Ubuntu
usbview package

  1. Hardy (8.04)
  2. Bug #156085
  3. Comment #53

Comment 53 for bug 156085

Revision history for this message
Martin Pitt (pitti) wrote : Re: [Bug 156085] Could not open /proc/bus/usb/devices

Hi TJ,

CC'ing the bug again to have a more permanent record of the
discussion. I hope it is ok for you?

TJ [2008-09-04 18:20 +0100]:
> I've finished a sys file-system patch for kvm and qemu that continues to
> support the legacy /proc/ and /dev/ device lists. It is based on a patch
> in the Novell bug-tracker but doesn't rip out legacy support.

What does that mean? I hope not that kvm/qemu are supposed to directly
access USB devices through /sys? (that would be EBW).

> The USB devices in /dev/bus/usb/*/* have root:root permissions.

... by default. E. g. scanners and cameras get ACLs assigned to them
by hal/consolekit, so that the currently active local user session can
access those as well.

> Obviously it wouldn't be a great idea to have VMs running as root so I
> was looking for an existing group that might be used to modify those
> permissions so that kvm/qemu can obtain read/write access to the
> devices. Without it USB support fails.
>
> Matt Zimmerman pointed out 'plugdev' is being deprecated and I didn't
> want to use 'kvm' as that is package-specific.

In fact we want to completely deprecate the (ab)use of groups for
device access:
https://wiki.ubuntu.com/DesktopTeam/Specs/Intrepid/DevicePermissions

So please don't proliferate groups too much. 'kvm' should ideally
disappear as well eventually.

The current two recommended possibilities for providing device access
are:

 - Provide a backend running as root (which can access the devices),
   expose the backend functionality through a D-BUS API (well, could
   be IP or something else as well, but D-BUS is very convenient), and
   control access to the backend through PolicyKit. Then device access
   can be configured with polkit-gnome-authorization (with defaulting
   to something sane, like "local users only"). That's the way e. g.
   mounting internal hard drives through hal works.

 - For pure client-side programs, use the hal ACL management facility:
   /usr/share/hal/fdi/policy/10osvendor/20-acl-management.fdi
   /usr/share/PolicyKit/policy/org.freedesktop.hal.device-access.policy

   The FDI configures which device classes get ACL controlled, and
   assigns access_control.type. The .policy maps that type to a
   PolicyKit privilege, and assigns the default rights.

Please let me know if either of those options are feasible for you.

If you really must use a group for now, then I suppose you coordinate
with Soren, to use a more generic group name than 'kvm'. 'plugdev' is
not appropriate at all, it is meant for hotpluggable block devices,
not virtualization hypervisor access.

Martin

--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)