1/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3/***
4 This file is part of systemd.
5
6 Copyright 2011 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20***/
21
22#include <assert.h>
23#include <sys/acl.h>
24#include <acl/libacl.h>
25#include <errno.h>
26#include <string.h>
27
28#include "logind-acl.h"
29#include "util.h"
30
/* Looks up the ACL_USER entry for @uid in @acl.
 *
 * Returns 1 and stores the entry in *entry when a matching entry
 * exists, 0 when the ACL carries no entry for that uid, and a
 * negative errno when a libacl call fails. */
static int find_acl(acl_t acl, uid_t uid, acl_entry_t *entry) {
        acl_entry_t e;
        int r;

        assert(acl);
        assert(entry);

        r = acl_get_entry(acl, ACL_FIRST_ENTRY, &e);
        while (r > 0) {
                acl_tag_t tag;
                uid_t *q;
                bool match;

                if (acl_get_tag_type(e, &tag) < 0)
                        return -errno;

                /* Only named-user entries carry a uid qualifier. */
                if (tag == ACL_USER) {
                        q = acl_get_qualifier(e);
                        if (!q)
                                return -errno;

                        /* The qualifier is a separately allocated copy:
                         * compare first, then hand it back to libacl. */
                        match = *q == uid;
                        acl_free(q);

                        if (match) {
                                *entry = e;
                                return 1;
                        }
                }

                r = acl_get_entry(acl, ACL_NEXT_ENTRY, &e);
        }

        /* acl_get_entry() reports errors as a negative result. */
        if (r < 0)
                return -errno;

        return 0;
}
70
/* Removes every ACL_USER entry from @acl.
 *
 * Returns 1 when at least one entry was removed, 0 when there was
 * nothing to remove, and a negative errno on failure. The caller is
 * responsible for recomputing the mask and writing the ACL back. */
static int flush_acl(acl_t acl) {
        acl_entry_t e;
        int r, removed = 0;

        assert(acl);

        r = acl_get_entry(acl, ACL_FIRST_ENTRY, &e);
        while (r > 0) {
                acl_tag_t tag;

                if (acl_get_tag_type(e, &tag) < 0)
                        return -errno;

                if (tag == ACL_USER) {
                        /* NOTE(review): the current entry is deleted while the
                         * ACL is being iterated; this assumes libacl's cursor
                         * tolerates that — confirm against the libacl version
                         * in use. */
                        if (acl_delete_entry(acl, e) < 0)
                                return -errno;

                        removed = 1;
                }

                r = acl_get_entry(acl, ACL_NEXT_ENTRY, &e);
        }

        if (r < 0)
                return -errno;

        return removed;
}
101
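/* Adjusts the access ACL of the device node at @path.
 *
 *   flush                -> drop every ACL_USER entry;
 *   otherwise del/old_uid -> drop the entry for old_uid, if present;
 *   add/new_uid          -> make sure new_uid has an entry with rw.
 *
 * A uid of 0 is ignored for both del and add. The mask is recomputed
 * and the ACL written back only when something actually changed.
 *
 * Returns 0 on success — including when there was nothing to do —
 * and a negative errno on failure. (Previously a positive "entry
 * found" result from find_acl() could leak out in the no-change
 * case; callers only test for r < 0, but the contract is 0.) */
int devnode_acl(const char *path,
                bool flush,
                bool del, uid_t old_uid,
                bool add, uid_t new_uid) {

        acl_t acl;
        int r = 0;
        bool changed = false;

        assert(path);

        /* NOTE(review): the ACL is read and written back by path, so
         * the node could in principle be replaced between the two
         * calls; acl_get_fd()/acl_set_fd() on an opened descriptor
         * would close that window if it ever matters here. */
        acl = acl_get_file(path, ACL_TYPE_ACCESS);
        if (!acl)
                return -errno;

        if (flush) {

                r = flush_acl(acl);
                if (r < 0)
                        goto finish;
                if (r > 0)
                        changed = true;

        } else if (del && old_uid > 0) {
                acl_entry_t entry;

                r = find_acl(acl, old_uid, &entry);
                if (r < 0)
                        goto finish;

                if (r > 0) {
                        if (acl_delete_entry(acl, entry) < 0) {
                                r = -errno;
                                goto finish;
                        }

                        changed = true;
                }
        }

        if (add && new_uid > 0) {
                acl_entry_t entry;
                acl_permset_t permset;
                int rd, wt;

                r = find_acl(acl, new_uid, &entry);
                if (r < 0)
                        goto finish;

                if (r == 0) {
                        /* acl_create_entry() takes the ACL by address
                         * because it may reallocate it. */
                        if (acl_create_entry(&acl, &entry) < 0) {
                                r = -errno;
                                goto finish;
                        }

                        if (acl_set_tag_type(entry, ACL_USER) < 0 ||
                            acl_set_qualifier(entry, &new_uid) < 0) {
                                r = -errno;
                                goto finish;
                        }
                }

                if (acl_get_permset(entry, &permset) < 0) {
                        r = -errno;
                        goto finish;
                }

                rd = acl_get_perm(permset, ACL_READ);
                if (rd < 0) {
                        r = -errno;
                        goto finish;
                }

                wt = acl_get_perm(permset, ACL_WRITE);
                if (wt < 0) {
                        r = -errno;
                        goto finish;
                }

                /* Only touch the entry (and hence rewrite the ACL)
                 * when at least one of the two bits is missing. */
                if (!rd || !wt) {

                        if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0) {
                                r = -errno;
                                goto finish;
                        }

                        changed = true;
                }
        }

        /* r may still hold a positive find_acl() result; a no-op
         * is a success and is reported as 0. */
        r = 0;

        if (!changed)
                goto finish;

        /* Named-user entries are subject to the mask, so it has to
         * be recomputed before the ACL is stored. */
        if (acl_calc_mask(&acl) < 0) {
                r = -errno;
                goto finish;
        }

        if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0) {
                r = -errno;
                goto finish;
        }

finish:
        acl_free(acl);

        return r;
}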
212
/* Applies devnode_acl() to every device node tagged "uaccess" that
 * belongs to @seat. An empty @seat means "seat0", as does a device
 * without an ID_SEAT property. The remaining arguments are handed to
 * devnode_acl() unchanged.
 *
 * Returns 0 on success and a negative errno on the first failure;
 * devices listed after a failing node are not visited. */
int devnode_acl_all(struct udev *udev,
                    const char *seat,
                    bool flush,
                    bool del, uid_t old_uid,
                    bool add, uid_t new_uid) {

        struct udev_list_entry *item = NULL, *first = NULL;
        struct udev_enumerate *e;
        int r;

        assert(udev);

        if (isempty(seat))
                seat = "seat0";

        e = udev_enumerate_new(udev);
        if (!e)
                return -ENOMEM;

        /* libudev matches on a single tag only, so enumerate on
         * "uaccess" and filter on the seat by hand below; a second
         * match tag would not be something libudev could optimize
         * anyway. */
        r = udev_enumerate_add_match_tag(e, "uaccess");
        if (r < 0)
                goto finish;

        r = udev_enumerate_scan_devices(e);
        if (r < 0)
                goto finish;

        first = udev_enumerate_get_list_entry(e);
        udev_list_entry_foreach(item, first) {
                struct udev_device *d;
                const char *node, *sn;

                d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
                if (!d) {
                        /* NOTE(review): reported as -ENOMEM, although libudev
                         * also returns NULL for other failures (e.g. a device
                         * that vanished after enumeration) — confirm. */
                        r = -ENOMEM;
                        goto finish;
                }

                sn = udev_device_get_property_value(d, "ID_SEAT");
                if (isempty(sn))
                        sn = "seat0";

                node = udev_device_get_devnode(d);

                /* Skip devices on another seat, and devices that were
                 * tagged "uaccess" although they have no node. */
                if (!streq(seat, sn) || !node) {
                        udev_device_unref(d);
                        continue;
                }

                log_debug("Fixing up %s for seat %s...", node, sn);

                r = devnode_acl(node, flush, del, old_uid, add, new_uid);
                udev_device_unref(d);

                if (r < 0)
                        goto finish;
        }

finish:
        /* e is always set once we reach this label. */
        udev_enumerate_unref(e);

        return r;
}