1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2011 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 #include <acl/libacl.h>
28 #include "logind-acl.h"
32 static int flush_acl(acl_t acl) {
39 for (found = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
41 found = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
45 if (acl_get_tag_type(i, &tag) < 0)
51 if (acl_delete_entry(acl, i) < 0)
63 int devnode_acl(const char *path,
65 bool del, uid_t old_uid,
66 bool add, uid_t new_uid) {
74 acl = acl_get_file(path, ACL_TYPE_ACCESS);
86 } else if (del && old_uid > 0) {
89 r = acl_find_uid(acl, old_uid, &entry);
94 if (acl_delete_entry(acl, entry) < 0) {
103 if (add && new_uid > 0) {
105 acl_permset_t permset;
108 r = acl_find_uid(acl, new_uid, &entry);
113 if (acl_create_entry(&acl, &entry) < 0) {
118 if (acl_set_tag_type(entry, ACL_USER) < 0 ||
119 acl_set_qualifier(entry, &new_uid) < 0) {
125 if (acl_get_permset(entry, &permset) < 0) {
130 rd = acl_get_perm(permset, ACL_READ);
136 wt = acl_get_perm(permset, ACL_WRITE);
144 if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0) {
156 if (acl_calc_mask(&acl) < 0) {
161 if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0) {
174 int devnode_acl_all(struct udev *udev,
177 bool del, uid_t old_uid,
178 bool add, uid_t new_uid) {
180 struct udev_list_entry *item = NULL, *first = NULL;
181 struct udev_enumerate *e;
189 e = udev_enumerate_new(udev);
193 /* We can only match by one tag in libudev. We choose
194 * "uaccess" for that. If we could match for two tags here we
195 * could add the seat name as second match tag, but this would
196 * be hardly optimizable in libudev, and hence checking the
197 * second tag manually in our loop is a good solution. */
199 r = udev_enumerate_add_match_tag(e, "uaccess");
203 r = udev_enumerate_scan_devices(e);
207 first = udev_enumerate_get_list_entry(e);
208 udev_list_entry_foreach(item, first) {
209 struct udev_device *d;
210 const char *node, *sn;
212 d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
218 sn = udev_device_get_property_value(d, "ID_SEAT");
222 if (!streq(seat, sn)) {
223 udev_device_unref(d);
227 node = udev_device_get_devnode(d);
229 /* In case people mistag devices with nodes, we need to ignore this */
230 udev_device_unref(d);
234 log_debug("Fixing up %s for seat %s...", node, sn);
236 r = devnode_acl(node, flush, del, old_uid, add, new_uid);
237 udev_device_unref(d);
245 udev_enumerate_unref(e);