Merged
2 changes: 1 addition & 1 deletion docker/archlinux.dockerfile
Expand Up @@ -131,7 +131,7 @@ userdel -r builder

# then create the lizard user
groupadd -f -g "${PGID}" "${UNAME}"
useradd -lm -d ${HOME} -s /bin/bash -g "${PGID}" -G input -u "${PUID}" "${UNAME}"
useradd -lm -d ${HOME} -s /bin/bash -g "${PGID}" -u "${PUID}" "${UNAME}"
mkdir -p ${HOME}/.config/sunshine
ln -s ${HOME}/.config/sunshine /config
chown -R ${UNAME} ${HOME}
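
Review bot: With `-G input` gone from the `useradd` line, nothing in this hunk records what the container user now relies on for `/dev/uinput` access. A short comment above `useradd` stating that `${PUID}` has to match the host user who receives the uaccess ACL would keep a later reader from re-adding the group or picking an arbitrary UID. The same applies to the identical line in the other five dockerfiles.
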
2 changes: 1 addition & 1 deletion docker/debian-bullseye.dockerfile
Expand Up @@ -161,7 +161,7 @@ RUN <<_SETUP_USER
#!/bin/bash
set -e
groupadd -f -g "${PGID}" "${UNAME}"
useradd -lm -d ${HOME} -s /bin/bash -g "${PGID}" -G input -u "${PUID}" "${UNAME}"
useradd -lm -d ${HOME} -s /bin/bash -g "${PGID}" -u "${PUID}" "${UNAME}"
mkdir -p ${HOME}/.config/sunshine
ln -s ${HOME}/.config/sunshine /config
chown -R ${UNAME} ${HOME}
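
Review bot: On the changed `useradd` line, `-d ${HOME}` is unquoted while `"${PGID}"`, `"${PUID}"` and `"${UNAME}"` are quoted, and the `mkdir`, `ln` and `chown` lines below it leave `${HOME}` and `${UNAME}` unquoted as well. Since the line is being touched anyway, quoting them (`-d "${HOME}"`, `chown -R "${UNAME}" "${HOME}"`) avoids word splitting if a build argument ever contains a space.
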
2 changes: 1 addition & 1 deletion docker/fedora-36.dockerfile
Expand Up @@ -159,7 +159,7 @@ RUN <<_SETUP_USER
#!/bin/bash
set -e
groupadd -f -g "${PGID}" "${UNAME}"
useradd -lm -d ${HOME} -s /bin/bash -g "${PGID}" -G input -u "${PUID}" "${UNAME}"
useradd -lm -d ${HOME} -s /bin/bash -g "${PGID}" -u "${PUID}" "${UNAME}"
mkdir -p ${HOME}/.config/sunshine
ln -s ${HOME}/.config/sunshine /config
chown -R ${UNAME} ${HOME}
2 changes: 1 addition & 1 deletion docker/fedora-37.dockerfile
Expand Up @@ -159,7 +159,7 @@ RUN <<_SETUP_USER
#!/bin/bash
set -e
groupadd -f -g "${PGID}" "${UNAME}"
useradd -lm -d ${HOME} -s /bin/bash -g "${PGID}" -G input -u "${PUID}" "${UNAME}"
useradd -lm -d ${HOME} -s /bin/bash -g "${PGID}" -u "${PUID}" "${UNAME}"
mkdir -p ${HOME}/.config/sunshine
ln -s ${HOME}/.config/sunshine /config
chown -R ${UNAME} ${HOME}
2 changes: 1 addition & 1 deletion docker/ubuntu-20.04.dockerfile
Expand Up @@ -198,7 +198,7 @@ RUN <<_SETUP_USER
#!/bin/bash
set -e
groupadd -f -g "${PGID}" "${UNAME}"
useradd -lm -d ${HOME} -s /bin/bash -g "${PGID}" -G input -u "${PUID}" "${UNAME}"
useradd -lm -d ${HOME} -s /bin/bash -g "${PGID}" -u "${PUID}" "${UNAME}"
mkdir -p ${HOME}/.config/sunshine
ln -s ${HOME}/.config/sunshine /config
chown -R ${UNAME} ${HOME}
2 changes: 1 addition & 1 deletion docker/ubuntu-22.04.dockerfile
Expand Up @@ -162,7 +162,7 @@ RUN <<_SETUP_USER
#!/bin/bash
set -e
groupadd -f -g "${PGID}" "${UNAME}"
useradd -lm -d ${HOME} -s /bin/bash -g "${PGID}" -G input -u "${PUID}" "${UNAME}"
useradd -lm -d ${HOME} -s /bin/bash -g "${PGID}" -u "${PUID}" "${UNAME}"
mkdir -p ${HOME}/.config/sunshine
ln -s ${HOME}/.config/sunshine /config
chown -R ${UNAME} ${HOME}
11 changes: 3 additions & 8 deletions docs/source/about/usage.rst
Expand Up @@ -68,16 +68,11 @@ The `deb`, `rpm`, `Flatpak` and `AppImage` packages handle these steps automatic

Sunshine needs access to `uinput` to create mouse and gamepad events.

#. Add user to group `input`, if this is the first time installing.
.. code-block:: bash

sudo usermod -a -G input $USER

#. Create `udev` rules.
.. code-block::
.. code-block:: bash

echo 'KERNEL=="uinput", GROUP="input", MODE="0660", OPTIONS+="static_node=uinput"' | \
sudo tee /etc/udev/rules.d/85-sunshine-input.rules
echo 'KERNEL=="uinput", SUBSYSTEM=="misc", OPTIONS+="static_node=uinput", TAG+="uaccess"' | \
sudo tee /etc/udev/rules.d/85-sunshine.rules

#. Optionally, configure autostart service
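
Review bot: The rule file is renamed from `85-sunshine-input.rules` to `85-sunshine.rules`, but the steps give upgraders nothing to do about the old file or the `input` group membership that the removed step created. Anyone who followed the previous instructions keeps `GROUP="input", MODE="0660"` in effect alongside the new rule. Add a line telling them to delete `/etc/udev/rules.d/85-sunshine-input.rules` and, if they no longer need the membership, to run `gpasswd -d $USER input`.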

3 changes: 1 addition & 2 deletions packaging/linux/AppImage/AppRun
Expand Up @@ -45,9 +45,8 @@ echo "

function install() {
# user input rules
sudo usermod -a -G input $USER
# shellcheck disable=SC2002
cat "$SUNSHINE_SHARE_HERE/udev/rules.d/85-sunshine.rules" | sudo tee /etc/udev/85-sunshine.rules
cat "$SUNSHINE_SHARE_HERE/udev/rules.d/85-sunshine.rules" | sudo tee /etc/udev/rules.d/85-sunshine.rules

# sunshine service
mkdir -p ~/.config/systemd/user
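
Review bot: The corrected destination in `install()` leaves the earlier wrong one behind: anyone who ran the previous version still has `/etc/udev/85-sunshine.rules`, so a `sudo rm -f /etc/udev/85-sunshine.rules` here would clean that up. The `cat ... | sudo tee` form also needs the `SC2002` suppression and echoes the rule to the terminal; `sudo tee /etc/udev/rules.d/85-sunshine.rules < "$SUNSHINE_SHARE_HERE/udev/rules.d/85-sunshine.rules" > /dev/null` does the same without either.
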
4 changes: 2 additions & 2 deletions packaging/linux/flatpak/scripts/additional-install.sh
Expand Up @@ -6,8 +6,8 @@ cp /app/share/sunshine/systemd/user/sunshine.service $HOME/.config/systemd/user/
echo Sunshine User Service has been installed.
echo Use [systemctl --user enable sunshine] once to autostart Sunshine on login.

# Udev rule and input group
# Udev rule
UDEV=$(cat /app/share/sunshine/udev/rules.d/85-sunshine.rules)
echo Configuring mouse permission.
flatpak-spawn --host pkexec sh -c "usermod -a -G input $USER && echo '$UDEV' > /etc/udev/rules.d/85-sunshine.rules"
flatpak-spawn --host pkexec sh -c "echo '$UDEV' > /etc/udev/rules.d/85-sunshine.rules"
echo Restart computer for mouse permission to take effect.
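
Review bot: In the `flatpak-spawn --host pkexec sh -c "echo '$UDEV' > ..."` line, the contents of the rules file are spliced into a command string that a root shell then parses, so a single quote anywhere in `85-sunshine.rules` would end the quoted argument and change what runs under `pkexec`. Pass the rule as data instead of embedding it in the `sh -c` string, for example by feeding the file to `tee` on the host side, and quote `$HOME` in the `cp` above while this script is being edited.
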
4 changes: 2 additions & 2 deletions packaging/linux/flatpak/scripts/remove-additional-install.sh
Expand Up @@ -6,6 +6,6 @@ rm $HOME/.config/systemd/user/sunshine.service
systemctl --user daemon-reload
echo Sunshine User Service has been removed.

# Udev rule and input group
flatpak-spawn --host pkexec sh -c "gpasswd -d $USER input && rm /etc/udev/rules.d/85-sunshine.rules"
# Udev rule
flatpak-spawn --host pkexec sh -c "rm /etc/udev/rules.d/85-sunshine.rules"
echo Mouse permission removed. Restart computer to take effect.
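
Review bot: Dropping `gpasswd -d $USER input` from the removal command means users who installed with the previous script, which ran `usermod -a -G input $USER`, stay in `input` after uninstalling. Either keep a best-effort group removal for upgraders or mention the leftover membership in the final `echo`. The remaining `rm` would also be safer as `rm -f`, so the `pkexec` call does not fail when the rule file is already gone.
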
2 changes: 1 addition & 1 deletion src_assets/linux/misc/85-sunshine.rules
@@ -1 +1 @@
KERNEL=="uinput", GROUP="input", MODE="0660", OPTIONS+="static_node=uinput"
KERNEL=="uinput", SUBSYSTEM=="misc", OPTIONS+="static_node=uinput", TAG+="uaccess"
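
Review bot: `TAG+="uaccess"` is set from a file ordered at 85, but systemd acts on that tag in `73-seat-late.rules`, so within a single udev event the tag is added after the rule that applies the ACL has already run. Rules that set `uaccess` are normally numbered below 73; consider renaming the file with a lower prefix and checking with `getfacl /dev/uinput` after `udevadm trigger` that the user ACL entry appears.
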
12 changes: 0 additions & 12 deletions src_assets/linux/misc/postinst
@@ -1,17 +1,5 @@
#!/bin/sh

export GROUP_INPUT=input

if [ -f /etc/group ]; then
if ! grep -q $GROUP_INPUT /etc/group; then
echo "Creating group $GROUP_INPUT"

groupadd $GROUP_INPUT
Collaborator

I think this broke the Docker builds.

Contributor Author

Yes, you're right. I removed creation of input group from DEB/RPM postinstall script since udev rule makes it unnecessary. However, Docker images still try to create a lizard user and add it to input group:

useradd -lm -d ${HOME} -s /bin/bash -g "${PGID}" -G input -u "${PUID}" "${UNAME}"

Unfortunately, Debian/Ubuntu images don't have input group by default. That's why the build fails.

In this case I suggest to create lizard user without input group. Normally, users created in Docker containers don't have access to host devices. But as I see, UID and GID of lizard user are set to match UID and GID of host user. This means that if we properly install udev rule on the host, both host user and lizard user should be able to access Sunshine virtual devices. No input group needed.

Applied the changes in the commit below.

Collaborator

@ABeltramo does this seem like a sane approach to you?

Contributor

This is a tricky one and would have to be tested, but if the udev rules are going to give group access to the specified GID and that's the same group mapped to the container, it should work.
Am I getting the approach here right?

Contributor Author

@ABeltramo Basically yes, except that udev rules are going to give user access to the specified UID and that's the same user mapped to the container. Groups are not involved at all. The whole point of this PR is to avoid group permissions and rely on user permissions exclusively. It is intended to work in the following way:

  1. We install udev rule on the host.
  2. udev rule sets up ACL on /dev/uinput to grant R/W access to user on the host. Here is how permissions look on my system:

         $ getfacl /dev/uinput
         getfacl: Removing leading '/' from absolute path names
         # file: dev/uinput
         # owner: root
         # group: input
         user::rw-
         user:kodemeister:rw-
         group::rw-
         mask::rw-
         other::---

     Please note the line user:kodemeister:rw-. This means that user kodemeister has R/W access to /dev/uinput in addition to standard Unix user/group/other permissions.
  3. We run Docker container and mount /dev directory from host to container (-v /dev:/dev).
  4. We create a new lizard user in the container and assign it the same UID as kodemeister user on the host.
  5. As a result, lizard user should have access to /dev/uinput without messing with group permissions.

Indeed, this needs to be tested. Are there any instructions on running dockerized Sunshine? Setting up GUI apps in a container is a bit of pain.

Contributor

Thanks, makes perfect sense to me.
I'm on my phone, but I'll try just to add a couple of random notes:

  • There's no need to pass the full /dev to the docker container; you can add: -v /dev/input:/dev/input:rw and --device /dev/uinput and that should be enough
  • As for running Sunshine in Docker, I'm the main maintainer of Games on Whales https://github.com/games-on-whales/gow where we build a little image on top of Sunshine (coincidentally it's mainly just to set up additional user/group access) and a bunch of others so that you can "easily" run this in Docker.

fi
else
echo "Warning: /etc/group not found"
fi

# Ensure Sunshine can grab images from KMS
path_to_setcap=$(which setcap)
if [ -x "$path_to_setcap" ] ; then