1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2011 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
26 #include <acl/libacl.h>
31 #include "logind-acl.h"
33 static int flush_acl(acl_t acl) {
40 for (found = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
42 found = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
46 if (acl_get_tag_type(i, &tag) < 0)
52 if (acl_delete_entry(acl, i) < 0)
64 int devnode_acl(const char *path,
66 bool del, uid_t old_uid,
67 bool add, uid_t new_uid) {
75 acl = acl_get_file(path, ACL_TYPE_ACCESS);
87 } else if (del && old_uid > 0) {
90 r = acl_find_uid(acl, old_uid, &entry);
95 if (acl_delete_entry(acl, entry) < 0) {
104 if (add && new_uid > 0) {
106 acl_permset_t permset;
109 r = acl_find_uid(acl, new_uid, &entry);
114 if (acl_create_entry(&acl, &entry) < 0) {
119 if (acl_set_tag_type(entry, ACL_USER) < 0 ||
120 acl_set_qualifier(entry, &new_uid) < 0) {
126 if (acl_get_permset(entry, &permset) < 0) {
131 rd = acl_get_perm(permset, ACL_READ);
137 wt = acl_get_perm(permset, ACL_WRITE);
145 if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0) {
157 if (acl_calc_mask(&acl) < 0) {
162 if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0) {
175 int devnode_acl_all(struct udev *udev,
178 bool del, uid_t old_uid,
179 bool add, uid_t new_uid) {
181 struct udev_list_entry *item = NULL, *first = NULL;
182 struct udev_enumerate *e;
186 _cleanup_closedir_ DIR *dir = NULL;
192 nodes = set_new(string_hash_func, string_compare_func);
196 e = udev_enumerate_new(udev);
205 /* We can only match by one tag in libudev. We choose
206 * "uaccess" for that. If we could match for two tags here we
207 * could add the seat name as second match tag, but this would
208 * be hardly optimizable in libudev, and hence checking the
209 * second tag manually in our loop is a good solution. */
210 r = udev_enumerate_add_match_tag(e, "uaccess");
214 r = udev_enumerate_scan_devices(e);
218 first = udev_enumerate_get_list_entry(e);
219 udev_list_entry_foreach(item, first) {
220 struct udev_device *d;
221 const char *node, *sn;
223 d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
229 sn = udev_device_get_property_value(d, "ID_SEAT");
233 if (!streq(seat, sn)) {
234 udev_device_unref(d);
238 node = udev_device_get_devnode(d);
240 /* In case people mistag devices with nodes, we need to ignore this */
241 udev_device_unref(d);
246 udev_device_unref(d);
250 log_debug("Found udev node %s for seat %s", n, seat);
251 r = set_put(nodes, n);
256 /* udev exports "dead" device nodes to allow module on-demand loading,
257 * these devices are not known to the kernel at this moment */
258 dir = opendir("/run/udev/static_node-tags/uaccess");
260 FOREACH_DIRENT(dent, dir, r = -errno; goto finish) {
261 _cleanup_free_ char *unescaped_devname = NULL;
263 unescaped_devname = cunescape(dent->d_name);
264 if (unescaped_devname == NULL) {
269 n = strappend("/dev/", unescaped_devname);
275 log_debug("Found static node %s for seat %s", n, seat);
276 r = set_put(nodes, n);
277 if (r < 0 && r != -EEXIST)
284 SET_FOREACH(n, nodes, i) {
285 log_debug("Fixing up ACLs at %s for seat %s", n, seat);
286 r = devnode_acl(n, flush, del, old_uid, add, new_uid);
290 udev_enumerate_unref(e);
291 set_free_free(nodes);