diff --git a/src/libsystemd/sd-device/device-util.c b/src/libsystemd/sd-device/device-util.c index 123629c3560..3cfdf736c12 100644 --- a/src/libsystemd/sd-device/device-util.c +++ b/src/libsystemd/sd-device/device-util.c @@ -131,13 +131,14 @@ char** device_make_log_fields(sd_device *device) { return TAKE_PTR(strv); } -bool device_in_subsystem(sd_device *device, const char *subsystem) { - const char *s = NULL; - +bool device_in_subsystems(sd_device *device, char * const *subsystems) { assert(device); - (void) sd_device_get_subsystem(device, &s); - return streq_ptr(s, subsystem); + const char *s; + if (sd_device_get_subsystem(device, &s) < 0) + return strv_isempty(subsystems); + + return strv_contains(subsystems, s); } bool device_is_devtype(sd_device *device, const char *devtype) { diff --git a/src/libsystemd/sd-device/device-util.h b/src/libsystemd/sd-device/device-util.h index 070e564a52c..c09b8425fe9 100644 --- a/src/libsystemd/sd-device/device-util.h +++ b/src/libsystemd/sd-device/device-util.h @@ -104,7 +104,10 @@ int device_open_from_devnum(mode_t mode, dev_t devnum, int flags, char **ret_dev char** device_make_log_fields(sd_device *device); -bool device_in_subsystem(sd_device *device, const char *subsystem); +bool device_in_subsystems(sd_device *device, char * const *subsystems); +static inline bool device_in_subsystem(sd_device *device, const char *subsystem) { + return device_in_subsystems(device, STRV_MAKE(subsystem)); +} bool device_is_devtype(sd_device *device, const char *devtype); static inline bool device_property_can_set(const char *property) { diff --git a/src/libsystemd/sd-device/test-device-util.c b/src/libsystemd/sd-device/test-device-util.c index f7c9deb45cb..a80bd83386a 100644 --- a/src/libsystemd/sd-device/test-device-util.c +++ b/src/libsystemd/sd-device/test-device-util.c @@ -6,79 +6,96 @@ TEST(log_device_full) { _cleanup_(sd_device_unrefp) sd_device *dev = NULL; - int r; (void) sd_device_new_from_subsystem_sysname(&dev, "net", "lo"); for (int level = LOG_ERR; level <= LOG_DEBUG; level++) { log_device_full(dev, level, "test level=%d: %m", level); - r = log_device_full_errno(dev, level, EUCLEAN, "test level=%d errno=EUCLEAN: %m", level); - assert_se(r == -EUCLEAN); - - r = log_device_full_errno(dev, level, 0, "test level=%d errno=0: %m", level); - assert_se(r == 0); - - r = log_device_full_errno(dev, level, SYNTHETIC_ERRNO(ENODATA), "test level=%d errno=S(ENODATA).", level); - assert_se(r == -ENODATA); + ASSERT_EQ(log_device_full_errno(dev, level, EUCLEAN, "test level=%d errno=EUCLEAN: %m", level), -EUCLEAN); + ASSERT_EQ(log_device_full_errno(dev, level, 0, "test level=%d errno=0: %m", level), 0); + ASSERT_EQ(log_device_full_errno(dev, level, SYNTHETIC_ERRNO(ENODATA), "test level=%d errno=S(ENODATA).", level), -ENODATA); } } TEST(device_in_subsystem) { _cleanup_(sd_device_unrefp) sd_device *dev = NULL; - int r; - r = sd_device_new_from_subsystem_sysname(&dev, "net", "lo"); - if (r == -ENODEV) - return (void) log_tests_skipped("net/lo does not exist"); - assert_se(r >= 0); + if (sd_device_new_from_subsystem_sysname(&dev, "net", "lo") >= 0) { + ASSERT_TRUE(device_in_subsystem(dev, "net")); + ASSERT_FALSE(device_in_subsystem(dev, "disk")); + ASSERT_FALSE(device_in_subsystem(dev, "subsystem")); + ASSERT_FALSE(device_in_subsystem(dev, "")); + ASSERT_FALSE(device_in_subsystem(dev, NULL)); - assert_se(device_in_subsystem(dev, "net")); - assert_se(!device_in_subsystem(dev, "disk")); - assert_se(!device_in_subsystem(dev, "subsystem")); - assert_se(!device_in_subsystem(dev, "")); - assert_se(!device_in_subsystem(dev, NULL)); + ASSERT_TRUE(device_in_subsystems(dev, STRV_MAKE("net"))); + ASSERT_TRUE(device_in_subsystems(dev, STRV_MAKE("", "net"))); + ASSERT_TRUE(device_in_subsystems(dev, STRV_MAKE("net", "disk"))); + ASSERT_FALSE(device_in_subsystems(dev, STRV_MAKE("disk", "subsystem"))); + ASSERT_FALSE(device_in_subsystems(dev, STRV_MAKE("disk", ""))); + ASSERT_FALSE(device_in_subsystems(dev, STRV_MAKE(""))); + ASSERT_FALSE(device_in_subsystems(dev, STRV_MAKE(NULL))); + ASSERT_FALSE(device_in_subsystems(dev, NULL)); + + dev = sd_device_unref(dev); + } + + ASSERT_OK(sd_device_new_from_syspath(&dev, "/sys/class/net")); + ASSERT_FALSE(device_in_subsystem(dev, "net")); + ASSERT_FALSE(device_in_subsystem(dev, "disk")); + ASSERT_TRUE(device_in_subsystem(dev, "subsystem")); + ASSERT_FALSE(device_in_subsystem(dev, "")); + ASSERT_FALSE(device_in_subsystem(dev, NULL)); + + ASSERT_FALSE(device_in_subsystems(dev, STRV_MAKE("net"))); + ASSERT_FALSE(device_in_subsystems(dev, STRV_MAKE("", "net"))); + ASSERT_FALSE(device_in_subsystems(dev, STRV_MAKE("net", "disk"))); + ASSERT_TRUE(device_in_subsystems(dev, STRV_MAKE("disk", "subsystem"))); + ASSERT_FALSE(device_in_subsystems(dev, STRV_MAKE("disk", ""))); + ASSERT_FALSE(device_in_subsystems(dev, STRV_MAKE(""))); + ASSERT_FALSE(device_in_subsystems(dev, STRV_MAKE(NULL))); + ASSERT_FALSE(device_in_subsystems(dev, NULL)); dev = sd_device_unref(dev); - assert_se(sd_device_new_from_syspath(&dev, "/sys/class/net") >= 0); - assert_se(!device_in_subsystem(dev, "net")); - assert_se(!device_in_subsystem(dev, "disk")); - assert_se(device_in_subsystem(dev, "subsystem")); - assert_se(!device_in_subsystem(dev, "")); - assert_se(!device_in_subsystem(dev, NULL)); + ASSERT_OK(sd_device_new_from_syspath(&dev, "/sys/class")); + ASSERT_FALSE(device_in_subsystem(dev, "net")); + ASSERT_FALSE(device_in_subsystem(dev, "disk")); + ASSERT_FALSE(device_in_subsystem(dev, "subsystem")); + ASSERT_FALSE(device_in_subsystem(dev, "")); + ASSERT_TRUE(device_in_subsystem(dev, NULL)); - dev = sd_device_unref(dev); - - assert_se(sd_device_new_from_syspath(&dev, "/sys/class") >= 0); - assert_se(!device_in_subsystem(dev, "net")); - assert_se(!device_in_subsystem(dev, "disk")); - assert_se(!device_in_subsystem(dev, "subsystem")); - assert_se(!device_in_subsystem(dev, "")); - assert_se(device_in_subsystem(dev, NULL)); + ASSERT_FALSE(device_in_subsystems(dev, STRV_MAKE("net"))); + ASSERT_FALSE(device_in_subsystems(dev, STRV_MAKE("", "net"))); + ASSERT_FALSE(device_in_subsystems(dev, STRV_MAKE("net", "disk"))); + ASSERT_FALSE(device_in_subsystems(dev, STRV_MAKE("disk", "subsystem"))); + ASSERT_FALSE(device_in_subsystems(dev, STRV_MAKE("disk", ""))); + ASSERT_FALSE(device_in_subsystems(dev, STRV_MAKE(""))); + ASSERT_TRUE(device_in_subsystems(dev, STRV_MAKE(NULL))); + ASSERT_TRUE(device_in_subsystems(dev, NULL)); } TEST(device_is_devtype) { _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL; - _cleanup_(sd_device_unrefp) sd_device *dev = NULL; - assert_se(sd_device_enumerator_new(&e) >= 0); - assert_se(sd_device_enumerator_add_match_subsystem(e, "disk", true) >= 0); + ASSERT_OK(sd_device_enumerator_new(&e)); + ASSERT_OK(sd_device_enumerator_add_match_subsystem(e, "disk", true)); FOREACH_DEVICE(e, d) { const char *t; - assert_se(sd_device_get_devtype(d, &t) >= 0); - assert_se(device_is_devtype(d, t)); - assert_se(!device_is_devtype(d, "hoge")); - assert_se(!device_is_devtype(d, "")); - assert_se(!device_is_devtype(d, NULL)); + ASSERT_OK(sd_device_get_devtype(d, &t)); + ASSERT_TRUE(device_is_devtype(d, t)); + ASSERT_FALSE(device_is_devtype(d, "hoge")); + ASSERT_FALSE(device_is_devtype(d, "")); + ASSERT_FALSE(device_is_devtype(d, NULL)); } - assert_se(sd_device_new_from_syspath(&dev, "/sys/class/net") >= 0); - assert_se(!device_is_devtype(dev, "hoge")); - assert_se(!device_is_devtype(dev, "")); - assert_se(device_is_devtype(dev, NULL)); + _cleanup_(sd_device_unrefp) sd_device *dev = NULL; + ASSERT_OK(sd_device_new_from_syspath(&dev, "/sys/class/net")); + ASSERT_FALSE(device_is_devtype(dev, "hoge")); + ASSERT_FALSE(device_is_devtype(dev, "")); + ASSERT_TRUE(device_is_devtype(dev, NULL)); } static int intro(void) { diff --git a/src/login/logind-seat.c b/src/login/logind-seat.c index 50c2b21b47e..d94207b22b2 100644 --- a/src/login/logind-seat.c +++ b/src/login/logind-seat.c @@ -8,12 +8,13 @@ #include "sd-messages.h" #include "alloc-util.h" -#include "devnode-acl.h" +#include "device-util.h" #include "errno-util.h" #include "fd-util.h" #include "fileio.h" #include "format-util.h" #include "fs-util.h" +#include "id128-util.h" #include "logind-seat-dbus.h" #include "logind-seat.h" #include "logind-session-dbus.h" @@ -73,6 +74,7 @@ Seat* seat_free(Seat *s) { hashmap_remove(s->manager->seats, s->id); + set_free(s->uevents); free(s->positions); free(s->state_file); free(s->id); @@ -202,19 +204,107 @@ int seat_preallocate_vts(Seat *s) { return r; } -int seat_apply_acls(Seat *s, Session *old_active) { +static void seat_triggered_uevents_done(Seat *s) { + assert(s); + + if (!set_isempty(s->uevents)) + return; + + Session *session = s->active; + + if (session) { + session_save(session); + user_save(session->user); + } + + if (session && session->started) { + session_send_changed(session, "Active", NULL); + session_device_resume_all(session); + } + + if (!session || session->started) + seat_send_changed(s, "ActiveSession", NULL); +} + +int manager_process_device_triggered_by_seat(Manager *m, sd_device *dev) { + assert(m); + assert(dev); + + sd_id128_t uuid; + if (sd_device_get_trigger_uuid(dev, &uuid) < 0) + return 0; + + Seat *s; + HASHMAP_FOREACH(s, m->seats) + if (set_contains(s->uevents, &uuid)) + break; + if (!s) + return 0; + + free(ASSERT_PTR(set_remove(s->uevents, &uuid))); + seat_triggered_uevents_done(s); + + const char *id; + if (sd_device_get_property_value(dev, "ID_SEAT", &id) < 0 || isempty(id)) + id = "seat0"; + + if (!streq(id, s->id)) { + log_device_debug(dev, "ID_SEAT is changed in the triggered uevent: \"%s\" -> \"%s\"", s->id, id); + return 0; + } + + return 1; /* The uevent is triggered by the relevant seat. */ +} + +static int seat_trigger_devices(Seat *s) { int r; assert(s); - r = devnode_acl_all(s->id, - false, - !!old_active, old_active ? old_active->user->user_record->uid : 0, - !!s->active, s->active ? s->active->user->user_record->uid : 0); + set_clear(s->uevents); + _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL; + r = sd_device_enumerator_new(&e); if (r < 0) - return log_error_errno(r, "Failed to apply ACLs: %m"); + return r; + r = sd_device_enumerator_add_match_tag(e, "uaccess"); + if (r < 0) + return r; + + FOREACH_DEVICE(e, d) { + /* Verify that the tag is still in place. */ + if (sd_device_has_current_tag(d, "uaccess") <= 0) + continue; + + /* In case people mistag devices with nodes, we need to ignore this. */ + if (sd_device_get_devname(d, NULL) < 0) + continue; + + const char *id; + if (sd_device_get_property_value(d, "ID_SEAT", &id) < 0 || isempty(id)) + id = "seat0"; + + if (!streq(id, s->id)) + continue; + + sd_id128_t uuid; + r = sd_device_trigger_with_uuid(d, SD_DEVICE_CHANGE, &uuid); + if (r < 0) { + log_device_debug_errno(d, r, "Failed to trigger 'change' event, ignoring: %m"); + continue; + } + + _cleanup_free_ sd_id128_t *copy = newdup(sd_id128_t, &uuid, 1); + if (!copy) + return -ENOMEM; + + r = set_ensure_consume(&s->uevents, &id128_hash_ops_free, TAKE_PTR(copy)); + if (r < 0) + return r; + } + + seat_triggered_uevents_done(s); return 0; } @@ -232,7 +322,7 @@ int seat_set_active(Seat *s, Session *session) { * Therefore, if the active session has executed session_leave_vt , * A resume is required here. */ if (session == s->active) { - if (session) { + if (session && set_isempty(s->uevents)) { log_debug("Active session remains unchanged, resuming session devices."); session_device_resume_all(session); } @@ -245,32 +335,13 @@ int seat_set_active(Seat *s, Session *session) { seat_save(s); if (old_active) { + user_save(old_active->user); + session_save(old_active); session_device_pause_all(old_active); session_send_changed(old_active, "Active", NULL); } - (void) seat_apply_acls(s, old_active); - - if (session && session->started) { - session_send_changed(session, "Active", NULL); - session_device_resume_all(session); - } - - if (!session || session->started) - seat_send_changed(s, "ActiveSession", NULL); - - if (session) { - session_save(session); - user_save(session->user); - } - - if (old_active) { - session_save(old_active); - if (!session || session->user != old_active->user) - user_save(old_active->user); - } - - return 0; + return seat_trigger_devices(s); } static Session* seat_get_position(Seat *s, unsigned pos) { diff --git a/src/login/logind-seat.h b/src/login/logind-seat.h index 76a69e6517b..d328afa2815 100644 --- a/src/login/logind-seat.h +++ b/src/login/logind-seat.h @@ -3,6 +3,8 @@ typedef struct Seat Seat; +#include "sd-device.h" + #include "list.h" #include "logind-session.h" @@ -14,6 +16,8 @@ struct Seat { LIST_HEAD(Device, devices); + Set *uevents; + Session *active; Session *pending_switch; LIST_HEAD(Session, sessions); @@ -34,7 +38,8 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(Seat*, seat_free); int seat_save(Seat *s); int seat_load(Seat *s); -int seat_apply_acls(Seat *s, Session *old_active); +int manager_process_device_triggered_by_seat(Manager *m, sd_device *dev); + int seat_set_active(Seat *s, Session *session); int seat_switch_to(Seat *s, unsigned num); int seat_switch_to_next(Seat *s); diff --git a/src/login/logind.c b/src/login/logind.c index ef1952b0cca..d14132d790b 100644 --- a/src/login/logind.c +++ b/src/login/logind.c @@ -145,10 +145,7 @@ static Manager* manager_free(Manager *m) { safe_close(m->console_active_fd); - sd_device_monitor_unref(m->device_seat_monitor); sd_device_monitor_unref(m->device_monitor); - sd_device_monitor_unref(m->device_vcsa_monitor); - sd_device_monitor_unref(m->device_button_monitor); if (m->unlink_nologin) (void) unlink_or_warn("/run/nologin"); @@ -602,50 +599,6 @@ static int manager_enumerate_inhibitors(Manager *m) { return r; } -static int manager_dispatch_seat_udev(sd_device_monitor *monitor, sd_device *device, void *userdata) { - Manager *m = ASSERT_PTR(userdata); - - assert(device); - - manager_process_seat_device(m, device); - return 0; -} - -static int manager_dispatch_device_udev(sd_device_monitor *monitor, sd_device *device, void *userdata) { - Manager *m = ASSERT_PTR(userdata); - - assert(device); - - manager_process_seat_device(m, device); - return 0; -} - -static int manager_dispatch_vcsa_udev(sd_device_monitor *monitor, sd_device *device, void *userdata) { - Manager *m = ASSERT_PTR(userdata); - const char *name; - - assert(device); - - /* Whenever a VCSA device is removed try to reallocate our - * VTs, to make sure our auto VTs never go away. */ - - if (sd_device_get_sysname(device, &name) >= 0 && - startswith(name, "vcsa") && - device_for_action(device, SD_DEVICE_REMOVE)) - seat_preallocate_vts(m->seat0); - - return 0; -} - -static int manager_dispatch_button_udev(sd_device_monitor *monitor, sd_device *device, void *userdata) { - Manager *m = ASSERT_PTR(userdata); - - assert(device); - - manager_process_button_device(m, device); - return 0; -} - static int manager_dispatch_console(sd_event_source *s, int fd, uint32_t revents, void *userdata) { Manager *m = ASSERT_PTR(userdata); @@ -846,32 +799,38 @@ static int manager_connect_console(Manager *m) { return 0; } +static int manager_dispatch_device_udev(sd_device_monitor *monitor, sd_device *device, void *userdata) { + Manager *m = ASSERT_PTR(userdata); + + assert(device); + + /* If the event is triggered by us, do not try to start the relevant seat again. Otherwise, starting + * the seat may trigger uevents again again again... */ + if (manager_process_device_triggered_by_seat(m, device) <= 0 && + (device_in_subsystems(device, STRV_MAKE("input", "graphics", "drm")) || + sd_device_has_current_tag(device, "master-of-seat") > 0)) + (void) manager_process_seat_device(m, device); + + if (!manager_all_buttons_ignored(m) && + device_in_subsystem(device, "input") && + sd_device_has_current_tag(device, "power-switch") > 0) + (void) manager_process_button_device(m, device); + + /* Whenever a VCSA device is removed try to reallocate our VTs, to make sure our auto VTs never go away. */ + const char *name; + if (device_in_subsystem(device, "vc") && + sd_device_get_sysname(device, &name) >= 0 && startswith(name, "vcsa") && + device_for_action(device, SD_DEVICE_REMOVE)) + seat_preallocate_vts(m->seat0); + + return 0; +} + static int manager_connect_udev(Manager *m) { int r; assert(m); - assert(!m->device_seat_monitor); assert(!m->device_monitor); - assert(!m->device_vcsa_monitor); - assert(!m->device_button_monitor); - - r = sd_device_monitor_new(&m->device_seat_monitor); - if (r < 0) - return r; - - r = sd_device_monitor_filter_add_match_tag(m->device_seat_monitor, "master-of-seat"); - if (r < 0) - return r; - - r = sd_device_monitor_attach_event(m->device_seat_monitor, m->event); - if (r < 0) - return r; - - r = sd_device_monitor_start(m->device_seat_monitor, manager_dispatch_seat_udev, m); - if (r < 0) - return r; - - (void) sd_device_monitor_set_description(m->device_seat_monitor, "seat"); r = sd_device_monitor_new(&m->device_monitor); if (r < 0) @@ -889,6 +848,17 @@ static int manager_connect_udev(Manager *m) { if (r < 0) return r; + r = sd_device_monitor_filter_add_match_subsystem_devtype(m->device_monitor, "pci", NULL); + if (r < 0) + return r; + + /* Don't bother watching VCSA devices, if nobody cares */ + if (m->n_autovts > 0 && m->console_active_fd >= 0) { + r = sd_device_monitor_filter_add_match_subsystem_devtype(m->device_monitor, "vc", NULL); + if (r < 0) + return r; + } + r = sd_device_monitor_attach_event(m->device_monitor, m->event); if (r < 0) return r; @@ -897,55 +867,6 @@ static int manager_connect_udev(Manager *m) { if (r < 0) return r; - (void) sd_device_monitor_set_description(m->device_monitor, "input,graphics,drm"); - - /* Don't watch keys if nobody cares */ - if (!manager_all_buttons_ignored(m)) { - r = sd_device_monitor_new(&m->device_button_monitor); - if (r < 0) - return r; - - r = sd_device_monitor_filter_add_match_tag(m->device_button_monitor, "power-switch"); - if (r < 0) - return r; - - r = sd_device_monitor_filter_add_match_subsystem_devtype(m->device_button_monitor, "input", NULL); - if (r < 0) - return r; - - r = sd_device_monitor_attach_event(m->device_button_monitor, m->event); - if (r < 0) - return r; - - r = sd_device_monitor_start(m->device_button_monitor, manager_dispatch_button_udev, m); - if (r < 0) - return r; - - (void) sd_device_monitor_set_description(m->device_button_monitor, "button"); - } - - /* Don't bother watching VCSA devices, if nobody cares */ - if (m->n_autovts > 0 && m->console_active_fd >= 0) { - - r = sd_device_monitor_new(&m->device_vcsa_monitor); - if (r < 0) - return r; - - r = sd_device_monitor_filter_add_match_subsystem_devtype(m->device_vcsa_monitor, "vc", NULL); - if (r < 0) - return r; - - r = sd_device_monitor_attach_event(m->device_vcsa_monitor, m->event); - if (r < 0) - return r; - - r = sd_device_monitor_start(m->device_vcsa_monitor, manager_dispatch_vcsa_udev, m); - if (r < 0) - return r; - - (void) sd_device_monitor_set_description(m->device_vcsa_monitor, "vcsa"); - } - return 0; } diff --git a/src/login/logind.h b/src/login/logind.h index b19fbb7f3e0..99391f4c0e1 100644 --- a/src/login/logind.h +++ b/src/login/logind.h @@ -41,7 +41,7 @@ struct Manager { LIST_HEAD(Session, session_gc_queue); LIST_HEAD(User, user_gc_queue); - sd_device_monitor *device_seat_monitor, *device_monitor, *device_vcsa_monitor, *device_button_monitor; + sd_device_monitor *device_monitor; sd_event_source *console_active_event_source; diff --git a/src/shared/acl-util.c b/src/shared/acl-util.c index 7bfe02573a3..c9fdac2cda9 100644 --- a/src/shared/acl-util.c +++ b/src/shared/acl-util.c @@ -14,7 +14,7 @@ #if HAVE_ACL -int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *ret_entry) { +static int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *ret_entry) { acl_entry_t i; int r; diff --git a/src/shared/acl-util.h b/src/shared/acl-util.h index ef315c2f11d..8dedf2e9423 100644 --- a/src/shared/acl-util.h +++ b/src/shared/acl-util.h @@ -14,7 +14,6 @@ int fd_acl_make_writable_fallback(int fd); #include "macro.h" -int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *entry); int calc_acl_mask_if_needed(acl_t *acl_p); int add_base_acls_if_needed(acl_t *acl_p, const char *path); int acl_search_groups(const char* path, char ***ret_groups); diff --git a/src/shared/devnode-acl.c b/src/shared/devnode-acl.c deleted file mode 100644 index b239699e8ac..00000000000 --- a/src/shared/devnode-acl.c +++ /dev/null @@ -1,226 +0,0 @@ -/* SPDX-License-Identifier: LGPL-2.1-or-later */ - -#include - -#include "sd-device.h" - -#include "acl-util.h" -#include "alloc-util.h" -#include "device-util.h" -#include "devnode-acl.h" -#include "dirent-util.h" -#include "fd-util.h" -#include "format-util.h" -#include "fs-util.h" -#include "glyph-util.h" -#include "set.h" -#include "string-util.h" - -static int flush_acl(acl_t acl) { - acl_entry_t i; - int found; - bool changed = false; - - assert(acl); - - for (found = acl_get_entry(acl, ACL_FIRST_ENTRY, &i); - found > 0; - found = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) { - - acl_tag_t tag; - - if (acl_get_tag_type(i, &tag) < 0) - return -errno; - - if (tag != ACL_USER) - continue; - - if (acl_delete_entry(acl, i) < 0) - return -errno; - - changed = true; - } - - if (found < 0) - return -errno; - - return changed; -} - -int devnode_acl(const char *path, - bool flush, - bool del, uid_t old_uid, - bool add, uid_t new_uid) { - - _cleanup_(acl_freep) acl_t acl = NULL; - int r; - bool changed = false; - - assert(path); - - acl = acl_get_file(path, ACL_TYPE_ACCESS); - if (!acl) - return -errno; - - if (flush) { - - r = flush_acl(acl); - if (r < 0) - return r; - if (r > 0) - changed = true; - - } else if (del && old_uid > 0) { - acl_entry_t entry; - - r = acl_find_uid(acl, old_uid, &entry); - if (r < 0) - return r; - - if (r > 0) { - if (acl_delete_entry(acl, entry) < 0) - return -errno; - - changed = true; - } - } - - if (add && new_uid > 0) { - acl_entry_t entry; - acl_permset_t permset; - int rd, wt; - - r = acl_find_uid(acl, new_uid, &entry); - if (r < 0) - return r; - - if (r == 0) { - if (acl_create_entry(&acl, &entry) < 0) - return -errno; - - if (acl_set_tag_type(entry, ACL_USER) < 0 || - acl_set_qualifier(entry, &new_uid) < 0) - return -errno; - } - - if (acl_get_permset(entry, &permset) < 0) - return -errno; - - rd = acl_get_perm(permset, ACL_READ); - if (rd < 0) - return -errno; - - wt = acl_get_perm(permset, ACL_WRITE); - if (wt < 0) - return -errno; - - if (!rd || !wt) { - - if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0) - return -errno; - - changed = true; - } - } - - if (!changed) - return 0; - - if (acl_calc_mask(&acl) < 0) - return -errno; - - if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0) - return -errno; - - return 0; -} - -int devnode_acl_all(const char *seat, - bool flush, - bool del, uid_t old_uid, - bool add, uid_t new_uid) { - - _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL; - _cleanup_set_free_ Set *nodes = NULL; - _cleanup_closedir_ DIR *dir = NULL; - char *n; - int r; - - r = sd_device_enumerator_new(&e); - if (r < 0) - return r; - - if (isempty(seat)) - seat = "seat0"; - - /* We can only match by one tag in libudev. We choose - * "uaccess" for that. If we could match for two tags here we - * could add the seat name as second match tag, but this would - * be hardly optimizable in libudev, and hence checking the - * second tag manually in our loop is a good solution. */ - r = sd_device_enumerator_add_match_tag(e, "uaccess"); - if (r < 0) - return r; - - FOREACH_DEVICE(e, d) { - const char *node, *sn; - - /* Make sure the tag is still in place */ - if (sd_device_has_current_tag(d, "uaccess") <= 0) - continue; - - if (sd_device_get_property_value(d, "ID_SEAT", &sn) < 0 || isempty(sn)) - sn = "seat0"; - - if (!streq(seat, sn)) - continue; - - /* In case people mistag devices with nodes, we need to ignore this */ - if (sd_device_get_devname(d, &node) < 0) - continue; - - log_device_debug(d, "Found udev node %s for seat %s", node, seat); - r = set_put_strdup_full(&nodes, &path_hash_ops_free, node); - if (r < 0) - return r; - } - - /* udev exports "dead" device nodes to allow module on-demand loading, - * these devices are not known to the kernel at this moment */ - dir = opendir("/run/udev/static_node-tags/uaccess"); - if (dir) { - FOREACH_DIRENT(de, dir, return -errno) { - r = readlinkat_malloc(dirfd(dir), de->d_name, &n); - if (r == -ENOENT) - continue; - if (r < 0) { - log_debug_errno(r, - "Unable to read symlink '/run/udev/static_node-tags/uaccess/%s', ignoring: %m", - de->d_name); - continue; - } - - log_debug("Found static node %s for seat %s", n, seat); - r = set_ensure_consume(&nodes, &path_hash_ops_free, n); - if (r < 0) - return r; - } - } - - r = 0; - SET_FOREACH(n, nodes) { - int k; - - log_debug("Changing ACLs at %s for seat %s (uid "UID_FMT"%s"UID_FMT"%s%s)", - n, seat, old_uid, special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), new_uid, - del ? " del" : "", add ? " add" : ""); - - k = devnode_acl(n, flush, del, old_uid, add, new_uid); - if (k == -ENOENT) - log_debug("Device %s disappeared while setting ACLs", n); - else - RET_GATHER(r, k); - } - - return r; -} diff --git a/src/shared/devnode-acl.h b/src/shared/devnode-acl.h deleted file mode 100644 index c88f3c0cf37..00000000000 --- a/src/shared/devnode-acl.h +++ /dev/null @@ -1,34 +0,0 @@ -/* SPDX-License-Identifier: LGPL-2.1-or-later */ -#pragma once - -#include -#include - -#if HAVE_ACL - -int devnode_acl(const char *path, - bool flush, - bool del, uid_t old_uid, - bool add, uid_t new_uid); - -int devnode_acl_all(const char *seat, - bool flush, - bool del, uid_t old_uid, - bool add, uid_t new_uid); -#else - -static inline int devnode_acl(const char *path, - bool flush, - bool del, uid_t old_uid, - bool add, uid_t new_uid) { - return 0; -} - -static inline int devnode_acl_all(const char *seat, - bool flush, - bool del, uid_t old_uid, - bool add, uid_t new_uid) { - return 0; -} - -#endif diff --git a/src/shared/meson.build b/src/shared/meson.build index 9403d33cd6a..d84943d8e8d 100644 --- a/src/shared/meson.build +++ b/src/shared/meson.build @@ -231,10 +231,6 @@ syscall_list_h = custom_target( '@INPUT@'], capture : true) -if conf.get('HAVE_ACL') == 1 - shared_sources += files('devnode-acl.c') -endif - if conf.get('ENABLE_UTMP') == 1 shared_sources += files('utmp-wtmp.c') endif diff --git a/src/udev/udev-builtin-uaccess.c b/src/udev/udev-builtin-uaccess.c index 7fbd91a5c24..1667befbb9c 100644 --- a/src/udev/udev-builtin-uaccess.c +++ b/src/udev/udev-builtin-uaccess.c @@ -5,12 +5,106 @@ #include "sd-login.h" +#include "acl-util.h" #include "device-util.h" -#include "devnode-acl.h" #include "errno-util.h" +#include "fd-util.h" #include "login-util.h" #include "udev-builtin.h" +static int devnode_acl(int fd, uid_t uid) { + bool changed = false, found = false; + int r; + + assert(fd >= 0); + + _cleanup_(acl_freep) acl_t acl = NULL; + acl = acl_get_fd(fd); + if (!acl) + return -errno; + + acl_entry_t entry; + for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry); + r > 0; + r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry)) { + + acl_tag_t tag; + if (acl_get_tag_type(entry, &tag) < 0) + return -errno; + + if (tag != ACL_USER) + continue; + + if (uid > 0) { + uid_t *u = acl_get_qualifier(entry); + if (!u) + return -errno; + + if (*u == uid) { + acl_permset_t permset; + if (acl_get_permset(entry, &permset) < 0) + return -errno; + + int rd = acl_get_perm(permset, ACL_READ); + if (rd < 0) + return -errno; + + int wt = acl_get_perm(permset, ACL_WRITE); + if (wt < 0) + return -errno; + + if (!rd || !wt) { + if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0) + return -errno; + + changed = true; + } + + found = true; + continue; + } + } + + if (acl_delete_entry(acl, entry) < 0) + return -errno; + + changed = true; + } + if (r < 0) + return -errno; + + if (!found && uid > 0) { + if (acl_create_entry(&acl, &entry) < 0) + return -errno; + + if (acl_set_tag_type(entry, ACL_USER) < 0) + return -errno; + + if (acl_set_qualifier(entry, &uid) < 0) + return -errno; + + acl_permset_t permset; + if (acl_get_permset(entry, &permset) < 0) + return -errno; + + if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0) + return -errno; + + changed = true; + } + + if (!changed) + return 0; + + if (acl_calc_mask(&acl) < 0) + return -errno; + + if (acl_set_fd(fd, acl) < 0) + return -errno; + + return 0; +} + static int builtin_uaccess(UdevEvent *event, int argc, char *argv[]) { sd_device *dev = ASSERT_PTR(ASSERT_PTR(event)->dev); int r, k; @@ -26,10 +120,9 @@ static int builtin_uaccess(UdevEvent *event, int argc, char *argv[]) { if (!logind_running()) return 0; - const char *node; - r = sd_device_get_devname(dev, &node); - if (r < 0) - return log_device_error_errno(dev, r, "Failed to get device node: %m"); + _cleanup_close_ int fd = sd_device_open(dev, O_CLOEXEC|O_RDWR); + if (fd < 0) + return log_device_error_errno(dev, fd, "Failed to open device node: %m"); const char *seat; if (sd_device_get_property_value(dev, "ID_SEAT", &seat) < 0) @@ -47,10 +140,7 @@ static int builtin_uaccess(UdevEvent *event, int argc, char *argv[]) { goto reset; } - r = devnode_acl(node, - /* flush = */ true, - /* del = */ false, /* old_uid = */ 0, - /* add = */ true, /* new_uid = */ uid); + r = devnode_acl(fd, uid); if (r < 0) { log_device_full_errno(dev, r == -ENOENT ? LOG_DEBUG : LOG_ERR, r, "Failed to apply ACL: %m"); goto reset; @@ -60,10 +150,7 @@ static int builtin_uaccess(UdevEvent *event, int argc, char *argv[]) { reset: /* Better be safe than sorry and reset ACL */ - k = devnode_acl(node, - /* flush = */ true, - /* del = */ false, /* old_uid = */ 0, - /* add = */ false, /* new_uid = */ 0); + k = devnode_acl(fd, /* uid = */ 0); if (k < 0) RET_GATHER(r, log_device_full_errno(dev, k == -ENOENT ? LOG_DEBUG : LOG_ERR, k, "Failed to flush ACLs: %m"));