1
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4
This file is part of systemd.
6
Copyright 2011 Lennart Poettering
8
systemd is free software; you can redistribute it and/or modify it
9
under the terms of the GNU General Public License as published by
10
the Free Software Foundation; either version 2 of the License, or
11
(at your option) any later version.
13
systemd is distributed in the hope that it will be useful, but
14
WITHOUT ANY WARRANTY; without even the implied warranty of
15
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16
General Public License for more details.
18
You should have received a copy of the GNU General Public License
19
along with systemd; If not, see <http://www.gnu.org/licenses/>.
24
#include <acl/libacl.h>
28
#include "logind-acl.h"
32
static int flush_acl(acl_t acl) {
39
for (found = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
41
found = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
45
if (acl_get_tag_type(i, &tag) < 0)
51
if (acl_delete_entry(acl, i) < 0)
63
int devnode_acl(const char *path,
65
bool del, uid_t old_uid,
66
bool add, uid_t new_uid) {
74
acl = acl_get_file(path, ACL_TYPE_ACCESS);
86
} else if (del && old_uid > 0) {
89
r = acl_find_uid(acl, old_uid, &entry);
94
if (acl_delete_entry(acl, entry) < 0) {
103
if (add && new_uid > 0) {
105
acl_permset_t permset;
108
r = acl_find_uid(acl, new_uid, &entry);
113
if (acl_create_entry(&acl, &entry) < 0) {
118
if (acl_set_tag_type(entry, ACL_USER) < 0 ||
119
acl_set_qualifier(entry, &new_uid) < 0) {
125
if (acl_get_permset(entry, &permset) < 0) {
130
rd = acl_get_perm(permset, ACL_READ);
136
wt = acl_get_perm(permset, ACL_WRITE);
144
if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0) {
156
if (acl_calc_mask(&acl) < 0) {
161
if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0) {
174
int devnode_acl_all(struct udev *udev,
177
bool del, uid_t old_uid,
178
bool add, uid_t new_uid) {
180
struct udev_list_entry *item = NULL, *first = NULL;
181
struct udev_enumerate *e;
189
e = udev_enumerate_new(udev);
193
/* We can only match by one tag in libudev. We choose
194
* "uaccess" for that. If we could match for two tags here we
195
* could add the seat name as second match tag, but this would
196
* be hardly optimizable in libudev, and hence checking the
197
* second tag manually in our loop is a good solution. */
199
r = udev_enumerate_add_match_tag(e, "uaccess");
203
r = udev_enumerate_scan_devices(e);
207
first = udev_enumerate_get_list_entry(e);
208
udev_list_entry_foreach(item, first) {
209
struct udev_device *d;
210
const char *node, *sn;
212
d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
218
sn = udev_device_get_property_value(d, "ID_SEAT");
222
if (!streq(seat, sn)) {
223
udev_device_unref(d);
227
node = udev_device_get_devnode(d);
229
/* In case people mistag devices with nodes, we need to ignore this */
230
udev_device_unref(d);
234
log_debug("Fixing up %s for seat %s...", node, sn);
236
r = devnode_acl(node, flush, del, old_uid, add, new_uid);
237
udev_device_unref(d);
245
udev_enumerate_unref(e);