From dfde6640ebad505e7af7dc204a0e2c16dfddfb1e Mon Sep 17 00:00:00 2001
From: Xi Ruoyao
Date: Mon, 10 Apr 2023 16:00:34 +0800
Subject: [PATCH 1/2] systemd: Set /dev/kvm mode to 0660
The default /dev/kvm mode is 0666 and we consider it "not so safe". Like Tim said: "I'm also authenticating to my system all the time and don't do a chmod -R 777 / after every boot." With this option, the /dev/kvm mode is set to 0660 and it's tagged "uaccess" so systemd-logind will add an ACL entry for users logged-in locally.
---
 chapter08/systemd.xml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/chapter08/systemd.xml b/chapter08/systemd.xml
index fcac04602..31d89e01a 100644
--- a/chapter08/systemd.xml
+++ b/chapter08/systemd.xml
@@ -66,6 +66,7 @@ meson --prefix=/usr \
 -Dman=false \
 -Dmode=release \
 -Dpamconfdir=no \
+ -Ddev-kvm-mode=0660 \
 -Ddocdir=/usr/share/doc/systemd-&systemd-version; \
 ..
@@ -167,6 +168,15 @@ meson --prefix=/usr \
 functional on LFS.
+
+
+ -Ddev-kvm-mode=0660
+
+ The default udev rule would allow all users to access
+ /dev/kvm. The editors
+ consider it dangerous. This option overrides it.
+
+
 Compile the package:
From a4b0c6d60a7d6c112fbc6a43e868ac65b34b16bf Mon Sep 17 00:00:00 2001
From: Xi Ruoyao
Date: Mon, 10 Apr 2023 16:17:17 +0800
Subject: [PATCH 2/2] eudev: Set /dev/kvm mode to 0660 and tag it "uaccess"
See the parent commit for rationale.
---
 chapter08/eudev.xml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/chapter08/eudev.xml b/chapter08/eudev.xml
index 0cce469e1..f4c5ac5d2 100644
--- a/chapter08/eudev.xml
+++ b/chapter08/eudev.xml
@@ -40,8 +40,6 @@ Installation of Eudev
-
-
 First fix the location of udev rules in the .pc file:
 sed -i '/udevdir/a udev_dir=${udevdir}' src/udev/udev.pc.in
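Review bot: The added `-Ddev-kvm-mode=0660` line only changes the mode; whether a locally logged-in user can still open /dev/kvm afterwards depends on the node's group and on the uaccess tag that the commit message says systemd applies, and neither is visible in this hunk. If the systemd version the book builds does not tag the kvm node `uaccess` when the mode is not 0666, 0660 silently locks out every user who is not in the `kvm` group, so the claim in the description should be checked against the rules the build actually installs (50-udev-default.rules and the uaccess rules file) rather than taken on trust. The `kvm` group that the node is assigned to must also already exist in /etc/group at this point in the book; I believe the chapter 7 group file provides it, but that is inferred, not visible here. The meson invocation this line belongs to starts before the hunk.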
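Review bot: The new explanation ends with "This option overrides it." without saying what access looks like after the override, which is the part a reader needs in order to know whether their setup will keep working: the node becomes mode 0660 owned by group kvm, locally logged-in users get an ACL through the uaccess tag (per the commit message, not visible in the hunk), and everyone else — SSH logins, services such as libvirt running as their own user — needs membership in the `kvm` group. I would replace the last sentence with `This option sets the mode to 0660 instead. Users logged in locally are still granted access by systemd-logind; any other user who needs /dev/kvm must be added to the kvm group, for example with usermod -a -G kvm <user>.` The varlistentry markup around the new text was stripped in this rendering, so I cannot check that the entry is closed correctly.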
@@ -88,6 +86,20 @@ make -f &udev-lfs-version;/Makefile.lfs install
 configuring
+
+ /etc/udev/rules.d/65-kvm.rules
+
+
+
+ The default udev rule installed by Eudev would allow all users to
+ access /dev/kvm. The editors
+ consider it dangerous. Create a configuration file to override it:
+
+cat > /etc/udev/rules.d/65-kvm.rules << "EOF"
+KERNEL=="kvm", GROUP="kvm", MODE="0660", TAG+="uaccess"
+EOF
+
 /etc/udev/hwdb.bin
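Review bot: `TAG+="uaccess"` in the new 65-kvm.rules has, as far as I can tell, no consumer on an eudev-only system: the uaccess tag is turned into a per-session ACL by systemd-logind (or by elogind, which BLFS installs later), and eudev itself ships no rule or daemon that does this. On the SysV book this rule therefore means that only members of the `kvm` group can open /dev/kvm at all, unlike the systemd book where local sessions keep access, and the explanation text should say so and tell the reader what to do, e.g. `Only members of the kvm group can then use /dev/kvm until elogind is installed; add a user with usermod -a -G kvm <user>.` The override also relies on eudev's default kvm rule living in a file that sorts before 65 (presumably 50-udev-default.rules); if that rule ever moves to a later file, this MODE assignment is silently undone, so a short comment in the rule file naming which default it overrides would help. The surrounding varlistentry markup was stripped in this rendering, so I only see the prose and the here-document.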