From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 13 Dec 2018 17:35:06 +0000 (+0100)
Subject: logind: only apply ACLs for device currently tagged with "uaccess"
X-Git-Tag: v247-rc1~314^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fccb48b286dcfc07f86d3e376829086294dfd978;p=thirdparty%2Fsystemd.git

logind: only apply ACLs for device currently tagged with "uaccess"

This is about security, hence let's be particularly careful here: only
devices currenlty tagged with "uaccess" will get ACL management, and
it's not sufficient if they once were (though that is used for
filtering).
---

diff --git a/src/login/logind-acl.c b/src/login/logind-acl.c
index 76af208af1a..5b75d8f3621 100644
--- a/src/login/logind-acl.c
+++ b/src/login/logind-acl.c
@@ -195,6 +195,10 @@ int devnode_acl_all(const char *seat,
         FOREACH_DEVICE(e, d) {
                 const char *node, *sn;
 
+                /* Make sure the tag is still in place */
+                if (sd_device_has_current_tag(d, "uaccess") <= 0)
+                        continue;
+
                 if (sd_device_get_property_value(d, "ID_SEAT", &sn) < 0 || isempty(sn))
                         sn = "seat0";