Comment 8 for bug 103010

> I'm sorry, this is not something that we can solve in the qemu-kvm package that is in Ubuntu Main.

Why not? The standard Ubuntu kernel supports capabilities (CONFIG_SECURITY_FILE_CAPABILITIES). It is obviously not desirable to have qemu networking broken by default, or to tell users that they must run qemu as root if they want networking to work. I'd imagine that most people installing qemu would prefer that the qemu process be able to create a TUN/TAP device instead of returning some odd error message.

> You could, I suppose, submit a patch that adds another binary package under the qemu-kvm source package that we put in Universe.

It seems odd to create a new package just to fix networking for non-root users.

> I've subscribed the Ubuntu Security Team. I'm curious for their opinion on this.

From a security perspective, it is obviously better to give the qemu process a single relatively harmless capability than to require all users run qemu as root or suid root.