Hi! I did some further digging in git and here's what I found:
In systemd 235, these two rules managed /dev/kvm:
50-udev-default.rules.in:
KERNEL=="kvm", GROUP="kvm", MODE="@DEV_KVM_MODE@"
https://github.com/systemd/systemd/blob/v235/rules/50-udev-default.rules.in#L78
70-uaccess.rules:
SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"
https://github.com/systemd/systemd/blob/v235/src/login/70-uaccess.rules#L49
Upstream commit b8fd3d82205f632ce001fade74fed287e1564a1a (part of PR
7112) removed the KVM related bits from the second file, but changed
the default value for @DEV_KVM_MODE@ from 0660 to 0666.
Unfortunately Debian has been removing the KVM related bits from the
first file for some time now, see
https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/tree/debian/patches/debian/Avoid-requiring-a-kvm-system-group.patch
The result is, that in Debian, there is now no systemd-owned udev rule
managing /dev/kvm. This causes the regression that logind does no
longer grant access to /dev/kvm to local users.
Personally, I think that Debian should remove the patch mentioned
above, make kvm a static system group, and remove the udev rule from
QEMU since there *are* other users of /dev/kvm (e.g. kvmtool, which
doesn't ship a udev rule). Then, choose a value for the 'dev-kvm-mode'
meson build option of systemd. I like the upstream default, but there
is Debian bug #640328. But then again, this was in 2011.
So, ultimately this is a maintainer decision, I just wanted to warn you
that people might trip over this on stretch -> buster upgrades!
Best regards
Alexander Kurtz
signature.asc
Description: This is a digitally signed message part
