udev: add default group for sgx enclave access

Closes #18669. This creates a "well known" for sgx_enclave ownership. By doing this here we avoid the risk that various projects making use of the device will provide similar-but-slightly-incompatible installation instructions, in particular using different group names. ACLs are actually a better approach to grant access to users, but not in all cases, so we want to provide a standard group anyway. Mode is 0o660, not 0o666 because this is very new code and distributions are likely to not want to give full access to all users. This might change in the future, but being conservative is a good default in the beginning. Rules for /dev/sgx_provision will be provided by libsg-ae-pce: https://github.com/intel/linux-sgx/issues/678.
update TODO
2025-10-03 18:54:45 +02:00 · 2021-03-10 23:05:48 +01:00 · 2021-03-10 22:38:28 +01:00
3 changed files with 20 additions and 1 deletions
--- a/18
+++ b/18
@ -22,8 +22,24 @@ Janitorial Clean-ups:

 Features:

+* nspawn: default to 1:1 userns
+
+* Provide a reasonably bespoke solution for mounting host $HOME directories
+  into containers:
+  • add new option --mount-user=$USER for mounting $HOME of the user into the
+    container at the same place
+  • check /etc/passwd for UID or user name clashes. If UID clash pick a different
+    UID in container, and map via userns. If user name clash, refuse. If
+    matching user already exists use that.
+  • otherwise: write user record of specified user into /run/host/passwd or so
+  • in nss-systemd pick up user record from there and make available to system
+  With all that in place if nspawn host and container payload are up-to-date
+  enough we have a very simple way to make host users available in containers.
+
 * systemd-sysusers: pick up passwords from credentials logic, so that users can
-  easily set root user pw
+  easily set root user pw. enable cred inheriting for root user from PID 1, so
+  that for containers we can configure the root pw automatically via nspawn's
+  --set-credential= switch. (Also do this for systemd-firstboot)

 * whenever we receive fds via SCM_RIGHTS make sure none got dropped due to the
  reception limit the kernel silently enforces.
--- a/rules.d/50-udev-default.rules.in
+++ b/rules.d/50-udev-default.rules.in
@ -39,6 +39,8 @@ SUBSYSTEM=="cec", GROUP="video"
 SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="render", MODE="@GROUP_RENDER_MODE@"
 SUBSYSTEM=="kfd", GROUP="render", MODE="@GROUP_RENDER_MODE@"

+SUBSYSTEM=="misc", KERNEL=="sgx_enclave", GROUP="sgx", MODE="0660"
+
 # When using static_node= with non-default permissions, also update
 # tmpfiles.d/static-nodes-permissions.conf.in to keep permissions synchronized.

--- a/sysusers.d/basic.conf.in
+++ b/sysusers.d/basic.conf.in
@ -31,6 +31,7 @@ g input   -     -            -
 g kvm     -     -            -
 g lp      -     -            -
 g render  -     -            -
+g sgx     -     -            -
 g tape    -     -            -
 g video   -     -            -