kvm: access to /dev/kvm should have a different group-ownership

Bug #127704 reported by Andreas John on 2007-07-23
6
Affects Status Importance Assigned to Milestone
kvm (Ubuntu)
Low
Chris Halse Rogers
udev (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: kvm

Hello,
I am not sure where to file this wish. udev or kvm? I'll try on kvm first. I found that bug/wish on feisty/tribe 2.

The device /dev/kvm belongs to root:root which renders it unusable from ordinary users. I recommend to give it group-ownership to a new group "kvm" via udev's 40-permissions.rules. As access to /dev/kvm might invole security risks (users VMs are executed within kernel / CPU ), I would not give the group-ownership to "users" and I would not default new users to that group.

rgds,
Andreas

# diff -u /root/40-permissions.rules /etc/udev/rules.d/40-permissions.rules
--- /root/40-permissions.rules 2007-07-22 15:29:33.000000000 +0200
+++ /etc/udev/rules.d/40-permissions.rules 2007-07-22 15:30:09.000000000 +0200
@@ -19,6 +19,7 @@
 ENV{ID_CDROM}=="?*", GROUP="cdrom"
 KERNEL=="ht[0-9]*", GROUP="tape"
 KERNEL=="nht[0-9]*", GROUP="tape"
+KERNEL=="kvm", GROUP="kvm"

 # IEEE1394 (firewire) devices
 # Please note that raw1394 gives unrestricted, raw access to every single

Maybe it's related to #87634.

This would be a rather useful change. Right now only root can use kvm, which is sort of besides the point.

Also affects gutsy.

Changed in udev:
status: New → Confirmed
Chris Halse Rogers (raof) wrote :

This is already done by the kvm package, and has been for some time (In the file /etc/udev/rules.d/50-kvm.rules). How did you install KVM? I wonder why your kvm device is not getting the correct permissions.

Changed in kvm:
assignee: nobody → raof
importance: Undecided → Low
status: New → Incomplete

I installed KVM by executing
$ sudo aptitude install kvm
i.e. plain vanilla package.

I can confirm this on current gutsy.

Chris, the reason is that /etc/udev/rules.d/50-kvm.rules is simply missing in the kvm package,
see http://packages.ubuntu.com/cgi-bin/search_contents.pl?searchmode=filelist&word=kvm&version=gutsy&arch=i386

Would be nice if this gets fixed by adding an appropriate 50-kvm.rules to kvm.

Changed in kvm:
status: Incomplete → Confirmed

The only harm in allowing normal users to access /dev/kvm is a potential memory DoS until guest swapping is implemented. I suggest that a special group be made until that feature is implemented.

hm,
without digging deeper into the theme, I assume you cannot nice or
schedule the KVM machine, as it is implemented in the kernel. So I would
add a "CPU-consumption DoS", as kernel-mode execution has high prio.
And, as things like scanner and audio have own groups, it makes sense to
give a special group to the "KVM People", too. (not only temporary ....)

Corrections weclome!

Rgds,
Andreas

Anthony Liguori schrieb:
> The only harm in allowing normal users to access /dev/kvm is a potential
> memory DoS until guest swapping is implemented. I suggest that a
> special group be made until that feature is implemented.
>

Andreas, Anthony,

the special group kvm is already there in gutsy, that's not the topic of the bug.

The problem is that the udev rule for assigning /dev/kvm to the group kvm is not shipped.
It's in the source package in debian/kvm.udev, but misses in the binary package.
It should be shipped as /etc/udev/rules.d/50-kvm.rules.

Seems like a small and easy-to-fix packaging bug.
Chris, could you fix that?

Thank you,
Wolfgang

On Monday 24 September 2007 11:05:57 Andreas John wrote:
> hm,
> without digging deeper into the theme, I assume you cannot nice or
> schedule the KVM machine, as it is implemented in the kernel. So I would
> add a "CPU-consumption DoS", as kernel-mode execution has high prio.
> And, as things like scanner and audio have own groups, it makes sense to
> give a special group to the "KVM People", too. (not only temporary ....)

KVM docs say that to the host OS, KVM is a single process (which indeed seems
to be true in my experience) so you likely are able to nice it, after all,
the whole point about KVM is that you get to use all Linux infrastructure
like the scheduler etc.

You may even be able to limit RAM consumption by ulimit then?

Ubuntu policy is that assigning of custom groups to device nodes should be done by rules shipped with the package that creates that group, in this case KVM.

Changed in udev:
status: Confirmed → Invalid
Andreas John (derjohn) wrote :

Hello Scott,
then why did you change the bug report to invalid? The only thing that
needs to be corrected is, replaung the patch with a own udev rule file.
Everything else discussed here, is absolutely correct.

The title of the bugs reads: ""access to /dev/kvm should have a
different group-ownership" which is still the right way to go.

rgds,
Andreas

Scott James Remnant schrieb:
> Ubuntu policy is that assigning of custom groups to device nodes should
> be done by rules shipped with the package that creates that group, in
> this case KVM.
>
> ** Changed in: udev (Ubuntu)
> Status: Confirmed => Invalid
>

As I noted, the udev portion is invalid because it is not Ubuntu policy to apply custom groups in the udev package; this should be done in the kvm package -- and you'll note that task in the bug is left confirmed

Andreas John (derjohn) wrote :

Well,
this bug ( #127704 ) is a bug filed to the kvm package, not the udev
package. So it's still the right place. Only the patch is invalid, which
is no problem: As one of the foreposters noted, there already was such a
udev rule file, provided by the kvm package. So we should simply look
forward to resurrect that one...

I'll have a look at it and attach it here. Would you re-confirm the bug
then?

foobar,
Andreas

Scott James Remnant schrieb:
> As I noted, the udev portion is invalid because it is not Ubuntu policy
> to apply custom groups in the udev package; this should be done in the
> kvm package -- and you'll note that task in the bug is left confirmed
>

Andreas John (derjohn) wrote :

In the old (feisty) package I found in kvm_16-1ubuntu2.diff:

--- kvm-16.orig/debian/kvm.udev
+++ kvm-16/debian/kvm.udev
@@ -0,0 +1 @@
+KERNEL=="kvm", NAME="%k", GROUP="kvm", MODE="0660"

That patche the orig. sources and inserts the udev rule file via .deb
package. Indeed a nice apprioach, until now I wasnt aware that deb
format supports udev rules natively.

I hope, this will be accepted again.

rgds,
Andreas

Andreas John schrieb:
> Well,
> this bug ( #127704 ) is a bug filed to the kvm package, not the udev
> package. So it's still the right place. Only the patch is invalid, which
> is no problem: As one of the foreposters noted, there already was such a
> udev rule file, provided by the kvm package. So we should simply look
> forward to resurrect that one...
>
> I'll have a look at it and attach it here. Would you re-confirm the bug
> then?
>
> foobar,
> Andreas
>
>
> Scott James Remnant schrieb:
>> As I noted, the udev portion is invalid because it is not Ubuntu policy
>> to apply custom groups in the udev package; this should be done in the
>> kvm package -- and you'll note that task in the bug is left confirmed
>>
>

On Monday 24 September 2007 16:09:55 Andreas John wrote:
>
> I hope, this will be accepted again.

Couldnt one simply create a /etc/udev/rules.d/XX-kvm-rules

Andreas John (derjohn) wrote :

Gabriel Ambuehl schrieb:
> On Monday 24 September 2007 16:09:55 Andreas John wrote:
>> I hope, this will be accepted again.
>
> Couldnt one simply create a /etc/udev/rules.d/XX-kvm-rules

I already mailed the diff, that is needed to create a udev rule within
the kvm package.

Scott please re-confirm !

Chris Halse Rogers (raof) wrote :

I'll re-add the udev rule to Gutsy's KVM package.

Changed in kvm:
status: Confirmed → In Progress

Thanks, Chris!

The recently released kvm-1:28-4ubuntu2 fixes the problem for me,
the udev rule is in place, and /dev/kvm is root:kvm as expected.

Wolfgang

Changed in kvm:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers