1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2011 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include "formats-util.h"
29 #include "udev-util.h"
31 #include "logind-acl.h"
33 static int flush_acl(acl_t acl
) {
40 for (found
= acl_get_entry(acl
, ACL_FIRST_ENTRY
, &i
);
42 found
= acl_get_entry(acl
, ACL_NEXT_ENTRY
, &i
)) {
46 if (acl_get_tag_type(i
, &tag
) < 0)
52 if (acl_delete_entry(acl
, i
) < 0)
64 int devnode_acl(const char *path
,
66 bool del
, uid_t old_uid
,
67 bool add
, uid_t new_uid
) {
75 acl
= acl_get_file(path
, ACL_TYPE_ACCESS
);
87 } else if (del
&& old_uid
> 0) {
90 r
= acl_find_uid(acl
, old_uid
, &entry
);
95 if (acl_delete_entry(acl
, entry
) < 0) {
104 if (add
&& new_uid
> 0) {
106 acl_permset_t permset
;
109 r
= acl_find_uid(acl
, new_uid
, &entry
);
114 if (acl_create_entry(&acl
, &entry
) < 0) {
119 if (acl_set_tag_type(entry
, ACL_USER
) < 0 ||
120 acl_set_qualifier(entry
, &new_uid
) < 0) {
126 if (acl_get_permset(entry
, &permset
) < 0) {
131 rd
= acl_get_perm(permset
, ACL_READ
);
137 wt
= acl_get_perm(permset
, ACL_WRITE
);
145 if (acl_add_perm(permset
, ACL_READ
|ACL_WRITE
) < 0) {
157 if (acl_calc_mask(&acl
) < 0) {
162 if (acl_set_file(path
, ACL_TYPE_ACCESS
, acl
) < 0) {
175 int devnode_acl_all(struct udev
*udev
,
178 bool del
, uid_t old_uid
,
179 bool add
, uid_t new_uid
) {
181 _cleanup_udev_enumerate_unref_
struct udev_enumerate
*e
= NULL
;
182 struct udev_list_entry
*item
= NULL
, *first
= NULL
;
183 _cleanup_set_free_free_ Set
*nodes
= NULL
;
184 _cleanup_closedir_
DIR *dir
= NULL
;
192 nodes
= set_new(&string_hash_ops
);
196 e
= udev_enumerate_new(udev
);
203 /* We can only match by one tag in libudev. We choose
204 * "uaccess" for that. If we could match for two tags here we
205 * could add the seat name as second match tag, but this would
206 * be hardly optimizable in libudev, and hence checking the
207 * second tag manually in our loop is a good solution. */
208 r
= udev_enumerate_add_match_tag(e
, "uaccess");
212 r
= udev_enumerate_add_match_is_initialized(e
);
216 r
= udev_enumerate_scan_devices(e
);
220 first
= udev_enumerate_get_list_entry(e
);
221 udev_list_entry_foreach(item
, first
) {
222 _cleanup_udev_device_unref_
struct udev_device
*d
= NULL
;
223 const char *node
, *sn
;
225 d
= udev_device_new_from_syspath(udev
, udev_list_entry_get_name(item
));
229 sn
= udev_device_get_property_value(d
, "ID_SEAT");
233 if (!streq(seat
, sn
))
236 node
= udev_device_get_devnode(d
);
237 /* In case people mistag devices with nodes, we need to ignore this */
245 log_debug("Found udev node %s for seat %s", n
, seat
);
246 r
= set_consume(nodes
, n
);
251 /* udev exports "dead" device nodes to allow module on-demand loading,
252 * these devices are not known to the kernel at this moment */
253 dir
= opendir("/run/udev/static_node-tags/uaccess");
255 FOREACH_DIRENT(dent
, dir
, return -errno
) {
256 _cleanup_free_
char *unescaped_devname
= NULL
;
258 if (cunescape(dent
->d_name
, UNESCAPE_RELAX
, &unescaped_devname
) < 0)
261 n
= strappend("/dev/", unescaped_devname
);
265 log_debug("Found static node %s for seat %s", n
, seat
);
266 r
= set_consume(nodes
, n
);
275 SET_FOREACH(n
, nodes
, i
) {
278 log_debug("Changing ACLs at %s for seat %s (uid "UID_FMT
"→"UID_FMT
"%s%s)",
279 n
, seat
, old_uid
, new_uid
,
280 del
? " del" : "", add
? " add" : "");
282 k
= devnode_acl(n
, flush
, del
, old_uid
, add
, new_uid
);
284 log_debug("Device %s disappeared while setting ACLs", n
);
285 else if (k
< 0 && r
== 0)