From: Zbigniew Jędrzejewski-Szmek
Date: Mon, 27 Mar 2017 10:34:24 +0000 (-0400)
Subject: rules: add a rule to set /dev/kvm access mode and ownership (#5597)
X-Git-Tag: v234~354
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5a664ca10f38dbf66c07961707dafed66382caec;p=thirdparty%2Fsystemd.git

rules: add a rule to set /dev/kvm access mode and ownership (#5597)

Kernel default mode is 0600, but distributions change it to group kvm, mode either 0660 (e.g. Debian) or 0666 (e.g. Fedora). Both approaches have valid reasons (a stricter mode limits exposure to bugs in the kvm subsystem, a looser mode makes libvirt and other virtualization mechanisms work out of the box for unprivileged users over ssh). In Fedora the qemu package carries the relevant rule, but it's nicer to have it in systemd, so that the permissions are not dependent on the qemu package being installed. Use of packaged qemu binaries is not required to make use of /dev/kvm, e.g. it's possible to use a self-compiled qemu or some alternative. https://bugzilla.redhat.com/show_bug.cgi?id=1431876 To accomodate both approaches, add a rule to set the mode in 50-udev-default.rules, but allow the mode to be overridden with a --with-dev-kvm-mode configure rule. The default is 0660, as the (slightly) more secure option.
---
diff --git a/Makefile.am b/Makefile.am
index acda8266219..9a78488f8a8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3825,7 +3825,6 @@ dist_network_DATA = \
 network/80-container-vz.network
 dist_udevrules_DATA += \
- rules/50-udev-default.rules \
 rules/60-block.rules \
 rules/60-drm.rules \
 rules/60-evdev.rules \
@@ -3843,6 +3842,7 @@ dist_udevrules_DATA += \
 rules/80-net-setup-link.rules
 nodist_udevrules_DATA += \
+ rules/50-udev-default.rules \
 rules/99-systemd.rules
 udevconfdir = $(sysconfdir)/udev
@@ -3853,6 +3853,7 @@ pkgconfigdata_DATA += \
 src/udev/udev.pc
 EXTRA_DIST += \
+ rules/50-udev-default.rules.in \
 rules/99-systemd.rules.in \
 src/udev/udev.pc.in
@@ -6301,6 +6302,7 @@ substitutions = \
 '|KILL_USER_PROCESSES=$(KILL_USER_PROCESSES)|' \
 '|systemuidmax=$(SYSTEM_UID_MAX)|' \
 '|systemgidmax=$(SYSTEM_GID_MAX)|' \
+ '|DEV_KVM_MODE=$(DEV_KVM_MODE)|' \
 '|TTY_GID=$(TTY_GID)|' \
 '|systemsleepdir=$(systemsleepdir)|' \
 '|systemshutdowndir=$(systemshutdowndir)|' \
diff --git a/configure.ac b/configure.ac
index c0e5ec4fae7..06fa908d433 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1205,6 +1205,16 @@ AC_ARG_WITH(system-gid-max,
 AC_DEFINE_UNQUOTED(SYSTEM_GID_MAX, [$SYSTEM_GID_MAX], [Maximum System GID])
 AC_SUBST(SYSTEM_GID_MAX)
+# ------------------------------------------------------------------------------
+
+AC_ARG_WITH(dev-kvm-mode,
+ AS_HELP_STRING([--with-dev-kvm-mode=MODE],
+ [/dev/kvm access mode, defaults to "0660"]),
+ [DEV_KVM_MODE="$withval"],
+ [DEV_KVM_MODE="0660"])
+
+AC_SUBST(DEV_KVM_MODE, [$DEV_KVM_MODE], [/dev/kvm access mode])
+
 # ------------------------------------------------------------------------------
 have_localed=no
 AC_ARG_ENABLE(localed, AS_HELP_STRING([--disable-localed], [disable locale daemon]))
@@ -1767,6 +1777,7 @@ AC_MSG_RESULT([
 TTY GID: ${TTY_GID}
 maximum system UID: ${SYSTEM_UID_MAX}
 maximum system GID: ${SYSTEM_GID_MAX}
+ /dev/kvm access mode: ${DEV_KVM_MODE}
 certificate root: ${CERTIFICATEROOT}
 support URL: ${SUPPORT_URL}
 nobody user name: ${NOBODY_USER_NAME}
diff --git a/rules/.gitignore b/rules/.gitignore
index 93a50ddd804..ea6e216bad2 100644
--- a/rules/.gitignore
+++ b/rules/.gitignore
@@ -1 +1,2 @@
+/50-udev-default.rules
 /99-systemd.rules
diff --git a/rules/50-udev-default.rules b/rules/50-udev-default.rules.in
similarity index 98%
rename from rules/50-udev-default.rules
rename to rules/50-udev-default.rules.in
index 3347c8cd89e..064f66a9769 100644
--- a/rules/50-udev-default.rules
+++ b/rules/50-udev-default.rules.in
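Review bot: The value of `--with-dev-kvm-mode` is stored in `DEV_KVM_MODE` and substituted verbatim into the rules file with no validation, so a typo such as `660`, `rw`, or a value containing a double quote is only discovered when udev parses the generated rule at runtime, and with a mode that is not a valid octal mode /dev/kvm may end up with permissions nobody intended. configure should reject anything that is not a leading-zero octal mode right after the AC_ARG_WITH block, e.g. `AS_CASE([$DEV_KVM_MODE], [0[[0-7]][[0-7]][[0-7]]], [], [AC_MSG_ERROR([--with-dev-kvm-mode must be an octal mode such as 0660])])`. As far as I know AC_SUBST takes only a variable name and an optional value, so the trailing `[/dev/kvm access mode]` argument on the AC_SUBST line is presumably ignored and could be dropped to keep autoconf quiet.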
@@ -74,6 +74,8 @@ KERNEL=="tun", MODE="0666", OPTIONS+="static_node=net/tun"
 KERNEL=="fuse", MODE="0666", OPTIONS+="static_node=fuse"
+KERNEL=="kvm", GROUP="kvm", MODE="@DEV_KVM_MODE@"
+
 SUBSYSTEM=="ptp", ATTR{clock_name}=="KVM virtual PTP", SYMLINK += "ptp_kvm"
 LABEL="default_end"
diff --git a/sysusers.d/basic.conf.in b/sysusers.d/basic.conf.in
index b2dc5ebd4ff..7d6021e855a 100644
--- a/sysusers.d/basic.conf.in
+++ b/sysusers.d/basic.conf.in
@@ -29,6 +29,7 @@ g dialout - - -
 g disk - - -
 g input - - -
 g lp - - -
+g kvm - - -
 g tape - - -
 g video - - -
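Review bot: The new `KERNEL=="kvm"` rule depends on the `kvm` group that the sysusers.d hunk in this same commit creates, and nothing in the rules file says so; on a host where sysusers.d has not been applied yet (or is not used) the GROUP assignment presumably cannot be resolved and the device keeps whatever ownership udev falls back to, which is hard to diagnose from the rule alone. A one-line comment above the rule would make the dependency explicit, e.g. `# The kvm group is created by sysusers.d/basic.conf; the mode is set at configure time via --with-dev-kvm-mode`. Unlike the tun and fuse rules just above it, this rule carries no `static_node=` option, so the mode and group are applied only once the kvm module is loaded and its uevent has fired; if that asymmetry is deliberate, stating it in the comment would keep a later maintainer from "harmonising" it without considering the consequences. The enclosing default section continues past the hunk (`LABEL="default_end"` is the last context line shown).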