[Spice-devel] Using systemd/udev acl management to open up additional /dev nodes on request

Hans de Goede hdegoede at redhat.com
Fri Sep 16 04:35:34 PDT 2011 

Hi,

On 09/15/2011 06:45 PM, Frédéric Grelot wrote:
> hi Hans,
>
> Instead of using a privileged helper, wouldn't it be better to do it just like another virtualization solution (from the society that also licences a very-well known object-oriented programming language) does : create a special user group, add an udev rule that associates that group to the devices in /dev/bus/usb as they get plugged, and thus allow people of that group to use usb devices transparently?
> Of course, the main problem that it raises is that it will break that other virtualization solution's, since devices cannot be assigned to 2 different user groups...

The problem with using a group for this, is that it will require admin
intervention to make things work. We want this to "just" work for
anyone who does a fresh install of a distro, and then creates
a virtual machine using for example virt-manager.

Using a privileged helper + policykit allows us to offer such a
"just" works experience, where as using a unix group does not.

Regards,

hans



>
> Frederic.
>
>
> ----- Mail original -----
>> Hi,
>>
>> Currently when people want to use usbredirection to a virtual machine
>> from
>> spice-client, they must launch the spice-client as root so that it
>> can
>> access device nodes under /dev/bus/usb.
>>
>> Since the purpose is for usbredirection to just work plug and play
>> for
>> virtual machines, this needs to change.
>>
>> My plan is to write a (privileged) helper program which will:
>> 1) Check if it is invoked from a console session (using ConsoleKit
>>      or the new ConsoleKit equivalent functionality in systemd in
>>      F-16)
>> 2) Poke PolicyKit asking it if it is ok for the user to get access
>>      to raw usb devices
>> 3) Do something to actually open up the device to the spice-client,
>>      there are 2 options:
>>      a) relax permissions (set an acl)
>>      b) open the device node and hand over a fd, but since I'm using
>>      libusb
>>      to access the device nodes this is not really an option, leaving
>>      only a.
>>
>> 3) Is a part where I've some systemd/udev questions about. Currently
>> udev already does similar opening up of acl's for the active console
>> user for things like soundcards, etc. I wonder if somehow I could
>> hook
>> into udev to make use of this for the usb device nodes (after having
>> done the policykit tests?
>>
>> Thanks&  Regards,
>>
>> Hans
>> _______________________________________________
>> Spice-devel mailing list
>> Spice-devel at lists.freedesktop.org
>> http://lists.freedesktop.org/mailman/listinfo/spice-devel
>>

More information about the Spice-devel mailing list