On Thu, Feb 25, 2016 at 07:48:41AM +0100, Dietmar Maurer wrote:
> I just found package liblinux-prctl-perl, which can do
> 
> Linux::Prctl::capbset_drop(CAP_SYS_RAWIO);
> 
> That way we could do it inside perl before the SCSI INQUIRY syscall.
> Would that solve the problem?
> 
> But we would need to fork before calling capbset_drop ...

If LVM is special there, wouldn't it make more sense to check for LVM
directly rather than dropping this capability? While apparently most
devices only need read-access for the SG_IO ioctl, capabilities(7)
states that you need CAP_SYS_RAWIO for "various scsi commands" and "a
range of device-specific operations on other devices":

capabilities(7):
       CAP_SYS_RAWIO
              * Perform I/O port operations (iopl(2) and ioperm(2));
              (...)
              * perform various SCSI device commands;
              (...)
              * perform a range of device-specific operations on other devices.

> > On February 25, 2016 at 6:54 AM Dietmar Maurer <diet...@proxmox.com> wrote:
> > 
> > 
> > > #capsh --drop=cap_sys_rawio -- -c 'sg_inq /dev/pve/vm-115-disk-2'
> > > Both SCSI INQUIRY and fetching ATA information failed on
> > > /dev/pve/vm-115-disk-2
> > 
> > Why --drop=cap_sys_rawio ? Does kvm drop this when starting?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
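Added example (C, written for this page; not Proxmox code and not from either mail above) of the fork-then-drop probe Dietmar proposes, with one caveat worth checking before relying on it. prctl(PR_CAPBSET_DROP), which from its name is what Linux::Prctl::capbset_drop() wraps, only removes the capability from the bounding set, and capabilities(7) defines the bounding set as a limit on what a process can gain across execve(2). The live permitted and effective sets of the calling process keep CAP_SYS_RAWIO, so an SG_IO ioctl issued by that same Perl process is still privileged; capsh --drop appears to take the capability away only because it execs sg_inq afterwards. To disarm an in-process INQUIRY the forked child also has to clear the capability from its permitted and effective sets with capset(2), which is what this program does before issuing the same 6-byte INQUIRY that sg_inq sends. Assumptions that are this example's own: the device path comes from argv[1] (falling back to /dev/sda), the child exit-code convention and the EXIT_DROP_FAILED value, and that it is run as root on Linux, since an unprivileged user never had CAP_SYS_RAWIO to begin with.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/capability.h>
#include <scsi/sg.h>

#define EXIT_DROP_FAILED 100   /* our own convention: child could not shed the capability */

/* Raw capget(2) on the calling thread (pid 0); no libcap needed. */
static int read_caps(struct __user_cap_header_struct *hdr, struct __user_cap_data_struct *data)
{
    memset(hdr, 0, sizeof *hdr);
    hdr->version = _LINUX_CAPABILITY_VERSION_3;
    return (int)syscall(SYS_capget, hdr, data);
}

/* 1 if cap is in the effective set, 0 if not, -1 on error. */
int cap_in_effective(int cap)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    if (read_caps(&hdr, data) == -1)
        return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) ? 1 : 0;
}

/* PR_CAPBSET_DROP only limits what later execve()s can gain (and needs CAP_SETPCAP, so it
 * is best effort here); the capset(2) afterwards clears the live sets, which is what
 * actually disarms an SG_IO issued by this process.  Returns 0 once gone from effective. */
int drop_cap_sys_rawio(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    unsigned idx = CAP_TO_INDEX(CAP_SYS_RAWIO), mask = CAP_TO_MASK(CAP_SYS_RAWIO);
    (void)prctl(PR_CAPBSET_DROP, CAP_SYS_RAWIO, 0, 0, 0);
    if (read_caps(&hdr, data) == -1)
        return -1;
    data[idx].effective &= ~mask;
    data[idx].permitted &= ~mask;
    data[idx].inheritable &= ~mask;
    if (syscall(SYS_capset, &hdr, data) == -1)
        return -1;
    return cap_in_effective(CAP_SYS_RAWIO) == 0 ? 0 : -1;
}

/* Standard INQUIRY (6-byte CDB, opcode 0x12) through SG_IO, much as sg_inq does,
 * on a read-only descriptor.  Returns 0 on success, -1 with errno set. */
int sg_inquiry(const char *dev, unsigned char *resp, unsigned char len)
{
    unsigned char cdb[6] = { 0x12, 0, 0, 0, len, 0 }, sense[32];
    sg_io_hdr_t io = { .interface_id = 'S', .dxfer_direction = SG_DXFER_FROM_DEV,
                       .cmd_len = sizeof cdb, .cmdp = cdb, .mx_sb_len = sizeof sense,
                       .sbp = sense, .dxfer_len = len, .dxferp = resp, .timeout = 20000 };
    int fd = open(dev, O_RDONLY | O_NONBLOCK);
    if (fd == -1)
        return -1;
    int rc = ioctl(fd, SG_IO, &io), saved = errno;
    close(fd);
    if (rc == -1) { errno = saved; return -1; }
    if ((io.info & SG_INFO_OK_MASK) != SG_INFO_OK) { errno = EIO; return -1; }
    return 0;
}

/* 0 if the INQUIRY worked without CAP_SYS_RAWIO, EXIT_DROP_FAILED, the errno of the
 * failure (EPERM is what a capability-gated command looks like), or -1 on fork/wait error. */
int run_inquiry_without_rawio(const char *dev)
{
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        unsigned char resp[36];
        if (drop_cap_sys_rawio() != 0)
            _exit(EXIT_DROP_FAILED);
        _exit(sg_inquiry(dev, resp, sizeof resp) == 0 ? 0 : (errno & 0xff));
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] : "/dev/sda";   /* assumption: any readable block device */
    int rc = run_inquiry_without_rawio(dev);
    printf("%s: %s\n", dev, rc == 0 ? "INQUIRY ok without CAP_SYS_RAWIO (read access suffices)"
           : rc == EXIT_DROP_FAILED ? "child could not drop CAP_SYS_RAWIO"
           : rc > 0 ? strerror(rc) : "fork/wait error");
    printf("parent still has CAP_SYS_RAWIO effective: %d\n", cap_in_effective(CAP_SYS_RAWIO));
    return rc == 0 ? 0 : 1;
}
```

Build with gcc -Wall and run it as root once against the LVM volume from the thread and once against a plain disk or partition. The parent's last line should print 1 both times, which is the point of forking. If the INQUIRY fails with EPERM only for the device-mapper volume, that is the LVM-specific behaviour the reply asks about, and checking the device type up front may be the simpler gate than dropping a capability that capabilities(7) ties to a whole range of SCSI and device-specific commands.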