[Spice-devel] Using systemd/udev acl management to open up additional /dev nodes on request
Hans de Goede
hdegoede at redhat.com
Fri Sep 16 04:35:34 PDT 2011
On 09/15/2011 06:45 PM, Frédéric Grelot wrote:
> Hi Hans,
> Instead of using a privileged helper, wouldn't it be better to do it just like another virtualization solution (from the society that also licences a very well-known object-oriented programming language) does: create a special user group, add a udev rule that associates that group to the devices in /dev/bus/usb as they get plugged, and thus allow people of that group to use usb devices transparently?
> Of course, the main problem that it raises is that it will break that other virtualization solution's, since devices cannot be assigned to 2 different user groups...
The problem with using a group for this is that it will require admin
intervention to make things work. We want this to "just" work for
anyone who does a fresh install of a distro, and then creates
a virtual machine using for example virt-manager.
Using a privileged helper + policykit allows us to offer such a
"just" works experience, whereas using a unix group does not.
> ----- Original Message -----
>> Currently when people want to use usbredirection to a virtual machine
>> spice-client, they must launch the spice-client as root so that it
>> access device nodes under /dev/bus/usb.
>> Since the purpose is for usbredirection to just work plug and play
>> virtual machines, this needs to change.
>> My plan is to write a (privileged) helper program which will:
>> 1) Check if it is invoked from a console session (using ConsoleKit
>> or the new ConsoleKit equivalent functionality in systemd in
>> 2) Poke PolicyKit asking it if it is ok for the user to get access
>> to raw usb devices
>> 3) Do something to actually open up the device to the spice-client,
>> there are 2 options:
>> a) relax permissions (set an acl)
>> b) open the device node and hand over a fd, but since I'm using
>> to access the device nodes this is not really an option, leaving
>> only a.
>> 3) Is a part where I've some systemd/udev questions about. Currently
>> udev already does similar opening up of acl's for the active console
>> user for things like soundcards, etc. I wonder if somehow I could
>> into udev to make use of this for the usb device nodes (after having
>> done the policykit tests)?
>> Thanks & Regards,