m/n/k/plugins/kvmdevice: allow everyone to access /dev/kvm

This changes the permissions of /dev/kvm to allow everyone access.
Previously, only the owner, which is root, had access.

This allows containers which don't run as root to use KVM. It also makes
KVM accessible in user namespace containers, where the owner is mapped
to nobody, such that access is only possible if "other" has permissions.

Change-Id: Ie438d2ab40468a6d3002c3890b75b9c43188198d
Reviewed-on: https://review.monogon.dev/c/monogon/+/4654
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/node/kubernetes/plugins/kvmdevice/kvmdevice.go b/metropolis/node/kubernetes/plugins/kvmdevice/kvmdevice.go
index 15f1d9e..8cf72d9 100644
--- a/metropolis/node/kubernetes/plugins/kvmdevice/kvmdevice.go
+++ b/metropolis/node/kubernetes/plugins/kvmdevice/kvmdevice.go
@@ -150,10 +150,14 @@
 		return fmt.Errorf("failed to parse KVM device node: %w", err)
 	}
 
-	err = unix.Mknod("/dev/kvm", 0660, int(kvmDevNode))
+	err = unix.Mknod("/dev/kvm", 0666, int(kvmDevNode))
 	if err != nil && !errors.Is(err, unix.EEXIST) {
 		return fmt.Errorf("failed to create KVM device node: %w", err)
 	}
+	err = unix.Chmod("/dev/kvm", 0666)
+	if err != nil {
+		return fmt.Errorf("failed to set KVM device node permissions: %w", err)
+	}
 
 	// Try to remove socket if an unclean shutdown happened
 	os.Remove(k.KubeletDirectory.Plugins.KVM.FullPath())
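Review bot: The mode passed to `unix.Mknod` on the changed line carries no file-type bits, and mknod(2) treats a zero type as S_IFREG, so on the path where /dev/kvm does not already exist this would create a world-writable regular file rather than a character device; `err = unix.Mknod("/dev/kvm", unix.S_IFCHR|0666, int(kvmDevNode))` states the intent. The added `unix.Chmod` also runs when Mknod returned EEXIST, so whatever already sits at that path is opened to everyone without a check that it is the character device matching `kvmDevNode`; the node probably comes from devtmpfs in practice, but that is not visible here. A short comment above the Chmod, such as `// 0666: non-root and user-namespace containers reach the device as "other"; exposure is limited to pods that are handed the device`, would record why the wide mode is acceptable, if that gating is indeed what the plugin provides. The enclosing function starts and ends outside the hunk.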