Is /dev/kvm missing ACLs?

  • Open
  • quality assurance status badge
Details
3 participants
  • Chris Marusich
  • Danny Milosavljevic
  • Ludovic Courtès
Owner
unassigned
Submitted by
Chris Marusich
Severity
normal
C
C
Chris Marusich wrote on 23 Jun 2019 06:20
(address . bug-guix@gnu.org)
87sgs1c4r0.fsf@gmail.com
Hi,

I was trying to run some VMs via "guix system vm", and I noticed that
I didn't have permission to use KVM. This issue can be worked around by
running qemu as root, or by adding yourself to the "kvm" group.
However, I found it curious that the /dev/kvm device didn't have ACLs
granting me access:

Toggle snippet (10 lines)
$ getfacl /dev/kvm
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
group::rw-
other::---

Is it expected that on Guix System, /dev/kvm does not by default receive
ACLs granting me access? I'm logged into a GNOME session via GDM, and I
was under the impression that logind or udevd would automatically set up
ACLs for me to access local devices, such as /dev/kvm and /dev/sr0, in
this case.

Note that I DO have ACLs for some other devices, such as video0:

Toggle snippet (12 lines)
$ getfacl /dev/video0
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:marusich:rw-
group::rw-
mask::rw-
other::---

--
Chris
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEy/WXVcvn5+/vGD+x3UCaFdgiRp0FAl0O/fMACgkQ3UCaFdgi
Rp3oTw//c+BeaSCb0JZaRk5Bj80bswCV9Wll9cOLAymneGeZ8RB73JquD/aMtFWN
9sdueKSK9X7HOy/v247PNzBwZ8K8axOFFgCd1jsI9LVgUNT4xdCsZgGDYoEYjbbQ
oGWmr4hY/L3i3aVlVl2QLxBTd+af3HnVm1xSYWWAfxBcdprf7gn+a9lJ40jbP4XE
CT4n920J9C17aLnPBrx34RHcLFZXsoEt9JLixQopmgV8l3uD1NlCbG9p9cVJeG17
mk1RraAZZaGe0jb433QcZrrdwKkbk7OrQmS1LxqnMau2Q4seLbew1BDwtpB3LAjo
jQ9SA24sXTjqtV/2zxpiRfA0dgWNxAzXCVYJLKRiHfyhDg56VUcSN86qdrVMVgm4
sMSO8hYazshjQZ6Lou76OuQNnRDKn/wRK4u24kBqurvlV+CvGlhwsdBLn+JGhArV
O6v4omOwESUaTnHXJbjnbqE2wDqHgXxQ9KEsEyNVhMs6w87upLj9cx/npvHv+9Z0
LFOzlS7TedfaKrQ9VglJIVnRIAl19/ImMZl3GXv4nEwISlTpViczQsl3FcSM+1jJ
2JmIrH4f/jEKWiAPnth0XjG/A7qDQdn2MbUOpbsIUzPr1CZAMzA8h5v/SVSoIrJ7
EG4iHbFHfLQZnsGeH4+swKNT4d5X8i0o2Gr+2CCrrDge3I+aw1Y=
=I5Ij
-----END PGP SIGNATURE-----

L
L
Ludovic Courtès wrote on 24 Jun 2019 21:54
(name . Chris Marusich)(address . cmmarusich@gmail.com)(address . 36335@debbugs.gnu.org)
87v9wu4v3l.fsf@gnu.org
Hi Chris,

Chris Marusich <cmmarusich@gmail.com> skribis:

Toggle quote (19 lines)
> I was trying to run some VMs via "guix system vm", and I noticed that
> I didn't have permission to use KVM. This issue can be worked around by
> running qemu as root, or by adding yourself to the "kvm" group.
> However, I found it curious that the /dev/kvm device didn't have ACLs
> granting me access:
>
> $ getfacl /dev/kvm
> getfacl: Removing leading '/' from absolute path names
> # file: dev/kvm
> # owner: root
> # group: kvm
> user::rw-
> group::rw-
> other::---
>
>
> Is it expected that on Guix System, /dev/kvm does not by default receive
> ACLs granting me access?

Guix System doesn’t use ACLs at all.

However, the udev rule for kvm sets it up like this:

crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm

and the build users are part of the ‘kvm’ group. I personally arrange
to have my user account in that group too.

Thanks,
Ludo’.
C
C
Chris Marusich wrote on 27 Jun 2019 08:32
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 36335@debbugs.gnu.org)
87d0izlere.fsf@gmail.com
Hi Ludo,

Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (9 lines)
> Guix System doesn’t use ACLs at all.
>
> However, the udev rule for kvm sets it up like this:
>
> crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>
> and the build users are part of the ‘kvm’ group. I personally arrange
> to have my user account in that group too.

It's good to know that the "kvm" group is the right way to grant
permissions. However, if Guix System doesn't use ACLs, then why do some
of my device files have ACLs on them, such as the video device file?

Toggle snippet (12 lines)
$ getfacl /dev/video0
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:marusich:rw-
group::rw-
mask::rw-
other::---

--
Chris
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEy/WXVcvn5+/vGD+x3UCaFdgiRp0FAl0UYwYACgkQ3UCaFdgi
Rp1dfxAAsK8bU+YALhclhjKNCJ6RiYbNK4PEMwnxtzpakqLyPAFc6y8fB3hpUge8
S+Pbgiz4LuSBY4iJQ/ZPSRHtyS4BtlmxLOEBe2opf7acXhXup1CelMk/RSHysIT6
sotZu1DhGJZliFsG8ksCjpJi17UCleBDNpIOOudzVZ5qf9oykuhIUh+4n05j8pX0
JXY+R5rfeaTPYBuqP1M4y0byk5ugwmIghh9Zbmq8hOOVg8Nbzj7hwD3CTtO8a3PJ
IhHvN0H7xXJIgzQtgJIkd1zG7mGXWwKdsZLgeDrEvOmWdEHac5+c2qxcnjRWViGM
GZsUWSYa+jlUXQLlM9JgtVpLXIZSK6DwdyK21J4gH5eYka8MRvBcRotk1lctqNGo
zemqvnFykt1Z4gzkZ3R3sSzRvHQG0rqyo7HtAxg7awoEt13YTV8aFoEBwJaIT1z+
ySFiSO449MMn81M3U4atJm6cVzGhtSSyQoiV+PcBXOmJmcZZ6gfm+oFheI6l54nZ
g/vdgftSNLeljwRT1jAlXkHHnzgxKBxTv3N4kvOtcPyuZUU2m6JwOiibhBVN0tCs
uWayKqXrZ+5mzotg+zf+fjNaP64OKu65saEYDhZv+mM5eRGrZMK/lzA8s68awM9e
Kh8DXB2jJJWQW8UhIpOjBhzDDvxLzlHPUk6M3E4E065V3Ht02Xg=
=LLpi
-----END PGP SIGNATURE-----

L
L
Ludovic Courtès wrote on 27 Jun 2019 15:45
(name . Chris Marusich)(address . cmmarusich@gmail.com)(address . 36335@debbugs.gnu.org)
87sgrv16rm.fsf@gnu.org
Hi Chris,

Chris Marusich <cmmarusich@gmail.com> skribis:

Toggle quote (26 lines)
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Guix System doesn’t use ACLs at all.
>>
>> However, the udev rule for kvm sets it up like this:
>>
>> crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>>
>> and the build users are part of the ‘kvm’ group. I personally arrange
>> to have my user account in that group too.
>
> It's good to know that the "kvm" group is the right way to grant
> permissions. However, if Guix System doesn't use ACLs, then why do some
> of my device files have ACLs on them, such as the video device file?
>
> $ getfacl /dev/video0
> getfacl: Removing leading '/' from absolute path names
> # file: dev/video0
> # owner: root
> # group: video
> user::rw-
> user:marusich:rw-
> group::rw-
> mask::rw-
> other::---

Good question, I see the same thing here.

I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
that, and there’s no code in eudev that fiddles with ACLs either, and
nothing obvious in devtmpfs.c in Linux. So… it’s a mystery.

Ludo’.
D
D
Danny Milosavljevic wrote on 1 Jul 2019 10:41
(name . Ludovic Courtès)(address . ludo@gnu.org)
20190701104114.0d0aca46@scratchpost.org
On Thu, 27 Jun 2019 15:45:33 +0200
Ludovic Courtès <ludo@gnu.org> wrote:

Toggle quote (4 lines)
> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
> that, and there’s no code in eudev that fiddles with ACLs either, and
> nothing obvious in devtmpfs.c in Linux. So… it’s a mystery.

Might be elogind. It sets some ACLs on login.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEds7GsXJ0tGXALbPZ5xo1VCwwuqUFAl0ZxyoACgkQ5xo1VCww
uqUNMQf5AUKYuUZigE1cx2lJR6Zc7kaSqXmrKmdrcObWh0ekKECd5x6805XbkSMQ
+jczH1z5SfbvamIGRUHV9/zPkkxjmqMQujrKiQskx4SF95J7/0Z9WtGDvEhMU0RA
tZte6SzpO+mU6uZI2zIl0o/CTh6Zv3xzwWLqF+L99xWza9NRxoa3f2NZeoHCMFU6
nFeAP5LJ2dbBemo+MTZoI2LvE9cnd595QjU0k/QMwS7DLyvyQ1gKnToPQR5gyoWh
buDQ5lzWfDY/c2aDFNTjTTrssNw8xSbQIT/QZg+WDaKrWeF2bwqHHNEckp9l6hai
8K/bfmDKHal1LNwHbZ/IHHT6EH62Zg==
=wTZy
-----END PGP SIGNATURE-----


C
C
Chris Marusich wrote on 10 Jul 2019 08:23
(name . Ludovic Courtès)(address . ludo@gnu.org)
87lfx6l867.fsf_-_@gmail.com
Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (38 lines)
> Hi Chris,
>
> Chris Marusich <cmmarusich@gmail.com> skribis:
>
>> Ludovic Courtès <ludo@gnu.org> writes:
>>
>>> Guix System doesn’t use ACLs at all.
>>>
>>> However, the udev rule for kvm sets it up like this:
>>>
>>> crw-rw---- 1 root kvm 10, 232 Jun 24 08:38 /dev/kvm
>>>
>>> and the build users are part of the ‘kvm’ group. I personally arrange
>>> to have my user account in that group too.
>>
>> It's good to know that the "kvm" group is the right way to grant
>> permissions. However, if Guix System doesn't use ACLs, then why do some
>> of my device files have ACLs on them, such as the video device file?
>>
>> $ getfacl /dev/video0
>> getfacl: Removing leading '/' from absolute path names
>> # file: dev/video0
>> # owner: root
>> # group: video
>> user::rw-
>> user:marusich:rw-
>> group::rw-
>> mask::rw-
>> other::---
>
> Good question, I see the same thing here.
>
> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
> that, and there’s no code in eudev that fiddles with ACLs either, and
> nothing obvious in devtmpfs.c in Linux. So… it’s a mystery.
>
> Ludo’.

Danny Milosavljevic <dannym@scratchpost.org> writes:

Toggle quote (9 lines)
> On Thu, 27 Jun 2019 15:45:33 +0200
> Ludovic Courtès <ludo@gnu.org> wrote:
>
>> I suspected a udev rule but ‘grep’ didn’t find any that explicitly does
>> that, and there’s no code in eudev that fiddles with ACLs either, and
>> nothing obvious in devtmpfs.c in Linux. So… it’s a mystery.
>
> Might be elogind. It sets some ACLs on login.

Might be.

I am content knowing that on Guix System, the intended way to control
access to /dev/kvm is by using the "kvm" group. However, it still
smells like we may have an ACL-related bug: It seems to be unexpected
that ACLs are getting set for some devices (e.g., /dev/video0), but not
for others (e.g., /dev/kvm).

What do you think?

--
Chris
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEy/WXVcvn5+/vGD+x3UCaFdgiRp0FAl0lhGAACgkQ3UCaFdgi
Rp3zIhAAg6dbHuIm1A6R2ExdkV4HFoKp3RWx7hwns8uNTwYQAMhd4myUpqPd1ArL
mDcF6r1sRHXJGH1O1RyBQTybOmkTXDo6Xu9d7793SDkNH0IkdtDi6lG8FFTKa5Vb
+BUwLI/Ec0PKw64XM1d3IxKM7TTnOmR6GyPadSx1ymjHQI39dnl8YBsg+9iQHRqx
llD9Tyt4gxcDEHvxEBlqOYyqFxSCMlnWEQKnm5yXwr81HeLm1v4QySr9CTWy2ML6
KN12G6FuI7d7ORa4J7IXN9hlwvZig7yLOAbFuxKYeSuGzZbrHRlKffmecFekduvC
PlHUx9MvuHoeAGvPgKF+blDDjV2odL6gtAMjeAbwJ2Hl4q/NELgZhhJ2rTVFTBIV
F0aU/oTl7DKHjfWXwdcyQdlfg/d2R8xGSdlJyoPvgUWq8U/PnL39xQ3IDw8vkLum
BLshfhzPmHKFlOmfaLlWv8Sz4j+WiJrJPZ0Yvk24ZEUjofYMEHIVq0ftL9y0boe3
c6tNIHZyAbhQm1oa0gLj/tHmo8752QDY64p64Fr3tRX/NAIGmkcpG9fas4ypniog
MS+kwbL6eo7rB+FaH3lS4/IIs/r6ybgWDUcPnpkhqLJJikKZScwgfm8d3rcH0E01
oSZpzHKzFLQgGqIOdogK8rYyieFwUBjtBpuDGfRnuq7v8Y2hI0M=
=etO6
-----END PGP SIGNATURE-----

L
L
Ludovic Courtès wrote on 10 Jul 2019 19:10
(name . Chris Marusich)(address . cmmarusich@gmail.com)
87o921zuhh.fsf@gnu.org
Hi,

Chris Marusich <cmmarusich@gmail.com> skribis:

Toggle quote (8 lines)
> I am content knowing that on Guix System, the intended way to control
> access to /dev/kvm is by using the "kvm" group. However, it still
> smells like we may have an ACL-related bug: It seems to be unexpected
> that ACLs are getting set for some devices (e.g., /dev/video0), but not
> for others (e.g., /dev/kvm).
>
> What do you think?

I agree. I’d like to have a definite answer as to where these come
from; elogind was suspect #1 but I haven’t found anything conclusive.

Ludo’.
D
D
Danny Milosavljevic wrote on 11 Jul 2019 09:18
(name . Ludovic Courtès)(address . ludo@gnu.org)
20190711091807.679799f6@scratchpost.org
auditd can find those acl setters :)

# auditctl -w /dev/kvm -p a -k kvm-acl-setter-foo

Later on:

# ausearch -k kvm-acl-setter-foo
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEds7GsXJ0tGXALbPZ5xo1VCwwuqUFAl0m4q8ACgkQ5xo1VCww
uqWNTQf/TOsdDmK9XFT7iDP+MUNQzIYwFOGHl/uhzg+Wc9qpzz2E2tI5SPutunuJ
dUlzVih5XbzqsHKSexDGnAOidAmINpWcmZ7w+r7WVH0kZrl6QV9iF6D/GYsk6jmZ
4tjvaWTsZX/wmfvwRPxiKfVeXV221aIuG4Y2fPY8/SjQZqfrFR6mxEQhJ49TpNZS
Nl7xVbH85s79ge+fS4j0Y3r0prP7tDtF/URkeUtJEr4GbMMXUlsHeiETXrJqGWFR
TX1knyrZsN3dYEUXZWFVKVvI6rqrpEFqrrEEjTG9yjOCaFBZQosw9KxHr3UdPAID
0ZxGnWN1yVSodsAremXc3RQFb7tS9A==
=g4wp
-----END PGP SIGNATURE-----


?