Changeset dfde664

Timestamp:

04/10/2023 08:17:04 AM (13 months ago)

Author:

Xi Ruoyao <xry111@…>

Branches:

12.0, 12.0-rc1, 12.1, 12.1-rc1, bdubbs/gcc13, multilib, renodr/libudev-from-systemd, trunk, xry111/arm64, xry111/arm64-12.0, xry111/clfs-ng, xry111/loongarch, xry111/loongarch-12.0, xry111/loongarch-12.1, xry111/mips64el, xry111/update-glibc

Children:

a4b0c6d

Parents:

e9ab2b3

git-author:

Xi Ruoyao <xry111@…> (04/10/2023 08:00:34 AM)

git-committer:

Xi Ruoyao <xry111@…> (04/10/2023 08:17:04 AM)

Message:

systemd: Set /dev/kvm mode to 0660

The default /dev/kvm mode is 0666 and we consider it "not so safe".
Like Tim said: "I'm also authenticating to my system all the time and
don't do a chmod -R 777 / after every boot."

With this option, the /dev/kvm mode is set to 0660 and it's tagged
"uaccess" so systemd-logind will add an ACL entry for users logged-in
locally.

File:

• chapter08/systemd.xml (modified) (2 diffs)

chapter08/systemd.xml

@@ -67 +67 @@
       -Dmode=release                \
       -Dpamconfdir=no               \
+      -Ddev-kvm-mode=0660           \
       -Ddocdir=/usr/share/doc/systemd-&systemd-version; \
       ..</userinput></screen>
@@ -166 +167 @@
           <para>Prevent the installation of a PAM configuration file not
           functional on LFS.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>-Ddev-kvm-mode=0660</parameter></term>
+        <listitem>
+          <para>The default udev rule would allow all users to access
+          <filename class='devicefile'>/dev/kvm</filename>.  The editors
+          consider it dangerous.  This option overrides it.</para>
         </listitem>
       </varlistentry>