udev: set default rules permissions only at "add" events

rules/50-udev-default.rules

@@ -1,51 +1,35 @@
 # do not edit this file, it will be overwritten on update
 
+ACTION!="add", GOTO="default_permissions_end"
+
 SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666"
 SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666"
 SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620"
 SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty"
-
-# serial
 KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout"
 
-# virtio serial / console ports
-SUBSYSTEM=="virtio-ports", KERNEL=="vport*", ATTR{name}=="?*", SYMLINK+="virtio-ports/$attr{name}"
-
-# mem
 SUBSYSTEM=="mem", KERNEL=="mem|kmem|port", GROUP="kmem", MODE="0640"
 
-# input
-SUBSYSTEM=="input", ENV{ID_INPUT}=="", IMPORT{builtin}="input_id"
 SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640"
 SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640"
 SUBSYSTEM=="input", KERNEL=="js[0-9]*", MODE="0644"
 
-# video4linux
 SUBSYSTEM=="video4linux", GROUP="video"
-
-# graphics
 SUBSYSTEM=="misc", KERNEL=="agpgart", GROUP="video"
 SUBSYSTEM=="graphics", GROUP="video"
 SUBSYSTEM=="drm", GROUP="video"
+SUBSYSTEM=="dvb", GROUP="video"
 
-# sound
 SUBSYSTEM=="sound", GROUP="audio", \
   OPTIONS+="static_node=snd/seq", OPTIONS+="static_node=snd/timer"
 
-# DVB (video)
-SUBSYSTEM=="dvb", GROUP="video"
+SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0664"
 
-# FireWire (firewire-core driver: IIDC devices, AV/C devices)
 SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x00010*", GROUP="video"
 SUBSYSTEM=="firewire", ATTR{units}=="*0x00b09d:0x00010*", GROUP="video"
 SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x010001*", GROUP="video"
 SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", GROUP="video"
 
-# 'libusb' device nodes
-SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0664"
-SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", IMPORT{builtin}="usb_id", IMPORT{builtin}="hwdb --subsystem=usb"
-
-# printer
 KERNEL=="parport[0-9]*", GROUP="lp"
 SUBSYSTEM=="printer", KERNEL=="lp*", GROUP="lp"
 SUBSYSTEM=="ppdev", GROUP="lp"
@@ -53,23 +37,15 @@ KERNEL=="lp[0-9]*", GROUP="lp"
 KERNEL=="irlpt[0-9]*", GROUP="lp"
 SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ENV{ID_USB_INTERFACES}=="*:0701??:*", GROUP="lp"
 
-# block
 SUBSYSTEM=="block", GROUP="disk"
-
-# floppy
 SUBSYSTEM=="block", KERNEL=="fd[0-9]", GROUP="floppy"
-
-# cdrom
 SUBSYSTEM=="block", KERNEL=="sr[0-9]*", GROUP="cdrom"
 SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="4|5", GROUP="cdrom"
 KERNEL=="sch[0-9]*", GROUP="cdrom"
 KERNEL=="pktcdvd[0-9]*", GROUP="cdrom"
 KERNEL=="pktcdvd", GROUP="cdrom"
 
-# tape
 SUBSYSTEM=="scsi_generic|scsi_tape", SUBSYSTEMS=="scsi", ATTRS{type}=="1|8", GROUP="tape"
-
-# block-related
 SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="0", GROUP="disk"
 KERNEL=="qft[0-9]*|nqft[0-9]*|zqft[0-9]*|nzqft[0-9]*|rawqft[0-9]*|nrawqft[0-9]*", GROUP="disk"
 KERNEL=="rawctl", GROUP="disk"
@@ -77,14 +53,16 @@ SUBSYSTEM=="raw", KERNEL=="raw[0-9]*", GROUP="disk"
 SUBSYSTEM=="aoe", GROUP="disk", MODE="0220"
 SUBSYSTEM=="aoe", KERNEL=="err", MODE="0440"
 
-# network
-KERNEL=="tun", MODE="0666", OPTIONS+="static_node=net/tun"
 KERNEL=="rfkill", MODE="0644"
+KERNEL=="tun", MODE="0666", OPTIONS+="static_node=net/tun"
 
-KERNEL=="fuse", ACTION=="add", MODE="0666", OPTIONS+="static_node=fuse"
+KERNEL=="fuse", MODE="0666", OPTIONS+="static_node=fuse"
 
+LABEL="default_permissions_end"
 SUBSYSTEM=="rtc", ATTR{hctosys}=="1", MODE="0644", SYMLINK+="rtc"
+SUBSYSTEM=="virtio-ports", KERNEL=="vport*", ATTR{name}=="?*", SYMLINK+="virtio-ports/$attr{name}"
 
+SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", IMPORT{builtin}="usb_id", IMPORT{builtin}="hwdb --subsystem=usb"
+SUBSYSTEM=="input", ENV{ID_INPUT}=="", IMPORT{builtin}="input_id"
 SUBSYSTEM=="firmware", ACTION=="add", IMPORT{builtin}="firmware"
-
 ENV{MODALIAS}!="", IMPORT{builtin}="hwdb --subsystem=$env{SUBSYSTEM}"

src/udev/udev-event.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2003-2010 Kay Sievers <kay@vrfy.org>
+ * Copyright (C) 2003-2013 Kay Sievers <kay@vrfy.org>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -861,7 +861,8 @@ int udev_event_execute_rules(struct udev_event *event, struct udev_rules *rules,
                                 }
                         }
 
-                        udev_node_add(dev, event->mode, event->uid, event->gid);
+                        udev_node_add(dev, event->owner_set || event->group_set || event->mode_set,
+                                      event->mode, event->uid, event->gid);
                 }
 
                 /* preserve old, or get new initialization timestamp */

src/udev/udev-node.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2003-2010 Kay Sievers <kay@vrfy.org>
+ * Copyright (C) 2003-2013 Kay Sievers <kay@vrfy.org>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -254,7 +254,7 @@ void udev_node_update_old_links(struct udev_device *dev, struct udev_device *dev
         }
 }
 
-static int node_fixup(struct udev_device *dev, mode_t mode, uid_t uid, gid_t gid)
+static int node_permissions_apply(struct udev_device *dev, bool apply, mode_t mode, uid_t uid, gid_t gid)
 {
         const char *devnode = udev_device_get_devnode(dev);
         dev_t devnum = udev_device_get_devnum(dev);
@@ -279,13 +279,7 @@ static int node_fixup(struct udev_device *dev, mode_t mode, uid_t uid, gid_t gid
                 goto out;
         }
 
-        /*
-         * Set permissions and selinux file context only on add events. We always
-         * set it on bootup (coldplug) with "trigger --action=add" for all devices
-         * and for any newly added devices (hotplug). We don't want to change it
-         * later, in case something else has applied custom settings in the meantime.
-         */
-        if (strcmp(udev_device_get_action(dev), "add") == 0) {
+        if (apply) {
                 if ((stats.st_mode & 0777) != (mode & 0777) || stats.st_uid != uid || stats.st_gid != gid) {
                         log_debug("set permissions %s, %#o, uid=%u, gid=%u\n", devnode, mode, uid, gid);
                         chmod(devnode, mode);
@@ -293,7 +287,6 @@ static int node_fixup(struct udev_device *dev, mode_t mode, uid_t uid, gid_t gid
                 } else {
                         log_debug("preserve permissions %s, %#o, uid=%u, gid=%u\n", devnode, mode, uid, gid);
                 }
-
                 label_fix(devnode, true, false);
         }
 
@@ -303,7 +296,7 @@ out:
         return err;
 }
 
-void udev_node_add(struct udev_device *dev, mode_t mode, uid_t uid, gid_t gid)
+void udev_node_add(struct udev_device *dev, bool apply, mode_t mode, uid_t uid, gid_t gid)
 {
         struct udev *udev = udev_device_get_udev(dev);
         char filename[UTIL_PATH_SIZE];
@@ -312,7 +305,7 @@ void udev_node_add(struct udev_device *dev, mode_t mode, uid_t uid, gid_t gid)
         log_debug("handling device node '%s', devnum=%s, mode=%#o, uid=%d, gid=%d\n",
                   udev_device_get_devnode(dev), udev_device_get_id_filename(dev), mode, uid, gid);
 
-        if (node_fixup(dev, mode, uid, gid) < 0)
+        if (node_permissions_apply(dev, apply, mode, uid, gid) < 0)
                 return;
 
         /* always add /dev/{block,char}/$major:$minor */

src/udev/udev.h

@@ -95,7 +95,7 @@ void udev_watch_end(struct udev *udev, struct udev_device *dev);
 struct udev_device *udev_watch_lookup(struct udev *udev, int wd);
 
 /* udev-node.c */
-void udev_node_add(struct udev_device *dev, mode_t mode, uid_t uid, gid_t gid);
+void udev_node_add(struct udev_device *dev, bool apply, mode_t mode, uid_t uid, gid_t gid);
 void udev_node_remove(struct udev_device *dev);
 void udev_node_update_old_links(struct udev_device *dev, struct udev_device *dev_old);