GNU bug report logs - #36335
Is /dev/kvm missing ACLs?

Please note: This is a static page, with minimal formatting, updated once a day.

Package: guix; Reported by: Chris Marusich <cmmarusich@HIDDEN>; dated Sun, 23 Jun 2019 04:21:02 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 36335 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Chris Marusich <cmmarusich@HIDDEN>
Subject: Re: bug#36335: Is /dev/kvm missing ACLs?
Date: Mon, 24 Jun 2019 21:54:54 +0200
Cc: 36335 <at> debbugs.gnu.org

Hi Chris,

Chris Marusich <cmmarusich@HIDDEN> writes:

> I was trying to run some VMs via "guix system vm", and I noticed that
> I didn't have permission to use KVM.  This issue can be worked around by
> running qemu as root, or by adding yourself to the "kvm" group.
> However, I found it curious that the /dev/kvm device didn't have ACLs
> granting me access:
>
> $ getfacl /dev/kvm
> getfacl: Removing leading '/' from absolute path names
> # file: dev/kvm
> # owner: root
> # group: kvm
> user::rw-
> group::rw-
> other::---
>
>
> Is it expected that on Guix System, /dev/kvm does not by default receive
> ACLs granting me access?

Guix System doesn’t use ACLs at all.

However, the udev rule for kvm sets it up like this:

  crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm

and the build users are part of the ‘kvm’ group.  I personally arrange
to have my user account in that group too.

Thanks,
Ludo’.




Information forwarded to bug-guix@HIDDEN:
bug#36335; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Chris Marusich <cmmarusich@HIDDEN>
To: bug-guix@HIDDEN
Subject: Is /dev/kvm missing ACLs?
Date: Sat, 22 Jun 2019 21:20:03 -0700

Hi,

I was trying to run some VMs via "guix system vm", and I noticed that
I didn't have permission to use KVM.  This issue can be worked around by
running qemu as root, or by adding yourself to the "kvm" group.
However, I found it curious that the /dev/kvm device didn't have ACLs
granting me access:

--8<---------------cut here---------------start------------->8---
$ getfacl /dev/kvm
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
group::rw-
other::---
--8<---------------cut here---------------end--------------->8---

Is it expected that on Guix System, /dev/kvm does not by default receive
ACLs granting me access?  I'm logged into a GNOME session via GDM, and I
was under the impression that logind or udevd would automatically set up
ACLs for me to access local devices, such as /dev/kvm and /dev/sr0, in
this case.

Note that I DO have ACLs for some other devices, such as video0:

--8<---------------cut here---------------start------------->8---
$ getfacl /dev/video0
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:marusich:rw-
group::rw-
mask::rw-
other::---
--8<---------------cut here---------------end--------------->8---

-- 
Chris




Acknowledgement sent to Chris Marusich <cmmarusich@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#36335; Package guix. Full text available.
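
Added example, not part of the original thread or of Guix: a shell function that applies the access-check order from acl(5) to the two getfacl listings quoted in the report, showing why marusich falls through to `other::---` on /dev/kvm unless a member of the kvm group, while the named-user entry grants access on /dev/video0. The names `acl_check`, `kvm_acl` and `video0_acl` are hypothetical, and the `users` group membership is an assumption.

```shell
# acl_check USER GROUPS PERMS < getfacl-output   (hypothetical helper)
# Prints the ACL entry that decides access, in the order given by acl(5):
# owner, named user, owning/named groups, other. GROUPS is comma-separated.
acl_check() {
  awk -v user="$1" -v groups="$2" -v want="$3" '
    function has(p,   i) {             # does p contain every requested bit?
      for (i = 1; i <= length(want); i++)
        if (!index(p, substr(want, i, 1))) return 0
      return 1
    }
    function masked(p,   i, c, out) {  # mask:: caps named and group entries
      if (mask == "") return p
      for (i = 1; i <= 3; i++) {
        c = substr(p, i, 1)
        out = out ((c != "-" && index(mask, c)) ? c : "-")
      }
      return out
    }
    function report(p, entry) {
      if (has(p)) print "granted via " entry; else print "denied by " entry
    }
    /^# owner: / { owner = $3 }
    /^# group: / { ogroup = $3 }
    /^#/ { next }
    {
      sub(/[ \t]*#.*/, "")             # drop "#effective:" annotations
      split($0, f, ":")
      if      (f[1] == "mask")  mask = f[3]
      else if (f[1] == "other") other = f[3]
      else if (f[1] == "user")  { if (f[2] == "") uobj = f[3]; else nuser[f[2]] = f[3] }
      else if (f[1] == "group") { if (f[2] == "") gobj = f[3]; else ngroup[f[2]] = f[3] }
    }
    END {
      n = split(groups, g, ",")
      if (user == owner) { report(uobj, "user::"); exit }
      if (user in nuser) { report(masked(nuser[user]), "user:" user); exit }
      for (i = 1; i <= n; i++) {
        if (g[i] == ogroup) { hit = 1; if (has(masked(gobj))) { print "granted via group::"; exit } }
        if (g[i] in ngroup) { hit = 1; if (has(masked(ngroup[g[i]]))) { print "granted via group:" g[i]; exit } }
      }
      if (hit) print "denied by group entries"; else report(other, "other::")
    }
  '
}
# ACL entries copied from the two getfacl listings in the report.
kvm_acl()    { printf '%s\n' '# owner: root' '# group: kvm' 'user::rw-' 'group::rw-' 'other::---'; }
video0_acl() { printf '%s\n' '# owner: root' '# group: video' 'user::rw-' 'user:marusich:rw-' 'group::rw-' 'mask::rw-' 'other::---'; }
# The group list "users" is assumed; the report does not state it.
kvm_acl    | acl_check marusich users     rw
kvm_acl    | acl_check marusich users,kvm rw
video0_acl | acl_check marusich users     rw
```

On a live system the same function can read `getfacl /dev/kvm 2>/dev/null` directly in place of the embedded listings.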
Last modified: Mon, 24 Jun 2019 20:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.