1
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4
This file is part of systemd.
6
Copyright 2011 Lennart Poettering
8
systemd is free software; you can redistribute it and/or modify it
9
under the terms of the GNU General Public License as published by
10
the Free Software Foundation; either version 2 of the License, or
11
(at your option) any later version.
13
systemd is distributed in the hope that it will be useful, but
14
WITHOUT ANY WARRANTY; without even the implied warranty of
15
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16
General Public License for more details.
18
You should have received a copy of the GNU General Public License
19
along with systemd; If not, see <http://www.gnu.org/licenses/>.
24
#include <acl/libacl.h>
28
#include "logind-acl.h"
31
static int find_acl(acl_t acl, uid_t uid, acl_entry_t *entry) {
38
for (found = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
40
found = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
46
if (acl_get_tag_type(i, &tag) < 0)
52
u = acl_get_qualifier(i);
71
static int flush_acl(acl_t acl) {
78
for (found = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
80
found = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
84
if (acl_get_tag_type(i, &tag) < 0)
90
if (acl_delete_entry(acl, i) < 0)
102
int devnode_acl(const char *path,
104
bool del, uid_t old_uid,
105
bool add, uid_t new_uid) {
109
bool changed = false;
113
acl = acl_get_file(path, ACL_TYPE_ACCESS);
125
} else if (del && old_uid > 0) {
128
r = find_acl(acl, old_uid, &entry);
133
if (acl_delete_entry(acl, entry) < 0) {
142
if (add && new_uid > 0) {
144
acl_permset_t permset;
147
r = find_acl(acl, new_uid, &entry);
152
if (acl_create_entry(&acl, &entry) < 0) {
157
if (acl_set_tag_type(entry, ACL_USER) < 0 ||
158
acl_set_qualifier(entry, &new_uid) < 0) {
164
if (acl_get_permset(entry, &permset) < 0) {
169
rd = acl_get_perm(permset, ACL_READ);
175
wt = acl_get_perm(permset, ACL_WRITE);
183
if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0) {
195
if (acl_calc_mask(&acl) < 0) {
200
if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0) {
213
int devnode_acl_all(struct udev *udev,
216
bool del, uid_t old_uid,
217
bool add, uid_t new_uid) {
219
struct udev_list_entry *item = NULL, *first = NULL;
220
struct udev_enumerate *e;
228
e = udev_enumerate_new(udev);
232
/* We can only match by one tag in libudev. We choose
233
* "uaccess" for that. If we could match for two tags here we
234
* could add the seat name as second match tag, but this would
235
* be hardly optimizable in libudev, and hence checking the
236
* second tag manually in our loop is a good solution. */
238
r = udev_enumerate_add_match_tag(e, "uaccess");
242
r = udev_enumerate_scan_devices(e);
246
first = udev_enumerate_get_list_entry(e);
247
udev_list_entry_foreach(item, first) {
248
struct udev_device *d;
249
const char *node, *sn;
251
d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
257
sn = udev_device_get_property_value(d, "ID_SEAT");
261
if (!streq(seat, sn)) {
262
udev_device_unref(d);
266
node = udev_device_get_devnode(d);
268
/* In case people mistag devices with nodes, we need to ignore this */
269
udev_device_unref(d);
273
log_debug("Fixing up %s for seat %s...", node, sn);
275
r = devnode_acl(node, flush, del, old_uid, add, new_uid);
276
udev_device_unref(d);
284
udev_enumerate_unref(e);