action: Make logic for unprivileged KVM access more robust 2012/head
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Thu, 26 Oct 2023 14:04:36 +0000 (16:04 +0200)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Fri, 27 Oct 2023 08:43:42 +0000 (10:43 +0200)
- Copy static-nodes-permissions.conf to /etc before modifying so our
modifications don't get overwritten if systemd is updated.
- Add udev rules to set the permissions correctly as well

action.yaml

index aefe5220e2405435048c8a202b1e44d642496c67..b0315b7e1570214ee8b2d6e5ef63c24632bd8e78 100644 (file)
@@ -8,11 +8,22 @@ runs:
   - name: Permit unprivileged access to kvm, vhost-vsock and vhost-net devices
     shell: bash
     run: |
-      sudo sed -i '/kvm/s/0660/0666/g'   /usr/lib/tmpfiles.d/static-nodes-permissions.conf
-      sudo sed -i '/vhost/s/0660/0666/g' /usr/lib/tmpfiles.d/static-nodes-permissions.conf
+      sudo mkdir -p /etc/tmpfiles.d
+      sudo cp /usr/lib/tmpfiles.d/static-nodes-permissions.conf /etc/tmpfiles.d/
+      sudo sed -i '/kvm/s/0660/0666/g'   /etc/tmpfiles.d/static-nodes-permissions.conf
+      sudo sed -i '/vhost/s/0660/0666/g' /etc/tmpfiles.d/static-nodes-permissions.conf
+      sudo tee /etc/udev/rules.d/99-kvm4all.rules <<- EOF
+      KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"
+      KERNEL=="vhost-vsock", GROUP="kvm", MODE="0666", OPTIONS+="static_node=vhost-vsock"
+      KERNEL=="vhost-net", GROUP="kvm", MODE="0666", OPTIONS+="static_node=vhost-net"
+      EOF
+      sudo udevadm control --reload-rules
       sudo modprobe kvm
       sudo modprobe vhost_vsock
       sudo modprobe vhost_net
+      [[ -e /dev/kvm ]] && sudo udevadm trigger --name-match=kvm
+      sudo udevadm trigger --name-match=vhost-vsock
+      sudo udevadm trigger --name-match=vhost-net
       [[ -e /dev/kvm ]] && sudo chmod 666 /dev/kvm
       sudo chmod 666 /dev/vhost-vsock
       sudo chmod 666 /dev/vhost-net
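Review bot: The `MODE="0666"` rules written to `/etc/udev/rules.d/99-kvm4all.rules` and the override copied into `/etc/tmpfiles.d/` remain on the machine after the job finishes, so on a self-hosted or otherwise reused runner every local account keeps read/write access to /dev/kvm, /dev/vhost-vsock and /dev/vhost-net, including after a reboot. That is presumably fine on ephemeral hosted runners, but the step does not say so; I would add a first line to the script such as `# Assumes a throwaway runner: leaves kvm/vhost nodes world-accessible via /etc/tmpfiles.d and /etc/udev/rules.d`. Copying the whole of static-nodes-permissions.conf into /etc also shadows the vendor file of the same name, so later vendor changes to other nodes in it would no longer apply, which is worth stating in the same comment. The `run:` script may continue past the end of the hunk.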