On Sat, Mar 19, 2016 at 05:12:11PM +0100, Martin Husemann wrote:
> > The ACL would be evaluated in addition to filesystem
> > permissions and would match attributes like class/vendor/product/serial/...
> > The driver and/or a sysctl setting could determine how an empty
> > ACL is handled, probably defaulting to the current behaviour.
>
> What is the entitled entity of the ACL? uid:gid tuples?

Something like

if device proplist attributes match some rule
    user 1 is granted read / write / execute
    user 2 is granted read / write / execute
    user 3 is granted read / write / execute
    ...
    group 1 is granted read / write / execute
    group 2 is granted read / write / execute
    group 3 is granted read / write / execute
    ...
    other is granted read / write / execute

The effective permission would be a logical AND of the filesystem
permission and the access list.

The match rule would be something like

device-parent == uhub2
device-driver == umass
serialnumber == "12412341241234234"

The device proplist could be extended to provide things like
vendor/product/description to allow matching of unknown devices.

> Is the console owner handled differently?

Nothing is done automatically. When you are considered the console
owner (e.g. by xdm TakeConsole) then a script would just set the
appropriate access list (instead of chmod/chown the /dev/XXX nodes).

Greetings,
--
                                Michael van Elst
Internet: mlel...@serpens.de
                "A potential Snark may lurk in every tree."
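A small model of the semantics proposed above, added here as an illustration and not code from this thread or from NetBSD: a rule matched against the device proplist, per-user/group/other grants, and the effective permission as the AND of the /dev node's mode bits and the access list. The precedence user-entry, then group-entry, then other, and the choice that an empty or non-matching list leaves the filesystem permission alone in charge, are assumptions (the mail leaves the latter to the driver or a sysctl).

```python
from dataclasses import dataclass, field
from enum import IntFlag

class Perm(IntFlag):
    NONE = 0
    X = 1
    W = 2
    R = 4

@dataclass
class AclEntry:
    match: dict                                # proplist attribute -> required value
    users: dict = field(default_factory=dict)  # uid -> Perm granted
    groups: dict = field(default_factory=dict) # gid -> Perm granted
    other: Perm = Perm.NONE

def entry_matches(entry, proplist):
    """An entry applies when every attribute of its rule equals the device's."""
    return all(proplist.get(k) == v for k, v in entry.match.items())

def acl_perm(acl, proplist, uid, gids):
    """Permission the access list grants to (uid, gids) on this device."""
    applicable = [e for e in acl if entry_matches(e, proplist)]
    if not applicable:
        # Assumed default for an empty or non-matching list: current behaviour,
        # i.e. the filesystem permission alone decides.
        return Perm.R | Perm.W | Perm.X
    granted = Perm.NONE
    for e in applicable:
        if uid in e.users:            # assumed precedence: user, then group, then other
            granted |= e.users[uid]
        elif any(g in e.groups for g in gids):
            for g in gids:
                granted |= e.groups.get(g, Perm.NONE)
        else:
            granted |= e.other
    return granted

def fs_perm(mode, node_uid, node_gid, uid, gids):
    """Classic owner/group/other bits of the /dev node's mode."""
    shift = 6 if uid == node_uid else 3 if node_gid in gids else 0
    return Perm((mode >> shift) & 7)

def effective(mode, node_uid, node_gid, acl, proplist, uid, gids):
    """Effective permission = filesystem permission AND access-list grant."""
    return fs_perm(mode, node_uid, node_gid, uid, gids) & acl_perm(acl, proplist, uid, gids)
# Constructed sample: the match rule from the mail; the console user (uid 1000) gets r/w.
SD1_PROPS = {"device-parent": "uhub2", "device-driver": "umass", "serialnumber": "12412341241234234"}
ACL = [AclEntry(match=dict(SD1_PROPS), users={1000: Perm.R | Perm.W})]
```

With a node of mode 0660 owned root:operator, an operator member who is not the console user ends up with no access (the list restricts), while the console user outside the operator group also gets nothing (the list never extends beyond the mode bits).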