HAL does not apply ACL on DRM device

The group owner is 'video', and all users on my system belong to that group. What does it show for you?

Could you check if your user account is in the 'video' group? Timo and I wonder if the reason we didn't see it is because our accounts are in that group, so the permissions seem to be ok for us.

fedora doesn't ship a ruleset either:

08:48 < airlied> tjaalton: I found a bug in hal acl setting
08:49 < airlied> tjaalton: the device perms shouldn't be set by X, either hal pam should do it.
08:49 < airlied> otherwise don't enable udev

(that's probably 'hal OR pam')

I am not a member of group video:
$ groups
albert adm dialout cdrom plugdev lpadmin admin sambashare

(first user on the system, installed from intrepid live cd, upgraded to jaunty)

Then for the hal acl:
- polkit-gnome-authorization shows console and active console should have access to Video Devices
- console-kit knows my session:
$ ck-list-sessions
Session2:
 unix-user = '1000'
 realname = 'Albert,,,'
 seat = 'Seat1'
 session-type = ''
 active = TRUE
 x11-display = ':0'
 x11-display-device = '/dev/tty7'
 display-device = ''
 remote-host-name = ''
 is-local = TRUE
 on-since = '2008-12-08T10:58:03.416594Z'
 login-session-id = '4294967295'
- but there is no acl on /dev/dri/card0:
$ sudo getfacl /dev/dri/card0
getfacl: Removing leading '/' from absolute path names
# file: dev/dri/card0
# owner: root
# group: video
user::rw-
group::rw-
other::---

note, for kvm I do get an additional line with getfacl: user:albert:rw-

Attached is the output of hal-find-by-capability --capability drm | xargs hal-device

Comparing the hal-device output to kvm, the key "access_control.file" seems to be missing?
/usr/share/hal/fdi/policy/10osvendor/20-acl-management.fdi contains:
    <match key="info.capabilities" contains="drm">
        <append key="info.capabilities" type="strlist">access_control</append>
        <merge key="access_control.file" type="copy_property">input.device</merge>
        <merge key="access_control.type" type="string">video</merge>
    </match>

I guess as the drm device has no key input.device, the key access_control.file is not properly set?

In /usr/share/hal/fdi/policy/10osvendor/20-acl-management.fdi I replaced the line:
<merge key="access_control.file" type="copy_property">input.device</merge>

by:
<merge key="access_control.file" type="copy_property">linux.device_file</merge>

After a reboot, I got access to /dev/dri/card0 and graphics performance was back at normal.

~$ sudo getfacl /dev/dri/card0
getfacl: Removing leading '/' from absolute path names
# file: dev/dri/card0
# owner: root
# group: video
user::rw-
user:albert:rw-
group::rw-
mask::rw-
other::---

Cool, looks like you found the problem.

http://cgit.freedesktop.org/hal/tree/fdi/policy/10osvendor/20-acl-management.fdi shows the same lines for the DRM device. Forwarded upstream.

Thank you, editing the fdi-file helped me, although the intel driver in Jaunty still seems to be a bit slow.

With no access to DRI, it can cause serious performance issues, such as measured in this article:
http://www.phoronix.com/scan.php?page=article&item=intel_graphics_q408

This bug is marked as "affects hal" but wouldnt it be a better solution to solve this on a lower leavel by udev?

The given workaround (and also "sudo glxgears") produces rendering errors: glxgears overdraws windows lying over glxgears. So DRI seems to be defect in some way, but I'm not sure if this is related to this bug.

I am member of the video group, and this bugged affected me too.

Fixed in:

hal (0.5.12~rc1-0ubuntu6)

    * Add 00git_fix_drm_acls.patch: Fix copy&paste error which assigned
       the wrong access_control.file for /dev/drm/card* devices. It
       previously copied "input.device", but should be
       "linux.device_file". This brings back hardware GL rendering,
       instead of always using the Mesa software rasterizer. (Part of
       LP #269509)

the above fix doesn't work for me - still no non-root permissions for /dev/dri/card*.

I'm running hal (0.5.12~rc1+git20090120-0ubuntu1) on a fresh Jaunty install and the line:

"<merge key="access_control.file" type="copy_property">linux.device_file</merge>"

already appears in "/usr/share/hal/fdi/policy/10osvendor/20-acl-management.fdi"

Of course if I manually change permissions and do a "kill -9 -1" then I get hardware rendering working until the next reboot.