From 48a849ee17fb25e0001bfcc0f28a4aa633d016a1 Mon Sep 17 00:00:00 2001
From: Kay Sievers <kay@vrfy.org>
Date: Fri, 4 Jan 2013 16:15:46 +0100
Subject: [PATCH] udev: set device node permissions only at "add" events

---
 TODO                 |  2 --
 src/udev/udev-node.c | 29 +++++++++++++++--------------
 2 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/TODO b/TODO
index 8ebb951c2..35d96ecb8 100644
--- a/TODO
+++ b/TODO
@@ -29,8 +29,6 @@ Features:
 
 * exec: when deinitializating a tty device fix the perms and group, too, not only when initializing. Set access mode/gid to 0620/tty.
 
-* udev: only reset mode/gid of /dev/tty1 and friends on ACTION=add, not ACTION=changed
-
 * DeviceAllow/DeviceDeny: disallow everything by default, but whitelist /dev/zero, /dev/null and friends
 
 * service: watchdog logic: for testing purposes allow ping, but do not require pong
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
index 777430370..1e378adf2 100644
--- a/src/udev/udev-node.c
+++ b/src/udev/udev-node.c
@@ -279,22 +279,23 @@ static int node_fixup(struct udev_device *dev, mode_t mode, uid_t uid, gid_t gid
                 goto out;
         }
 
-        if ((stats.st_mode & 0777) != (mode & 0777) || stats.st_uid != uid || stats.st_gid != gid) {
-                log_debug("set permissions %s, %#o, uid=%u, gid=%u\n", devnode, mode, uid, gid);
-                chmod(devnode, mode);
-                chown(devnode, uid, gid);
-        } else {
-                log_debug("preserve permissions %s, %#o, uid=%u, gid=%u\n", devnode, mode, uid, gid);
-        }
-
         /*
-         * Set initial selinux file context only on add events.
-         * We set the proper context on bootup (triger) or for newly
-         * added devices, but we don't change it later, in case
-         * something else has set a custom context in the meantime.
+         * Set permissions and selinux file context only on add events. We always
+         * set it on bootup (coldplug) with "trigger --action=add" for all devices
+         * and for any newly added devices (hotplug). We don't want to change it
+         * later, in case something else has applied custom settings in the meantime.
          */
-        if (strcmp(udev_device_get_action(dev), "add") == 0)
-            label_fix(devnode, true, false);
+        if (strcmp(udev_device_get_action(dev), "add") == 0) {
+                if ((stats.st_mode & 0777) != (mode & 0777) || stats.st_uid != uid || stats.st_gid != gid) {
+                        log_debug("set permissions %s, %#o, uid=%u, gid=%u\n", devnode, mode, uid, gid);
+                        chmod(devnode, mode);
+                        chown(devnode, uid, gid);
+                } else {
+                        log_debug("preserve permissions %s, %#o, uid=%u, gid=%u\n", devnode, mode, uid, gid);
+                }
+
+                label_fix(devnode, true, false);
+        }
 
         /* always update timestamp when we re-use the node, like on media change events */
         utimensat(AT_FDCWD, devnode, NULL, 0);
-- 
2.30.2