
Commit 5a664ca

keszybz authored and martinpitt committed
rules: add a rule to set /dev/kvm access mode and ownership (systemd#5597)
Kernel default mode is 0600, but distributions change it to group kvm, mode either 0660 (e.g. Debian) or 0666 (e.g. Fedora). Both approaches have valid reasons (a stricter mode limits exposure to bugs in the kvm subsystem, a looser mode makes libvirt and other virtualization mechanisms work out of the box for unprivileged users over ssh).

In Fedora the qemu package carries the relevant rule, but it's nicer to have it in systemd, so that the permissions are not dependent on the qemu package being installed. Use of packaged qemu binaries is not required to make use of /dev/kvm, e.g. it's possible to use a self-compiled qemu or some alternative.

https://bugzilla.redhat.com/show_bug.cgi?id=1431876

To accommodate both approaches, add a rule to set the mode in 50-udev-default.rules, but allow the mode to be overridden with a --with-dev-kvm-mode configure rule. The default is 0660, as the (slightly) more secure option.
1 parent d7e228d commit 5a664ca
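As an added example (not systemd code and not from the commit author), the check a packager or administrator would run after this rule lands: a POSIX shell script that reads the GROUP and MODE a rules file declares for a device, in the `KERNEL=="...", GROUP="...", MODE="..."` form used by 50-udev-default.rules, compares them with the live node, and classifies the mode as world-accessible (the 0666 style) or restricted to owner and group (the 0660 style, or the kernel's 0600 default). It assumes GNU stat; the demo rules file, the 0660 value substituted for @DEV_KVM_MODE@, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of systemd. Assumes GNU stat (Linux).

# Normalise "660" / "0660" / "01777" to a four-digit octal string so that
# values written with or without a leading zero compare equal.
norm_mode() {
    printf '%04o' "0$1"
}

# Print the value of FIELD (MODE or GROUP) from the first rule in FILE whose
# KERNEL== match is exactly NAME; print nothing if the rule or field is absent.
rule_field() {
    file=$1 name=$2 field=$3
    sed -n -e "/KERNEL==\"$name\"/{" \
           -e "s/.*$field=\"\([^\"]*\)\".*/\1/p" \
           -e "q" -e "}" "$file"
}

# Exit 0 if MODE grants anything to "other" (world-accessible, like 0666),
# 1 if only owner/group bits are set (like 0660 or the kernel default 0600).
mode_grants_other() {
    case $(norm_mode "$1") in
        *0) return 1 ;;
        *)  return 0 ;;
    esac
}

# Exit 0 if PATH has exactly MODE and belongs to GROUP, 1 on a mismatch,
# 2 if PATH is missing or cannot be examined.
dev_access_matches() {
    path=$1 want_mode=$(norm_mode "$2") want_group=$3
    [ -e "$path" ] || { echo "missing: $path" >&2; return 2; }
    have_mode=$(stat -c '%a' "$path") || return 2
    have_group=$(stat -c '%G' "$path") || return 2
    have_mode=$(norm_mode "$have_mode")
    if [ "$have_mode" != "$want_mode" ] || [ "$have_group" != "$want_group" ]; then
        echo "$path: is $have_mode $have_group, rule says $want_mode $want_group" >&2
        return 1
    fi
    return 0
}

# Exit 0 if the node for NAME (default /dev/NAME, or DEVPATH if given)
# carries the GROUP and MODE that RULES declares for it.
rule_applied() {
    rules=$1 name=$2 devpath=${3:-/dev/$2}
    mode=$(rule_field "$rules" "$name" MODE)
    group=$(rule_field "$rules" "$name" GROUP)
    [ -n "$mode" ] && [ -n "$group" ] || { echo "no GROUP/MODE rule for $name in $rules" >&2; return 2; }
    dev_access_matches "$devpath" "$mode" "$group"
}

# Constructed rules file mirroring the lines under discussion, with the
# default 0660 written in place of @DEV_KVM_MODE@ (an assumption here).
demo_rules=$(mktemp)
cat >"$demo_rules" <<'EOF'
KERNEL=="tun", MODE="0666", OPTIONS+="static_node=net/tun"
KERNEL=="kvm", GROUP="kvm", MODE="0660"
EOF

for dev in tun kvm; do
    m=$(rule_field "$demo_rules" "$dev" MODE)
    if mode_grants_other "$m"; then
        echo "$dev: mode $m is world-accessible"
    else
        echo "$dev: mode $m is restricted to owner/group"
    fi
done

# Live check against the real node, only where one exists.
if [ -e /dev/kvm ]; then
    rule_applied "$demo_rules" kvm && echo "/dev/kvm matches the demo rule"
else
    echo "no /dev/kvm on this host, skipping the live check"
fi
rm -f "$demo_rules"
```

On a real host point `rule_applied` at the installed rules file (the copy of 50-udev-default.rules under the udev rules directory) instead of the demo file; a mismatch after a reconfigure with a different --with-dev-kvm-mode usually means the old generated rules file is still installed or udev has not re-triggered the device.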


5 files changed: +18 -1 lines changed


Makefile.am

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3825,7 +3825,6 @@ dist_network_DATA = \
38253825
network/80-container-vz.network
38263826

38273827
dist_udevrules_DATA += \
3828-
rules/50-udev-default.rules \
38293828
rules/60-block.rules \
38303829
rules/60-drm.rules \
38313830
rules/60-evdev.rules \
@@ -3843,6 +3842,7 @@ dist_udevrules_DATA += \
38433842
rules/80-net-setup-link.rules
38443843

38453844
nodist_udevrules_DATA += \
3845+
rules/50-udev-default.rules \
38463846
rules/99-systemd.rules
38473847

38483848
udevconfdir = $(sysconfdir)/udev
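Review bot: moving rules/50-udev-default.rules into nodist_udevrules_DATA beside rules/99-systemd.rules is the right treatment for a file now generated from a .in template, but the diff shows no matching entry in the clean list; confirm the generated rules/50-udev-default.rules is removed on `make clean` the same way the generated 99-systemd.rules is, otherwise a stale copy carrying the previous DEV_KVM_MODE can survive a reconfigure and get installed.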
@@ -3853,6 +3853,7 @@ pkgconfigdata_DATA += \
38533853
src/udev/udev.pc
38543854

38553855
EXTRA_DIST += \
3856+
rules/50-udev-default.rules.in \
38563857
rules/99-systemd.rules.in \
38573858
src/udev/udev.pc.in
38583859

@@ -6301,6 +6302,7 @@ substitutions = \
63016302
'|KILL_USER_PROCESSES=$(KILL_USER_PROCESSES)|' \
63026303
'|systemuidmax=$(SYSTEM_UID_MAX)|' \
63036304
'|systemgidmax=$(SYSTEM_GID_MAX)|' \
6305+
'|DEV_KVM_MODE=$(DEV_KVM_MODE)|' \
63046306
'|TTY_GID=$(TTY_GID)|' \
63056307
'|systemsleepdir=$(systemsleepdir)|' \
63066308
'|systemshutdowndir=$(systemshutdowndir)|' \
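Review bot: `'|DEV_KVM_MODE=$(DEV_KVM_MODE)|'` is pasted into the rules file verbatim, and nothing in this commit constrains the value, so a --with-dev-kvm-mode argument containing a quote or a non-octal string ends up inside `MODE="..."` as a malformed rule that only fails when udev loads it; rejecting bad values in configure.ac is the place to fix that rather than here.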

configure.ac

Lines changed: 11 additions & 0 deletions
@@ -1205,6 +1205,16 @@ AC_ARG_WITH(system-gid-max,
12051205
AC_DEFINE_UNQUOTED(SYSTEM_GID_MAX, [$SYSTEM_GID_MAX], [Maximum System GID])
12061206
AC_SUBST(SYSTEM_GID_MAX)
12071207

1208+
# ------------------------------------------------------------------------------
1209+
1210+
AC_ARG_WITH(dev-kvm-mode,
1211+
AS_HELP_STRING([--with-dev-kvm-mode=MODE],
1212+
[/dev/kvm access mode, defaults to "0660"]),
1213+
[DEV_KVM_MODE="$withval"],
1214+
[DEV_KVM_MODE="0660"])
1215+
1216+
AC_SUBST(DEV_KVM_MODE, [$DEV_KVM_MODE], [/dev/kvm access mode])
1217+
12081218
# ------------------------------------------------------------------------------
12091219
have_localed=no
12101220
AC_ARG_ENABLE(localed, AS_HELP_STRING([--disable-localed], [disable locale daemon]))
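Review bot: AC_SUBST is documented with two arguments (variable, value); the third argument `[/dev/kvm access mode]` on the `AC_SUBST(DEV_KVM_MODE, [$DEV_KVM_MODE], [/dev/kvm access mode])` line looks copied from the `AC_DEFINE_UNQUOTED(SYSTEM_GID_MAX, ...)` pattern above and should be dropped; since DEV_KVM_MODE is already assigned in both AC_ARG_WITH branches, plain `AC_SUBST(DEV_KVM_MODE)` matches the `AC_SUBST(SYSTEM_GID_MAX)` line just above. Separately, `$withval` is accepted unchecked: `660` (no leading zero), `rw`, or a typo all pass through into the udev rule. An AS_CASE guard on `$DEV_KVM_MODE` that calls AC_MSG_ERROR for anything other than four octal digits would surface the mistake at configure time instead of at rule load.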
@@ -1767,6 +1777,7 @@ AC_MSG_RESULT([
17671777
TTY GID: ${TTY_GID}
17681778
maximum system UID: ${SYSTEM_UID_MAX}
17691779
maximum system GID: ${SYSTEM_GID_MAX}
1780+
/dev/kvm access mode: ${DEV_KVM_MODE}
17701781
certificate root: ${CERTIFICATEROOT}
17711782
support URL: ${SUPPORT_URL}
17721783
nobody user name: ${NOBODY_USER_NAME}

rules/.gitignore

Lines changed: 1 addition & 0 deletions
@@ -1 +1,2 @@
1+
/50-udev-default.rules
12
/99-systemd.rules
Lines changed: 2 additions & 0 deletions
@@ -74,6 +74,8 @@ KERNEL=="tun", MODE="0666", OPTIONS+="static_node=net/tun"
7474

7575
KERNEL=="fuse", MODE="0666", OPTIONS+="static_node=fuse"
7676

77+
KERNEL=="kvm", GROUP="kvm", MODE="@DEV_KVM_MODE@"
78+
7779
SUBSYSTEM=="ptp", ATTR{clock_name}=="KVM virtual PTP", SYMLINK += "ptp_kvm"
7880

7981
LABEL="default_end"
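Review bot: the new `KERNEL=="kvm", GROUP="kvm", MODE="@DEV_KVM_MODE@"` line differs from the `tun` and `fuse` lines above it in carrying no `OPTIONS+="static_node=kvm"`. For a module-backed misc device that is autoloaded on open, the static node created at boot only receives this GROUP/MODE when the rule is flagged static_node; without it the node sits at the kernel default (root, 0600) until the module is loaded and its uevent arrives, so a user who is only in the kvm group cannot open it and trigger that autoload. Worth confirming whether kvm appears in modules.devname on the target distributions and adding the option if so. Also, the rule hard-codes GROUP="kvm" and so depends on the group existing when udev loads the rules; the sysusers.d/basic.conf.in entry below provides it on systemd-managed systems, but where systemd-sysusers does not run the group lookup fails and the node will not get the intended ownership.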

sysusers.d/basic.conf.in

Lines changed: 1 addition & 0 deletions
@@ -29,6 +29,7 @@ g dialout - - -
2929
g disk - - -
3030
g input - - -
3131
g lp - - -
32+
g kvm - - -
3233
g tape - - -
3334
g video - - -
3435
