[systemd-devel] [PATCH] udev/rules: Add default user access and permissions for vfio

Kay Sievers kay at vrfy.org
Tue Apr 30 13:44:43 PDT 2013


On Tue, Apr 30, 2013 at 9:16 PM, Alex Williamson
<alex.williamson at redhat.com> wrote:
> The /dev/vfio/vfio device file is intended to be an unprivileged
> interface.

If that is common, and not subject to system policy, the kernel driver
should request that right away, and better not rely on udev rules to
adjust that. Like it is done here:
  http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/tty/tty_io.c#n3494

New stuff should go into udev only if it is subject to necessary
"configurability" or if the kernel has more use cases which should not
work that way, and therefore the kernel cannot carry out the policy on
its own.

> Only by attaching it to a group (/dev/vfio/$GROUP) does
> it allow privileged access.  The group is therefore used to grant
> access and /dev/vfio/vfio can be used by anyone.  Update the udev
> rules to provide this.

> +SUBSYSTEM=="vfio", KERNEL=="vfio", MODE="0666"
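Review bot: MODE="0666" on the KERNEL=="vfio" match makes the node world readable and writable, and the rule carries no comment saying why that is acceptable. The reasoning exists only in the commit message (privileged access requires attaching a /dev/vfio/$GROUP node), so a one-line comment above the rule stating that would keep the justification next to the permission it justifies.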

> +SUBSYSTEM=="vfio", KERNEL=="vfio", TAG+="uaccess"
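Review bot: TAG+="uaccess" here uses the same match (SUBSYSTEM=="vfio", KERNEL=="vfio") as the MODE="0666" rule, so the per-user ACL it requests grants nothing the mode bits do not already give everyone. Keep only one of the two: MODE="0666" if any user should be able to open the node, or the uaccess tag with a tighter mode if access should be limited to the logged-in user.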

Hmm, I don't understand, 0666 is open to anybody, all the time. What
would an additional ACL do here?

Kay

