Bug#981943: systemd: Consider building with flag -Ddev-kvm-mode=0666

Michael Biebl biebl at debian.org
Fri Feb 5 10:52:14 GMT 2021


Control: tags -1 + moreinfo

On 05.02.21 at 10:44, Christopher Obbard wrote:
> Currently systemd is built with -Ddev-kvm-mode=0660 which sets the udev
> rule up to tag /dev/kvm as uaccess.
> 
> In systemd v236 the uaccess tag was dropped from /dev/kvm (as well as
> /dev/dri/renderD*) and the default permissions were changed to 0666.


Not quite correct, see for v247:

70-uaccess.rules:SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"

and we also have

50-udev-default.rules:KERNEL=="kvm", GROUP="kvm", MODE="0660", OPTIONS+="static_node=kvm"


> In debos (Debian Image Builder) we create a virtual machine (usually KVM
> by default) and suggest users use docker containers containing the KVM
> runtime for reproducibility. Since the permissions on /dev/kvm are
> tagged as uaccess, this doesn't get picked up by the container. So, it
> would be really helpful if we could put 0666 permissions on /dev/kvm by
> default.


A logged-in user should get access via the uaccess tag.
If you need some unprivileged background service without an active 
logind session, you can grant that particular access via a static group 
membership.

This should cover all relevant use cases, no?


Michael
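
Added example (not part of the original message and not systemd code): a small POSIX ACL evaluation in Python showing which permission entry grants read/write on a node like /dev/kvm for the cases discussed above, namely a session user holding a uaccess-style ACL entry, a service with static kvm group membership, and a node with mode 0666. The getfacl-style listings and the names alice and svc are constructed.

```python
# Added example: which permission entry grants read+write on a device node.
# ACL listings and the names alice/svc are constructed sample data.
RW = {"r", "w"}

def parse_acl(text):
    """Parse getfacl-style lines into (tag, qualifier, perms) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qual, perms = line.split(":")
            entries.append((tag, qual, set(perms) - {"-"}))
    return entries

def rw_access_path(acl_text, owner, group, user, user_groups):
    """Return the entry that grants `user` rw, or None (POSIX.1e check order)."""
    acl = parse_acl(acl_text)
    base = {t: p for t, q, p in acl if not q and t != "mask"}
    mask = next((p for t, q, p in acl if t == "mask"), RW | {"x"})
    if user == owner:                      # owner entry is never masked
        return "owner" if RW <= base["user"] else None
    for t, q, p in acl:                    # named user, e.g. set by logind for uaccess
        if t == "user" and q == user:
            return "acl-user" if RW <= (p & mask) else None
    in_group_class = False                 # owning group and named groups
    for t, q, p in acl:
        if t == "group" and (q or group) in user_groups:
            in_group_class = True
            if RW <= (p & mask):
                return "group" if not q else "acl-group"
    if in_group_class:
        return None                        # matched a group entry: no fall-through to other
    return "other" if RW <= base["other"] else None

# 0660 root:kvm plus a uaccess-style ACL entry for the session user alice
UACCESS = """user::rw-
user:alice:rw-
group::rw-
mask::rw-
other::---"""
# a node with mode 0666: no ACL entry or group needed, everyone matches "other"
WORLD = "user::rw-\ngroup::rw-\nother::rw-"

if __name__ == "__main__":
    print(rw_access_path(UACCESS, "root", "kvm", "alice", {"alice"}))
    print(rw_access_path(UACCESS, "root", "kvm", "svc", {"svc", "kvm"}))
    print(rw_access_path(UACCESS, "root", "kvm", "svc", {"svc"}))
    print(rw_access_path(WORLD, "root", "kvm", "svc", {"svc"}))
```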



