shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-03-21 02:50:18 +03:00
Code

remove udev-acl

Browse Source 
Udev-acl will be part of a future ConsoleKit release. On systemd systems,
advanced ConsoleKit and udev-acl functionality are natively provided by
systemd.
This commit is contained in:
Kay Sievers 2012-03-07 16:34:56 +01:00
parent f6ba1a468c
commit b618e9957b
6 changed files with 7 additions and 540 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
Makefile.am
View File

@ -28,7 +28,6 @@ AM_LDFLAGS = \
DISTCHECK_CONFIGURE_FLAGS = \
--enable-debug \
--enable-rule_generator \
--enable-udev_acl \
--enable-floppy \
--enable-edd \
--with-selinux \
@ -676,23 +675,6 @@ dist_udevrules_DATA += \
src/extras/rule_generator/75-persistent-net-generator.rules
endif
if ENABLE_UDEV_ACL
# ------------------------------------------------------------------------------
# udev_acl - apply ACLs for users with local forground sessions
# ------------------------------------------------------------------------------
src_udev_acl_SOURCES = src/extras/udev-acl/udev-acl.c
src_udev_acl_CPPFLAGS = $(AM_CPPFLAGS) $(GLIB_CFLAGS)
src_udev_acl_LDADD = src/libudev-private.la -lacl $(GLIB_LIBS)
dist_udevrules_DATA += src/extras/udev-acl/70-udev-acl.rules
pkglibexec_PROGRAMS += src/udev-acl
udevacl-install-hook:
mkdir -p $(DESTDIR)$(prefix)/lib/ConsoleKit/run-seat.d
ln -sf $(libexecdir)/udev/udev-acl $(DESTDIR)$(prefix)/lib/ConsoleKit/run-seat.d/udev-acl.ck
INSTALL_EXEC_HOOKS += udevacl-install-hook
endif
if ENABLE_FLOPPY
# ------------------------------------------------------------------------------
# create_floppy_devices - historical floppy kernel device nodes (/dev/fd0h1440, ...)

7
NEWS
View File

@ -1,3 +1,10 @@
udev 181
========
The udev-acl tool is no longer provided, it will be part of a future
ConsoleKit release. On systemd systems, advanced ConsoleKit and udev-acl
functionality are provided by systemd.
udev 181
========
Require kmod version 5.

15
configure.ac
View File

@ -176,20 +176,6 @@ AC_ARG_ENABLE([rule_generator],
[], [enable_rule_generator=no])
AM_CONDITIONAL([ENABLE_RULE_GENERATOR], [test "x$enable_rule_generator" = "xyes"])
# ------------------------------------------------------------------------------
# udev_acl - apply ACLs for users with local forground sessions
# ------------------------------------------------------------------------------
AC_ARG_ENABLE([udev_acl],
AS_HELP_STRING([--enable-udev_acl], [enable local user acl permissions support @<:@default=disabled@:>@]),
[], [enable_udev_acl=no])
AS_IF([test "x$enable_udev_acl" = "xyes"], [
AC_CHECK_LIB([acl], [acl_init], [:], AC_MSG_ERROR([libacl not found]))
AC_CHECK_HEADER([acl/libacl.h], [:], AC_MSG_ERROR([libacl header not found]))
PKG_CHECK_MODULES([GLIB], [glib-2.0 >= 2.22.0 gobject-2.0 >= 2.22.0])
])
AM_CONDITIONAL([ENABLE_UDEV_ACL], [test "x$enable_udev_acl" = "xyes"])
# ------------------------------------------------------------------------------
# create_floppy_devices - historical floppy kernel device nodes (/dev/fd0h1440, ...)
# ------------------------------------------------------------------------------
@ -260,7 +246,6 @@ AC_MSG_RESULT([
keymap: ${enable_keymap}
mtd_probe: ${enable_mtd_probe}
rule_generator: ${enable_rule_generator}
udev_acl: ${enable_udev_acl}
floppy: ${enable_floppy}
edd: ${enable_edd}
])

1
src/extras/udev-acl/.gitignore vendored
View File

@ -1 +0,0 @@
udev-acl

76
src/extras/udev-acl/70-udev-acl.rules
View File

@ -1,76 +0,0 @@
# do not edit this file, it will be overwritten on update
# Do not use TAG+="udev-acl" outside of this file. This variable is private to
# udev-acl of this udev release and may be replaced at any time.
ENV{MAJOR}=="", GOTO="acl_end"
ACTION=="remove", GOTO="acl_apply"
# systemd replaces udev-acl entirely, skip if active
TEST=="/sys/fs/cgroup/systemd", TAG=="uaccess", GOTO="acl_end"
# PTP/MTP protocol devices, cameras, portable media players
SUBSYSTEM=="usb", ENV{ID_USB_INTERFACES}=="*:060101:*", TAG+="udev-acl"
# digicams with proprietary protocol
ENV{ID_GPHOTO2}=="*?", TAG+="udev-acl"
# SCSI and USB scanners
ENV{libsane_matched}=="yes", TAG+="udev-acl"
# HPLIP devices (necessary for ink level check and HP tool maintenance)
ENV{ID_HPLIP}=="1", TAG+="udev-acl"
# optical drives
SUBSYSTEM=="block", ENV{ID_CDROM}=="1", TAG+="udev-acl"
SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="4|5", TAG+="udev-acl"
# sound devices
SUBSYSTEM=="sound", TAG+="udev-acl"
# ffado is an userspace driver for firewire sound cards
SUBSYSTEM=="firewire", ENV{ID_FFADO}=="1", TAG+="udev-acl"
# webcams, frame grabber, TV cards
SUBSYSTEM=="video4linux", TAG+="udev-acl"
SUBSYSTEM=="dvb", TAG+="udev-acl"
# IIDC devices: industrial cameras and some webcams
SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x00010*", TAG+="udev-acl"
SUBSYSTEM=="firewire", ATTR{units}=="*0x00b09d:0x00010*", TAG+="udev-acl"
# AV/C devices: camcorders, set-top boxes, TV sets, audio devices, and more
SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x010001*", TAG+="udev-acl"
SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", TAG+="udev-acl"
# DRI video devices
SUBSYSTEM=="drm", KERNEL=="card*", TAG+="udev-acl"
# KVM
SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="udev-acl"
# smart-card readers
ENV{ID_SMARTCARD_READER}=="*?", TAG+="udev-acl"
# PDA devices
ENV{ID_PDA}=="*?", TAG+="udev-acl"
# Programmable remote control
ENV{ID_REMOTE_CONTROL}=="1", TAG+="udev-acl"
# joysticks
SUBSYSTEM=="input", ENV{ID_INPUT_JOYSTICK}=="?*", TAG+="udev-acl"
# color measurement devices
ENV{COLOR_MEASUREMENT_DEVICE}=="*?", TAG+="udev-acl"
# DDC/CI device, usually high-end monitors such as the DreamColor
ENV{DDC_DEVICE}=="*?", TAG+="udev-acl"
# media player raw devices (for user-mode drivers, Android SDK, etc.)
SUBSYSTEM=="usb", ENV{ID_MEDIA_PLAYER}=="?*", TAG+="udev-acl"
# apply ACL for all locally logged in users
LABEL="acl_apply", TAG=="udev-acl", TEST=="/var/run/ConsoleKit/database", \
RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"
LABEL="acl_end"

430
src/extras/udev-acl/udev-acl.c
View File

@ -1,430 +0,0 @@
/*
* Copyright (C) 2009 Kay Sievers <kay.sievers@vrfy.org>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details:
*/
#include <acl/libacl.h>
#include <sys/stat.h>
#include <errno.h>
#include <getopt.h>
#include <glib.h>
#include <inttypes.h>
#include <libudev.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
static int debug;
enum{
ACTION_NONE = 0,
ACTION_REMOVE,
ACTION_ADD,
ACTION_CHANGE
};
static int set_facl(const char* filename, uid_t uid, int add)
{
int get;
acl_t acl;
acl_entry_t entry = NULL;
acl_entry_t e;
acl_permset_t permset;
int ret;
/* don't touch ACLs for root */
if (uid == 0)
return 0;
/* read current record */
acl = acl_get_file(filename, ACL_TYPE_ACCESS);
if (!acl)
return -1;
/* locate ACL_USER entry for uid */
get = acl_get_entry(acl, ACL_FIRST_ENTRY, &e);
while (get == 1) {
acl_tag_t t;
acl_get_tag_type(e, &t);
if (t == ACL_USER) {
uid_t *u;
u = (uid_t*)acl_get_qualifier(e);
if (u == NULL) {
ret = -1;
goto out;
}
if (*u == uid) {
entry = e;
acl_free(u);
break;
}
acl_free(u);
}
get = acl_get_entry(acl, ACL_NEXT_ENTRY, &e);
}
/* remove ACL_USER entry for uid */
if (!add) {
if (entry == NULL) {
ret = 0;
goto out;
}
acl_delete_entry(acl, entry);
goto update;
}
/* create ACL_USER entry for uid */
if (entry == NULL) {
ret = acl_create_entry(&acl, &entry);
if (ret != 0)
goto out;
acl_set_tag_type(entry, ACL_USER);
acl_set_qualifier(entry, &uid);
}
/* add permissions for uid */
acl_get_permset(entry, &permset);
acl_add_perm(permset, ACL_READ|ACL_WRITE);
update:
/* update record */
if (debug)
printf("%c%u %s\n", add ? '+' : '-', uid, filename);
acl_calc_mask(&acl);
ret = acl_set_file(filename, ACL_TYPE_ACCESS, acl);
if (ret != 0)
goto out;
out:
acl_free(acl);
return ret;
}
/* check if a given uid is listed */
static int uid_in_list(GSList *list, uid_t uid)
{
GSList *l;
for (l = list; l != NULL; l = g_slist_next(l))
if (uid == GPOINTER_TO_UINT(l->data))
return 1;
return 0;
}
/* return list of current uids of local active sessions */
static GSList *uids_with_local_active_session(const char *own_id)
{
GSList *list = NULL;
GKeyFile *keyfile;
keyfile = g_key_file_new();
if (g_key_file_load_from_file(keyfile, "/var/run/ConsoleKit/database", 0, NULL)) {
gchar **groups;
groups = g_key_file_get_groups(keyfile, NULL);
if (groups != NULL) {
int i;
for (i = 0; groups[i] != NULL; i++) {
uid_t u;
if (!g_str_has_prefix(groups[i], "Session "))
continue;
if (own_id != NULL &&g_str_has_suffix(groups[i], own_id))
continue;
if (!g_key_file_get_boolean(keyfile, groups[i], "is_local", NULL))
continue;
if (!g_key_file_get_boolean(keyfile, groups[i], "is_active", NULL))
continue;
u = g_key_file_get_integer(keyfile, groups[i], "uid", NULL);
if (u > 0 && !uid_in_list(list, u))
list = g_slist_prepend(list, GUINT_TO_POINTER(u));
}
g_strfreev(groups);
}
}
g_key_file_free(keyfile);
return list;
}
/* ConsoleKit calls us with special variables */
static int consolekit_called(const char *ck_action, uid_t *uid, uid_t *uid2, const char **remove_session_id, int *action)
{
int a = ACTION_NONE;
uid_t u = 0;
uid_t u2 = 0;
const char *s;
const char *s2;
const char *old_session = NULL;
if (ck_action == NULL || strcmp(ck_action, "seat_active_session_changed") != 0)
return -1;
/* We can have one of: remove, add, change, no-change */
s = getenv("CK_SEAT_OLD_SESSION_ID");
s2 = getenv("CK_SEAT_SESSION_ID");
if (s == NULL && s2 == NULL) {
return -1;
} else if (s2 == NULL) {
a = ACTION_REMOVE;
} else if (s == NULL) {
a = ACTION_ADD;
} else {
a = ACTION_CHANGE;
}
switch (a) {
case ACTION_ADD:
s = getenv("CK_SEAT_SESSION_USER_UID");
if (s == NULL)
return -1;
u = strtoul(s, NULL, 10);
s = getenv("CK_SEAT_SESSION_IS_LOCAL");
if (s == NULL)
return -1;
if (strcmp(s, "true") != 0)
return 0;
break;
case ACTION_REMOVE:
s = getenv("CK_SEAT_OLD_SESSION_USER_UID");
if (s == NULL)
return -1;
u = strtoul(s, NULL, 10);
s = getenv("CK_SEAT_OLD_SESSION_IS_LOCAL");
if (s == NULL)
return -1;
if (strcmp(s, "true") != 0)
return 0;
old_session = getenv("CK_SEAT_OLD_SESSION_ID");
if (old_session == NULL)
return -1;
break;
case ACTION_CHANGE:
s = getenv("CK_SEAT_OLD_SESSION_USER_UID");
if (s == NULL)
return -1;
u = strtoul(s, NULL, 10);
s = getenv("CK_SEAT_SESSION_USER_UID");
if (s == NULL)
return -1;
u2 = strtoul(s, NULL, 10);
s = getenv("CK_SEAT_OLD_SESSION_IS_LOCAL");
s2 = getenv("CK_SEAT_SESSION_IS_LOCAL");
if (s == NULL || s2 == NULL)
return -1;
/* don't process non-local session changes */
if (strcmp(s, "true") != 0 && strcmp(s2, "true") != 0)
return 0;
if (strcmp(s, "true") == 0 && strcmp(s, "true") == 0) {
/* process the change */
if (u == u2) {
/* special case: we noop if we are
* changing between local sessions for
* the same uid */
a = ACTION_NONE;
}
old_session = getenv("CK_SEAT_OLD_SESSION_ID");
if (old_session == NULL)
return -1;
} else if (strcmp(s, "true") == 0) {
/* only process the removal */
a = ACTION_REMOVE;
old_session = getenv("CK_SEAT_OLD_SESSION_ID");
if (old_session == NULL)
return -1;
} else if (strcmp(s2, "true") == 0) {
/* only process the addition */
a = ACTION_ADD;
u = u2;
}
break;
}
*remove_session_id = old_session;
*uid = u;
*uid2 = u2;
*action = a;
return 0;
}
/* add or remove a ACL for a given uid from all matching devices */
static void apply_acl_to_devices(uid_t uid, int add)
{
struct udev *udev;
struct udev_enumerate *enumerate;
struct udev_list_entry *list_entry;
/* iterate over all devices tagged with ACL_SET */
udev = udev_new();
enumerate = udev_enumerate_new(udev);
udev_enumerate_add_match_tag(enumerate, "udev-acl");
udev_enumerate_scan_devices(enumerate);
udev_list_entry_foreach(list_entry, udev_enumerate_get_list_entry(enumerate)) {
struct udev_device *device;
const char *node;
device = udev_device_new_from_syspath(udev_enumerate_get_udev(enumerate),
udev_list_entry_get_name(list_entry));
if (device == NULL)
continue;
node = udev_device_get_devnode(device);
if (node == NULL) {
udev_device_unref(device);
continue;
}
set_facl(node, uid, add);
udev_device_unref(device);
}
udev_enumerate_unref(enumerate);
udev_unref(udev);
}
static void
remove_uid (uid_t uid, const char *remove_session_id)
{
/*
* Remove ACL for given uid from all matching devices
* when there is currently no local active session.
*/
GSList *list;
list = uids_with_local_active_session(remove_session_id);
if (!uid_in_list(list, uid))
apply_acl_to_devices(uid, 0);
g_slist_free(list);
}
int main (int argc, char* argv[])
{
static const struct option options[] = {
{ "action", required_argument, NULL, 'a' },
{ "device", required_argument, NULL, 'D' },
{ "user", required_argument, NULL, 'u' },
{ "debug", no_argument, NULL, 'd' },
{ "help", no_argument, NULL, 'h' },
{}
};
int action = -1;
const char *device = NULL;
bool uid_given = false;
uid_t uid = 0;
uid_t uid2 = 0;
const char* remove_session_id = NULL;
int rc = 0;
/* valgrind is more important to us than a slice allocator */
g_slice_set_config (G_SLICE_CONFIG_ALWAYS_MALLOC, 1);
while (1) {
int option;
option = getopt_long(argc, argv, "+a:D:u:dh", options, NULL);
if (option == -1)
break;
switch (option) {
case 'a':
if (strcmp(optarg, "remove") == 0)
action = ACTION_REMOVE;
else
action = ACTION_ADD;
break;
case 'D':
device = optarg;
break;
case 'u':
uid_given = true;
uid = strtoul(optarg, NULL, 10);
break;
case 'd':
debug = 1;
break;
case 'h':
printf("Usage: udev-acl --action=ACTION [--device=DEVICEFILE] [--user=UID]\n\n");
goto out;
}
}
if (action < 0 && device == NULL && !uid_given)
if (!consolekit_called(argv[optind], &uid, &uid2, &remove_session_id, &action))
uid_given = true;
if (action < 0) {
fprintf(stderr, "missing action\n\n");
rc = 2;
goto out;
}
if (device != NULL && uid_given) {
fprintf(stderr, "only one option, --device=DEVICEFILE or --user=UID expected\n\n");
rc = 3;
goto out;
}
if (uid_given) {
switch (action) {
case ACTION_ADD:
/* Add ACL for given uid to all matching devices. */
apply_acl_to_devices(uid, 1);
break;
case ACTION_REMOVE:
remove_uid(uid, remove_session_id);
break;
case ACTION_CHANGE:
remove_uid(uid, remove_session_id);
apply_acl_to_devices(uid2, 1);
break;
case ACTION_NONE:
goto out;
break;
default:
g_assert_not_reached();
break;
}
} else if (device != NULL) {
/*
* Add ACLs for all current session uids to a given device.
*
* Or remove ACLs for uids which do not have any current local
* active session. Remove is not really interesting, because in
* most cases the device node is removed anyway.
*/
GSList *list;
GSList *l;
list = uids_with_local_active_session(NULL);
for (l = list; l != NULL; l = g_slist_next(l)) {
uid_t u;
u = GPOINTER_TO_UINT(l->data);
if (action == ACTION_ADD || !uid_in_list(list, u))
set_facl(device, u, action == ACTION_ADD);
}
g_slist_free(list);
} else {
fprintf(stderr, "--device=DEVICEFILE or --user=UID expected\n\n");
rc = 3;
}
out:
return rc;
}