rules: add a rule to set /dev/kvm access mode and ownership (#5597)

Kernel default mode is 0600, but distributions change it to group kvm, mode
either 0660 (e.g. Debian) or 0666 (e.g. Fedora). Both approaches have valid
reasons (a stricter mode limits exposure to bugs in the kvm subsystem, a looser
mode makes libvirt and other virtualization mechanisms work out of the box for
unprivileged users over ssh).

In Fedora the qemu package carries the relevant rule, but it's nicer to have it
in systemd, so that the permissions are not dependent on the qemu package being
installed. Use of packaged qemu binaries is not required to make use of
/dev/kvm, e.g. it's possible to use a self-compiled qemu or some alternative.

https://bugzilla.redhat.com/show_bug.cgi?id=1431876

To accomodate both approaches, add a rule to set the mode in 50-udev-default.rules,
but allow the mode to be overridden with a --with-dev-kvm-mode configure rule.
The default is 0660, as the (slightly) more secure option.
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2017-03-27 06:34:24 -04:00 committed by Martin Pitt
parent d7e228d9fe
commit 5a664ca10f
5 changed files with 18 additions and 1 deletions

View File

@ -3825,7 +3825,6 @@ dist_network_DATA = \
network/80-container-vz.network
dist_udevrules_DATA += \
rules/50-udev-default.rules \
rules/60-block.rules \
rules/60-drm.rules \
rules/60-evdev.rules \
@ -3843,6 +3842,7 @@ dist_udevrules_DATA += \
rules/80-net-setup-link.rules
nodist_udevrules_DATA += \
rules/50-udev-default.rules \
rules/99-systemd.rules
udevconfdir = $(sysconfdir)/udev
@ -3853,6 +3853,7 @@ pkgconfigdata_DATA += \
src/udev/udev.pc
EXTRA_DIST += \
rules/50-udev-default.rules.in \
rules/99-systemd.rules.in \
src/udev/udev.pc.in
@ -6301,6 +6302,7 @@ substitutions = \
'|KILL_USER_PROCESSES=$(KILL_USER_PROCESSES)|' \
'|systemuidmax=$(SYSTEM_UID_MAX)|' \
'|systemgidmax=$(SYSTEM_GID_MAX)|' \
'|DEV_KVM_MODE=$(DEV_KVM_MODE)|' \
'|TTY_GID=$(TTY_GID)|' \
'|systemsleepdir=$(systemsleepdir)|' \
'|systemshutdowndir=$(systemshutdowndir)|' \

View File

@ -1205,6 +1205,16 @@ AC_ARG_WITH(system-gid-max,
AC_DEFINE_UNQUOTED(SYSTEM_GID_MAX, [$SYSTEM_GID_MAX], [Maximum System GID])
AC_SUBST(SYSTEM_GID_MAX)
# ------------------------------------------------------------------------------
AC_ARG_WITH(dev-kvm-mode,
AS_HELP_STRING([--with-dev-kvm-mode=MODE],
[/dev/kvm access mode, defaults to "0660"]),
[DEV_KVM_MODE="$withval"],
[DEV_KVM_MODE="0660"])
AC_SUBST(DEV_KVM_MODE, [$DEV_KVM_MODE], [/dev/kvm access mode])
# ------------------------------------------------------------------------------
have_localed=no
AC_ARG_ENABLE(localed, AS_HELP_STRING([--disable-localed], [disable locale daemon]))
@ -1767,6 +1777,7 @@ AC_MSG_RESULT([
TTY GID: ${TTY_GID}
maximum system UID: ${SYSTEM_UID_MAX}
maximum system GID: ${SYSTEM_GID_MAX}
/dev/kvm access mode: ${DEV_KVM_MODE}
certificate root: ${CERTIFICATEROOT}
support URL: ${SUPPORT_URL}
nobody user name: ${NOBODY_USER_NAME}

1
rules/.gitignore vendored
View File

@ -1 +1,2 @@
/50-udev-default.rules
/99-systemd.rules

View File

@ -74,6 +74,8 @@ KERNEL=="tun", MODE="0666", OPTIONS+="static_node=net/tun"
KERNEL=="fuse", MODE="0666", OPTIONS+="static_node=fuse"
KERNEL=="kvm", GROUP="kvm", MODE="@DEV_KVM_MODE@"
SUBSYSTEM=="ptp", ATTR{clock_name}=="KVM virtual PTP", SYMLINK += "ptp_kvm"
LABEL="default_end"

View File

@ -29,6 +29,7 @@ g dialout - - -
g disk - - -
g input - - -
g lp - - -
g kvm - - -
g tape - - -
g video - - -