From c6108ca850b946d385b1780c49ccda270ec6ae69 Mon Sep 17 00:00:00 2001
From: Dusty Mabe
Date: Fri, 5 Jun 2026 16:25:07 -0400
Subject: [PATCH] init: loosen perms on /dev/kvm if it exists
Best effort loosen /dev/kvm permissions to allow nested virtualization by unprivileged processes inside the microVM (usually a single purpose environment). Log errors but don't log ENOENT since the guest kernel may not support KVM or nested virtualization might not be enabled.
Assisted-by: OpenCode:claude-opus-4.6
Signed-off-by: Dusty Mabe
---
init/init.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/init/init.c b/init/init.c
index a65d68015..8ab4b64fe 100644
--- a/init/init.c
+++ b/init/init.c
@@ -521,6 +521,16 @@ static int mount_filesystems()
 return -1;
 }
+ /*
+ * Best effort loosen /dev/kvm permissions to allow nested virtualization by
+ * unprivileged processes inside the microVM (usually a single purpose
+ * environment). Log errors but don't log ENOENT since the guest kernel may
+ * not support KVM or nested virtualization might not be enabled.
+ */
+ if (chmod("/dev/kvm", 0666) < 0 && errno != ENOENT) {
+ perror("chmod(/dev/kvm)");
+ }
+
 if (mount("proc", "/proc", "proc", MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RELATIME, NULL) < 0 && errno != EBUSY) {
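Review bot: Because ENOENT is deliberately swallowed, the `chmod("/dev/kvm", 0666)` added before the /proc mount can silently never apply if /dev is not yet populated (devtmpfs mounted) at this point of mount_filesystems, and a user would have no diagnostic; the preceding mount block that returns -1 is outside the hunk, so this ordering is inferred and worth confirming. Either place the chmod after the point where /dev is known to be mounted, or add a comment such as `/* must run after devtmpfs is mounted on /dev, otherwise ENOENT hides the no-op */` so the dependency is explicit. Since 0666 is a world-writable device node, consider documenting in the comment that this is a deliberate single-tenant trade-off, and whether a narrower `0660` with a `kvm` group or a kernel-cmdline/config gate would fit callers that do not need nested virtualization. `chmod` needs `<sys/stat.h>`; the include list is not visible in the hunk, so verify it is already present. mount_filesystems starts before and ends after this hunk.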