Bug#981943: systemd: Consider building with flag -Ddev-kvm-mode=0666
Michael Biebl
biebl at debian.org
Fri Feb 5 10:52:14 GMT 2021
Control: tags -1 + moreinfo
On 05.02.21 at 10:44, Christopher Obbard wrote:
> Currently systemd is built with -Ddev-kvm-mode=0660 which sets the udev
> rule up to tag /dev/kvm as uaccess.
>
> In systemd v236 the uaccess tag was dropped from /dev/kvm (as well as
> /dev/dri/renderD*) and the default permissions were changed to 0666.
Not quite correct, see for v247:
70-uaccess.rules:SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"
and we also have
50-udev-default.rules:KERNEL=="kvm", GROUP="kvm", MODE="0660", OPTIONS+="static_node=kvm"
> In debos (Debian Image Builder) we create a virtual machine (usually KVM
> by default) and suggest users use docker containers containing the KVM
> runtime for reproducibility. Since the permissions on /dev/kvm are
> tagged as uaccess, this doesn't get picked up by the container. So, it
> would be really helpful if we could put 0666 permissions on /dev/kvm by
> default.
A logged-in user should get access via the uaccess tag.
If you need some unprivileged background service without an active
logind session, you can grant that particular access via a static group
membership.
This should cover all relevant use cases, no?
Michael
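
Added example, not part of the original message or of systemd's code: a small evaluator for the two rule lines quoted above, showing which access paths to /dev/kvm they produce (kvm group, per-session uaccess ACL) and what changes with mode 0666. It handles only a simplified subset of udev syntax, and the `RULES_0666` variant is constructed by swapping the MODE value; function and variable names are hypothetical.

```python
import fnmatch
import re

# Rule lines quoted in the message above (systemd v247), keyed by file name.
RULES_0660 = [
    ("70-uaccess.rules",
     'SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"'),
    ("50-udev-default.rules",
     'KERNEL=="kvm", GROUP="kvm", MODE="0660", OPTIONS+="static_node=kvm"'),
]
# Constructed variant: the same rules with the mode the bug report asks for.
RULES_0666 = [(n, l.replace('MODE="0660"', 'MODE="0666"')) for n, l in RULES_0660]

# One KEY<op>"value" pair; "==" is a match, "=" and "+=" are assignments.
TOKEN = re.compile(r'\s*([A-Z_]+)\s*(==|\+=|=)\s*"([^"]*)"\s*(?:,|$)')

def evaluate(rules, device):
    """Apply rules in lexical file order and return the node settings.

    Assumption: simplified udev subset (==, =, += with glob matching);
    no !=, GOTO, IMPORT, ATTR keys or multi-line rules.
    """
    result = {"MODE": None, "GROUP": None, "TAG": set()}
    for _name, line in sorted(rules):
        tokens = TOKEN.findall(line)
        wanted = [(k, v) for k, op, v in tokens if op == "=="]
        if not all(fnmatch.fnmatchcase(device.get(k, ""), v) for k, v in wanted):
            continue  # rule does not apply to this device
        for key, op, value in tokens:
            if key == "TAG" and op == "+=":
                result["TAG"].add(value)
            elif key in ("MODE", "GROUP") and op == "=":
                result[key] = value
    return result

def access_summary(settings):
    """Summarise who can open the node read/write (MODE must be set)."""
    mode = int(settings["MODE"], 8)
    return {
        "world_rw": (mode & 0o006) == 0o006,      # any local user or process
        "group": settings["GROUP"] if (mode & 0o060) == 0o060 else None,
        "session_acl": "uaccess" in settings["TAG"],  # logind adds an ACL
    }

KVM = {"KERNEL": "kvm", "SUBSYSTEM": "misc"}

if __name__ == "__main__":
    for label, rules in (("0660", RULES_0660), ("0666", RULES_0666)):
        print(label, access_summary(evaluate(rules, KVM)))
```
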