Remove acl-restore.sh and do setfacl via udev instead

0405ysj · 0405ysj · commit 047bea76425b · 2026-05-28T15:16:29.000Z
diff --git a/.github/workflows/presubmit.yaml b/.github/workflows/presubmit.yaml
@@ -520,8 +520,6 @@ jobs:
           containers-storage:localhost/cuttlefish-orchestration:latest
     - name: Run cvd e2e test for podcvd
       run: |
-        # Grant permission on devices as it's hard to grant on test env
-        sudo chmod 666 /dev/kvm /dev/vhost-net /dev/vhost-vsock
         cd e2etests
         bazel test \
           //cvd/cvd_powerwash_tests \
diff --git a/container/debian/cuttlefish-podcvd.cuttlefish-podcvd.init b/container/debian/cuttlefish-podcvd.cuttlefish-podcvd.init
@@ -34,6 +34,9 @@ podcvd_cidr=${podcvd_cidr:-192.168.112.0/20}
 podcvd_ifname="podcvd"
 
 start() {
+    modprobe vhost_net || true
+    modprobe vhost_vsock || true
+
     ip link add "${podcvd_ifname}" type dummy
     ip link set "${podcvd_ifname}" up
     ip route add local "${podcvd_cidr}" dev "${podcvd_ifname}"
diff --git a/container/debian/cuttlefish-podcvd.install b/container/debian/cuttlefish-podcvd.install
@@ -1,5 +1,4 @@
 src/podcvd/podcvd /usr/lib/cuttlefish-podcvd/bin/
 debian/podcvd-setup /usr/lib/cuttlefish-podcvd/bin/
-debian/restore-acls.sh /usr/lib/cuttlefish-podcvd/bin/
 debian/podcvd.users /etc/
 src/podcvd/skill /usr/lib/cuttlefish-podcvd/
diff --git a/container/debian/cuttlefish-podcvd.podcvd-acl-restore.service b/container/debian/cuttlefish-podcvd.podcvd-acl-restore.service
diff --git a/container/debian/podcvd-setup b/container/debian/podcvd-setup
@@ -99,11 +99,17 @@ echo "${username}:${assigned_range}" | sudo tee -a "$USER_CONFIG" > /dev/null
 
 echo "Successfully allocated range $assigned_range to user '$username'."
 
-# 5. Apply ACLs immediately (requires sudo)
-echo "Configuring device permissions..."
-sudo setfacl -m "u:$username:rw" /dev/kvm
-sudo setfacl -m "u:$username:rw" /dev/vhost-net
-sudo setfacl -m "u:$username:rw" /dev/vhost-vsock
+# 5. Add udev rule for applying ACLs and triggers immediately. (requires sudo)
+echo "Configuring custom udev rules for applying ACLs for user '$username'..."
+cat <<EOF | sudo tee /etc/udev/rules.d/99-podcvd-acls-$username.rules > /dev/null
+KERNEL=="kvm", RUN+="/usr/bin/setfacl -m u:$username:rw /dev/%k"
+KERNEL=="vhost-net", RUN+="/usr/bin/setfacl -m u:$username:rw /dev/%k"
+KERNEL=="vhost-vsock", RUN+="/usr/bin/setfacl -m u:$username:rw /dev/%k"
+EOF
+sudo udevadm control --reload-rules
+sudo udevadm trigger --action=change /dev/kvm
+sudo udevadm trigger --action=change /dev/vhost-net
+sudo udevadm trigger --action=change /dev/vhost-vsock
 
 # 6. Enable rootless podman socket for the user (runs as unprivileged user)
 echo "Starting Podman user service..."
diff --git a/container/debian/restore-acls.sh b/container/debian/restore-acls.sh
diff --git a/container/debian/rules b/container/debian/rules
@@ -35,7 +35,6 @@ override_dh_installinit:
 
 .PHONY: override_dh_installsystemd
 override_dh_installsystemd:
-	dh_installsystemd --name=podcvd-acl-restore
 	dh_installsystemd --name=cuttlefish-podcvd
 	dh_installsystemd
 
