From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Thu, 26 Oct 2023 14:04:36 +0000 (+0200)
Subject: action: Make logic for unprivileged KVM access more robust
X-Git-Tag: v19~50^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2012%2Fhead;p=thirdparty%2Fmkosi.git

action: Make logic for unprivileged KVM access more robust

- Copy static-nodes-permissions.conf to /etc before modifying so our
modifications don't get overwritten if systemd is updated.
- Add udev rules to set the permissions correctly as well
---

diff --git a/action.yaml b/action.yaml
index aefe5220e..b0315b7e1 100644
--- a/action.yaml
+++ b/action.yaml
@@ -8,11 +8,22 @@ runs:
   - name: Permit unprivileged access to kvm, vhost-vsock and vhost-net devices
     shell: bash
     run: |
-      sudo sed -i '/kvm/s/0660/0666/g'   /usr/lib/tmpfiles.d/static-nodes-permissions.conf
-      sudo sed -i '/vhost/s/0660/0666/g' /usr/lib/tmpfiles.d/static-nodes-permissions.conf
+      sudo mkdir -p /etc/tmpfiles.d
+      sudo cp /usr/lib/tmpfiles.d/static-nodes-permissions.conf /etc/tmpfiles.d/
+      sudo sed -i '/kvm/s/0660/0666/g'   /etc/tmpfiles.d/static-nodes-permissions.conf
+      sudo sed -i '/vhost/s/0660/0666/g' /etc/tmpfiles.d/static-nodes-permissions.conf
+      sudo tee /etc/udev/rules.d/99-kvm4all.rules <<- EOF
+      KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"
+      KERNEL=="vhost-vsock", GROUP="kvm", MODE="0666", OPTIONS+="static_node=vhost-vsock"
+      KERNEL=="vhost-net", GROUP="kvm", MODE="0666", OPTIONS+="static_node=vhost-net"
+      EOF
+      sudo udevadm control --reload-rules
       sudo modprobe kvm
       sudo modprobe vhost_vsock
       sudo modprobe vhost_net
+      [[ -e /dev/kvm ]] && sudo udevadm trigger --name-match=kvm
+      sudo udevadm trigger --name-match=vhost-vsock
+      sudo udevadm trigger --name-match=vhost-net
       [[ -e /dev/kvm ]] && sudo chmod 666 /dev/kvm
       sudo chmod 666 /dev/vhost-vsock
       sudo chmod 666 /dev/vhost-net