GNU bug report logs - #36335
Is /dev/kvm missing ACLs?
Report forwarded to bug-guix <at> gnu.org: bug#36335; Package guix. (Sun, 23 Jun 2019 04:21:02 GMT)
Acknowledgement sent to Chris Marusich <cmmarusich <at> gmail.com>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 23 Jun 2019 04:21:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hi,
I was trying to run some VMs via "guix system vm", and I noticed that
I didn't have permission to use KVM. This issue can be worked around by
running qemu as root, or by adding yourself to the "kvm" group.
However, I found it curious that the /dev/kvm device didn't have ACLs
granting me access:
--8<---------------cut here---------------start------------->8---
$ getfacl /dev/kvm
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
group::rw-
other::---
--8<---------------cut here---------------end--------------->8---
Is it expected that on Guix System, /dev/kvm does not by default receive
ACLs granting me access? I'm logged into a GNOME session via GDM, and I
was under the impression that logind or udevd would automatically set up
ACLs for me to access local devices, such as /dev/kvm and /dev/sr0, in
this case.
Note that I DO have ACLs for some other devices, such as video0:
--8<---------------cut here---------------start------------->8---
$ getfacl /dev/video0
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:marusich:rw-
group::rw-
mask::rw-
other::---
--8<---------------cut here---------------end--------------->8---
--
Chris
Information forwarded to bug-guix <at> gnu.org: bug#36335; Package guix. (Mon, 24 Jun 2019 19:56:01 GMT)
Message #8 received at 36335 <at> debbugs.gnu.org (full text, mbox):
Hi Chris,
Chris Marusich <cmmarusich <at> gmail.com> skribis:
> I was trying to run some VMs via "guix system vm", and I noticed that
> I didn't have permission to use KVM. This issue can be worked around by
> running qemu as root, or by adding yourself to the "kvm" group.
> However, I found it curious that the /dev/kvm device didn't have ACLs
> granting me access:
>
> $ getfacl /dev/kvm
> getfacl: Removing leading '/' from absolute path names
> # file: dev/kvm
> # owner: root
> # group: kvm
> user::rw-
> group::rw-
> other::---
>
>
> Is it expected that on Guix System, /dev/kvm does not by default receive
> ACLs granting me access?
Guix System doesn’t use ACLs at all.
However, the udev rule for kvm sets it up like this:
crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
and the build users are part of the ‘kvm’ group. I personally arrange
to have my user account in that group too.
Thanks,
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#36335; Package guix. (Thu, 27 Jun 2019 06:33:01 GMT)
Message #11 received at 36335 <at> debbugs.gnu.org (full text, mbox):
Hi Ludo,
Ludovic Courtès <ludo <at> gnu.org> writes:
> Guix System doesn’t use ACLs at all.
>
> However, the udev rule for kvm sets it up like this:
>
> crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>
> and the build users are part of the ‘kvm’ group. I personally arrange
> to have my user account in that group too.
It's good to know that the "kvm" group is the right way to grant
permissions. However, if Guix System doesn't use ACLs, then why do some
of my device files have ACLs on them, such as the video device file?
--8<---------------cut here---------------start------------->8---
$ getfacl /dev/video0
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:marusich:rw-
group::rw-
mask::rw-
other::---
--8<---------------cut here---------------end--------------->8---
--
Chris
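Added example, not code from the bug report or from Guix: a small Python checker that parses the two getfacl listings quoted in this thread and applies the POSIX.1e access check to them (owner entry, then named-user entry, then owning/named group entries capped by the mask, then other). It makes the difference between the two device nodes concrete: /dev/video0 is reachable through the named-user ACL entry, while /dev/kvm has only a plain group permission, so membership in the "kvm" group is what decides access there. The user name comes from the listings; the group memberships ("users" and "video" but not "kvm") are constructed for the demo, and the extra masked listing in the tests is constructed as well.

```python
# Added example (not from the bug report or Guix): parse getfacl(1) output
# and apply the POSIX.1e access check to it.
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# The two listings below are the ones quoted in the report. getfacl's stderr
# notice on the first line is commonly captured together with stdout, so the
# parser has to skip it.
GETFACL_KVM = """\
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
group::rw-
other::---
"""

GETFACL_VIDEO0 = """\
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:marusich:rw-
group::rw-
mask::rw-
other::---
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perm_to_bits(perm: str) -> int:
    """'rw-' -> 6; ignores the '#effective:...' annotation printed by getfacl -e."""
    perm = perm.split("#", 1)[0].strip()
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)

@dataclass
class Acl:
    path: str = ""
    owner: str = ""
    group: str = ""
    user_obj: int = 0            # user::   (owner)
    group_obj: int = 0           # group::  (owning group)
    other: int = 0               # other::
    mask: Optional[int] = None   # mask::   (absent on a minimal ACL)
    named_users: Dict[str, int] = field(default_factory=dict)
    named_groups: Dict[str, int] = field(default_factory=dict)

def parse_getfacl(text: str) -> Acl:
    """Parse one long-form getfacl listing (one ACL entry per line)."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):
            continue
        header = re.match(r"#\s*(file|owner|group):\s*(.*)", line)
        if header:
            key = "path" if header.group(1) == "file" else header.group(1)
            setattr(acl, key, header.group(2).strip())
            continue
        if line.startswith("#"):          # e.g. "# flags: ..."
            continue
        tag, qualifier, perm = line.split(":", 2)
        bits = perm_to_bits(perm)
        if tag == "user":
            if qualifier:
                acl.named_users[qualifier] = bits
            else:
                acl.user_obj = bits
        elif tag == "group":
            if qualifier:
                acl.named_groups[qualifier] = bits
            else:
                acl.group_obj = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
        else:
            raise ValueError(f"unexpected ACL entry: {line!r}")
    return acl

def has_access(acl: Acl, user: str, groups: Set[str], wanted: str) -> Tuple[bool, str]:
    """POSIX.1e order: owner, named user, owning/named groups, other.
    The mask caps every entry except owner and other. Returns (granted, entry class)."""
    want = perm_to_bits(wanted)
    mask = 7 if acl.mask is None else acl.mask
    if user == acl.owner:
        return (acl.user_obj & want) == want, "owner"
    if user in acl.named_users:
        return (acl.named_users[user] & mask & want) == want, "named user"
    candidates = [acl.group_obj] if acl.group in groups else []
    candidates += [p for g, p in acl.named_groups.items() if g in groups]
    if candidates:
        # One matching group entry holding every wanted bit is enough.
        return any((p & mask & want) == want for p in candidates), "group"
    return (acl.other & want) == want, "other"

if __name__ == "__main__":
    # Constructed scenario: a desktop user in "video" but not in "kvm".
    me, my_groups = "marusich", {"users", "video"}
    for listing in (GETFACL_KVM, GETFACL_VIDEO0):
        acl = parse_getfacl(listing)
        ok, via = has_access(acl, me, my_groups, "rw")
        print(f"/{acl.path}: rw {'granted' if ok else 'denied'} ({via} entry)")
```

Running it prints that /dev/kvm is denied through the "other" entry and /dev/video0 is granted through the named-user entry; adding "kvm" to the group set flips the first decision to a grant through the group entry, which is exactly the fix the thread recommends. The mask handling matters when auditing real systems: a named-user entry of rw- with a mask of r-- is effectively read-only, which getfacl only makes visible with -e.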
Information forwarded to bug-guix <at> gnu.org: bug#36335; Package guix. (Thu, 27 Jun 2019 13:46:02 GMT)
Message #14 received at 36335 <at> debbugs.gnu.org (full text, mbox):
Hi Chris,
Chris Marusich <cmmarusich <at> gmail.com> skribis:
> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>> Guix System doesn’t use ACLs at all.
>>
>> However, the udev rule for kvm sets it up like this:
>>
>> crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>>
>> and the build users are part of the ‘kvm’ group. I personally arrange
>> to have my user account in that group too.
>
> It's good to know that the "kvm" group is the right way to grant
> permissions. However, if Guix System doesn't use ACLs, then why do some
> of my device files have ACLs on them, such as the video device file?
>
> $ getfacl /dev/video0
> getfacl: Removing leading '/' from absolute path names
> # file: dev/video0
> # owner: root
> # group: video
> user::rw-
> user:marusich:rw-
> group::rw-
> mask::rw-
> other::---
Good question, I see the same thing here.
I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
that, and there’s no code in eudev that fiddles with ACLs either, and
nothing obvious in devtmpfs.c in Linux. So… it’s a mystery.
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#36335; Package guix. (Mon, 01 Jul 2019 08:42:01 GMT)
Message #17 received at 36335 <at> debbugs.gnu.org (full text, mbox):
On Thu, 27 Jun 2019 15:45:33 +0200
Ludovic Courtès <ludo <at> gnu.org> wrote:
> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
> that, and there’s no code in eudev that fiddles with ACLs either, and
> nothing obvious in devtmpfs.c in Linux. So… it’s a mystery.
Might be elogind. It sets some ACLs on login.
Information forwarded to bug-guix <at> gnu.org: bug#36335; Package guix. (Wed, 10 Jul 2019 06:24:02 GMT)
Message #20 received at 36335 <at> debbugs.gnu.org (full text, mbox):
Ludovic Courtès <ludo <at> gnu.org> writes:
> Hi Chris,
>
> Chris Marusich <cmmarusich <at> gmail.com> skribis:
>
>> Ludovic Courtès <ludo <at> gnu.org> writes:
>>
>>> Guix System doesn’t use ACLs at all.
>>>
>>> However, the udev rule for kvm sets it up like this:
>>>
>>> crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>>>
>>> and the build users are part of the ‘kvm’ group. I personally arrange
>>> to have my user account in that group too.
>>
>> It's good to know that the "kvm" group is the right way to grant
>> permissions. However, if Guix System doesn't use ACLs, then why do some
>> of my device files have ACLs on them, such as the video device file?
>>
>> $ getfacl /dev/video0
>> getfacl: Removing leading '/' from absolute path names
>> # file: dev/video0
>> # owner: root
>> # group: video
>> user::rw-
>> user:marusich:rw-
>> group::rw-
>> mask::rw-
>> other::---
>
> Good question, I see the same thing here.
>
> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
> that, and there’s no code in eudev that fiddles with ACLs either, and
> nothing obvious in devtmpfs.c in Linux. So… it’s a mystery.
>
> Ludo’.
Danny Milosavljevic <dannym <at> scratchpost.org> writes:
> On Thu, 27 Jun 2019 15:45:33 +0200
> Ludovic Courtès <ludo <at> gnu.org> wrote:
>
>> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
>> that, and there’s no code in eudev that fiddles with ACLs either, and
>> nothing obvious in devtmpfs.c in Linux. So… it’s a mystery.
>
> Might be elogind. It sets some ACLs on login.
Might be.
I am content knowing that on Guix System, the intended way to control
access to /dev/kvm is by using the "kvm" group. However, it still
smells like we may have an ACL-related bug: It seems to be unexpected
that ACLs are getting set for some devices (e.g., /dev/video0), but not
for others (e.g., /dev/kvm).
What do you think?
--
Chris
Information forwarded to bug-guix <at> gnu.org: bug#36335; Package guix. (Wed, 10 Jul 2019 17:11:02 GMT)
Message #23 received at 36335 <at> debbugs.gnu.org (full text, mbox):
Hi,
Chris Marusich <cmmarusich <at> gmail.com> skribis:
> I am content knowing that on Guix System, the intended way to control
> access to /dev/kvm is by using the "kvm" group. However, it still
> smells like we may have an ACL-related bug: It seems to be unexpected
> that ACLs are getting set for some devices (e.g., /dev/video0), but not
> for others (e.g., /dev/kvm).
>
> What do you think?
I agree. I’d like to have a definite answer as to where these come
from; elogind was suspect #1 but I haven’t found anything conclusive.
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#36335; Package guix. (Thu, 11 Jul 2019 07:19:01 GMT)
Message #26 received at 36335 <at> debbugs.gnu.org (full text, mbox):
auditd can find those acl setters :)
# auditctl -w /dev/kvm -p a -k kvm-acl-setter-foo
Later on:
# ausearch -k kvm-acl-setter-foo