1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2011 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
26 #include "alloc-util.h"
27 #include "dirent-util.h"
30 #include "formats-util.h"
31 #include "logind-acl.h"
33 #include "string-util.h"
34 #include "udev-util.h"
37 static int flush_acl(acl_t acl) {
44 for (found = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
46 found = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
50 if (acl_get_tag_type(i, &tag) < 0)
56 if (acl_delete_entry(acl, i) < 0)
68 int devnode_acl(const char *path,
70 bool del, uid_t old_uid,
71 bool add, uid_t new_uid) {
79 acl = acl_get_file(path, ACL_TYPE_ACCESS);
91 } else if (del && old_uid > 0) {
94 r = acl_find_uid(acl, old_uid, &entry);
99 if (acl_delete_entry(acl, entry) < 0) {
108 if (add && new_uid > 0) {
110 acl_permset_t permset;
113 r = acl_find_uid(acl, new_uid, &entry);
118 if (acl_create_entry(&acl, &entry) < 0) {
123 if (acl_set_tag_type(entry, ACL_USER) < 0 ||
124 acl_set_qualifier(entry, &new_uid) < 0) {
130 if (acl_get_permset(entry, &permset) < 0) {
135 rd = acl_get_perm(permset, ACL_READ);
141 wt = acl_get_perm(permset, ACL_WRITE);
149 if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0) {
161 if (acl_calc_mask(&acl) < 0) {
166 if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0) {
179 int devnode_acl_all(struct udev *udev,
182 bool del, uid_t old_uid,
183 bool add, uid_t new_uid) {
185 _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
186 struct udev_list_entry *item = NULL, *first = NULL;
187 _cleanup_set_free_free_ Set *nodes = NULL;
188 _cleanup_closedir_ DIR *dir = NULL;
196 nodes = set_new(&string_hash_ops);
200 e = udev_enumerate_new(udev);
207 /* We can only match by one tag in libudev. We choose
208 * "uaccess" for that. If we could match for two tags here we
209 * could add the seat name as second match tag, but this would
210 * be hardly optimizable in libudev, and hence checking the
211 * second tag manually in our loop is a good solution. */
212 r = udev_enumerate_add_match_tag(e, "uaccess");
216 r = udev_enumerate_add_match_is_initialized(e);
220 r = udev_enumerate_scan_devices(e);
224 first = udev_enumerate_get_list_entry(e);
225 udev_list_entry_foreach(item, first) {
226 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
227 const char *node, *sn;
229 d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
233 sn = udev_device_get_property_value(d, "ID_SEAT");
237 if (!streq(seat, sn))
240 node = udev_device_get_devnode(d);
241 /* In case people mistag devices with nodes, we need to ignore this */
249 log_debug("Found udev node %s for seat %s", n, seat);
250 r = set_consume(nodes, n);
255 /* udev exports "dead" device nodes to allow module on-demand loading,
256 * these devices are not known to the kernel at this moment */
257 dir = opendir("/run/udev/static_node-tags/uaccess");
259 FOREACH_DIRENT(dent, dir, return -errno) {
260 _cleanup_free_ char *unescaped_devname = NULL;
262 if (cunescape(dent->d_name, UNESCAPE_RELAX, &unescaped_devname) < 0)
265 n = strappend("/dev/", unescaped_devname);
269 log_debug("Found static node %s for seat %s", n, seat);
270 r = set_consume(nodes, n);
279 SET_FOREACH(n, nodes, i) {
282 log_debug("Changing ACLs at %s for seat %s (uid "UID_FMT"→"UID_FMT"%s%s)",
283 n, seat, old_uid, new_uid,
284 del ? " del" : "", add ? " add" : "");
286 k = devnode_acl(n, flush, del, old_uid, add, new_uid);
288 log_debug("Device %s disappeared while setting ACLs", n);
289 else if (k < 0 && r == 0)