Make /dev/dri/renderD* accessible to group "render"

Follow upstream and make render nodes available to a dedicated system
group "render" instead of "video". Keep the uaccess tag for local,
active users.

debian/patches/Re-add-uaccess-tag-for-dev-dri-renderD.patch

@@ -0,0 +1,49 @@
+From: Michael Biebl <biebl@debian.org>
+Date: Wed, 13 Mar 2019 23:22:26 +0100
+Subject: Re-add uaccess tag for /dev/dri/renderD*
+
+Setting an access mode != 0666 is explicitly supported via -Dgroup-render-mode
+In such a case, re-add the uaccess tag.
+
+This is basically the same change that was done for /dev/kvm in
+commit fa53e24130af3a389573acb9585eadbf7192955f and
+ace5e3111c0b8d8bfd84b32f2c689b0a4d92c061
+and partially reverts the changes from
+4e15a7343cb389e97f3eb4f49699161862d8b8b2
+
+(cherry picked from commit 055a083a47de968744c4988fe305592477118c86)
+---
+ meson.build                   | 4 +++-
+ src/login/70-uaccess.rules.m4 | 4 ++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index 56c98b9..d340736 100644
+--- a/meson.build
++++ b/meson.build
+@@ -818,7 +818,9 @@ conf.set10('ENABLE_WHEEL_GROUP', get_option('wheel-group'))
+ dev_kvm_mode = get_option('dev-kvm-mode')
+ substs.set('DEV_KVM_MODE', dev_kvm_mode)
+ conf.set10('DEV_KVM_UACCESS', dev_kvm_mode != '0666')
+-substs.set('GROUP_RENDER_MODE', get_option('group-render-mode'))
++group_render_mode = get_option('group-render-mode')
++substs.set('GROUP_RENDER_MODE', group_render_mode)
++conf.set10('GROUP_RENDER_UACCESS', group_render_mode != '0666')
+ 
+ kill_user_processes = get_option('default-kill-user-processes')
+ conf.set10('KILL_USER_PROCESSES', kill_user_processes)
+diff --git a/src/login/70-uaccess.rules.m4 b/src/login/70-uaccess.rules.m4
+index d55e5bf..4bb144a 100644
+--- a/src/login/70-uaccess.rules.m4
++++ b/src/login/70-uaccess.rules.m4
+@@ -46,6 +46,10 @@ SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", TAG+="uaccess"
+ 
+ # DRI video devices
+ SUBSYSTEM=="drm", KERNEL=="card*", TAG+="uaccess"
++m4_ifdef(`GROUP_RENDER_UACCESS',``
++# DRI render nodes
++SUBSYSTEM=="drm", KERNEL=="renderD*", TAG+="uaccess"''
++)m4_dnl
+ m4_ifdef(`DEV_KVM_UACCESS',``
+ # KVM
+ SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"''

debian/patches/debian/Revert-udev-rules-Permission-changes-for-dev-dri-renderD.patch

@@ -1,82 +0,0 @@
-From: Michael Biebl <biebl@debian.org>
-Date: Sun, 17 Dec 2017 00:31:20 +0100
-Subject: Revert "udev-rules: Permission changes for /dev/dri/renderD*"
-
-This would introduce a new system group "render". As the name is rather
-generic, this needs further discussion first, so revert this change for
-now.
-
-This reverts commit 4e15a7343cb389e97f3eb4f49699161862d8b8b2.
----
- meson.build                    | 2 --
- meson_options.txt              | 2 --
- rules/50-udev-default.rules.in | 5 +----
- src/login/70-uaccess.rules.m4  | 2 +-
- 4 files changed, 2 insertions(+), 9 deletions(-)
-
-diff --git a/meson.build b/meson.build
-index c539a00..1c00000 100644
---- a/meson.build
-+++ b/meson.build
-@@ -818,7 +818,6 @@ conf.set10('ENABLE_WHEEL_GROUP', get_option('wheel-group'))
- dev_kvm_mode = get_option('dev-kvm-mode')
- substs.set('DEV_KVM_MODE', dev_kvm_mode)
- conf.set10('DEV_KVM_UACCESS', dev_kvm_mode != '0666')
--substs.set('GROUP_RENDER_MODE', get_option('group-render-mode'))
- 
- kill_user_processes = get_option('default-kill-user-processes')
- conf.set10('KILL_USER_PROCESSES', kill_user_processes)
-@@ -3107,7 +3106,6 @@ status = [
-         'minimum container UID base:        @0@'.format(container_uid_base_min),
-         'maximum container UID base:        @0@'.format(container_uid_base_max),
-         '/dev/kvm access mode:              @0@'.format(get_option('dev-kvm-mode')),
--        'render group access mode:          @0@'.format(get_option('group-render-mode')),
-         'certificate root directory:        @0@'.format(get_option('certificate-root')),
-         'support URL:                       @0@'.format(support_url),
-         'nobody user name:                  @0@'.format(nobody_user),
-diff --git a/meson_options.txt b/meson_options.txt
-index 044bb79..2dcfa3b 100644
---- a/meson_options.txt
-+++ b/meson_options.txt
-@@ -192,8 +192,6 @@ option('nobody-group', type : 'string',
-        value : 'nobody')
- option('dev-kvm-mode', type : 'string', value : '0666',
-        description : '/dev/kvm access mode')
--option('group-render-mode', type : 'string', value : '0666',
--       description : 'Access mode for devices owned by render group (e.g. /dev/dri/renderD*, /dev/kfd).')
- option('default-kill-user-processes', type : 'boolean',
-        description : 'the default value for KillUserProcesses= setting')
- option('gshadow', type : 'boolean',
-diff --git a/rules/50-udev-default.rules.in b/rules/50-udev-default.rules.in
-index 191f56f..63aa3db 100644
---- a/rules/50-udev-default.rules.in
-+++ b/rules/50-udev-default.rules.in
-@@ -31,14 +31,11 @@ SUBSYSTEM=="input", KERNEL=="js[0-9]*", MODE="0664"
- 
- SUBSYSTEM=="video4linux", GROUP="video"
- SUBSYSTEM=="graphics", GROUP="video"
--SUBSYSTEM=="drm", KERNEL!="renderD*", GROUP="video"
-+SUBSYSTEM=="drm", GROUP="video"
- SUBSYSTEM=="dvb", GROUP="video"
- SUBSYSTEM=="media", GROUP="video"
- SUBSYSTEM=="cec", GROUP="video"
- 
--SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="render", MODE="@GROUP_RENDER_MODE@"
--SUBSYSTEM=="kfd", GROUP="render", MODE="@GROUP_RENDER_MODE@"
--
- SUBSYSTEM=="sound", GROUP="audio", \
-   OPTIONS+="static_node=snd/seq", OPTIONS+="static_node=snd/timer"
- 
-diff --git a/src/login/70-uaccess.rules.m4 b/src/login/70-uaccess.rules.m4
-index d55e5bf..e46cacb 100644
---- a/src/login/70-uaccess.rules.m4
-+++ b/src/login/70-uaccess.rules.m4
-@@ -45,7 +45,7 @@ SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x010001*", TAG+="uaccess"
- SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", TAG+="uaccess"
- 
- # DRI video devices
--SUBSYSTEM=="drm", KERNEL=="card*", TAG+="uaccess"
-+SUBSYSTEM=="drm", KERNEL=="card*|renderD*", TAG+="uaccess"
- m4_ifdef(`DEV_KVM_UACCESS',``
- # KVM
- SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"''

debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch

@@ -239,10 +239,10 @@ index 0000000..b7ad58d
 +
 +</refentry>
 diff --git a/meson.build b/meson.build
-index 56c98b9..c539a00 100644
+index d340736..d4887d5 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -2393,6 +2393,14 @@ executable('systemd-makefs',
+@@ -2395,6 +2395,14 @@ executable('systemd-makefs',
             install : true,
             install_dir : rootlibexecdir)
  

debian/patches/series

@@ -9,6 +9,7 @@ timedate-fix-emitted-value-when-ntp-client-is-enabled-dis.patch
 cgtop-Fix-processing-of-controllers-other-than-CPU.patch
 udev-restore-debug-level-when-logging-a-failure-in-the-ex.patch
 remove-.-path-components-from-required-mount-paths.patch
+Re-add-uaccess-tag-for-dev-dri-renderD.patch
 debian/Use-Debian-specific-config-files.patch
 debian/Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch
 debian/Make-run-lock-tmpfs-an-API-fs.patch
@@ -24,5 +25,4 @@ debian/Revert-core-set-RLIMIT_CORE-to-unlimited-by-default.patch
 debian/Revert-core-enable-TasksMax-for-all-services-by-default-a.patch
 debian/Let-graphical-session-pre.target-be-manually-started.patch
 debian/Add-env-variable-for-machine-ID-path.patch
-debian/Revert-udev-rules-Permission-changes-for-dev-dri-renderD.patch
 debian/Drop-seccomp-system-call-filter-for-udev.patch

debian/rules

@@ -73,7 +73,8 @@ CONFFLAGS = \
 	-Dnobody-user=nobody \
 	-Dnobody-group=nogroup \
 	-Dbump-proc-sys-fs-nr-open=false \
-	-Ddev-kvm-mode=0660
+	-Ddev-kvm-mode=0660 \
+	-Dgroup-render-mode=0660
 
 # resolved's DNSSEC support is still not mature enough, don't enable it by
 # default on stable Debian or any Ubuntu releases

debian/udev.postinst

@@ -107,6 +107,9 @@ case "$1" in
     # Make /dev/kvm accessible to kvm group
     addgroup --quiet --system kvm
 
+    # Make /dev/dri/renderD* accessible to render group
+    addgroup --quiet --system render
+
     if [ -z "$2" ]; then # first install
       if ! chrooted && ! in_debootstrap; then
 	enable_udev