As part of the discussion at the systemd bugtracker [1], people from Debian said that they prefer 0660 mode, group kvm, because this limits the exposure to kernel bugs in the kvm module. Those are not frequent, but they do happen, so it's hard to argue that increases security at least a bit. Currently, kvm is tagged with uaccess, so locally logged in users also get access to /dev/kvm, no matter what the access mode is. With the 0660 mode, users (not locally logged in) need to be added to kvm group to get access. Would such a mode where one need to either log in locally, or be root, or be in the kvm group work for Fedora? [1] https://github.com/systemd/systemd/pull/5597 Zbyszek _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
