src/login/logind-acl.c

   1 /***
   2   This file is part of systemd.
   3
   4   Copyright 2011 Lennart Poettering
   5
   6   systemd is free software; you can redistribute it and/or modify it
   7   under the terms of the GNU Lesser General Public License as published by
   8   the Free Software Foundation; either version 2.1 of the License, or
   9   (at your option) any later version.
  10
  11   systemd is distributed in the hope that it will be useful, but
  12   WITHOUT ANY WARRANTY; without even the implied warranty of
  13   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  14   Lesser General Public License for more details.
  15
  16   You should have received a copy of the GNU Lesser General Public License
  17   along with systemd; If not, see <http://www.gnu.org/licenses/>.
  18 ***/
  19
  20 #include <errno.h>
  21 #include <string.h>
  22
  23 #include "acl-util.h"
  24 #include "alloc-util.h"
  25 #include "dirent-util.h"
  26 #include "escape.h"
  27 #include "fd-util.h"
  28 #include "format-util.h"
  29 #include "logind-acl.h"
  30 #include "set.h"
  31 #include "string-util.h"
  32 #include "udev-util.h"
  33 #include "util.h"
  34
  35 static int flush_acl(acl_t acl) {
  36         acl_entry_t i;
  37         int found;
  38         bool changed = false;
  39
  40         assert(acl);
  41
  42         for (found = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
  43              found > 0;
  44              found = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
  45
  46                 acl_tag_t tag;
  47
  48                 if (acl_get_tag_type(i, &tag) < 0)
  49                         return -errno;
  50
  51                 if (tag != ACL_USER)
  52                         continue;
  53
  54                 if (acl_delete_entry(acl, i) < 0)
  55                         return -errno;
  56
  57                 changed = true;
  58         }
  59
  60         if (found < 0)
  61                 return -errno;
  62
  63         return changed;
  64 }
  65
  66 int devnode_acl(const char *path,
  67                 bool flush,
  68                 bool del, uid_t old_uid,
  69                 bool add, uid_t new_uid) {
  70
  71         acl_t acl;
  72         int r = 0;
  73         bool changed = false;
  74
  75         assert(path);
  76
  77         acl = acl_get_file(path, ACL_TYPE_ACCESS);
  78         if (!acl)
  79                 return -errno;
  80
  81         if (flush) {
  82
  83                 r = flush_acl(acl);
  84                 if (r < 0)
  85                         goto finish;
  86                 if (r > 0)
  87                         changed = true;
  88
  89         } else if (del && old_uid > 0) {
  90                 acl_entry_t entry;
  91
  92                 r = acl_find_uid(acl, old_uid, &entry);
  93                 if (r < 0)
  94                         goto finish;
  95
  96                 if (r > 0) {
  97                         if (acl_delete_entry(acl, entry) < 0) {
  98                                 r = -errno;
  99                                 goto finish;
 100                         }
 101
 102                         changed = true;
 103                 }
 104         }
 105
 106         if (add && new_uid > 0) {
 107                 acl_entry_t entry;
 108                 acl_permset_t permset;
 109                 int rd, wt;
 110
 111                 r = acl_find_uid(acl, new_uid, &entry);
 112                 if (r < 0)
 113                         goto finish;
 114
 115                 if (r == 0) {
 116                         if (acl_create_entry(&acl, &entry) < 0) {
 117                                 r = -errno;
 118                                 goto finish;
 119                         }
 120
 121                         if (acl_set_tag_type(entry, ACL_USER) < 0 ||
 122                             acl_set_qualifier(entry, &new_uid) < 0) {
 123                                 r = -errno;
 124                                 goto finish;
 125                         }
 126                 }
 127
 128                 if (acl_get_permset(entry, &permset) < 0) {
 129                         r = -errno;
 130                         goto finish;
 131                 }
 132
 133                 rd = acl_get_perm(permset, ACL_READ);
 134                 if (rd < 0) {
 135                         r = -errno;
 136                         goto finish;
 137                 }
 138
 139                 wt = acl_get_perm(permset, ACL_WRITE);
 140                 if (wt < 0) {
 141                         r = -errno;
 142                         goto finish;
 143                 }
 144
 145                 if (!rd || !wt) {
 146
 147                         if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0) {
 148                                 r = -errno;
 149                                 goto finish;
 150                         }
 151
 152                         changed = true;
 153                 }
 154         }
 155
 156         if (!changed)
 157                 goto finish;
 158
 159         if (acl_calc_mask(&acl) < 0) {
 160                 r = -errno;
 161                 goto finish;
 162         }
 163
 164         if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0) {
 165                 r = -errno;
 166                 goto finish;
 167         }
 168
 169         r = 0;
 170
 171 finish:
 172         acl_free(acl);
 173
 174         return r;
 175 }
 176
 177 int devnode_acl_all(struct udev *udev,
 178                     const char *seat,
 179                     bool flush,
 180                     bool del, uid_t old_uid,
 181                     bool add, uid_t new_uid) {
 182
 183         _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
 184         struct udev_list_entry *item = NULL, *first = NULL;
 185         _cleanup_set_free_free_ Set *nodes = NULL;
 186         _cleanup_closedir_ DIR *dir = NULL;
 187         struct dirent *dent;
 188         Iterator i;
 189         char *n;
 190         int r;
 191
 192         assert(udev);
 193
 194         nodes = set_new(&string_hash_ops);
 195         if (!nodes)
 196                 return -ENOMEM;
 197
 198         e = udev_enumerate_new(udev);
 199         if (!e)
 200                 return -ENOMEM;
 201
 202         if (isempty(seat))
 203                 seat = "seat0";
 204
 205         /* We can only match by one tag in libudev. We choose
 206          * "uaccess" for that. If we could match for two tags here we
 207          * could add the seat name as second match tag, but this would
 208          * be hardly optimizable in libudev, and hence checking the
 209          * second tag manually in our loop is a good solution. */
 210         r = udev_enumerate_add_match_tag(e, "uaccess");
 211         if (r < 0)
 212                 return r;
 213
 214         r = udev_enumerate_add_match_is_initialized(e);
 215         if (r < 0)
 216                 return r;
 217
 218         r = udev_enumerate_scan_devices(e);
 219         if (r < 0)
 220                 return r;
 221
 222         first = udev_enumerate_get_list_entry(e);
 223         udev_list_entry_foreach(item, first) {
 224                 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
 225                 const char *node, *sn;
 226
 227                 d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
 228                 if (!d)
 229                         return -ENOMEM;
 230
 231                 sn = udev_device_get_property_value(d, "ID_SEAT");
 232                 if (isempty(sn))
 233                         sn = "seat0";
 234
 235                 if (!streq(seat, sn))
 236                         continue;
 237
 238                 node = udev_device_get_devnode(d);
 239                 /* In case people mistag devices with nodes, we need to ignore this */
 240                 if (!node)
 241                         continue;
 242
 243                 n = strdup(node);
 244                 if (!n)
 245                         return -ENOMEM;
 246
 247                 log_debug("Found udev node %s for seat %s", n, seat);
 248                 r = set_consume(nodes, n);
 249                 if (r < 0)
 250                         return r;
 251         }
 252
 253         /* udev exports "dead" device nodes to allow module on-demand loading,
 254          * these devices are not known to the kernel at this moment */
 255         dir = opendir("/run/udev/static_node-tags/uaccess");
 256         if (dir) {
 257                 FOREACH_DIRENT(dent, dir, return -errno) {
 258                         _cleanup_free_ char *unescaped_devname = NULL;
 259
 260                         if (cunescape(dent->d_name, UNESCAPE_RELAX, &unescaped_devname) < 0)
 261                                 return -ENOMEM;
 262
 263                         n = strappend("/dev/", unescaped_devname);
 264                         if (!n)
 265                                 return -ENOMEM;
 266
 267                         log_debug("Found static node %s for seat %s", n, seat);
 268                         r = set_consume(nodes, n);
 269                         if (r == -EEXIST)
 270                                 continue;
 271                         if (r < 0)
 272                                 return r;
 273                 }
 274         }
 275
 276         r = 0;
 277         SET_FOREACH(n, nodes, i) {
 278                 int k;
 279
 280                 log_debug("Changing ACLs at %s for seat %s (uid "UID_FMT"→"UID_FMT"%s%s)",
 281                           n, seat, old_uid, new_uid,
 282                           del ? " del" : "", add ? " add" : "");
 283
 284                 k = devnode_acl(n, flush, del, old_uid, add, new_uid);
 285                 if (k == -ENOENT)
 286                         log_debug("Device %s disappeared while setting ACLs", n);
 287                 else if (k < 0 && r == 0)
 288                         r = k;
 289         }
 290
 291         return r;
 292 }