-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Mon, Nov 28, 2016 at 06:15:57AM -0800, Andrew David Wong wrote:
> On 2016-11-28 03:29, Jean-Philippe Ouellet wrote:
> > If you use `qvm-usb` to assign a particular USB device to a particular
> > VM, it's probably because you wanted to actually use that device! (or
> > more likely some program which interfaces with that device)
> >
> > Currently, such programs will likely fail due to the `user` account
> > not having write access to the device node.
> >
> > Under Qubes' threat model, we assume there is no meaningful privilege
> > boundary between user and root[1], so would it make sense to just make
> > all passed-through USB devs world-writable (or at least user-writable)
> > to enable software using them to "Just Work" by default?
> >
> > Right now things only work if some application provides udev rules
> > changing ownership/permissions, or if a user observes things failing
> > and happens to know to go chmod stuff in /dev.
> >
> > [1]: https://www.qubes-os.org/doc/vm-sudo/
> >
>
> This sounds reasonable to me. Tracking it here:
>
> https://github.com/QubesOS/qubes-issues/issues/2465

I wonder how it works on bare metal Fedora/Debian? Couldn't the same
mechanism be engaged in Qubes AppVM?

And actually it looks to be working (at least in Fedora 24 and Debian 8)
- - if I plug some USB webcam into USB VM, /dev/video0 automatically gets
an ACL allowing user "user" read-write access:

getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:user:rw-
group::rw-
mask::rw-
other::---

So, if it does not work for some type of devices, I would say it's an
upstream issue.
Any particular example?

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
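
The ACL check discussed in the message above, as an added example that is not part of the original thread: it parses `getfacl` output and applies the POSIX ACL evaluation order (owner, named user, groups, other, with the mask applied to everything except owner and other). The function names `parse_getfacl` and `allows` are hypothetical, and root's capability-based bypass of these checks is not modelled.

```python
# Added example: decide access from getfacl text using the POSIX ACL check order.
# Sample copied from the getfacl output quoted in the message above.
SAMPLE = """\
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:user:rw-
group::rw-
mask::rw-
other::---
"""

def parse_getfacl(text):
    """Parse one file's getfacl output into owner, group and ACL entries."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line.startswith(("user:", "group:", "mask:", "other:")):
            # Drop a trailing "#effective:..." comment before splitting.
            tag, qual, perms = line.split("#")[0].strip().split(":")
            acl["entries"].append((tag, qual, set(perms) - {"-"}))
    return acl

def allows(acl, user, groups, want="rw"):
    """True if `user` (member of `groups`) gets every permission in `want`."""
    want, entries = set(want), acl["entries"]
    mask = next((p for t, _, p in entries if t == "mask"), None)
    masked = lambda p: p if mask is None else p & mask
    find = lambda tag, qual: [p for t, q, p in entries if t == tag and q == qual]
    if user == acl["owner"]:
        return want <= find("user", "")[0]            # owner entry ignores the mask
    if find("user", user):
        return want <= masked(find("user", user)[0])  # named user entry, masked
    matched = [p for t, q, p in entries if t == "group"
               and (q in groups if q else acl["group"] in groups)]
    if matched:                                       # any matching group entry
        return any(want <= masked(p) for p in matched)
    return want <= find("other", "")[0]

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE)
    print("user 'user' can read/write:", allows(acl, "user", ["user"]))
```

Feeding it the `getfacl` output of a passed-through device node that a program fails to open shows whether a missing named-user entry or a restrictive mask is the cause.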