From: Yu Watanabe Date: Tue, 23 Sep 2025 00:56:09 +0000 (+0900) Subject: udev: move devnode_acl() back to libshared X-Git-Tag: v258.1~27 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1415e3a647a33a119bb9d4f336c865cd0bd39e66;p=thirdparty%2Fsystemd.git udev: move devnode_acl() back to libshared This effectively reverts 1abb592f2f886913492e4967cc96816c167177a9. No functional change, preparation for the next commit. (cherry picked from commit 41c4a69653f7ca48a449de172e73acd43eda81a4)
---
diff --git a/src/shared/acl-util.c b/src/shared/acl-util.c
index a057e8028ce..27f54153afb 100644
--- a/src/shared/acl-util.c
+++ b/src/shared/acl-util.c
@@ -6,12 +6,106 @@
 #include "alloc-util.h"
 #include "errno-util.h"
 #include "extract-word.h"
+#include "fd-util.h"
 #include "string-util.h"
 #include "strv.h"
 #include "user-util.h"
 #if HAVE_ACL
+int devnode_acl(int fd, uid_t uid) {
+ bool changed = false, found = false;
+ int r;
+
+ assert(fd >= 0);
+
+ _cleanup_(acl_freep) acl_t acl = NULL;
+ acl = acl_get_file(FORMAT_PROC_FD_PATH(fd), ACL_TYPE_ACCESS);
+ if (!acl)
+ return -errno;
+
+ acl_entry_t entry;
+ for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
+ r > 0;
+ r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry)) {
+
+ acl_tag_t tag;
+ if (acl_get_tag_type(entry, &tag) < 0)
+ return -errno;
+
+ if (tag != ACL_USER)
+ continue;
+
+ if (uid > 0) {
+ uid_t *u = acl_get_qualifier(entry);
+ if (!u)
+ return -errno;
+
+ if (*u == uid) {
+ acl_permset_t permset;
+ if (acl_get_permset(entry, &permset) < 0)
+ return -errno;
+
+ int rd = acl_get_perm(permset, ACL_READ);
+ if (rd < 0)
+ return -errno;
+
+ int wt = acl_get_perm(permset, ACL_WRITE);
+ if (wt < 0)
+ return -errno;
+
+ if (!rd || !wt) {
+ if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0)
+ return -errno;
+
+ changed = true;
+ }
+
+ found = true;
+ continue;
+ }
+ }
+
+ if (acl_delete_entry(acl, entry) < 0)
+ return -errno;
+
+ changed = true;
+ }
+ if (r < 0)
+ return -errno;
+
+ if (!found && uid > 0) {
+ if (acl_create_entry(&acl, &entry) < 0)
+ return -errno;
+
+ if (acl_set_tag_type(entry, ACL_USER) < 0)
+ return -errno;
+
+ if (acl_set_qualifier(entry, &uid) < 0)
+ return -errno;
+
+ acl_permset_t permset;
+ if (acl_get_permset(entry, &permset) < 0)
+ return -errno;
+
+ if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0)
+ return -errno;
+
+ changed = true;
+ }
+
+ if (!changed)
+ return 0;
+
+ if (acl_calc_mask(&acl) < 0)
+ return -errno;
+
+ if (acl_set_file(FORMAT_PROC_FD_PATH(fd), ACL_TYPE_ACCESS, acl) < 0)
+ return -errno;
+
+ return 0;
+}
+
 static int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *ret_entry) {
 acl_entry_t i;
 int r;
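Review bot: In the `if (uid > 0)` branch of the loop, the pointer returned by `acl_get_qualifier(entry)` is never released. libacl documents that the returned qualifier has to be freed with acl_free(), so each ACL_USER entry visited leaks a small allocation, including on the `return -errno` paths that follow. Declaring it with a cleanup helper covers every exit: `_cleanup_(acl_free_uid_tp) uid_t *u = acl_get_qualifier(entry);` (assuming acl_free_uid_tp is defined in acl-util.h next to the acl_free_gid_tp visible in the header hunk). The body is moved verbatim, so the leak predates this commit, but it is worth fixing now that the function is part of libshared.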
diff --git a/src/shared/acl-util.h b/src/shared/acl-util.h
index 2164017de3c..2817db975e1 100644
--- a/src/shared/acl-util.h
+++ b/src/shared/acl-util.h
@@ -10,6 +10,8 @@ int fd_acl_make_writable_fallback(int fd);
 #include /* IWYU pragma: export */
 #include /* IWYU pragma: export */
+int devnode_acl(int fd, uid_t uid);
+
 int calc_acl_mask_if_needed(acl_t *acl_p);
 int add_base_acls_if_needed(acl_t *acl_p, const char *path);
 int acl_search_groups(const char* path, char ***ret_groups);
@@ -40,6 +42,10 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gid_t*, acl_free_gid_tp, NULL);
 #define ACL_WRITE 0x02
 #define ACL_EXECUTE 0x01
+static inline int devnode_acl(int fd, uid_t uid) {
+ return -EOPNOTSUPP;
+}
+
 static inline int fd_add_uid_acl_permission(int fd, uid_t uid, unsigned mask) {
 return -EOPNOTSUPP;
 }
diff --git a/src/udev/udev-builtin-uaccess.c b/src/udev/udev-builtin-uaccess.c
index c382f957cfa..e73ec7c03d6 100644
--- a/src/udev/udev-builtin-uaccess.c
+++ b/src/udev/udev-builtin-uaccess.c
@@ -1,7 +1,4 @@
 /* SPDX-License-Identifier: GPL-2.0-or-later */
-/*
- * manage device node user ACL
- */
 #include "sd-login.h"
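Review bot: The prototype added in the first acl-util.h hunk, `int devnode_acl(int fd, uid_t uid);`, exports a destructive operation without documenting it. Going by the definition added in acl-util.c, every ACL_USER entry other than the one for `uid` is deleted, and `uid == 0` removes them all. A caller expecting add-only behaviour, as the neighbouring name fd_add_uid_acl_permission() suggests, would silently revoke other users' access to the node. I would add a comment at the declaration, e.g. `/* Makes 'uid' the only ACL_USER entry on the node and grants it read+write; all other user entries are removed, and uid == 0 removes every user entry. */`.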
@@ -12,99 +9,6 @@
 #include "login-util.h"
 #include "udev-builtin.h"
-static int devnode_acl(int fd, uid_t uid) {
- bool changed = false, found = false;
- int r;
-
- assert(fd >= 0);
-
- _cleanup_(acl_freep) acl_t acl = NULL;
- acl = acl_get_file(FORMAT_PROC_FD_PATH(fd), ACL_TYPE_ACCESS);
- if (!acl)
- return -errno;
-
- acl_entry_t entry;
- for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
- r > 0;
- r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry)) {
-
- acl_tag_t tag;
- if (acl_get_tag_type(entry, &tag) < 0)
- return -errno;
-
- if (tag != ACL_USER)
- continue;
-
- if (uid > 0) {
- uid_t *u = acl_get_qualifier(entry);
- if (!u)
- return -errno;
-
- if (*u == uid) {
- acl_permset_t permset;
- if (acl_get_permset(entry, &permset) < 0)
- return -errno;
-
- int rd = acl_get_perm(permset, ACL_READ);
- if (rd < 0)
- return -errno;
-
- int wt = acl_get_perm(permset, ACL_WRITE);
- if (wt < 0)
- return -errno;
-
- if (!rd || !wt) {
- if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0)
- return -errno;
-
- changed = true;
- }
-
- found = true;
- continue;
- }
- }
-
- if (acl_delete_entry(acl, entry) < 0)
- return -errno;
-
- changed = true;
- }
- if (r < 0)
- return -errno;
-
- if (!found && uid > 0) {
- if (acl_create_entry(&acl, &entry) < 0)
- return -errno;
-
- if (acl_set_tag_type(entry, ACL_USER) < 0)
- return -errno;
-
- if (acl_set_qualifier(entry, &uid) < 0)
- return -errno;
-
- acl_permset_t permset;
- if (acl_get_permset(entry, &permset) < 0)
- return -errno;
-
- if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0)
- return -errno;
-
- changed = true;
- }
-
- if (!changed)
- return 0;
-
- if (acl_calc_mask(&acl) < 0)
- return -errno;
-
- if (acl_set_file(FORMAT_PROC_FD_PATH(fd), ACL_TYPE_ACCESS, acl) < 0)
- return -errno;
-
- return 0;
-}
-
 static int builtin_uaccess(UdevEvent *event, int argc, char *argv[]) {
 sd_device *dev = ASSERT_PTR(ASSERT_PTR(event)->dev);
 int r, k;