Control: tags -1 + moreinfo

On 05.02.21 at 10:44, Christopher Obbard wrote:
> Currently systemd is built with -Ddev-kvm-mode=0660 which sets the udev rule up to tag /dev/kvm as uaccess. In systemd v236 the uaccess tag was dropped from /dev/kvm (as well as /dev/dri/renderD*) and the default permissions were changed to 0666.
Not quite correct, see for v247:

70-uaccess.rules:SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"

and we also have

50-udev-default.rules:KERNEL=="kvm", GROUP="kvm", MODE="0660", OPTIONS+="static_node=kvm"
> In debos (Debian Image Builder) we create a virtual machine (usually KVM by default) and suggest users use docker containers containing the KVM runtime for reproducibility. Since the permissions on /dev/kvm are tagged as uaccess, this doesn't get picked up by the container. So, it would be really helpful if we could put 0666 permissions on /dev/kvm by default.
A logged-in user should get access via the uaccess tag. If you need some unprivileged background service without an active logind session, you can grant that particular access via a static group membership.
This should cover all relevant use cases, no?

Michael
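The two access paths named in the reply above can be told apart from `getfacl -n /dev/kvm` output, since the uaccess tag results in a per-user ACL entry for the active session's user while `GROUP="kvm", MODE="0660"` covers static group members. This is an added example, not part of the original mail or of systemd; the uid 1000, the kvm gid 106 and the sample output are constructed, and root's permission bypass is not modelled.

```python
import re

SAMPLE = """# file: dev/kvm
# owner: 0
# group: 106
user::rw-
user:1000:rw-
group::rw-
mask::rw-
other::---
"""  # constructed `getfacl -n /dev/kvm` output: uid 1000 is the logged-in user

def parse_getfacl(text):
    """Parse `getfacl -n` output into owner/group ids and ACL entries."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"#\s*(owner|group):\s*(\d+)$", line)
        if m:
            acl[m.group(1)] = int(m.group(2))
        elif line and not line.startswith("#"):
            tag, qual, perms = line.split(":")[:3]
            acl["entries"].append((tag, int(qual) if qual else None, perms[:3]))
    return acl

def explain_rw(acl, uid, gids):
    """Name the ACL entry that gives uid read+write, following acl(5) order."""
    ents = acl["entries"]
    rw = lambda p: p[0] == "r" and p[1] == "w"
    mask = next((p for t, q, p in ents if t == "mask"), "rwx")
    masked = lambda p: "".join(c if c == m else "-" for c, m in zip(p, mask))
    if uid == acl["owner"]:
        p = next(p for t, q, p in ents if t == "user" and q is None)
        return "owner" if rw(p) else "denied"
    for t, q, p in ents:
        if t == "user" and q == uid:  # the kind of entry uaccess produces
            return "named-user ACL (uaccess)" if rw(masked(p)) else "denied"
    grp = [p for t, q, p in ents if t == "group"
           and (q in gids or (q is None and acl["group"] in gids))]
    if grp:
        return "group membership" if any(rw(masked(p)) for p in grp) else "denied"
    p = next(p for t, q, p in ents if t == "other")
    return "world-accessible mode" if rw(p) else "denied"

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE)
    for who, uid, gids in [("session user", 1000, [1000]),
                           ("service, no kvm group", 999, [999]),
                           ("service in kvm group", 999, [999, 106])]:
        print(f"{who}: {explain_rw(acl, uid, gids)}")
```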
