[Spice-devel] Using systemd/udev acl management to open up additional /dev nodes on request

Frédéric Grelot fredericg_99 at yahoo.fr
Thu Sep 15 09:45:55 PDT 2011


Hi Hans,

Instead of using a privileged helper, wouldn't it be better to do it just like another virtualization solution (from the society that also licences a very well-known object-oriented programming language) does: create a special user group, add a udev rule that associates that group to the devices in /dev/bus/usb as they get plugged, and thus allow people of that group to use usb devices transparently?
Of course, the main problem that it raises is that it will break that other virtualization solution, since devices cannot be assigned to 2 different user groups...

Frederic.


----- Original Message -----
> Hi,
> 
> Currently when people want to use usbredirection to a virtual machine from
> spice-client, they must launch the spice-client as root so that it can
> access device nodes under /dev/bus/usb.
> 
> Since the purpose is for usbredirection to just work plug and play for
> virtual machines, this needs to change.
> 
> My plan is to write a (privileged) helper program which will:
> 1) Check if it is invoked from a console session (using ConsoleKit
>     or the new ConsoleKit equivalent functionality in systemd in F-16)
> 2) Poke PolicyKit asking it if it is ok for the user to get access
>     to raw usb devices
> 3) Do something to actually open up the device to the spice-client,
>     there are 2 options:
>     a) relax permissions (set an acl)
>     b) open the device node and hand over a fd, but since I'm using libusb
>     to access the device nodes this is not really an option, leaving
>     only a.
> 
> 3) Is a part where I've some systemd/udev questions about. Currently
> udev already does similar opening up of acl's for the active console
> user for things like soundcards, etc. I wonder if somehow I could hook
> into udev to make use of this for the usb device nodes (after having
> done the policykit tests)?
> 
> Thanks & Regards,
> 
> Hans
> 
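
The two approaches discussed in this thread, written out as udev rules. This is an added example, not part of either message or of the SPICE code; the file name and the group name `usbredir` are assumptions, and alternative B assumes a current systemd-based system where the `uaccess` tag is available.

```udev
# /etc/udev/rules.d/70-usbredir.rules   (hypothetical file name)
# Keep only ONE of the two rules below.

# Alternative A: static group, as proposed in the reply.
# Every USB device node under /dev/bus/usb is handed to one group. Any member
# can open any USB device at any time, whether or not they are at the console.
# A device node has exactly one owning group and the last GROUP= assignment
# wins, so a later rule from another package that also sets GROUP= replaces
# this one (the conflict the reply points out).
# "usbredir" is a placeholder group name and must exist before the rule fires.
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", GROUP="usbredir", MODE="0660"

# Alternative B: per-user ACL managed by udev, the mechanism the original mail
# refers to for sound cards. Tagged nodes get a read/write ACL entry for the
# user of the active local session; the entry is removed when the session
# stops being active. Owner and group of the node stay untouched, so this
# does not collide with group rules from other packages.
# This rule applies to every USB device and involves no PolicyKit check;
# the per-request authorisation from step 2 of the plan would still have to
# live in the helper.
# The file must sort before 73-seat-late.rules so the tag is set in time.
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", TAG+="uaccess"
```

After `udevadm control --reload` and replugging a device, `getfacl` on its node under /dev/bus/usb shows whether a group or a per-user ACL entry is granting access.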