[thirdparty/systemd.git] / src / login / logind-acl.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2011 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <assert.h>
#include <sys/acl.h>
#include <acl/libacl.h>
#include <errno.h>
#include <string.h>

#include "logind-acl.h"
#include "util.h"
#include "acl-util.h"

static int flush_acl(acl_t acl) {
        acl_entry_t i;
        int found;
        bool changed = false;

        assert(acl);

        for (found = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
             found > 0;
             found = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {

                acl_tag_t tag;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if (tag != ACL_USER)
                        continue;

                if (acl_delete_entry(acl, i) < 0)
                        return -errno;

                changed = true;
        }

        if (found < 0)
                return -errno;

        return changed;
}

int devnode_acl(const char *path,
                bool flush,
                bool del, uid_t old_uid,
                bool add, uid_t new_uid) {

        acl_t acl;
        int r = 0;
        bool changed = false;

        assert(path);

        acl = acl_get_file(path, ACL_TYPE_ACCESS);
        if (!acl)
                return -errno;

        if (flush) {

                r = flush_acl(acl);
                if (r < 0)
                        goto finish;
                if (r > 0)
                        changed = true;

        } else if (del && old_uid > 0) {
                acl_entry_t entry;

                r = acl_find_uid(acl, old_uid, &entry);
                if (r < 0)
                        goto finish;

                if (r > 0) {
                        if (acl_delete_entry(acl, entry) < 0) {
                                r = -errno;
                                goto finish;
                        }

                        changed = true;
                }
        }

        if (add && new_uid > 0) {
                acl_entry_t entry;
                acl_permset_t permset;
                int rd, wt;

                r = acl_find_uid(acl, new_uid, &entry);
                if (r < 0)
                        goto finish;

                if (r == 0) {
                        if (acl_create_entry(&acl, &entry) < 0) {
                                r = -errno;
                                goto finish;
                        }

                        if (acl_set_tag_type(entry, ACL_USER) < 0 ||
                            acl_set_qualifier(entry, &new_uid) < 0) {
                                r = -errno;
                                goto finish;
                        }
                }

                if (acl_get_permset(entry, &permset) < 0) {
                        r = -errno;
                        goto finish;
                }

                rd = acl_get_perm(permset, ACL_READ);
                if (rd < 0) {
                        r = -errno;
                        goto finish;
                }

                wt = acl_get_perm(permset, ACL_WRITE);
                if (wt < 0) {
                        r = -errno;
                        goto finish;
                }

                if (!rd || !wt) {

                        if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0) {
                                r = -errno;
                                goto finish;
                        }

                        changed = true;
                }
        }

        if (!changed)
                goto finish;

        if (acl_calc_mask(&acl) < 0) {
                r = -errno;
                goto finish;
        }

        if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0) {
                r = -errno;
                goto finish;
        }

        r = 0;

finish:
        acl_free(acl);

        return r;
}

int devnode_acl_all(struct udev *udev,
                    const char *seat,
                    bool flush,
                    bool del, uid_t old_uid,
                    bool add, uid_t new_uid) {

        struct udev_list_entry *item = NULL, *first = NULL;
        struct udev_enumerate *e;
        int r;

        assert(udev);

        if (isempty(seat))
                seat = "seat0";

        e = udev_enumerate_new(udev);
        if (!e)
                return -ENOMEM;

        /* We can only match by one tag in libudev. We choose
         * "uaccess" for that. If we could match for two tags here we
         * could add the seat name as second match tag, but this would
         * be hardly optimizable in libudev, and hence checking the
         * second tag manually in our loop is a good solution. */

        r = udev_enumerate_add_match_tag(e, "uaccess");
        if (r < 0)
                goto finish;

        r = udev_enumerate_scan_devices(e);
        if (r < 0)
                goto finish;

        first = udev_enumerate_get_list_entry(e);
        udev_list_entry_foreach(item, first) {
                struct udev_device *d;
                const char *node, *sn;

                d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
                if (!d) {
                        r = -ENOMEM;
                        goto finish;
                }

                sn = udev_device_get_property_value(d, "ID_SEAT");
                if (isempty(sn))
                        sn = "seat0";

                if (!streq(seat, sn)) {
                        udev_device_unref(d);
                        continue;
                }

                node = udev_device_get_devnode(d);
                if (!node) {
                        /* In case people mistag devices with nodes, we need to ignore this */
                        udev_device_unref(d);
                        continue;
                }

                log_debug("Fixing up %s for seat %s...", node, sn);

                r = devnode_acl(node, flush, del, old_uid, add, new_uid);
                udev_device_unref(d);

                if (r < 0)
                        goto finish;
        }

finish:
        if (e)
                udev_enumerate_unref(e);

        return r;
}
Commit	Line	Data
5eda94dd LP	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2011 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	9	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	10	the Free Software Foundation; either version 2.1 of the License, or
5eda94dd LP	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	16	Lesser General Public License for more details.
5eda94dd	17
5430f7f2	18	You should have received a copy of the GNU Lesser General Public License
5eda94dd LP	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include <assert.h>
	23	#include <sys/acl.h>
	24	#include <acl/libacl.h>
	25	#include <errno.h>
	26	#include <string.h>
	27
	28	#include "logind-acl.h"
	29	#include "util.h"
79c07722	30	#include "acl-util.h"
5eda94dd LP	31
	32	static int flush_acl(acl_t acl) {
	33	acl_entry_t i;
	34	int found;
	35	bool changed = false;
	36
	37	assert(acl);
	38
	39	for (found = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
	40	found > 0;
	41	found = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
	42
	43	acl_tag_t tag;
	44
	45	if (acl_get_tag_type(i, &tag) < 0)
	46	return -errno;
	47
	48	if (tag != ACL_USER)
	49	continue;
	50
	51	if (acl_delete_entry(acl, i) < 0)
	52	return -errno;
	53
	54	changed = true;
	55	}
	56
	57	if (found < 0)
	58	return -errno;
	59
	60	return changed;
	61	}
	62
	63	int devnode_acl(const char *path,
	64	bool flush,
	65	bool del, uid_t old_uid,
	66	bool add, uid_t new_uid) {
	67
	68	acl_t acl;
501c92c4	69	int r = 0;
5eda94dd LP	70	bool changed = false;
	71
	72	assert(path);
	73
	74	acl = acl_get_file(path, ACL_TYPE_ACCESS);
	75	if (!acl)
	76	return -errno;
	77
	78	if (flush) {
	79
	80	r = flush_acl(acl);
	81	if (r < 0)
	82	goto finish;
	83	if (r > 0)
	84	changed = true;
	85
	86	} else if (del && old_uid > 0) {
	87	acl_entry_t entry;
	88
f4b47811	89	r = acl_find_uid(acl, old_uid, &entry);
5eda94dd LP	90	if (r < 0)
	91	goto finish;
	92
	93	if (r > 0) {
	94	if (acl_delete_entry(acl, entry) < 0) {
	95	r = -errno;
	96	goto finish;
	97	}
	98
	99	changed = true;
	100	}
	101	}
	102
	103	if (add && new_uid > 0) {
	104	acl_entry_t entry;
	105	acl_permset_t permset;
	106	int rd, wt;
	107
f4b47811	108	r = acl_find_uid(acl, new_uid, &entry);
5eda94dd LP	109	if (r < 0)
	110	goto finish;
	111
	112	if (r == 0) {
	113	if (acl_create_entry(&acl, &entry) < 0) {
	114	r = -errno;
	115	goto finish;
	116	}
	117
	118	if (acl_set_tag_type(entry, ACL_USER) < 0 \|\|
	119	acl_set_qualifier(entry, &new_uid) < 0) {
	120	r = -errno;
	121	goto finish;
	122	}
	123	}
	124
	125	if (acl_get_permset(entry, &permset) < 0) {
	126	r = -errno;
	127	goto finish;
	128	}
	129
	130	rd = acl_get_perm(permset, ACL_READ);
	131	if (rd < 0) {
	132	r = -errno;
	133	goto finish;
	134	}
	135
	136	wt = acl_get_perm(permset, ACL_WRITE);
	137	if (wt < 0) {
	138	r = -errno;
	139	goto finish;
	140	}
	141
	142	if (!rd \|\| !wt) {
	143
	144	if (acl_add_perm(permset, ACL_READ\|ACL_WRITE) < 0) {
	145	r = -errno;
	146	goto finish;
	147	}
	148
	149	changed = true;
	150	}
	151	}
	152
	153	if (!changed)
	154	goto finish;
	155
	156	if (acl_calc_mask(&acl) < 0) {
	157	r = -errno;
	158	goto finish;
	159	}
	160
	161	if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0) {
	162	r = -errno;
	163	goto finish;
	164	}
	165
	166	r = 0;
	167
	168	finish:
	169	acl_free(acl);
	170
	171	return r;
	172	}
173
174	int devnode_acl_all(struct udev *udev,
175	const char *seat,
176	bool flush,
177	bool del, uid_t old_uid,
178	bool add, uid_t new_uid) {
179
180	struct udev_list_entry item = NULL, first = NULL;
181	struct udev_enumerate *e;
182	int r;
183
184	assert(udev);
185
53907215	186	if (isempty(seat))
5eda94dd LP	187	seat = "seat0";
	188
	189	e = udev_enumerate_new(udev);
	190	if (!e)
	191	return -ENOMEM;
	192
7b3afbac LP	193	/* We can only match by one tag in libudev. We choose
	194	* "uaccess" for that. If we could match for two tags here we
	195	* could add the seat name as second match tag, but this would
	196	* be hardly optimizable in libudev, and hence checking the
	197	* second tag manually in our loop is a good solution. */
	198
5eda94dd LP	199	r = udev_enumerate_add_match_tag(e, "uaccess");
	200	if (r < 0)
	201	goto finish;
	202
5eda94dd LP	203	r = udev_enumerate_scan_devices(e);
	204	if (r < 0)
	205	goto finish;
	206
	207	first = udev_enumerate_get_list_entry(e);
	208	udev_list_entry_foreach(item, first) {
	209	struct udev_device *d;
	210	const char node, sn;
	211
	212	d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
	213	if (!d) {
	214	r = -ENOMEM;
	215	goto finish;
	216	}
	217
53907215 LP	218	sn = udev_device_get_property_value(d, "ID_SEAT");
53907215 LP	219	if (isempty(sn))
5eda94dd LP	220	sn = "seat0";
	221
	222	if (!streq(seat, sn)) {
	223	udev_device_unref(d);
	224	continue;
	225	}
	226
	227	node = udev_device_get_devnode(d);
5eda94dd	228	if (!node) {
d2d4b038	229	/* In case people mistag devices with nodes, we need to ignore this */
ce0f7c97	230	udev_device_unref(d);
d2d4b038	231	continue;
5eda94dd LP	232	}
5eda94dd LP	233
53907215 LP	234	log_debug("Fixing up %s for seat %s...", node, sn);
53907215 LP	235
5eda94dd	236	r = devnode_acl(node, flush, del, old_uid, add, new_uid);
ce0f7c97 LP	237	udev_device_unref(d);
ce0f7c97 LP	238
5eda94dd LP	239	if (r < 0)
	240	goto finish;
	241	}
	242
	243	finish:
	244	if (e)
	245	udev_enumerate_unref(e);
	246
	247	return r;
	248	}