Re: [systemd-devel] How to give users permissions to /dev/kfd

2017-10-24 Thread Lennart Poettering
On Mo, 16.10.17 12:32, Simon McVittie (s...@collabora.com) wrote:

> On Sat, 14 Oct 2017 at 17:50:33 +0300, Mantas Mikulėnas wrote:
> > No, it's only available for local sessions (ones which systemd-logind
> > considers "local" + "active"). I think the idea is that console users
> > automatically get more privileges in general.
> 
> Specifically, the idea is that console users should have access to
> devices that are the machine representation of things they can physically
> access anyway. The classic example is audio. If Alice is sitting at a
> desktop/laptop computer and Bob is ssh'd in to the same computer, it's
> fine for Alice to be able to record the same audio that she can hear
> already; but it is usually not OK for Bob to be able to record audio
> because that would let him spy on Alice.
> 
> Similarly, logind defaults to allowing local active users to shut down
> the machine (because they are likely to be in a position to pull the
> plug or remove the battery anyway), but not remote users (to prevent
> them from causing denial-of-service for local users or other remote users).
> 
> > For SSH-only usage, use traditional groups (e.g. add yourself to the "video"
> > group). To assign group ownership to /dev/kfd, use GROUP="foo" in udev rules.
> 
> And, yes, the way to bypass the "only local users" bit is to add your uid
> to an appropriate group, which is a way of saying: this user has special
> privileges, and can access something (in your case video) even when not
> physically present.

For the sake of the archives this discussion more or less moved to:

https://github.com/systemd/systemd/pull/7112

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel


Re: [systemd-devel] How to give users permissions to /dev/kfd

2017-10-16 Thread Simon McVittie
On Sat, 14 Oct 2017 at 17:50:33 +0300, Mantas Mikulėnas wrote:
> No, it's only available for local sessions (ones which systemd-logind
> considers "local" + "active"). I think the idea is that console users
> automatically get more privileges in general.

Specifically, the idea is that console users should have access to
devices that are the machine representation of things they can physically
access anyway. The classic example is audio. If Alice is sitting at a
desktop/laptop computer and Bob is ssh'd in to the same computer, it's
fine for Alice to be able to record the same audio that she can hear
already; but it is usually not OK for Bob to be able to record audio
because that would let him spy on Alice.

Similarly, logind defaults to allowing local active users to shut down
the machine (because they are likely to be in a position to pull the
plug or remove the battery anyway), but not remote users (to prevent
them from causing denial-of-service for local users or other remote users).

> For SSH-only usage, use traditional groups (e.g. add yourself to the "video"
> group). To assign group ownership to /dev/kfd, use GROUP="foo" in udev rules.

And, yes, the way to bypass the "only local users" bit is to add your uid
to an appropriate group, which is a way of saying: this user has special
privileges, and can access something (in your case video) even when not
physically present.

smcv


Re: [systemd-devel] How to give users permissions to /dev/kfd

2017-10-14 Thread Mantas Mikulėnas
On Sat, Oct 14, 2017 at 1:07 AM, Tom Stellard wrote:

> On 10/12/2017 09:04 PM, Mantas Mikulėnas wrote:
> > On Fri, Oct 13, 2017, 00:30 Tom Stellard wrote:
> >
> > Hi,
> >
> > The amdkfd kernel driver exposes the /dev/kfd device file for doing gpgpu
> > computing on AMD GPUs, I would like to setup the permissions on this device
> > file, so that regular users can access it.  I think it makes sense to
> > try to copy what is being done for the other GPU device files, like
> > /dev/dri/cardX.
> > I can see the udev rules for these /dev/dri/cardX, but on my system it
> > looks like something is giving users access to these files using access
> > control lists (acls), but I'm not sure where the acls are being modified.
> > Is systemd only responsible for the udev rules or is there something else
> > in systemd I need to modify to get the acls set correctly?
> >
> >
> > udev applies these ACLs to all devices tagged with TAG+="uaccess" from
> > udev rules.
> >
> > (The tagging is kind of an internal detail and your rules are supposed
> > to use ENV{ID_this_and_that}, but... for personal use it works well enough.)
> >
> > Just make sure you get the rule ordering right, I think
> > 71-something.rules is a good place. I can't check right now, might be
> > remembering wrong.
> >
>
> Thanks.  I've been experimenting with this, and I noticed that the ACLs are
> not set when I login to the machine via ssh.  Is there something else I
> need to do to get these ACLs enabled for ssh sessions?
>

No, it's only available for local sessions (ones which systemd-logind
considers "local" + "active"). I think the idea is that console users
automatically get more privileges in general.

*(To update my last mail, I *think* the actual ACL setting is done by both
udev (when the device first shows up) and systemd-logind (when sessions are
switched).)*

For SSH-only usage, use traditional groups (e.g. add yourself to the
"video" group). To assign group ownership to /dev/kfd, use GROUP="foo" in
udev rules.

-- 
Mantas Mikulėnas 
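The two approaches from the message above (a uaccess tag for local active sessions, group ownership for ssh users) can be checked with a small rule lint. This is an added example, not part of the thread or of systemd; the file names and sample rules are constructed, and it assumes the uaccess ACL is applied by systemd's 73-seat-late.rules, which is why rule ordering matters.

```shell
#!/bin/sh
# Added example: lint udev rule files that open up a device node such as /dev/kfd.
# Assumption (not stated in the thread): the uaccess ACL is applied by
# systemd's 73-seat-late.rules, so the tag must be set in an earlier file.

lint_rules() {  # usage: lint_rules DIR -> one "file: verdict" line per finding
    for f in "$1"/*.rules; do
        [ -e "$f" ] || continue
        base=${f##*/}
        # udev reads rule files in lexical order of their names
        first=$(printf '%s\n' "$base" 73-seat-late.rules | LC_ALL=C sort | head -n 1)
        while IFS= read -r line; do
            case $line in ''|'#'*) continue ;; esac
            case $line in *'TAG+="uaccess"'*)
                if [ "$first" = "$base" ] && [ "$base" != 73-seat-late.rules ]; then
                    echo "$base: uaccess ACL for local active sessions only"
                else
                    echo "$base: INEFFECTIVE uaccess tag set too late"
                fi ;;
            esac
            case $line in *'GROUP="'*)
                g=${line#*GROUP=\"}; g=${g%%\"*}
                echo "$base: group-owned by '$g' (applies to every session, ssh included)" ;;
            esac
            case $line in *'MODE="'*)
                m=${line#*MODE=\"}; m=${m%%\"*}
                case ${m#"${m%?}"} in   # last octal digit = permissions for "other"
                    [2367]) echo "$base: WEAK mode $m lets every user write" ;;
                esac ;;
            esac
        done < "$f"
    done
}

make_samples() {  # constructed sample rules, not taken from the thread
    echo 'KERNEL=="kfd", TAG+="uaccess"' > "$1/71-kfd-local.rules"
    echo 'KERNEL=="kfd", GROUP="video", MODE="0660"' > "$1/72-kfd-group.rules"
    echo 'KERNEL=="kfd", TAG+="uaccess"' > "$1/90-kfd-late.rules"
    echo 'KERNEL=="kfd", MODE="0666"' > "$1/91-kfd-open.rules"
}

d=$(mktemp -d) && make_samples "$d" && lint_rules "$d"
rm -rf "$d"
```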


Re: [systemd-devel] How to give users permissions to /dev/kfd

2017-10-13 Thread Tom Stellard
On 10/12/2017 09:04 PM, Mantas Mikulėnas wrote:
> On Fri, Oct 13, 2017, 00:30 Tom Stellard wrote:
> 
> Hi,
> 
> The amdkfd kernel driver exposes the /dev/kfd device file for doing gpgpu
> computing on AMD GPUs, I would like to setup the permissions on this device
> file, so that regular users can access it.  I think it makes sense to
> try to copy what is being done for the other GPU device files, like
> /dev/dri/cardX.
> I can see the udev rules for these /dev/dri/cardX, but on my system it
> looks like something is giving users access to these files using access
> control lists (acls), but I'm not sure where the acls are being modified.
> Is systemd only responsible for the udev rules or is there something else
> in systemd I need to modify to get the acls set correctly?
> 
> 
> udev applies these ACLs to all devices tagged with TAG+="uaccess" from udev
> rules.
> 
> (The tagging is kind of an internal detail and your rules are supposed to use
> ENV{ID_this_and_that}, but... for personal use it works well enough.)
> 
> Just make sure you get the rule ordering right, I think 71-something.rules is
> a good place. I can't check right now, might be remembering wrong.
> 

Thanks.  I've been experimenting with this, and I noticed that the ACLs are
not set when I login to the machine via ssh.  Is there something else I need
to do to get these ACLs enabled for ssh sessions?

Thanks,
Tom

> -- 
> 
> Mantas Mikulėnas
> Sent from my phone
> 



Re: [systemd-devel] How to give users permissions to /dev/kfd

2017-10-12 Thread Mantas Mikulėnas
On Fri, Oct 13, 2017, 00:30 Tom Stellard wrote:

> Hi,
>
> The amdkfd kernel driver exposes the /dev/kfd device file for doing gpgpu
> computing on AMD GPUs, I would like to setup the permissions on this device
> file, so that regular users can access it.  I think it makes sense to
> try to copy what is being done for the other GPU device files, like
> /dev/dri/cardX.
> I can see the udev rules for these /dev/dri/cardX, but on my system it
> looks like something is giving users access to these files using access
> control lists (acls), but I'm not sure where the acls are being modified.
> Is systemd only responsible for the udev rules or is there something else
> in systemd I need to modify to get the acls set correctly?
>

udev applies these ACLs to all devices tagged with TAG+="uaccess" from udev
rules.

(The tagging is kind of an internal detail and your rules are supposed to
use ENV{ID_this_and_that}, but... for personal use it works well enough.)

Just make sure you get the rule ordering right, I think 71-something.rules
is a good place. I can't check right now, might be remembering wrong.

-- 

Mantas Mikulėnas 
Sent from my phone


[systemd-devel] How to give users permissions to /dev/kfd

2017-10-12 Thread Tom Stellard
Hi,

The amdkfd kernel driver exposes the /dev/kfd device file for doing gpgpu
computing on AMD GPUs, I would like to setup the permissions on this device
file, so that regular users can access it.  I think it makes sense to
try to copy what is being done for the other GPU device files, like
/dev/dri/cardX.
I can see the udev rules for these /dev/dri/cardX, but on my system it
looks like something is giving users access to these files using access
control lists (acls), but I'm not sure where the acls are being modified.
Is systemd only responsible for the udev rules or is there something else
in systemd I need to modify to get the acls set correctly?

Thanks,
Tom