From aa12beb7503a13b13a9a417fbd094f5d4a9b5fa6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Fri, 6 Jun 2025 11:30:27 +0200
Subject: [PATCH] =?UTF-8?q?guix-install.sh:=20Add=20the=20=E2=80=9Ckvm?= =?UTF-8?q?=E2=80=9D=20GID=20to=20/etc/subgid.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* etc/guix-install.sh (SYSTEMD_REQUIRE): New variable. (sys_create_build_user): Populate /etc/subgid.

Change-Id: I989c3ff682453d8d65e313c89fb751a20aa48bb8
---
 etc/guix-install.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/etc/guix-install.sh b/etc/guix-install.sh
index 39189304727..57fd88e5098 100755
--- a/etc/guix-install.sh
+++ b/etc/guix-install.sh
@@ -91,6 +91,11 @@ SYSV_INIT_REQUIRE=(
 "daemonize"
 )
 
+# Unprivileged guix-daemon requires 'newgidmap'.
+SYSTEMD_REQUIRE=(
+ "newgidmap"
+)
+
 PAS=$'[ \033[32;1mPASS\033[0m ] '
 ERR=$'[ \033[31;1mFAIL\033[0m ] '
 WAR=$'[ \033[33;1mWARN\033[0m ] '
@@ -516,6 +521,13 @@ sys_create_build_user()
 guix-daemon"$KVMGROUP" \
 "Unprivileged Guix Daemon User"
 
+ if getent group kvm > /dev/null; then
+ # Allow 'newgidmap' to map the "kvm" group.
+ local kvmgid="$(getent group kvm | cut -f3 -d:)"
+ _msg_info "allowing kvm mapping (GID $kvmgid) for unprivileged guix-daemon"
+ echo "guix-daemon:$kvmgid:1" >> /etc/subgid
+ fi
+
 # ‘tar xf’ creates root:root files. Change that.
 chown -R guix-daemon:guix-daemon /gnu /var/guix
 chown -R root:root /var/guix/profiles/per-user/root
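Review bot: `SYSTEMD_REQUIRE` is defined in the first hunk but nothing in this patch reads it. The diffstat lists 12 insertions, all of them in the two hunks shown, and neither passes the new array to a requirement check. Unless code outside the diff already consumes it, a host without `newgidmap` still passes the installer's prerequisite checks, and the `/etc/subgid` entry written in the second hunk is of no use to the unprivileged daemon. I would hand the array to whatever check already consumes `SYSV_INIT_REQUIRE`, on the systemd path. I would also extend the comment to say why the name is tied to systemd, e.g. `# Unprivileged guix-daemon (systemd installs only) needs 'newgidmap' to map the "kvm" GID.`, if that is indeed the intent.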
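Review bot: The append to `/etc/subgid` in the second hunk is unconditional and unvalidated. `echo "guix-daemon:$kvmgid:1" >> /etc/subgid` adds another copy of the line on every run that reaches it, and if the `cut` yields nothing it writes `guix-daemon::1` into the file `newgidmap` consults to decide which GIDs may be mapped. `local kvmgid="$(…)"` also hides the pipeline's exit status behind `local`. I would split the declaration from the assignment, require a numeric GID, and skip the write when the exact entry is already present, as below. The body of `sys_create_build_user` starts and ends outside the hunk, so whether an outer guard already prevents a second pass is not visible here.

```shell
        if getent group kvm > /dev/null; then
            # Allow 'newgidmap' to map the "kvm" group (exactly one GID).
            local kvmgid
            kvmgid="$(getent group kvm | cut -f3 -d:)"
            # Write only a well-formed entry, and only once, so re-runs do not
            # pile up duplicate or malformed lines in /etc/subgid.
            if [[ "$kvmgid" =~ ^[0-9]+$ ]] \
                   && ! grep -qxF -- "guix-daemon:$kvmgid:1" /etc/subgid 2>/dev/null; then
                # … unchanged: _msg_info and the append to /etc/subgid …
            fi
        fi
```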