From 136bb02b91f920dd8610bbea7968d09858a6978a Mon Sep 17 00:00:00 2001
From: Nathan Chancellor
Date: Sun, 29 Dec 2024 21:37:29 -0700
Subject: [PATCH] python: sd_nspawn: Only add kvm.conf if the user has rw access to /dev/kvm

Signed-off-by: Nathan Chancellor
---
 python/scripts/sd_nspawn.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/python/scripts/sd_nspawn.py b/python/scripts/sd_nspawn.py
index 06379a5a..96bcaec0 100755
--- a/python/scripts/sd_nspawn.py
+++ b/python/scripts/sd_nspawn.py
@@ -23,6 +23,8 @@
     'x86_64': 'dev-arch',
 }
 
+DEV_KVM_ACCESS = os.access('/dev/kvm', os.R_OK | os.W_OK)
+
 
 class NspawnConfig(UserDict):
 
@@ -223,8 +225,8 @@ def install_files(self):
         # Allow containers started as services to access /dev/kvm to run
         # accelerated VMs, which allows avoiding installing QEMU in the host
         # environment.
-        if not (kvm_conf :=
-                Path('/etc/systemd/system/systemd-nspawn@.service.d/kvm.conf')).exists():
+        if DEV_KVM_ACCESS and not (kvm_conf := Path(
+                '/etc/systemd/system/systemd-nspawn@.service.d/kvm.conf')).exists():
             kvm_conf_txt = ('[Service]\n'
                             'DeviceAllow=/dev/kvm rw\n')
             if not kvm_conf.parent.exists():
@@ -315,8 +317,9 @@ def reset(self, mode):
         setup_files = {
             SYSTEMD_RUN_M,
             Path('/etc/polkit-1/rules.d', f"50-permit-{USER}-machinectl-shell.rules"),
-            Path('/etc/systemd/system/systemd-nspawn@.service.d/kvm.conf'),
         }
+        if DEV_KVM_ACCESS:
+            setup_files.add(Path('/etc/systemd/system/systemd-nspawn@.service.d/kvm.conf'))
 
         if mode == 'machine':
             items_to_remove = machine_files
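Review bot: The new module-level `DEV_KVM_ACCESS` constant has no comment saying what it encodes or that it is evaluated once, at import time, against the credentials of the process running the script, so a reader of `install_files` or `reset` has to go back to line 26 to learn that a missing `/dev/kvm` node and a missing group membership both produce the same `False`. `os.access` answers for the real uid/gid of the running process; if this script is normally invoked with elevated privileges to write under `/etc` (how it is run is outside the hunk), the check reflects those privileges rather than the invoking user's, which is worth stating next to the constant. A comment such as `# Checked once at import: can this process open /dev/kvm read-write? False when the node is absent or we lack group access.` would make both points explicit. The hunk also assumes `os` is imported at the top of the file, which is outside the view.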
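Review bot: Moving the walrus to the right of `DEV_KVM_ACCESS and` means `kvm_conf` is never bound when `DEV_KVM_ACCESS` is false, because `and` short-circuits before the assignment expression runs; the visible uses of `kvm_conf` are inside the `if` body, but `install_files` continues past the hunk, and any later reference would raise `NameError` only on hosts without KVM access. Binding the path first keeps the name defined on every path and reads more plainly: `kvm_conf = Path('/etc/systemd/system/systemd-nspawn@.service.d/kvm.conf')` followed by `if DEV_KVM_ACCESS and not kvm_conf.exists():`. The enclosing `install_files` starts and ends outside the hunk.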
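Review bot: Gating the kvm.conf entry in `reset` on `DEV_KVM_ACCESS` ties removal to the current state of `/dev/kvm` access rather than to whether the drop-in was installed, so a kvm.conf written by an earlier run (or by an earlier version of the script, which always installed it) is left in place when KVM access is later lost; that file keeps granting every `systemd-nspawn@` service instance `DeviceAllow=/dev/kvm rw`, which is exactly the kind of leftover privilege a reset should clear. Unless removal of a non-existent path is an error in the code that consumes `items_to_remove` (that code is outside the hunk), keeping `Path('/etc/systemd/system/systemd-nspawn@.service.d/kvm.conf'),` unconditionally in the `setup_files` literal, or gating on `kvm_conf.exists()` instead of `DEV_KVM_ACCESS`, would make reset match what was actually installed. The enclosing `reset` starts and ends outside the hunk.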