]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/login/logind-acl.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
logind: replace udev_device by sd_device
[thirdparty/systemd.git] / src / login / logind-acl.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #include <errno.h>
4 #include <string.h>
5
6 #include "sd-device.h"
7
8 #include "acl-util.h"
9 #include "alloc-util.h"
10 #include "device-enumerator-private.h"
11 #include "dirent-util.h"
12 #include "escape.h"
13 #include "fd-util.h"
14 #include "format-util.h"
15 #include "logind-acl.h"
16 #include "set.h"
17 #include "string-util.h"
18 #include "util.h"
19
20 static int flush_acl(acl_t acl) {
21 acl_entry_t i;
22 int found;
23 bool changed = false;
24
25 assert(acl);
26
27 for (found = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
28 found > 0;
29 found = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
30
31 acl_tag_t tag;
32
33 if (acl_get_tag_type(i, &tag) < 0)
34 return -errno;
35
36 if (tag != ACL_USER)
37 continue;
38
39 if (acl_delete_entry(acl, i) < 0)
40 return -errno;
41
42 changed = true;
43 }
44
45 if (found < 0)
46 return -errno;
47
48 return changed;
49 }
50
51 int devnode_acl(const char *path,
52 bool flush,
53 bool del, uid_t old_uid,
54 bool add, uid_t new_uid) {
55
56 acl_t acl;
57 int r = 0;
58 bool changed = false;
59
60 assert(path);
61
62 acl = acl_get_file(path, ACL_TYPE_ACCESS);
63 if (!acl)
64 return -errno;
65
66 if (flush) {
67
68 r = flush_acl(acl);
69 if (r < 0)
70 goto finish;
71 if (r > 0)
72 changed = true;
73
74 } else if (del && old_uid > 0) {
75 acl_entry_t entry;
76
77 r = acl_find_uid(acl, old_uid, &entry);
78 if (r < 0)
79 goto finish;
80
81 if (r > 0) {
82 if (acl_delete_entry(acl, entry) < 0) {
83 r = -errno;
84 goto finish;
85 }
86
87 changed = true;
88 }
89 }
90
91 if (add && new_uid > 0) {
92 acl_entry_t entry;
93 acl_permset_t permset;
94 int rd, wt;
95
96 r = acl_find_uid(acl, new_uid, &entry);
97 if (r < 0)
98 goto finish;
99
100 if (r == 0) {
101 if (acl_create_entry(&acl, &entry) < 0) {
102 r = -errno;
103 goto finish;
104 }
105
106 if (acl_set_tag_type(entry, ACL_USER) < 0 ||
107 acl_set_qualifier(entry, &new_uid) < 0) {
108 r = -errno;
109 goto finish;
110 }
111 }
112
113 if (acl_get_permset(entry, &permset) < 0) {
114 r = -errno;
115 goto finish;
116 }
117
118 rd = acl_get_perm(permset, ACL_READ);
119 if (rd < 0) {
120 r = -errno;
121 goto finish;
122 }
123
124 wt = acl_get_perm(permset, ACL_WRITE);
125 if (wt < 0) {
126 r = -errno;
127 goto finish;
128 }
129
130 if (!rd || !wt) {
131
132 if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0) {
133 r = -errno;
134 goto finish;
135 }
136
137 changed = true;
138 }
139 }
140
141 if (!changed)
142 goto finish;
143
144 if (acl_calc_mask(&acl) < 0) {
145 r = -errno;
146 goto finish;
147 }
148
149 if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0) {
150 r = -errno;
151 goto finish;
152 }
153
154 r = 0;
155
156 finish:
157 acl_free(acl);
158
159 return r;
160 }
161
162 int devnode_acl_all(const char *seat,
163 bool flush,
164 bool del, uid_t old_uid,
165 bool add, uid_t new_uid) {
166
167 _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL;
168 _cleanup_set_free_free_ Set *nodes = NULL;
169 _cleanup_closedir_ DIR *dir = NULL;
170 struct dirent *dent;
171 sd_device *d;
172 Iterator i;
173 char *n;
174 int r;
175
176 nodes = set_new(&path_hash_ops);
177 if (!nodes)
178 return -ENOMEM;
179
180 r = sd_device_enumerator_new(&e);
181 if (r < 0)
182 return r;
183
184 if (isempty(seat))
185 seat = "seat0";
186
187 /* We can only match by one tag in libudev. We choose
188 * "uaccess" for that. If we could match for two tags here we
189 * could add the seat name as second match tag, but this would
190 * be hardly optimizable in libudev, and hence checking the
191 * second tag manually in our loop is a good solution. */
192 r = sd_device_enumerator_add_match_tag(e, "uaccess");
193 if (r < 0)
194 return r;
195
196 r = device_enumerator_scan_devices(e);
197 if (r < 0)
198 return r;
199
200 FOREACH_DEVICE_AND_SUBSYSTEM(e, d) {
201 const char *node, *sn;
202
203 if (sd_device_get_property_value(d, "ID_SEAT", &sn) < 0 || isempty(sn))
204 sn = "seat0";
205
206 if (!streq(seat, sn))
207 continue;
208
209 /* In case people mistag devices with nodes, we need to ignore this */
210 if (sd_device_get_devname(d, &node) < 0)
211 continue;
212
213 n = strdup(node);
214 if (!n)
215 return -ENOMEM;
216
217 log_debug("Found udev node %s for seat %s", n, seat);
218 r = set_consume(nodes, n);
219 if (r < 0)
220 return r;
221 }
222
223 /* udev exports "dead" device nodes to allow module on-demand loading,
224 * these devices are not known to the kernel at this moment */
225 dir = opendir("/run/udev/static_node-tags/uaccess");
226 if (dir) {
227 FOREACH_DIRENT(dent, dir, return -errno) {
228 _cleanup_free_ char *unescaped_devname = NULL;
229
230 if (cunescape(dent->d_name, UNESCAPE_RELAX, &unescaped_devname) < 0)
231 return -ENOMEM;
232
233 n = strappend("/dev/", unescaped_devname);
234 if (!n)
235 return -ENOMEM;
236
237 log_debug("Found static node %s for seat %s", n, seat);
238 r = set_consume(nodes, n);
239 if (r == -EEXIST)
240 continue;
241 if (r < 0)
242 return r;
243 }
244 }
245
246 r = 0;
247 SET_FOREACH(n, nodes, i) {
248 int k;
249
250 log_debug("Changing ACLs at %s for seat %s (uid "UID_FMT"→"UID_FMT"%s%s)",
251 n, seat, old_uid, new_uid,
252 del ? " del" : "", add ? " add" : "");
253
254 k = devnode_acl(n, flush, del, old_uid, add, new_uid);
255 if (k == -ENOENT)
256 log_debug("Device %s disappeared while setting ACLs", n);
257 else if (k < 0 && r == 0)
258 r = k;
259 }
260
261 return r;
262 }
Unnamed repository; edit this file 'description' to name the repository.