[thirdparty/systemd.git] / src / login / logind-acl.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2011 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <string.h>

#include "acl-util.h"
#include "escape.h"
#include "formats-util.h"
#include "set.h"
#include "string-util.h"
#include "udev-util.h"
#include "util.h"
#include "logind-acl.h"

static int flush_acl(acl_t acl) {
        acl_entry_t i;
        int found;
        bool changed = false;

        assert(acl);

        for (found = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
             found > 0;
             found = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {

                acl_tag_t tag;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if (tag != ACL_USER)
                        continue;

                if (acl_delete_entry(acl, i) < 0)
                        return -errno;

                changed = true;
        }

        if (found < 0)
                return -errno;

        return changed;
}

int devnode_acl(const char *path,
                bool flush,
                bool del, uid_t old_uid,
                bool add, uid_t new_uid) {

        acl_t acl;
        int r = 0;
        bool changed = false;

        assert(path);

        acl = acl_get_file(path, ACL_TYPE_ACCESS);
        if (!acl)
                return -errno;

        if (flush) {

                r = flush_acl(acl);
                if (r < 0)
                        goto finish;
                if (r > 0)
                        changed = true;

        } else if (del && old_uid > 0) {
                acl_entry_t entry;

                r = acl_find_uid(acl, old_uid, &entry);
                if (r < 0)
                        goto finish;

                if (r > 0) {
                        if (acl_delete_entry(acl, entry) < 0) {
                                r = -errno;
                                goto finish;
                        }

                        changed = true;
                }
        }

        if (add && new_uid > 0) {
                acl_entry_t entry;
                acl_permset_t permset;
                int rd, wt;

                r = acl_find_uid(acl, new_uid, &entry);
                if (r < 0)
                        goto finish;

                if (r == 0) {
                        if (acl_create_entry(&acl, &entry) < 0) {
                                r = -errno;
                                goto finish;
                        }

                        if (acl_set_tag_type(entry, ACL_USER) < 0 ||
                            acl_set_qualifier(entry, &new_uid) < 0) {
                                r = -errno;
                                goto finish;
                        }
                }

                if (acl_get_permset(entry, &permset) < 0) {
                        r = -errno;
                        goto finish;
                }

                rd = acl_get_perm(permset, ACL_READ);
                if (rd < 0) {
                        r = -errno;
                        goto finish;
                }

                wt = acl_get_perm(permset, ACL_WRITE);
                if (wt < 0) {
                        r = -errno;
                        goto finish;
                }

                if (!rd || !wt) {

                        if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0) {
                                r = -errno;
                                goto finish;
                        }

                        changed = true;
                }
        }

        if (!changed)
                goto finish;

        if (acl_calc_mask(&acl) < 0) {
                r = -errno;
                goto finish;
        }

        if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0) {
                r = -errno;
                goto finish;
        }

        r = 0;

finish:
        acl_free(acl);

        return r;
}

int devnode_acl_all(struct udev *udev,
                    const char *seat,
                    bool flush,
                    bool del, uid_t old_uid,
                    bool add, uid_t new_uid) {

        _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
        struct udev_list_entry *item = NULL, *first = NULL;
        _cleanup_set_free_free_ Set *nodes = NULL;
        _cleanup_closedir_ DIR *dir = NULL;
        struct dirent *dent;
        Iterator i;
        char *n;
        int r;

        assert(udev);

        nodes = set_new(&string_hash_ops);
        if (!nodes)
                return -ENOMEM;

        e = udev_enumerate_new(udev);
        if (!e)
                return -ENOMEM;

        if (isempty(seat))
                seat = "seat0";

        /* We can only match by one tag in libudev. We choose
         * "uaccess" for that. If we could match for two tags here we
         * could add the seat name as second match tag, but this would
         * be hardly optimizable in libudev, and hence checking the
         * second tag manually in our loop is a good solution. */
        r = udev_enumerate_add_match_tag(e, "uaccess");
        if (r < 0)
                return r;

        r = udev_enumerate_add_match_is_initialized(e);
        if (r < 0)
                return r;

        r = udev_enumerate_scan_devices(e);
        if (r < 0)
                return r;

        first = udev_enumerate_get_list_entry(e);
        udev_list_entry_foreach(item, first) {
                _cleanup_udev_device_unref_ struct udev_device *d = NULL;
                const char *node, *sn;

                d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
                if (!d)
                        return -ENOMEM;

                sn = udev_device_get_property_value(d, "ID_SEAT");
                if (isempty(sn))
                        sn = "seat0";

                if (!streq(seat, sn))
                        continue;

                node = udev_device_get_devnode(d);
                /* In case people mistag devices with nodes, we need to ignore this */
                if (!node)
                        continue;

                n = strdup(node);
                if (!n)
                        return -ENOMEM;

                log_debug("Found udev node %s for seat %s", n, seat);
                r = set_consume(nodes, n);
                if (r < 0)
                        return r;
        }

        /* udev exports "dead" device nodes to allow module on-demand loading,
         * these devices are not known to the kernel at this moment */
        dir = opendir("/run/udev/static_node-tags/uaccess");
        if (dir) {
                FOREACH_DIRENT(dent, dir, return -errno) {
                        _cleanup_free_ char *unescaped_devname = NULL;

                        if (cunescape(dent->d_name, UNESCAPE_RELAX, &unescaped_devname) < 0)
                                return -ENOMEM;

                        n = strappend("/dev/", unescaped_devname);
                        if (!n)
                                return -ENOMEM;

                        log_debug("Found static node %s for seat %s", n, seat);
                        r = set_consume(nodes, n);
                        if (r == -EEXIST)
                                continue;
                        if (r < 0)
                                return r;
                }
        }

        r = 0;
        SET_FOREACH(n, nodes, i) {
                int k;

                log_debug("Changing ACLs at %s for seat %s (uid "UID_FMT"→"UID_FMT"%s%s)",
                          n, seat, old_uid, new_uid,
                          del ? " del" : "", add ? " add" : "");

                k = devnode_acl(n, flush, del, old_uid, add, new_uid);
                if (k == -ENOENT)
                        log_debug("Device %s disappeared while setting ACLs", n);
                else if (k < 0 && r == 0)
                        r = k;
        }

        return r;
}
Commit	Line	Data
5eda94dd LP	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2011 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	9	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	10	the Free Software Foundation; either version 2.1 of the License, or
5eda94dd LP	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	16	Lesser General Public License for more details.
5eda94dd	17
5430f7f2	18	You should have received a copy of the GNU Lesser General Public License
5eda94dd LP	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
5eda94dd LP	22	#include <errno.h>
	23	#include <string.h>
	24
79c07722	25	#include "acl-util.h"
4f5dd394 LP	26	#include "escape.h"
4f5dd394 LP	27	#include "formats-util.h"
6b78df0a	28	#include "set.h"
07630cea	29	#include "string-util.h"
bf5332d2	30	#include "udev-util.h"
4f5dd394 LP	31	#include "util.h"
4f5dd394 LP	32	#include "logind-acl.h"
5eda94dd LP	33
	34	static int flush_acl(acl_t acl) {
	35	acl_entry_t i;
	36	int found;
	37	bool changed = false;
	38
	39	assert(acl);
	40
	41	for (found = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
	42	found > 0;
	43	found = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
	44
	45	acl_tag_t tag;
	46
	47	if (acl_get_tag_type(i, &tag) < 0)
	48	return -errno;
	49
	50	if (tag != ACL_USER)
	51	continue;
	52
	53	if (acl_delete_entry(acl, i) < 0)
	54	return -errno;
	55
	56	changed = true;
	57	}
	58
	59	if (found < 0)
	60	return -errno;
	61
	62	return changed;
	63	}
	64
	65	int devnode_acl(const char *path,
	66	bool flush,
	67	bool del, uid_t old_uid,
	68	bool add, uid_t new_uid) {
	69
	70	acl_t acl;
501c92c4	71	int r = 0;
5eda94dd LP	72	bool changed = false;
	73
	74	assert(path);
	75
	76	acl = acl_get_file(path, ACL_TYPE_ACCESS);
	77	if (!acl)
	78	return -errno;
	79
	80	if (flush) {
	81
	82	r = flush_acl(acl);
	83	if (r < 0)
	84	goto finish;
	85	if (r > 0)
	86	changed = true;
	87
	88	} else if (del && old_uid > 0) {
	89	acl_entry_t entry;
	90
f4b47811	91	r = acl_find_uid(acl, old_uid, &entry);
5eda94dd LP	92	if (r < 0)
	93	goto finish;
	94
	95	if (r > 0) {
	96	if (acl_delete_entry(acl, entry) < 0) {
	97	r = -errno;
	98	goto finish;
	99	}
	100
	101	changed = true;
	102	}
	103	}
	104
	105	if (add && new_uid > 0) {
	106	acl_entry_t entry;
	107	acl_permset_t permset;
	108	int rd, wt;
	109
f4b47811	110	r = acl_find_uid(acl, new_uid, &entry);
5eda94dd LP	111	if (r < 0)
	112	goto finish;
	113
	114	if (r == 0) {
	115	if (acl_create_entry(&acl, &entry) < 0) {
	116	r = -errno;
	117	goto finish;
	118	}
	119
	120	if (acl_set_tag_type(entry, ACL_USER) < 0 \|\|
	121	acl_set_qualifier(entry, &new_uid) < 0) {
	122	r = -errno;
	123	goto finish;
	124	}
	125	}
	126
	127	if (acl_get_permset(entry, &permset) < 0) {
	128	r = -errno;
	129	goto finish;
	130	}
	131
	132	rd = acl_get_perm(permset, ACL_READ);
	133	if (rd < 0) {
	134	r = -errno;
	135	goto finish;
	136	}
	137
	138	wt = acl_get_perm(permset, ACL_WRITE);
	139	if (wt < 0) {
	140	r = -errno;
	141	goto finish;
	142	}
	143
	144	if (!rd \|\| !wt) {
	145
	146	if (acl_add_perm(permset, ACL_READ\|ACL_WRITE) < 0) {
	147	r = -errno;
	148	goto finish;
	149	}
	150
	151	changed = true;
	152	}
	153	}
	154
	155	if (!changed)
	156	goto finish;
	157
	158	if (acl_calc_mask(&acl) < 0) {
	159	r = -errno;
	160	goto finish;
	161	}
	162
	163	if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0) {
	164	r = -errno;
	165	goto finish;
	166	}
	167
	168	r = 0;
	169
	170	finish:
	171	acl_free(acl);
	172
	173	return r;
	174	}
175
176	int devnode_acl_all(struct udev *udev,
177	const char *seat,
178	bool flush,
179	bool del, uid_t old_uid,
180	bool add, uid_t new_uid) {
181
bf5332d2	182	_cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
5eda94dd	183	struct udev_list_entry item = NULL, first = NULL;
bf5332d2	184	_cleanup_set_free_free_ Set *nodes = NULL;
db0c1e3b	185	_cleanup_closedir_ DIR *dir = NULL;
6b78df0a	186	struct dirent *dent;
bf5332d2 LP	187	Iterator i;
bf5332d2 LP	188	char *n;
5eda94dd LP	189	int r;
	190
	191	assert(udev);
	192
d5099efc	193	nodes = set_new(&string_hash_ops);
cc377381	194	if (!nodes)
6b78df0a	195	return -ENOMEM;
5eda94dd LP	196
5eda94dd LP	197	e = udev_enumerate_new(udev);
bf5332d2 LP	198	if (!e)
bf5332d2 LP	199	return -ENOMEM;
6b78df0a TG	200
	201	if (isempty(seat))
	202	seat = "seat0";
5eda94dd	203
7b3afbac LP	204	/* We can only match by one tag in libudev. We choose
	205	* "uaccess" for that. If we could match for two tags here we
	206	* could add the seat name as second match tag, but this would
	207	* be hardly optimizable in libudev, and hence checking the
	208	* second tag manually in our loop is a good solution. */
5eda94dd LP	209	r = udev_enumerate_add_match_tag(e, "uaccess");
5eda94dd LP	210	if (r < 0)
bf5332d2	211	return r;
5eda94dd	212
e1202047 LP	213	r = udev_enumerate_add_match_is_initialized(e);
	214	if (r < 0)
	215	return r;
	216
5eda94dd LP	217	r = udev_enumerate_scan_devices(e);
5eda94dd LP	218	if (r < 0)
bf5332d2	219	return r;
5eda94dd LP	220
	221	first = udev_enumerate_get_list_entry(e);
	222	udev_list_entry_foreach(item, first) {
bf5332d2	223	_cleanup_udev_device_unref_ struct udev_device *d = NULL;
5eda94dd LP	224	const char node, sn;
	225
	226	d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
bf5332d2 LP	227	if (!d)
	228	return -ENOMEM;
	229
53907215 LP	230	sn = udev_device_get_property_value(d, "ID_SEAT");
53907215 LP	231	if (isempty(sn))
5eda94dd LP	232	sn = "seat0";
5eda94dd LP	233
bf5332d2	234	if (!streq(seat, sn))
5eda94dd	235	continue;
5eda94dd LP	236
5eda94dd LP	237	node = udev_device_get_devnode(d);
bf5332d2 LP	238	/* In case people mistag devices with nodes, we need to ignore this */
bf5332d2 LP	239	if (!node)
d2d4b038	240	continue;
5eda94dd	241
6b78df0a	242	n = strdup(node);
6b78df0a	243	if (!n)
bf5332d2	244	return -ENOMEM;
ce0f7c97	245
6b78df0a	246	log_debug("Found udev node %s for seat %s", n, seat);
bf5332d2	247	r = set_consume(nodes, n);
5eda94dd	248	if (r < 0)
bf5332d2	249	return r;
5eda94dd LP	250	}
5eda94dd LP	251
6b78df0a TG	252	/* udev exports "dead" device nodes to allow module on-demand loading,
	253	* these devices are not known to the kernel at this moment */
	254	dir = opendir("/run/udev/static_node-tags/uaccess");
	255	if (dir) {
bf5332d2	256	FOREACH_DIRENT(dent, dir, return -errno) {
6b78df0a	257	_cleanup_free_ char *unescaped_devname = NULL;
5eda94dd	258
527b7a42	259	if (cunescape(dent->d_name, UNESCAPE_RELAX, &unescaped_devname) < 0)
bf5332d2	260	return -ENOMEM;
6b78df0a TG	261
6b78df0a TG	262	n = strappend("/dev/", unescaped_devname);
bf5332d2 LP	263	if (!n)
bf5332d2 LP	264	return -ENOMEM;
6b78df0a TG	265
6b78df0a TG	266	log_debug("Found static node %s for seat %s", n, seat);
bf5332d2 LP	267	r = set_consume(nodes, n);
	268	if (r == -EEXIST)
	269	continue;
	270	if (r < 0)
	271	return r;
6b78df0a	272	}
6b78df0a TG	273	}
6b78df0a TG	274
bf5332d2	275	r = 0;
6b78df0a	276	SET_FOREACH(n, nodes, i) {
bf5332d2 LP	277	int k;
bf5332d2 LP	278
6b9732b2 ZJS	279	log_debug("Changing ACLs at %s for seat %s (uid "UID_FMT"→"UID_FMT"%s%s)",
	280	n, seat, old_uid, new_uid,
	281	del ? " del" : "", add ? " add" : "");
	282
bf5332d2	283	k = devnode_acl(n, flush, del, old_uid, add, new_uid);
8016b904 DH	284	if (k == -ENOENT)
8016b904 DH	285	log_debug("Device %s disappeared while setting ACLs", n);
f7a5bb28	286	else if (k < 0 && r == 0)
bf5332d2	287	r = k;
6b78df0a TG	288	}
6b78df0a TG	289
5eda94dd LP	290	return r;
5eda94dd LP	291	}