udev-rules: Permission changes for /dev/dri/renderD*

- Remove the uaccess tag from /dev/dri/renderD*.
- Change the owning group from video to render.
- Change default mode to 0666.
- Add an option to allow users to set the access mode for these devices at
compile time.

5 files changed, 9 insertions, 2 deletions

diff --git a/meson.build b/meson.build
index 34eed35190..e935a09374 100644
--- a/meson.build
+++ b/meson.build
@@ -614,6 +614,7 @@ if get_option('wheel-group')
 endif
 
 substs.set('DEV_KVM_MODE', get_option('dev-kvm-mode'))
+substs.set('GROUP_RENDER_MODE', get_option('group-render-mode'))
 
 kill_user_processes = get_option('default-kill-user-processes')
 conf.set10('KILL_USER_PROCESSES', kill_user_processes)
@@ -2452,6 +2453,7 @@ status = [
         'maximum system UID:                @0@'.format(system_uid_max),
         'maximum system GID:                @0@'.format(system_gid_max),
         '/dev/kvm access mode:              @0@'.format(get_option('dev-kvm-mode')),
+        'render group access mode:          @0@'.format(get_option('group-render-mode')),
         'certificate root:                  @0@'.format(get_option('certificate-root')),
         'support URL:                       @0@'.format(support_url),
         'nobody user name:                  @0@'.format(get_option('nobody-user')),
diff --git a/meson_options.txt b/meson_options.txt
index 50f24df1b3..037c298887 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -146,6 +146,8 @@ option('nobody-group', type : 'string',
        value : 'nobody')
 option('dev-kvm-mode', type : 'string', value : '0666',
        description : '/dev/kvm access mode')
+option('group-render-mode', type : 'string', value : '0666',
+       description : 'Access mode for devices owned by render group (e.g. /dev/dri/renderD*, /dev/kfd).')
 option('default-kill-user-processes', type : 'boolean',
        description : 'the default value for KillUserProcesses= setting')
 option('gshadow', type : 'boolean',
diff --git a/rules/50-udev-default.rules.in b/rules/50-udev-default.rules.in
index d3d1c9a206..b17d3cf87e 100644
--- a/rules/50-udev-default.rules.in
+++ b/rules/50-udev-default.rules.in
@@ -31,11 +31,13 @@ SUBSYSTEM=="input", KERNEL=="js[0-9]*", MODE="0664"
 
 SUBSYSTEM=="video4linux", GROUP="video"
 SUBSYSTEM=="graphics", GROUP="video"
-SUBSYSTEM=="drm", GROUP="video"
+SUBSYSTEM=="drm", KERNEL!="renderD*", GROUP="video"
 SUBSYSTEM=="dvb", GROUP="video"
 SUBSYSTEM=="media", GROUP="video"
 SUBSYSTEM=="cec", GROUP="video"
 
+SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="render", MODE="@GROUP_RENDER_MODE@"
+
 SUBSYSTEM=="sound", GROUP="audio", \
   OPTIONS+="static_node=snd/seq", OPTIONS+="static_node=snd/timer"
 
diff --git a/src/login/70-uaccess.rules b/src/login/70-uaccess.rules
index 9e9dbae0e0..e946bf2380 100644
--- a/src/login/70-uaccess.rules
+++ b/src/login/70-uaccess.rules
@@ -43,7 +43,7 @@ SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x010001*", TAG+="uaccess"
 SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", TAG+="uaccess"
 
 # DRI video devices
-SUBSYSTEM=="drm", KERNEL=="card*|renderD*", TAG+="uaccess"
+SUBSYSTEM=="drm", KERNEL=="card*", TAG+="uaccess"
 
 # smart-card readers
 ENV{ID_SMARTCARD_READER}=="?*", TAG+="uaccess"
diff --git a/sysusers.d/basic.conf.in b/sysusers.d/basic.conf.in
index 7d6021e855..6c23f4216d 100644
--- a/sysusers.d/basic.conf.in
+++ b/sysusers.d/basic.conf.in
@@ -32,6 +32,7 @@ g lp      -     -            -
 g kvm     -     -            -
 g tape    -     -            -
 g video   -     -            -
+g render  -     -            -
 
 # Default group for normal users
 g users   -     -            -