From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tokarev
Subject: Re: /dev/kvm not sufficiently restricted, and in ways I didn't think were possible
Date: Tue, 28 Aug 2012 11:40:25 +0400
Message-ID: <503C75E9.60901@msgid.tls.msk.ru>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: kvm@vger.kernel.org
To: Henry Cejtin
Return-path:
Received: from isrv.corpit.ru ([86.62.121.231]:53714 "EHLO isrv.corpit.ru" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751790Ab2H1Hk1 (ORCPT ); Tue, 28 Aug 2012 03:40:27 -0400
In-Reply-To:
Sender: kvm-owner@vger.kernel.org
List-ID:

On 28.08.2012 00:11, Henry Cejtin wrote:
> I'm completely confused about access to /dev/kvm. In particular, it
> looks like it is too open to access, but in a way that I don't
> understand.
>
> On my machine, /dev/kvm is owned by root.root and mode 660. Here is the
> output of ls:
>
> % ls -l /dev/kvm
> crw-rw----+ 1 root root 10, 232 Aug 24 15:03 /dev/kvm

Note the plus sign in there (+). Run getfacl on this file.

Most likely it is consolekit/policykit which has a rule to
add ACLs to some devices (audio etc) for a current session
user.

/mjt
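
The getfacl check suggested in the reply above, as an added example that is not part of the original message: a filter that reads `getfacl` output and prints only the named-user and named-group entries, with the ACL mask applied, since those are the grants the owner/group/other mode bits do not show. The function name, the sample output and the user `alice` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Reads `getfacl` output on stdin and prints each named user/group entry
# with its effective permissions (entry permissions ANDed with the mask).
# Live use: getfacl -p /dev/kvm | acl_extra_grants
acl_extra_grants() {
    awk -F: '
        /^#/ || NF < 3 { next }           # skip header comments and blank lines
        { sub(/[ \t]*#.*/, "", $3) }      # drop a trailing effective-rights note
        $1 == "mask" { mask = $3; next }  # the mask caps all named entries
        ($1 == "user" || $1 == "group") && $2 != "" {
            kind[++n] = $1; who[n] = $2; perm[n] = $3
        }
        END {
            for (i = 1; i <= n; i++) {
                eff = ""
                for (j = 1; j <= 3; j++) {
                    p = substr(perm[i], j, 1)
                    m = (mask == "") ? p : substr(mask, j, 1)
                    eff = eff ((p != "-" && m != "-") ? p : "-")
                }
                print kind[i] ":" who[i] ":" eff
            }
        }'
}

# Constructed sample of getfacl output for a device node whose `ls -l`
# mode string ends in "+"; "alice" is a made-up session user.
sample_acl() {
    cat <<'EOF'
# file: /dev/kvm
# owner: root
# group: root
user::rw-
user:alice:rw-
group::rw-
mask::rw-
other::---
EOF
}

sample_acl | acl_extra_grants    # → user:alice:rw-
```

An empty result means the ACL holds no named entries; any line printed is an account or group with access that mode 660 and root.root ownership alone would not grant.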