From dfde6640ebad505e7af7dc204a0e2c16dfddfb1e Mon Sep 17 00:00:00 2001
From: Xi Ruoyao
Date: Mon, 10 Apr 2023 16:00:34 +0800
Subject: [PATCH] systemd: Set /dev/kvm mode to 0660

The default /dev/kvm mode is 0666 and we consider it "not so safe". Like Tim said: "I'm also authenticating to my system all the time and don't do a chmod -R 777 / after every boot." With this option, the /dev/kvm mode is set to 0660 and it's tagged "uaccess" so systemd-logind will add an ACL entry for users logged-in locally.
---
 chapter08/systemd.xml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/chapter08/systemd.xml b/chapter08/systemd.xml
index fcac04602..31d89e01a 100644
--- a/chapter08/systemd.xml
+++ b/chapter08/systemd.xml
@@ -66,6 +66,7 @@ meson --prefix=/usr \
 -Dman=false \
 -Dmode=release \
 -Dpamconfdir=no \
+ -Ddev-kvm-mode=0660 \
 -Ddocdir=/usr/share/doc/systemd-&systemd-version; \
 ..
@@ -167,6 +168,15 @@ meson --prefix=/usr \
 functional on LFS.
+
+
+ -Ddev-kvm-mode=0660
+
+ The default udev rule would allow all users to access
+ /dev/kvm. The editors
+ consider it dangerous. This option overrides it.
+
+
 Compile the package:
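Review bot: The explanatory paragraph added in the second hunk says only that the option "overrides" the default rule and never states who can still open /dev/kvm afterwards, which is what a reader building the system needs to know. Going by the commit message, the node becomes 0660 and is tagged `uaccess`, so users logged in locally get an ACL entry from systemd-logind; accounts without a local session (remote logins, service accounts that run a hypervisor) would presumably need membership of the group that owns the node. I would extend the paragraph with something like `Users logged in locally are still granted access through an ACL set by systemd-logind; other accounts must be added to the group owning the device.` and name the risk instead of "dangerous": a mode of 0666 exposes the kernel's KVM interface to every account, including unprivileged service users. A sentence telling the reader to confirm the result after boot with `ls -l /dev/kvm` and `getfacl /dev/kvm` would also help.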