Ubuntu
gnome-boxes package

Comment 6 for bug 1767302

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2018-09-17:

I found the actual issue, thanks for all your feedback.

I was mistakenly KVM membership for libvirtd membership.

So what happens is the following:
1. gnome-boxes depends on libvirt-daemon, but not libvirt-daemon-system
   The latter would contain the system integration with services and users for libvirt.
   That would make the users in 'sudo' be a member of group 'libvirtd' and that would let you
   control libvirt which would then 'for you' would drive KVM (the user libvirt-qemu which it uses
   is a member of kvm group)
   The dependency to libvirt-daemon only brings the binaries, but not this integration
2. Now gnome boxes seems to try driving some things on its own. It uses libvirt bindings, but seems
   not to want the service.
   But it does not set

   qemu(-system-common) that adds the KVM group never added users to the group (not back to
   Xenial at least, I didn't check further)
3. gnome-boxes does not use the libvirt-qemu user that libvirt sytem integration would use.
   That is why you can not access /dev/kvm

The same is true for any user on the system, which is meant to be an administrators decision - matching your manual addition of the user to the group.

I'm not sure yet what to do about it yet, but at least we found and can think about it now.

Two solutions come to mind:
1. qemu-system-common could add users in sudo to group kvm (as we do with group libvirtd)
   That comes at the drawback of handing out that permission by default to more users
   than before.
2. gnome-boxes is not driving it the way it is intended through libvirt. It should either use it
   the same way (isolated to user libvirt-qemu which is allowed to reach KVM).
   Or it can use it's own user and would then want to make sure it has KVM membership.
#. If gnome-boxes is meant to work with the current desktops user, then this is the same as #1
   And if it is ok - security-wise - should be done in #1. If not acceptable security wise we
   should not do it in any package.

I'll try to get hold of the security Team this week to get an ack to add sudo users to group kvm being ok or not.

I found the actual issue, thanks for all your feedback.

I was mistakenly KVM membership for libvirtd membership.

So what happens is the following:
1. gnome-boxes depends on libvirt-daemon, but not libvirt-daemon-system
   The latter would contain the system integration with services and users for libvirt.
   That would make the users in 'sudo' be a member of group 'libvirtd' and that would let you
   control libvirt which would then 'for you' would drive KVM (the user libvirt-qemu which it uses
   is a member of kvm group)
   The dependency to libvirt-daemon only brings the binaries, but not this integration
2. Now gnome boxes seems to try driving some things on its own. It uses libvirt bindings, but seems 
   not to want the service.
   But it does not set

qemu(-system-common) that adds the KVM group never added users to the group (not back to 
   Xenial at least, I didn't check further)
3. gnome-boxes does not use the libvirt-qemu user that libvirt sytem integration would use.
   That is why you can not access /dev/kvm

The same is true for any user on the system, which is meant to be an administrators decision - matching your manual addition of the user to the group.

I'm not sure yet what to do about it yet, but at least we found and can think about it now.

Two solutions come to mind:
1. qemu-system-common could add users in sudo to group kvm (as we do with group libvirtd)
   That comes at the drawback of handing out that permission by default to more users
   than before.
2. gnome-boxes is not driving it the way it is intended through libvirt. It should either use it 
   the same way (isolated to user libvirt-qemu which is allowed to reach KVM).
   Or it can use it's own user and would then want to make sure it has KVM membership.
#. If gnome-boxes is meant to work with the current desktops user, then this is the same as #1
   And if it is ok - security-wise - should be done in #1. If not acceptable security wise we 
   should not do it in any package.

I'll try to get hold of the security Team this week to get an ack to add sudo users to group kvm being ok or not.

Ubuntugnome-boxes package

Comment 6 for bug 1767302

Ubuntu
gnome-boxes package