From: Chris Marusich
Subject: bug#36335: Is /dev/kvm missing ACLs?
Date: Tue, 09 Jul 2019 23:23:28 -0700
Message-ID: <87lfx6l867.fsf_-_@gmail.com>
To: Ludovic Courtès
Cc: 36335@debbugs.gnu.org

Ludovic Courtès writes:

> Hi Chris,
>
> Chris Marusich wrote:
>
>> Ludovic Courtès writes:
>>
>>> Guix System doesn’t use ACLs at all.
>>>
>>> However, the udev rule for kvm sets it up like this:
>>>
>>>   crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>>>
>>> and the build users are part of the ‘kvm’ group.  I personally arrange
>>> to have my user account in that group too.
>>
>> It's good to know that the "kvm" group is the right way to grant
>> permissions.  However, if Guix System doesn't use ACLs, then why do some
>> of my device files have ACLs on them, such as the video device file?
>>
>>   $ getfacl /dev/video0
>>   getfacl: Removing leading '/' from absolute path names
>>   # file: dev/video0
>>   # owner: root
>>   # group: video
>>   user::rw-
>>   user:marusich:rw-
>>   group::rw-
>>   mask::rw-
>>   other::---
>
> Good question, I see the same thing here.
>
> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
> that, and there’s no code in eudev that fiddles with ACLs either, and
> nothing obvious in devtmpfs.c in Linux.  So… it’s a mystery.
>
> Ludo’.

Danny Milosavljevic writes:

> On Thu, 27 Jun 2019 15:45:33 +0200
> Ludovic Courtès wrote:
>
>> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
>> that, and there’s no code in eudev that fiddles with ACLs either, and
>> nothing obvious in devtmpfs.c in Linux.  So… it’s a mystery.
>
> Might be elogind. It sets some ACLs on login.

Might be.

I am content knowing that on Guix System, the intended way to control
access to /dev/kvm is by using the "kvm" group.  However, it still
smells like we may have an ACL-related bug: It seems to be unexpected
that ACLs are getting set for some devices (e.g., /dev/video0), but not
for others (e.g., /dev/kvm).  What do you think?

--
Chris
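
An added example, not part of the original message or of Guix: a small Python parser for `getfacl` text output that lists the named user/group entries on each device node, which is the difference between /dev/video0 and /dev/kvm discussed above. The /dev/kvm block in the sample is constructed from the mode bits quoted in the thread, and the function names are illustrative.

```python
# Constructed sample: the first block is the getfacl output quoted in the thread;
# the /dev/kvm block is built from the 'crw-rw---- root kvm' mode it mentions.
SAMPLE = """\
# file: dev/video0
# owner: root
# group: video
user::rw-
user:marusich:rw-
group::rw-
mask::rw-
other::---

# file: dev/kvm
# owner: root
# group: kvm
user::rw-
group::rw-
other::---
"""

def parse_getfacl(text):
    """Return {path: [(tag, qualifier, perms), ...]} from getfacl text output."""
    files, entries = {}, None
    for line in text.splitlines():
        line = line.split("\t")[0].strip()   # drop trailing '#effective:' notes
        if line.startswith("# file: "):
            entries = files.setdefault(line[len("# file: "):], [])
        elif entries is not None and line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perms))
    return files

def effective(perms, mask):
    """Named entries and the owning group are capped by the mask entry."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def audit(text):
    """Map each path to its named user/group entries (the 'extended' part of an ACL)."""
    result = {}
    for path, entries in parse_getfacl(text).items():
        mask = next((p for t, _, p in entries if t == "mask"), "rwx")
        result[path] = [(t, q, effective(p, mask))
                        for t, q, p in entries if t in ("user", "group") and q]
    return result

if __name__ == "__main__":
    for path, extra in audit(SAMPLE).items():
        print(path, extra if extra else "mode bits only, no named entries")
```

A node with an empty list is governed by owner/group/other mode bits alone, so group membership (here ‘kvm’) is the only way in; a non-empty list shows which accounts were granted access through an ACL entry.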