unofficial mirror of bug-guix@gnu.org 
* bug#36335: Is /dev/kvm missing ACLs?
@ 2019-06-23  4:20 Chris Marusich
  2019-06-24 19:54 ` Ludovic Courtès
  0 siblings, 1 reply; 8+ messages in thread
From: Chris Marusich @ 2019-06-23  4:20 UTC (permalink / raw)
  To: 36335

Hi,

I was trying to run some VMs via "guix system vm", and I noticed that
I didn't have permission to use KVM.  This issue can be worked around by
running qemu as root, or by adding yourself to the "kvm" group.
However, I found it curious that the /dev/kvm device didn't have ACLs
granting me access:

--8<---------------cut here---------------start------------->8---
$ getfacl /dev/kvm
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
group::rw-
other::---
--8<---------------cut here---------------end--------------->8---

Is it expected that on Guix System, /dev/kvm does not by default receive
ACLs granting me access?  I'm logged into a GNOME session via GDM, and I
was under the impression that logind or udevd would automatically set up
ACLs for me to access local devices, such as /dev/kvm and /dev/sr0, in
this case.

Note that I DO have ACLs for some other devices, such as video0:

--8<---------------cut here---------------start------------->8---
$ getfacl /dev/video0
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:marusich:rw-
group::rw-
mask::rw-
other::---
--8<---------------cut here---------------end--------------->8---

-- 
Chris
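
Added example (not code from the thread or from Guix): a small POSIX.1e ACL evaluator run over constructed copies of the two getfacl listings above. It shows why the login user reaches /dev/video0 through the named-user entry but gets nothing on /dev/kvm unless a member of the kvm group; user and group names other than marusich, kvm and video are assumptions.

```python
# Added example: POSIX.1e access check run over constructed copies of the two
# getfacl listings in this thread.  Order: owner entry, named-user entry,
# owning/named group entries (any match grants), other; named-user and group
# entries are filtered through the mask entry when one is present.
KVM_ACL = """\
# owner: root
# group: kvm
user::rw-
group::rw-
other::---
"""
VIDEO0_ACL = """\
# owner: root
# group: video
user::rw-
user:marusich:rw-
group::rw-
mask::rw-
other::---
"""

def parse_getfacl(text):
    """Return (owner, group, entries); entries maps (tag, qualifier) to a perm set."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        if line.startswith("# owner: "):
            owner = line[9:]
        elif line.startswith("# group: "):
            group = line[9:]
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")
            entries[(tag, qualifier)] = set(perms.replace("-", ""))
    return owner, group, entries

def effective_perms(acl_text, user, groups):
    """Permission set `user` (a member of `groups`) gets under acl_text."""
    owner, owning_group, entries = parse_getfacl(acl_text)
    mask = entries.get(("mask", ""), set("rwx"))   # no mask entry: no filtering
    if user == owner:                              # owner entry is never masked
        return entries[("user", "")]
    if ("user", user) in entries:                  # named-user entry checked next
        return entries[("user", user)] & mask
    grp, hit = set(), False
    if owning_group in groups:
        grp, hit = grp | (entries[("group", "")] & mask), True
    for g in groups:
        if ("group", g) in entries:
            grp, hit = grp | (entries[("group", g)] & mask), True
    return grp if hit else entries[("other", "")]
```

Running `effective_perms(KVM_ACL, "marusich", ["users"])` yields the empty set, matching the "no permission to use KVM" symptom, while the same call with "kvm" added to the groups yields read and write.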

* bug#36335: Is /dev/kvm missing ACLs?
  2019-06-23  4:20 bug#36335: Is /dev/kvm missing ACLs? Chris Marusich
@ 2019-06-24 19:54 ` Ludovic Courtès
  2019-06-27  6:32   ` Chris Marusich
  0 siblings, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2019-06-24 19:54 UTC (permalink / raw)
  To: Chris Marusich; +Cc: 36335

Hi Chris,

Chris Marusich <cmmarusich@gmail.com> skribis:

> I was trying to run some VMs via "guix system vm", and I noticed that
> I didn't have permission to use KVM.  This issue can be worked around by
> running qemu as root, or by adding yourself to the "kvm" group.
> However, I found it curious that the /dev/kvm device didn't have ACLs
> granting me access:
>
> $ getfacl /dev/kvm
> getfacl: Removing leading '/' from absolute path names
> # file: dev/kvm
> # owner: root
> # group: kvm
> user::rw-
> group::rw-
> other::---
>
>
> Is it expected that on Guix System, /dev/kvm does not by default receive
> ACLs granting me access?

Guix System doesn’t use ACLs at all.

However, the udev rule for kvm sets it up like this:

  crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm

and the build users are part of the ‘kvm’ group.  I personally arrange
to have my user account in that group too.

Thanks,
Ludo’.

* bug#36335: Is /dev/kvm missing ACLs?
  2019-06-24 19:54 ` Ludovic Courtès
@ 2019-06-27  6:32   ` Chris Marusich
  2019-06-27 13:45     ` Ludovic Courtès
  0 siblings, 1 reply; 8+ messages in thread
From: Chris Marusich @ 2019-06-27  6:32 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 36335

Hi Ludo,

Ludovic Courtès <ludo@gnu.org> writes:

> Guix System doesn’t use ACLs at all.
>
> However, the udev rule for kvm sets it up like this:
>
>   crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>
> and the build users are part of the ‘kvm’ group.  I personally arrange
> to have my user account in that group too.

It's good to know that the "kvm" group is the right way to grant
permissions.  However, if Guix System doesn't use ACLs, then why do some
of my device files have ACLs on them, such as the video device file?

--8<---------------cut here---------------start------------->8---
$ getfacl /dev/video0 
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:marusich:rw-
group::rw-
mask::rw-
other::---
--8<---------------cut here---------------end--------------->8---

-- 
Chris

* bug#36335: Is /dev/kvm missing ACLs?
  2019-06-27  6:32   ` Chris Marusich
@ 2019-06-27 13:45     ` Ludovic Courtès
  2019-07-01  8:41       ` Danny Milosavljevic
  2019-07-10  6:23       ` Chris Marusich
  0 siblings, 2 replies; 8+ messages in thread
From: Ludovic Courtès @ 2019-06-27 13:45 UTC (permalink / raw)
  To: Chris Marusich; +Cc: 36335

Hi Chris,

Chris Marusich <cmmarusich@gmail.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Guix System doesn’t use ACLs at all.
>>
>> However, the udev rule for kvm sets it up like this:
>>
>>   crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>>
>> and the build users are part of the ‘kvm’ group.  I personally arrange
>> to have my user account in that group too.
>
> It's good to know that the "kvm" group is the right way to grant
> permissions.  However, if Guix System doesn't use ACLs, then why do some
> of my device files have ACLs on them, such as the video device file?
>
> $ getfacl /dev/video0 
> getfacl: Removing leading '/' from absolute path names
> # file: dev/video0
> # owner: root
> # group: video
> user::rw-
> user:marusich:rw-
> group::rw-
> mask::rw-
> other::---

Good question, I see the same thing here.

I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
that, and there’s no code in eudev that fiddles with ACLs either, and
nothing obvious in devtmpfs.c in Linux.  So… it’s a mystery.

Ludo’.

* bug#36335: Is /dev/kvm missing ACLs?
  2019-06-27 13:45     ` Ludovic Courtès
@ 2019-07-01  8:41       ` Danny Milosavljevic
  2019-07-10  6:23       ` Chris Marusich
  1 sibling, 0 replies; 8+ messages in thread
From: Danny Milosavljevic @ 2019-07-01  8:41 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 36335

On Thu, 27 Jun 2019 15:45:33 +0200
Ludovic Courtès <ludo@gnu.org> wrote:

> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
> that, and there’s no code in eudev that fiddles with ACLs either, and
> nothing obvious in devtmpfs.c in Linux.  So… it’s a mystery.

Might be elogind.  It sets some ACLs on login.


* bug#36335: Is /dev/kvm missing ACLs?
  2019-06-27 13:45     ` Ludovic Courtès
  2019-07-01  8:41       ` Danny Milosavljevic
@ 2019-07-10  6:23       ` Chris Marusich
  2019-07-10 17:10         ` Ludovic Courtès
  1 sibling, 1 reply; 8+ messages in thread
From: Chris Marusich @ 2019-07-10  6:23 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 36335

Ludovic Courtès <ludo@gnu.org> writes:

> Hi Chris,
>
> Chris Marusich <cmmarusich@gmail.com> skribis:
>
>> Ludovic Courtès <ludo@gnu.org> writes:
>>
>>> Guix System doesn’t use ACLs at all.
>>>
>>> However, the udev rule for kvm sets it up like this:
>>>
>>>   crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>>>
>>> and the build users are part of the ‘kvm’ group.  I personally arrange
>>> to have my user account in that group too.
>>
>> It's good to know that the "kvm" group is the right way to grant
>> permissions.  However, if Guix System doesn't use ACLs, then why do some
>> of my device files have ACLs on them, such as the video device file?
>>
>> $ getfacl /dev/video0 
>> getfacl: Removing leading '/' from absolute path names
>> # file: dev/video0
>> # owner: root
>> # group: video
>> user::rw-
>> user:marusich:rw-
>> group::rw-
>> mask::rw-
>> other::---
>
> Good question, I see the same thing here.
>
> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
> that, and there’s no code in eudev that fiddles with ACLs either, and
> nothing obvious in devtmpfs.c in Linux.  So… it’s a mystery.
>
> Ludo’.

Danny Milosavljevic <dannym@scratchpost.org> writes:

> On Thu, 27 Jun 2019 15:45:33 +0200
> Ludovic Courtès <ludo@gnu.org> wrote:
>
>> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
>> that, and there’s no code in eudev that fiddles with ACLs either, and
>> nothing obvious in devtmpfs.c in Linux.  So… it’s a mystery.
>
> Might be elogind.  It sets some ACLs on login.

Might be.

I am content knowing that on Guix System, the intended way to control
access to /dev/kvm is by using the "kvm" group.  However, it still
smells like we may have an ACL-related bug: It seems to be unexpected
that ACLs are getting set for some devices (e.g., /dev/video0), but not
for others (e.g., /dev/kvm).

What do you think?

-- 
Chris

* bug#36335: Is /dev/kvm missing ACLs?
  2019-07-10  6:23       ` Chris Marusich
@ 2019-07-10 17:10         ` Ludovic Courtès
  2019-07-11  7:18           ` Danny Milosavljevic
  0 siblings, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2019-07-10 17:10 UTC (permalink / raw)
  To: Chris Marusich; +Cc: 36335

Hi,

Chris Marusich <cmmarusich@gmail.com> skribis:

> I am content knowing that on Guix System, the intended way to control
> access to /dev/kvm is by using the "kvm" group.  However, it still
> smells like we may have an ACL-related bug: It seems to be unexpected
> that ACLs are getting set for some devices (e.g., /dev/video0), but not
> for others (e.g., /dev/kvm).
>
> What do you think?

I agree.  I’d like to have a definite answer as to where these come
from; elogind was suspect #1 but I haven’t found anything conclusive.

Ludo’.

* bug#36335: Is /dev/kvm missing ACLs?
  2019-07-10 17:10         ` Ludovic Courtès
@ 2019-07-11  7:18           ` Danny Milosavljevic
  0 siblings, 0 replies; 8+ messages in thread
From: Danny Milosavljevic @ 2019-07-11  7:18 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 36335

auditd can find those acl setters :)

# auditctl -w /dev/kvm -p a -k kvm-acl-setter-foo

Later on:

# ausearch -k kvm-acl-setter-foo
