]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/shared/devnode-acl.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
core: Record ExecMainStartTimestamp before forking
[thirdparty/systemd.git] / src / shared / devnode-acl.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <errno.h>
4
5 #include "sd-device.h"
6
7 #include "acl-util.h"
8 #include "alloc-util.h"
9 #include "device-util.h"
10 #include "devnode-acl.h"
11 #include "dirent-util.h"
12 #include "fd-util.h"
13 #include "format-util.h"
14 #include "fs-util.h"
15 #include "glyph-util.h"
16 #include "set.h"
17 #include "string-util.h"
18
19 static int flush_acl(acl_t acl) {
20 acl_entry_t i;
21 int found;
22 bool changed = false;
23
24 assert(acl);
25
26 for (found = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
27 found > 0;
28 found = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
29
30 acl_tag_t tag;
31
32 if (acl_get_tag_type(i, &tag) < 0)
33 return -errno;
34
35 if (tag != ACL_USER)
36 continue;
37
38 if (acl_delete_entry(acl, i) < 0)
39 return -errno;
40
41 changed = true;
42 }
43
44 if (found < 0)
45 return -errno;
46
47 return changed;
48 }
49
50 int devnode_acl(const char *path,
51 bool flush,
52 bool del, uid_t old_uid,
53 bool add, uid_t new_uid) {
54
55 _cleanup_(acl_freep) acl_t acl = NULL;
56 int r;
57 bool changed = false;
58
59 assert(path);
60
61 acl = acl_get_file(path, ACL_TYPE_ACCESS);
62 if (!acl)
63 return -errno;
64
65 if (flush) {
66
67 r = flush_acl(acl);
68 if (r < 0)
69 return r;
70 if (r > 0)
71 changed = true;
72
73 } else if (del && old_uid > 0) {
74 acl_entry_t entry;
75
76 r = acl_find_uid(acl, old_uid, &entry);
77 if (r < 0)
78 return r;
79
80 if (r > 0) {
81 if (acl_delete_entry(acl, entry) < 0)
82 return -errno;
83
84 changed = true;
85 }
86 }
87
88 if (add && new_uid > 0) {
89 acl_entry_t entry;
90 acl_permset_t permset;
91 int rd, wt;
92
93 r = acl_find_uid(acl, new_uid, &entry);
94 if (r < 0)
95 return r;
96
97 if (r == 0) {
98 if (acl_create_entry(&acl, &entry) < 0)
99 return -errno;
100
101 if (acl_set_tag_type(entry, ACL_USER) < 0 ||
102 acl_set_qualifier(entry, &new_uid) < 0)
103 return -errno;
104 }
105
106 if (acl_get_permset(entry, &permset) < 0)
107 return -errno;
108
109 rd = acl_get_perm(permset, ACL_READ);
110 if (rd < 0)
111 return -errno;
112
113 wt = acl_get_perm(permset, ACL_WRITE);
114 if (wt < 0)
115 return -errno;
116
117 if (!rd || !wt) {
118
119 if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0)
120 return -errno;
121
122 changed = true;
123 }
124 }
125
126 if (!changed)
127 return 0;
128
129 if (acl_calc_mask(&acl) < 0)
130 return -errno;
131
132 if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0)
133 return -errno;
134
135 return 0;
136 }
137
138 int devnode_acl_all(const char *seat,
139 bool flush,
140 bool del, uid_t old_uid,
141 bool add, uid_t new_uid) {
142
143 _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL;
144 _cleanup_set_free_ Set *nodes = NULL;
145 _cleanup_closedir_ DIR *dir = NULL;
146 char *n;
147 int r;
148
149 r = sd_device_enumerator_new(&e);
150 if (r < 0)
151 return r;
152
153 if (isempty(seat))
154 seat = "seat0";
155
156 /* We can only match by one tag in libudev. We choose
157 * "uaccess" for that. If we could match for two tags here we
158 * could add the seat name as second match tag, but this would
159 * be hardly optimizable in libudev, and hence checking the
160 * second tag manually in our loop is a good solution. */
161 r = sd_device_enumerator_add_match_tag(e, "uaccess");
162 if (r < 0)
163 return r;
164
165 FOREACH_DEVICE(e, d) {
166 const char *node, *sn;
167
168 /* Make sure the tag is still in place */
169 if (sd_device_has_current_tag(d, "uaccess") <= 0)
170 continue;
171
172 if (sd_device_get_property_value(d, "ID_SEAT", &sn) < 0 || isempty(sn))
173 sn = "seat0";
174
175 if (!streq(seat, sn))
176 continue;
177
178 /* In case people mistag devices with nodes, we need to ignore this */
179 if (sd_device_get_devname(d, &node) < 0)
180 continue;
181
182 log_device_debug(d, "Found udev node %s for seat %s", node, seat);
183 r = set_put_strdup_full(&nodes, &path_hash_ops_free, node);
184 if (r < 0)
185 return r;
186 }
187
188 /* udev exports "dead" device nodes to allow module on-demand loading,
189 * these devices are not known to the kernel at this moment */
190 dir = opendir("/run/udev/static_node-tags/uaccess");
191 if (dir) {
192 FOREACH_DIRENT(de, dir, return -errno) {
193 r = readlinkat_malloc(dirfd(dir), de->d_name, &n);
194 if (r == -ENOENT)
195 continue;
196 if (r < 0) {
197 log_debug_errno(r,
198 "Unable to read symlink '/run/udev/static_node-tags/uaccess/%s', ignoring: %m",
199 de->d_name);
200 continue;
201 }
202
203 log_debug("Found static node %s for seat %s", n, seat);
204 r = set_ensure_consume(&nodes, &path_hash_ops_free, n);
205 if (r < 0)
206 return r;
207 }
208 }
209
210 r = 0;
211 SET_FOREACH(n, nodes) {
212 int k;
213
214 log_debug("Changing ACLs at %s for seat %s (uid "UID_FMT"%s"UID_FMT"%s%s)",
215 n, seat, old_uid, special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), new_uid,
216 del ? " del" : "", add ? " add" : "");
217
218 k = devnode_acl(n, flush, del, old_uid, add, new_uid);
219 if (k == -ENOENT)
220 log_debug("Device %s disappeared while setting ACLs", n);
221 else
222 RET_GATHER(r, k);
223 }
224
225 return r;
226 }
Unnamed repository; edit this file 'description' to name the repository.