GNU bug report logs - #36335
Is /dev/kvm missing ACLs?

Previous Next

Package: guix;

Reported by: Chris Marusich <cmmarusich <at> gmail.com>

Date: Sun, 23 Jun 2019 04:21:02 UTC

Severity: normal

Full log

Message #20 received at 36335 <at> debbugs.gnu.org (full text, mbox):

From: Chris Marusich <cmmarusich <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Danny Milosavljevic <dannym <at> scratchpost.org>, 36335 <at> debbugs.gnu.org
Subject: Re: bug#36335: Is /dev/kvm missing ACLs?
Date: Tue, 09 Jul 2019 23:23:28 -0700

[Message part 1 (text/plain, inline)]
Ludovic Courtès <ludo <at> gnu.org> writes:

> Hi Chris,
>
> Chris Marusich <cmmarusich <at> gmail.com> skribis:
>
>> Ludovic Courtès <ludo <at> gnu.org> writes:
>>
>>> Guix System doesn’t use ACLs at all.
>>>
>>> However, the udev rule for kvm sets it up like this:
>>>
>>>   crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>>>
>>> and the build users are part of the ‘kvm’ group.  I personally arrange
>>> to have my user account in that group too.
>>
>> It's good to know that the "kvm" group is the right way to grant
>> permissions.  However, if Guix System doesn't use ACLs, then why do some
>> of my device files have ACLs on them, such as the video device file?
>>
>> $ getfacl /dev/video0 
>> getfacl: Removing leading '/' from absolute path names
>> # file: dev/video0
>> # owner: root
>> # group: video
>> user::rw-
>> user:marusich:rw-
>> group::rw-
>> mask::rw-
>> other::---
>
> Good question, I see the same thing here.
>
> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
> that, and there’s no code in eudev that fiddles with ACLs either, and
> nothing obvious in devtmpfs.c in Linux.  So… it’s a mystery.
>
> Ludo’.

Danny Milosavljevic <dannym <at> scratchpost.org> writes:

> On Thu, 27 Jun 2019 15:45:33 +0200
> Ludovic Courtès <ludo <at> gnu.org> wrote:
>
>> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
>> that, and there’s no code in eudev that fiddles with ACLs either, and
>> nothing obvious in devtmpfs.c in Linux.  So… it’s a mystery.
>
> Might be elogind.  It sets some ACLs on login.

Might be.

I am content knowing that on Guix System, the intended way to control
access to /dev/kvm is by using the "kvm" group.  However, it still
smells like we may have an ACL-related bug: It seems to be unexpected
that ACLs are getting set for some devices (e.g., /dev/video0), but not
for others (e.g., /dev/kvm).

What do you think?

-- 
Chris

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 5 years and 338 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.