1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2011 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
26 #include <acl/libacl.h>
31 #include "logind-acl.h"
32 #include "udev-util.h"
34 static int flush_acl(acl_t acl) {
41 for (found = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
43 found = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
47 if (acl_get_tag_type(i, &tag) < 0)
53 if (acl_delete_entry(acl, i) < 0)
65 int devnode_acl(const char *path,
67 bool del, uid_t old_uid,
68 bool add, uid_t new_uid) {
76 acl = acl_get_file(path, ACL_TYPE_ACCESS);
88 } else if (del && old_uid > 0) {
91 r = acl_find_uid(acl, old_uid, &entry);
96 if (acl_delete_entry(acl, entry) < 0) {
105 if (add && new_uid > 0) {
107 acl_permset_t permset;
110 r = acl_find_uid(acl, new_uid, &entry);
115 if (acl_create_entry(&acl, &entry) < 0) {
120 if (acl_set_tag_type(entry, ACL_USER) < 0 ||
121 acl_set_qualifier(entry, &new_uid) < 0) {
127 if (acl_get_permset(entry, &permset) < 0) {
132 rd = acl_get_perm(permset, ACL_READ);
138 wt = acl_get_perm(permset, ACL_WRITE);
146 if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0) {
158 if (acl_calc_mask(&acl) < 0) {
163 if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0) {
176 int devnode_acl_all(struct udev *udev,
179 bool del, uid_t old_uid,
180 bool add, uid_t new_uid) {
182 _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
183 struct udev_list_entry *item = NULL, *first = NULL;
184 _cleanup_set_free_free_ Set *nodes = NULL;
185 _cleanup_closedir_ DIR *dir = NULL;
193 nodes = set_new(string_hash_func, string_compare_func);
197 e = udev_enumerate_new(udev);
204 /* We can only match by one tag in libudev. We choose
205 * "uaccess" for that. If we could match for two tags here we
206 * could add the seat name as second match tag, but this would
207 * be hardly optimizable in libudev, and hence checking the
208 * second tag manually in our loop is a good solution. */
209 r = udev_enumerate_add_match_tag(e, "uaccess");
213 r = udev_enumerate_add_match_is_initialized(e);
217 r = udev_enumerate_scan_devices(e);
221 first = udev_enumerate_get_list_entry(e);
222 udev_list_entry_foreach(item, first) {
223 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
224 const char *node, *sn;
226 d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
230 sn = udev_device_get_property_value(d, "ID_SEAT");
234 if (!streq(seat, sn))
237 node = udev_device_get_devnode(d);
238 /* In case people mistag devices with nodes, we need to ignore this */
246 log_debug("Found udev node %s for seat %s", n, seat);
247 r = set_consume(nodes, n);
252 /* udev exports "dead" device nodes to allow module on-demand loading,
253 * these devices are not known to the kernel at this moment */
254 dir = opendir("/run/udev/static_node-tags/uaccess");
256 FOREACH_DIRENT(dent, dir, return -errno) {
257 _cleanup_free_ char *unescaped_devname = NULL;
259 unescaped_devname = cunescape(dent->d_name);
260 if (!unescaped_devname)
263 n = strappend("/dev/", unescaped_devname);
267 log_debug("Found static node %s for seat %s", n, seat);
268 r = set_consume(nodes, n);
277 SET_FOREACH(n, nodes, i) {
280 log_debug("Fixing up ACLs at %s for seat %s", n, seat);
281 k = devnode_acl(n, flush, del, old_uid, add, new_uid);