From 22582bb2cbe85b40de5f561589e0468dac769515 Mon Sep 17 00:00:00 2001
From: Kay Sievers
Date: Sun, 27 Jan 2013 21:46:36 +0100
Subject: [PATCH] udev: set default rules permissions only at "add" events
---
 rules/50-udev-default.rules | 42 +++++++++----------------------------
 src/udev/udev-event.c | 5 +++--
 src/udev/udev-node.c | 17 +++++----------
 src/udev/udev.h | 2 +-
 4 files changed, 19 insertions(+), 47 deletions(-)
diff --git a/rules/50-udev-default.rules b/rules/50-udev-default.rules
index fc52fd17f..5d8bde53c 100644
--- a/rules/50-udev-default.rules
+++ b/rules/50-udev-default.rules
@@ -1,51 +1,35 @@
 # do not edit this file, it will be overwritten on update
+ACTION!="add", GOTO="default_permissions_end"
+
 SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666"
 SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666"
 SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620"
 SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty"
-
-# serial
 KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout"
-# virtio serial / console ports
-SUBSYSTEM=="virtio-ports", KERNEL=="vport*", ATTR{name}=="?*", SYMLINK+="virtio-ports/$attr{name}"
-
-# mem
 SUBSYSTEM=="mem", KERNEL=="mem|kmem|port", GROUP="kmem", MODE="0640"
-# input
-SUBSYSTEM=="input", ENV{ID_INPUT}=="", IMPORT{builtin}="input_id"
 SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640"
 SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640"
 SUBSYSTEM=="input", KERNEL=="js[0-9]*", MODE="0644"
-# video4linux
 SUBSYSTEM=="video4linux", GROUP="video"
-
-# graphics
 SUBSYSTEM=="misc", KERNEL=="agpgart", GROUP="video"
 SUBSYSTEM=="graphics", GROUP="video"
 SUBSYSTEM=="drm", GROUP="video"
+SUBSYSTEM=="dvb", GROUP="video"
-# sound
 SUBSYSTEM=="sound", GROUP="audio", \
 OPTIONS+="static_node=snd/seq", OPTIONS+="static_node=snd/timer"
-# DVB (video)
-SUBSYSTEM=="dvb", GROUP="video"
+SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0664"
-# FireWire (firewire-core driver: IIDC devices, AV/C devices)
 SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x00010*", GROUP="video"
 SUBSYSTEM=="firewire", ATTR{units}=="*0x00b09d:0x00010*", GROUP="video"
 SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x010001*", GROUP="video"
 SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", GROUP="video"
-# 'libusb' device nodes
-SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0664"
-SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", IMPORT{builtin}="usb_id", IMPORT{builtin}="hwdb --subsystem=usb"
-
-# printer
 KERNEL=="parport[0-9]*", GROUP="lp"
 SUBSYSTEM=="printer", KERNEL=="lp*", GROUP="lp"
 SUBSYSTEM=="ppdev", GROUP="lp"
@@ -53,23 +37,15 @@ KERNEL=="lp[0-9]*", GROUP="lp"
 KERNEL=="irlpt[0-9]*", GROUP="lp"
 SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ENV{ID_USB_INTERFACES}=="*:0701??:*", GROUP="lp"
-# block
 SUBSYSTEM=="block", GROUP="disk"
-
-# floppy
 SUBSYSTEM=="block", KERNEL=="fd[0-9]", GROUP="floppy"
-
-# cdrom
 SUBSYSTEM=="block", KERNEL=="sr[0-9]*", GROUP="cdrom"
 SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="4|5", GROUP="cdrom"
 KERNEL=="sch[0-9]*", GROUP="cdrom"
 KERNEL=="pktcdvd[0-9]*", GROUP="cdrom"
 KERNEL=="pktcdvd", GROUP="cdrom"
-# tape
 SUBSYSTEM=="scsi_generic|scsi_tape", SUBSYSTEMS=="scsi", ATTRS{type}=="1|8", GROUP="tape"
-
-# block-related
 SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="0", GROUP="disk"
 KERNEL=="qft[0-9]*|nqft[0-9]*|zqft[0-9]*|nzqft[0-9]*|rawqft[0-9]*|nrawqft[0-9]*", GROUP="disk"
 KERNEL=="rawctl", GROUP="disk"
@@ -77,14 +53,16 @@ SUBSYSTEM=="raw", KERNEL=="raw[0-9]*", GROUP="disk"
 SUBSYSTEM=="aoe", GROUP="disk", MODE="0220"
 SUBSYSTEM=="aoe", KERNEL=="err", MODE="0440"
-# network
-KERNEL=="tun", MODE="0666", OPTIONS+="static_node=net/tun"
 KERNEL=="rfkill", MODE="0644"
+KERNEL=="tun", MODE="0666", OPTIONS+="static_node=net/tun"
-KERNEL=="fuse", ACTION=="add", MODE="0666", OPTIONS+="static_node=fuse"
+KERNEL=="fuse", MODE="0666", OPTIONS+="static_node=fuse"
+LABEL="default_permissions_end"
 SUBSYSTEM=="rtc", ATTR{hctosys}=="1", MODE="0644", SYMLINK+="rtc"
+SUBSYSTEM=="virtio-ports", KERNEL=="vport*", ATTR{name}=="?*", SYMLINK+="virtio-ports/$attr{name}"
+SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", IMPORT{builtin}="usb_id", IMPORT{builtin}="hwdb --subsystem=usb"
+SUBSYSTEM=="input", ENV{ID_INPUT}=="", IMPORT{builtin}="input_id"
 SUBSYSTEM=="firmware", ACTION=="add", IMPORT{builtin}="firmware"
-
 ENV{MODALIAS}!="", IMPORT{builtin}="hwdb --subsystem=$env{SUBSYSTEM}"
diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c
index 8c8b058df..ef9fc61c6 100644
--- a/src/udev/udev-event.c
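Review bot: The `SUBSYSTEM=="sound", GROUP="audio"` rule carrying `OPTIONS+="static_node=snd/seq"` now sits behind the new `ACTION!="add", GOTO="default_permissions_end"` line, as do the tun and fuse static_node rules moved in the last hunk of this file. Static nodes are set up from the rule set at daemon start rather than from an event, and whether that pass honours the GOTO, or still picks up the GROUP/MODE that precede the static_node option, is not visible in this patch; it is worth confirming so that those nodes keep the intended group and mode. A comment on the GOTO line would also record the intent, since the comment explaining it is deleted from udev-node.c in this same series: `# owner, group and mode are applied only at "add"; later events keep whatever was set in the meantime`.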
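Review bot: `SUBSYSTEM=="rtc", ATTR{hctosys}=="1", MODE="0644", SYMLINK+="rtc"` ends up after `LABEL="default_permissions_end"`, so its MODE= is evaluated for every action, and with the udev-event.c change in this patch a set mode alone makes udev_node_add re-apply permissions; on a "change" event this rule resets the rtc node to 0644 and undoes an administrator's chmod, which is exactly what the commit sets out to stop. Keeping the symlink where it is and moving the mode above the label fixes it: `SUBSYSTEM=="rtc", ATTR{hctosys}=="1", MODE="0644"` before the label and `SUBSYSTEM=="rtc", ATTR{hctosys}=="1", SYMLINK+="rtc"` after it. The same check applies to any rule in other files that sets MODE=, OWNER= or GROUP= without an ACTION match, because the C side no longer looks at the action.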
+++ b/src/udev/udev-event.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2003-2010 Kay Sievers
+ * Copyright (C) 2003-2013 Kay Sievers
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -861,7 +861,8 @@ int udev_event_execute_rules(struct udev_event *event, struct udev_rules *rules,
 }
 }
- udev_node_add(dev, event->mode, event->uid, event->gid);
+ udev_node_add(dev, event->owner_set || event->group_set || event->mode_set,
+ event->mode, event->uid, event->gid);
 }
 /* preserve old, or get new initialization timestamp */
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
index 3eec14021..bce4cfe43 100644
--- a/src/udev/udev-node.c
+++ b/src/udev/udev-node.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2003-2010 Kay Sievers
+ * Copyright (C) 2003-2013 Kay Sievers
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -254,7 +254,7 @@ void udev_node_update_old_links(struct udev_device *dev, struct udev_device *dev
 }
 }
-static int node_fixup(struct udev_device *dev, mode_t mode, uid_t uid, gid_t gid)
+static int node_permissions_apply(struct udev_device *dev, bool apply, mode_t mode, uid_t uid, gid_t gid)
 {
 const char *devnode = udev_device_get_devnode(dev);
 dev_t devnum = udev_device_get_devnum(dev);
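Review bot: The new `apply` argument is derived solely from `event->owner_set || event->group_set || event->mode_set`, so the decision to chmod/chown an existing node no longer depends on the event action at all; the add-only policy this commit wants now rests entirely on the GOTO in 50-udev-default.rules, and any other rules file that sets MODE=, OWNER= or GROUP= without an `ACTION==` match will re-apply permissions on every change event and overwrite settings applied by the administrator or another service. That is a quiet change of contract for rule authors and deserves a comment at the call: `/* apply permissions only when a rule explicitly set owner, group or mode; the "add"-only default now lives in 50-udev-default.rules, not here */`. udev_event_execute_rules starts and ends outside this hunk.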
@@ -279,13 +279,7 @@ static int node_fixup(struct udev_device *dev, mode_t mode, uid_t uid, gid_t gid
 goto out;
 }
- /*
- * Set permissions and selinux file context only on add events. We always
- * set it on bootup (coldplug) with "trigger --action=add" for all devices
- * and for any newly added devices (hotplug). We don't want to change it
- * later, in case something else has applied custom settings in the meantime.
- */
- if (strcmp(udev_device_get_action(dev), "add") == 0) {
+ if (apply) {
 if ((stats.st_mode & 0777) != (mode & 0777) || stats.st_uid != uid || stats.st_gid != gid) {
 log_debug("set permissions %s, %#o, uid=%u, gid=%u\n", devnode, mode, uid, gid);
 chmod(devnode, mode);
@@ -293,7 +287,6 @@ static int node_fixup(struct udev_device *dev, mode_t mode, uid_t uid, gid_t gid
 } else {
 log_debug("preserve permissions %s, %#o, uid=%u, gid=%u\n", devnode, mode, uid, gid);
 }
- label_fix(devnode, true, false);
 }
@@ -303,7 +296,7 @@ out:
 return err;
 }
-void udev_node_add(struct udev_device *dev, mode_t mode, uid_t uid, gid_t gid)
+void udev_node_add(struct udev_device *dev, bool apply, mode_t mode, uid_t uid, gid_t gid)
 {
 struct udev *udev = udev_device_get_udev(dev);
 char filename[UTIL_PATH_SIZE];
@@ -312,7 +305,7 @@ void udev_node_add(struct udev_device *dev, mode_t mode, uid_t uid, gid_t gid)
 log_debug("handling device node '%s', devnum=%s, mode=%#o, uid=%d, gid=%d\n",
 udev_device_get_devnode(dev), udev_device_get_id_filename(dev), mode, uid, gid);
- if (node_fixup(dev, mode, uid, gid) < 0)
+ if (node_permissions_apply(dev, apply, mode, uid, gid) < 0)
 return;
 /* always add /dev/{block,char}/$major:$minor */
diff --git a/src/udev/udev.h b/src/udev/udev.h
index 72a7623e3..b54cb58fc 100644
--- a/src/udev/udev.h
+++ b/src/udev/udev.h
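Review bot: The five-line comment explaining why permissions are only touched on "add" is deleted with nothing replacing it, and the bare `if (apply) {` gives a reader no hint where `apply` comes from or why it is usually false outside "add". Since node_permissions_apply is now the only place that chooses between "set" and "preserve", a short comment on the branch keeps that knowledge next to the code: `/* apply is true only when a rule set owner, group or mode; the default rules restrict that to "add" so settings applied later by others are preserved */`. The function starts before this hunk and continues past it.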
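Review bot: `label_fix(devnode, true, false)` is removed here and not re-added anywhere in the patch (the diffstat's five insertions for udev-node.c are all accounted for by the signature and call changes), so an existing device node that udev does not recreate itself keeps whatever SELinux context it already has instead of being relabelled on "add". On systems that rely on udev to put the right file context on /dev entries this can leave nodes with the wrong label, which either blocks confined services from their devices or leaves a node accessible under a label it should not carry. If relabelling is meant to stay, keep `label_fix(devnode, true, false);` inside the `if (apply)` branch or unconditionally as before; if the drop is intended, the commit message should say where labelling now happens. node_permissions_apply continues outside the hunk.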
@@ -95,7 +95,7 @@ void udev_watch_end(struct udev *udev, struct udev_device *dev);
 struct udev_device *udev_watch_lookup(struct udev *udev, int wd);
 /* udev-node.c */
-void udev_node_add(struct udev_device *dev, mode_t mode, uid_t uid, gid_t gid);
+void udev_node_add(struct udev_device *dev, bool apply, mode_t mode, uid_t uid, gid_t gid);
 void udev_node_remove(struct udev_device *dev);
 void udev_node_update_old_links(struct udev_device *dev, struct udev_device *dev_old);
--
2.30.2
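Review bot: The prototype now uses `bool`, and the hunk does not show whether udev.h already has <stdbool.h> in scope; if it does not, every translation unit that includes udev.h before pulling in stdbool.h stops compiling, so confirm the include. The new parameter also changes udev_node_add's contract for every caller and deserves a line above the declaration, e.g. `/* apply: chmod/chown an existing node to mode/uid/gid; when false, existing permissions are preserved */`.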