 September 2014 at 11:05, Marcin Mirosław wrote:
>>>> A few days ago I booted a KVM host with a hardened kernel. After some time I
>>>> noticed that usb passthrough from host to kvm guest doesn't work. Simply
>>>> put, the guest didn't see any usb device. After switching the kernel on the host
>>>> to gentoo-sources-{3.14.14,3.16.2}, usb-passthrough works as I expect. I
>>>> didn't see any related information in the logs.
>>>> Does libvirt or grsec need special configuration to have such a feature
>>>> working?
>>>
>>> I don't use KVM or libvirt, but I would suggest to check out your grsec
>>> logs for denials.
>>> Also there is a new capability introduced not so long ago:
>>> CAP_BLOCK_SUSPEND
>>> Some daemons and executables may complain - but in my case were
>>> functioning properly anyways. May be not related to your problem.
>>
>> Hi!
>> I don't use RBAC, and I didn't see any suspicious entries in kernel.log,
>> in dmesg, or in the libvirt log.
>> Regards,
>> Marcin
>>

Hi all!

> Was there an earlier version of hardened-sources which *did* work?

I don't know. When I was using hardened-sources on the host some time ago, I
didn't use usb passthrough at that time. Later I stopped using
hardened-sources (the kernel was unstable in such an environment but I didn't
report it) and started to use gentoo-sources. Some time later I started
to use usb passthrough.

> Also, trust the menu options under grsecurity in Kconfig where it says
> virtualization etc etc. Some options are too strict for a virt
> environment. Having said that, though, if usb is the only thing not
> working, I suspect that maybe it's some misconfiguration in the
> host/client Kconfigs for kvm not related to hardened.

I used .config from gentoo-sources->make oldconfig->changed options in
grsec menu. Meseems I didn't change anything in kvm related options in
kernel.

Marcin
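
Added example, not part of the thread: one way to check the "make oldconfig" step discussed above is to diff the working and failing kernel .config files, limited to the KVM, USB, grsecurity and PaX option families. The prefix list and the sample fragments are assumptions constructed for this example, not values from the posters' systems.

```python
import re

# Option-name prefixes to compare (an assumption of this example; extend as needed).
PREFIXES = ("CONFIG_KVM", "CONFIG_USB", "CONFIG_VIRT", "CONFIG_VHOST",
            "CONFIG_GRKERNSEC", "CONFIG_PAX")

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Return {option: value}; '# CONFIG_X is not set' is recorded as 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts

def diff_configs(working, failing, prefixes=PREFIXES):
    """List (option, working_value, failing_value) for options that differ."""
    a, b = parse_config(working), parse_config(failing)
    changed = []
    for name in sorted(set(a) | set(b)):
        if not name.startswith(prefixes):
            continue
        # An option absent from one file (e.g. added by a patch set) counts as 'n'.
        va, vb = a.get(name, "n"), b.get(name, "n")
        if va != vb:
            changed.append((name, va, vb))
    return changed

# Constructed sample fragments, standing in for the two kernels' .config files.
WORKING = """CONFIG_KVM=m
CONFIG_KVM_INTEL=m
CONFIG_USB_EHCI_HCD=y
CONFIG_USB_XHCI_HCD=y
# CONFIG_SOUND is not set
"""
FAILING = """CONFIG_KVM=m
CONFIG_KVM_INTEL=m
CONFIG_USB_EHCI_HCD=y
CONFIG_USB_XHCI_HCD=m
CONFIG_GRKERNSEC=y
CONFIG_PAX=y
CONFIG_SOUND=y
"""

if __name__ == "__main__":
    for name, old, new in diff_configs(WORKING, FAILING):
        print(f"{name}: {old} -> {new}")
```

On real systems, pass the contents of the two kernels' .config files instead of the sample strings.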