rules: add a rule to set /dev/kvm access mode and ownership (#5597)

Kernel default mode is 0600, but distributions change it to group kvm, mode
either 0660 (e.g. Debian) or 0666 (e.g. Fedora). Both approaches have valid
reasons (a stricter mode limits exposure to bugs in the kvm subsystem, a looser
mode makes libvirt and other virtualization mechanisms work out of the box for
unprivileged users over ssh).

In Fedora the qemu package carries the relevant rule, but it's nicer to have it
in systemd, so that the permissions are not dependent on the qemu package being
installed. Use of packaged qemu binaries is not required to make use of
/dev/kvm, e.g. it's possible to use a self-compiled qemu or some alternative.

https://bugzilla.redhat.com/show_bug.cgi?id=1431876

To accomodate both approaches, add a rule to set the mode in 50-udev-default.rules,
but allow the mode to be overridden with a --with-dev-kvm-mode configure rule.
The default is 0660, as the (slightly) more secure option.

diff --git a/Makefile.am b/Makefile.am
index acda826621958f2d85558721e229c43fbf9647a3..9a78488f8a8d9b853a1387fdd28b4963e47dc481 100644 (file)
--- a/Makefile.am
+++ b/Makefile.am
@@ -3825,7 +3825,6 @@ dist_network_DATA = \
        network/80-container-vz.network
 
 dist_udevrules_DATA += \
-       rules/50-udev-default.rules \
        rules/60-block.rules \
        rules/60-drm.rules \
        rules/60-evdev.rules \
@@ -3843,6 +3842,7 @@ dist_udevrules_DATA += \
        rules/80-net-setup-link.rules
 
 nodist_udevrules_DATA += \
+       rules/50-udev-default.rules \
        rules/99-systemd.rules
 
 udevconfdir = $(sysconfdir)/udev
@@ -3853,6 +3853,7 @@ pkgconfigdata_DATA += \
        src/udev/udev.pc
 
 EXTRA_DIST += \
+       rules/50-udev-default.rules.in \
        rules/99-systemd.rules.in \
        src/udev/udev.pc.in
 
@@ -6301,6 +6302,7 @@ substitutions = \
        '|KILL_USER_PROCESSES=$(KILL_USER_PROCESSES)|' \
        '|systemuidmax=$(SYSTEM_UID_MAX)|' \
        '|systemgidmax=$(SYSTEM_GID_MAX)|' \
+       '|DEV_KVM_MODE=$(DEV_KVM_MODE)|' \
        '|TTY_GID=$(TTY_GID)|' \
        '|systemsleepdir=$(systemsleepdir)|' \
        '|systemshutdowndir=$(systemshutdowndir)|' \

diff --git a/configure.ac b/configure.ac
index c0e5ec4fae7c91927916e8a2d763a3b2a0fb84f3..06fa908d43386db61f5cec8c34262e7cbaac0e68 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -1205,6 +1205,16 @@ AC_ARG_WITH(system-gid-max,
 AC_DEFINE_UNQUOTED(SYSTEM_GID_MAX, [$SYSTEM_GID_MAX], [Maximum System GID])
 AC_SUBST(SYSTEM_GID_MAX)
 
+# ------------------------------------------------------------------------------
+
+AC_ARG_WITH(dev-kvm-mode,
+        AS_HELP_STRING([--with-dev-kvm-mode=MODE],
+                [/dev/kvm access mode, defaults to "0660"]),
+        [DEV_KVM_MODE="$withval"],
+        [DEV_KVM_MODE="0660"])
+
+AC_SUBST(DEV_KVM_MODE, [$DEV_KVM_MODE], [/dev/kvm access mode])
+
 # ------------------------------------------------------------------------------
 have_localed=no
 AC_ARG_ENABLE(localed, AS_HELP_STRING([--disable-localed], [disable locale daemon]))
@@ -1767,6 +1777,7 @@ AC_MSG_RESULT([
         TTY GID:                           ${TTY_GID}
         maximum system UID:                ${SYSTEM_UID_MAX}
         maximum system GID:                ${SYSTEM_GID_MAX}
+        /dev/kvm access mode:              ${DEV_KVM_MODE}
         certificate root:                  ${CERTIFICATEROOT}
         support URL:                       ${SUPPORT_URL}
         nobody user name:                  ${NOBODY_USER_NAME}

diff --git a/rules/.gitignore b/rules/.gitignore
index 93a50ddd804218fc41aaa7ca21156daa5f6bc3ec..ea6e216bad2d7f4ce966fab460ced4b8da160a31 100644 (file)
--- a/rules/.gitignore
+++ b/rules/.gitignore
@@ -1 +1,2 @@
+/50-udev-default.rules
 /99-systemd.rules

diff --git a/rules/50-udev-default.rules b/rules/50-udev-default.rules.in
similarity index 98%
rename from rules/50-udev-default.rules
rename to rules/50-udev-default.rules.in
index 3347c8cd89e98e14c60667d3102a42ead69b03b6..064f66a9769a7c2527d17bb9fa3236f0b2a7980d 100644 (file)
--- a/rules/50-udev-default.rules
+++ b/rules/50-udev-default.rules.in
@@ -74,6 +74,8 @@ KERNEL=="tun", MODE="0666", OPTIONS+="static_node=net/tun"
 
 KERNEL=="fuse", MODE="0666", OPTIONS+="static_node=fuse"
 
+KERNEL=="kvm", GROUP="kvm", MODE="@DEV_KVM_MODE@"
+
 SUBSYSTEM=="ptp", ATTR{clock_name}=="KVM virtual PTP", SYMLINK += "ptp_kvm"
 
 LABEL="default_end"

diff --git a/sysusers.d/basic.conf.in b/sysusers.d/basic.conf.in
index b2dc5ebd4ffd43304792fcd0943a3aa7b1df7c53..7d6021e855a6e26f15e0b179cb9979c67e0ac059 100644 (file)
--- a/sysusers.d/basic.conf.in
+++ b/sysusers.d/basic.conf.in
@@ -29,6 +29,7 @@ g dialout -     -            -
 g disk    -     -            -
 g input   -     -            -
 g lp      -     -            -
+g kvm     -     -            -
 g tape    -     -            -
 g video   -     -            -