Re: [systemd-devel] User bus broke automatic multiseat
There is a discussion with gdm developers at https://bugzilla.gnome.org/show_bug.cgi?id=776203 , but they are not yet ready to implement this solution.

On Mon, 16/01/2017 at 13:56 +, Simon McVittie wrote:
> On Wed, 14 Dec 2016 at 23:23:55 +0300, Oleg Samarin wrote:
> > The following change in systemd-226:
> >
> > systemd now supports the concept of user buses replacing
> > session buses, if used with dbus-1.10 (and enabled via dbus
> > --enable-user-session). It previously only supported this on
> > kdbus-enabled systems, and this release expands this to
> > 'dbus-daemon' systems
> >
> > totally broke the automatic multiseat with GDM:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1404849
> >
> > What configuration options can restore the old session-bus
> > behavior?
>
> Either don't configure dbus with --enable-user-session, or teach gdm
> to create a per-display D-Bus bus for each of its X11 displays (or
> Wayland equivalent).
>
> For the former solution, see the split between the dbus and
> dbus-user-session packages in Debian. dbus is always configured
> with --enable-user-session there, but we split out the user-session
> parts (basically /usr/lib/systemd/user) into dbus-user-session_*.deb
> so that it's opt-in.
>
> For the latter solution, the patch/script on the Red Hat bug you
> referenced are implementations of the right sort of idea. Please talk
> to the gdm (GNOME) developers about the best way to integrate that.
>
> S
> ___
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] User bus broke automatic multiseat
The following change in systemd-226:

systemd now supports the concept of user buses replacing session buses, if used with dbus-1.10 (and enabled via dbus --enable-user-session). It previously only supported this on kdbus-enabled systems, and this release expands this to 'dbus-daemon' systems

totally broke the automatic multiseat with GDM: https://bugzilla.redhat.com/show_bug.cgi?id=1404849

What configuration options can restore the old session-bus behavior?
Re: [systemd-devel] 'udevadm settle' brakes lvm on top of imsm raid
Thanks, I did more debugging with LVM and I realised that lvm always uses the last device it has scanned. Scanning of devices is called by udev rules using the lvm pvscan --cache device command.

So the reason for using /dev/sdb2 instead of /dev/md126p2 is that udev runs lvm in the following order:

1. lvm pvscan --cache /dev/md126p2
2. lvm pvscan --cache /dev/sda2
3. lvm pvscan --cache /dev/sdb2

But there were no /dev/sda2 and /dev/sdb2 before running anaconda at all.

[root@localhost ~]# ls -ld /dev/md* /dev/sd*
drwxr-xr-x. 2 root root 120 May 29 03:43 /dev/md
brw-rw. 1 root disk 9, 126 May 29 03:43 /dev/md126
brw-rw. 1 root disk 259, 0 May 29 03:43 /dev/md126p1
brw-rw. 1 root disk 259, 1 May 29 03:43 /dev/md126p2
brw-rw. 1 root disk 9, 127 May 29 03:43 /dev/md127
brw-rw. 1 root disk 8, 0 May 29 03:43 /dev/sda
brw-rw. 1 root disk 8, 16 May 29 03:43 /dev/sdb
brw-rw. 1 root disk 8, 32 May 29 03:43 /dev/sdc
brw-rw. 1 root disk 8, 33 May 29 03:43 /dev/sdc1
brw-rw. 1 root disk 8, 34 May 29 03:43 /dev/sdc2
brw-rw. 1 root disk 8, 48 May 29 03:43 /dev/sdd
brw-rw. 1 root disk 8, 49 May 29 03:43 /dev/sdd1
brw-rw. 1 root disk 8, 50 May 29 03:43 /dev/sdd2
brw-rw. 1 root disk 8, 64 May 29 03:43 /dev/sde

They appear only after launching anaconda:

[root@localhost ~]# ls -ld /dev/md* /dev/sd*
drwxr-xr-x. 2 root root 120 May 29 03:47 /dev/md
brw-rw. 1 root disk 9, 126 May 29 03:47 /dev/md126
brw-rw. 1 root disk 259, 2 May 29 03:47 /dev/md126p1
brw-rw. 1 root disk 259, 3 May 29 03:47 /dev/md126p2
brw-rw. 1 root disk 9, 127 May 29 03:46 /dev/md127
brw-rw. 1 root disk 8, 0 May 29 03:47 /dev/sda
brw-rw. 1 root disk 8, 1 May 29 03:47 /dev/sda1
brw-rw. 1 root disk 8, 2 May 29 03:47 /dev/sda2
brw-rw. 1 root disk 8, 16 May 29 03:47 /dev/sdb
brw-rw. 1 root disk 8, 17 May 29 03:47 /dev/sdb1
brw-rw. 1 root disk 8, 18 May 29 03:47 /dev/sdb2
brw-rw. 1 root disk 8, 32 May 29 03:46 /dev/sdc
brw-rw. 1 root disk 8, 33 May 29 03:46 /dev/sdc1
brw-rw. 1 root disk 8, 34 May 29 03:46 /dev/sdc2
brw-rw. 1 root disk 8, 48 May 29 03:47 /dev/sdd
brw-rw. 1 root disk 8, 49 May 29 03:47 /dev/sdd1
brw-rw. 1 root disk 8, 50 May 29 03:47 /dev/sdd2
brw-rw. 1 root disk 8, 64 May 29 03:47 /dev/sde

So the root problem is not in lvm. The root problem is why devices /sd[ab]? appear? They should not exist because /dev/sd[ab] are parts of the /dev/md126 raid.

I do not insist that 'udevadm --settle' is the reason. But where should I make future research?

2015-05-28 13:06 GMT+03:00 Lennart Poettering lenn...@poettering.net:
> On Thu, 28.05.15 11:10, Oleg Samarin (osamari...@gmail.com) wrote:
> > Hi!
> >
> > I have an imsm raid-1 device /dev/md126 assembled of /dev/sda and
> > /dev/sdb. I have a lvm group on top of /dev/md126p2 with some logical
> > volumes. All this work fine with Fedora 21.
> >
> > I'm trying to fresh install Fedora 22 in some of lvm logical volume. I
> > boot with Fedora USB live media and run Install to hard disk. But
> > anaconda does not see any existing lvm volumes so I can not choose
> > them as a destination.
>
> Please ask LVM people for help on this, the systemd mailing list is
> really not the right forum for this.
>
> Thanks,
>
> Lennart
>
> --
> Lennart Poettering, Red Hat
Re: [systemd-devel] logind: support of shared devices
After adding the simple udev rule:

KERNEL=="seq", SUBSYSTEM=="sound", TAG+="shared"

/dev/snd/seq becomes accessible from all seats. Could you resolve this patch upstream or propose another way of granting access to /dev/snd/seq on activating sessions?

Why not remove the uaccess TAG from the device and set your own permissions? Like:

TAG-="uaccess", MODE="whatever", GROUP="something"

This way, logind will never touch the device and your statically set access-rules will be applied. If you now set the group to your user-group, only your user will have access to the device, regardless of the seat it's on.

1. The uaccess tag is added by another udev rule, and I do not know what will happen if there are two rules in contradiction.
2. By default /dev/seq/snd belongs to the audio group. Changing it may be unsafe for some applications.
3. Static access rules do not take into account whether the session is active or not. I want the access to be granted only to users that have active sessions.
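The policy argued for in this message (access to a shared node such as /dev/snd/seq follows active sessions and is revoked only when the user has no active session left on any seat), modelled as an added example that is not part of the thread or of logind. The struct, the function names and the uids are constructed for illustration, and an in-memory list stands in for the ACL on the device node.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define MAX_SEATS 4
#define NO_UID ((uid_t)-1)          /* seat has no active session */

/* Constructed model, not logind's data structures. */
struct model {
    size_t n_seats;
    uid_t active[MAX_SEATS];        /* owner of the active session, per seat */
    uid_t shared_acl[MAX_SEATS];    /* uids with an ACL entry on the shared node */
    size_t n_acl;
};

void model_init(struct model *m, size_t n_seats) {
    m->n_seats = n_seats;
    m->n_acl = 0;
    for (size_t i = 0; i < MAX_SEATS; i++)
        m->active[i] = NO_UID;
}

bool acl_has(const struct model *m, uid_t uid) {
    for (size_t i = 0; i < m->n_acl; i++)
        if (m->shared_acl[i] == uid)
            return true;
    return false;
}

static void acl_add(struct model *m, uid_t uid) {
    /* Every holder is active on some seat, so n_acl never exceeds n_seats. */
    if (!acl_has(m, uid) && m->n_acl < MAX_SEATS)
        m->shared_acl[m->n_acl++] = uid;
}

static void acl_del(struct model *m, uid_t uid) {
    for (size_t i = 0; i < m->n_acl; i++)
        if (m->shared_acl[i] == uid) {
            m->shared_acl[i] = m->shared_acl[--m->n_acl];
            return;
        }
}

/* True if uid owns the active session on a seat other than 'except'. */
static bool active_elsewhere(const struct model *m, uid_t uid, size_t except) {
    for (size_t i = 0; i < m->n_seats; i++)
        if (i != except && m->active[i] == uid)
            return true;
    return false;
}

/* Session switch on one seat; new_uid may be NO_UID when the seat goes idle.
 * Returns whether the previous user's entry on the shared node was revoked. */
bool switch_active(struct model *m, size_t seat, uid_t new_uid) {
    uid_t old_uid = m->active[seat];
    bool del_shared = false;

    m->active[seat] = new_uid;
    if (old_uid != NO_UID && old_uid != new_uid) {
        /* Revoke only if the old user is not active on any other seat. */
        del_shared = !active_elsewhere(m, old_uid, seat);
        if (del_shared)
            acl_del(m, old_uid);
    }
    if (new_uid != NO_UID)
        acl_add(m, new_uid);
    return del_shared;
}

int main(void) {
    struct model m;
    model_init(&m, 2);
    switch_active(&m, 0, 1001);              /* uid 1001 active on seat0 */
    switch_active(&m, 1, 1001);              /* and on seat1 */
    printf("revoked on seat0 switch: %d\n", switch_active(&m, 0, 1002));
    printf("revoked on seat1 logout: %d\n", switch_active(&m, 1, NO_UID));
    printf("1001 still has access:   %d\n", acl_has(&m, 1001));
    return 0;
}
```

A static group or mode on the node, as proposed in the reply, has no equivalent of the revocation step: membership persists after the last session becomes inactive.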
[systemd-devel] logind: support of shared devices
Hello!

The default systemd behavior is to grant/revoke access on devices attached to a seat when the user activates/deactivates a session on the seat. But sometimes the user needs access to some device when he/she activates a session on ANY seat.

For example, I have two seats: seat0 with ordinary monitor/keyboard/mouse/usb hub/usb sound card and seat1 that is used as a music workstation: it has some midi keyboards and sound cards connected. Usually I run midi applications on seat1, but sometimes I run them on seat1. All midi applications require access to the /dev/snd/seq kernel device. So it should be granted when a user activates a session on any seat.

My approach to this is to introduce a special UDEV tag 'shared' that tells logind that this device is attached to all seats and logind has to grant access to all sessions on all seats.

I've made a patch to systemd/logind that processes the 'shared' tag. After adding the simple udev rule:

KERNEL=="seq", SUBSYSTEM=="sound", TAG+="shared"

/dev/snd/seq becomes accessible from all seats. Could you resolve this patch upstream or propose another way of granting access to /dev/snd/seq on activating sessions?

From: Oleg Samarin osamari...@gmail.com
Subject: [PATCH] logind: support of shared devices

Supporting of acls on devices shared between all seats (like /dev/snd/seq): A user gets permissions on it when he activates a session on any seat. He/she loses the permissions when no more of his/her active sessions exist

diff -Naur systemd-217.old/src/login/logind-acl.c systemd-217.new/src/login/logind-acl.c --- systemd-217.old/src/login/logind-acl.c 2014-10-07 17:59:01.469576000 +0400 +++ systemd-217.new/src/login/logind-acl.c 2014-12-17 08:46:05.897064691 +0300
@@ -173,26 +173,56 @@ return r; } +int devset_all_acl( + Set *nodes, bool flush, + const char *seat, + bool del, uid_t old_uid, + bool add, uid_t new_uid +) { +int r = 0; + char *n; +Iterator i; + +SET_FOREACH(n, nodes, i) { +int k; + +log_debug(Changing ACLs at %s for seat %s (uid UID_FMT→UID_FMT%s%s), + n, seat, old_uid, new_uid, + del ? del : , add ? add : ); + +k = devnode_acl(n, flush, del, old_uid, add, new_uid); +if (k == -ENOENT) +log_debug(Device %s disappeared while setting ACLs, n); +else if (k 0 r == 0) +r = k; +} + return r; +} + int devnode_acl_all(struct udev *udev, const char *seat, bool flush, -bool del, uid_t old_uid, +bool del, bool del_shared, uid_t old_uid, bool add, uid_t new_uid) { _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL; struct udev_list_entry *item = NULL, *first = NULL; _cleanup_set_free_free_ Set *nodes = NULL; +_cleanup_set_free_free_ Set *nodes_shared = NULL; _cleanup_closedir_ DIR *dir = NULL; struct dirent *dent; Iterator i; char *n; -int r; +int r, r1; assert(udev); nodes = set_new(string_hash_ops); if (!nodes) return -ENOMEM; +nodes_shared = set_new(string_hash_ops); +if (!nodes_shared) +return -ENOMEM; e = udev_enumerate_new(udev); if (!e) @@ -222,17 +252,25 @@ udev_list_entry_foreach(item, first) { _cleanup_udev_device_unref_ struct udev_device *d = NULL; const char *node, *sn; +bool is_shared; d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item)); if (!d) return -ENOMEM; -sn = udev_device_get_property_value(d, ID_SEAT); -if (isempty(sn)) -sn = seat0; - -if (!streq(seat, sn)) -continue; +/* all devices with shared tag are accessible with all seats */ +is_shared = udev_device_has_tag(d, shared); + +if (is_shared) +sn = shared; +else { + sn = udev_device_get_property_value(d, ID_SEAT); + if (isempty(sn)) + sn = seat0; + + if (!streq(seat, sn)) + continue; + } node = udev_device_get_devnode(d); /* In case people mistag devices with nodes, we need to ignore this */ 
@@ -244,7 +282,10 @@ return -ENOMEM; log_debug(Found udev node %s for seat %s, n, seat); -r = set_consume(nodes, n); +if (is_shared) + r = set_consume(nodes_shared, n); + else + r = set_consume(nodes, n
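Review bot: In the udev_list_entry_foreach hunk of devnode_acl_all, the shared tag is tested before ID_SEAT is read, so a device that carries both the tag and an ID_SEAT naming one seat is still handed to the active user of every seat. If the tag is meant only for seatless nodes such as /dev/snd/seq, require ID_SEAT to be empty before setting is_shared, or say in the commit message that the tag overrides seat assignment so that rule authors know what tagging a device implies.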
[systemd-devel] GDM session is not activated
I have a two-seat configuration on my PC. The problem is that when I log in to a GDM session on seat0, it remains inactive, and I cannot activate it with the 'loginctl activate' command.

[oleg@oleg2 ~]$ loginctl
   SESSION        UID USER             SEAT
        c1         42 gdm              seat0
        c2         42 gdm              seat1
         2       1001 oleg             seat0

3 sessions listed.
[oleg@oleg2 ~]$ loginctl show-session 2
Id=2
Timestamp=Чт 2014-05-22 23:11:42 MSK
TimestampMonotonic=78374663
VTNr=0
Display=:0
Remote=no
Service=gdm-password
Scope=session-2.scope
Leader=3491
Audit=2
Type=x11
Class=user
Active=no
State=online
IdleHint=no
IdleSinceHint=0
IdleSinceHintMonotonic=0
Name=oleg
[oleg@oleg2 ~]$ loginctl activate 2
Failed to issue method call: Operation not supported
[oleg@oleg2 ~]$

It seems the reason for this behavior is VTNr=0, and since http://lists.freedesktop.org/archives/systemd-devel/2013-September/013261.html logind no longer allows activating sessions with VTNr=0.

What is wrong here? Which module is responsible for setting VTNr? X-server runs with -vt1 switch:

/usr/bin/Xorg :0 -background none -verbose -auth /run/gdm/auth-for-gdm-DZPMtr/database -seat seat0 vt1
Re: [systemd-devel] [PATCH 1/2] logind: Capability of making seats without framebuffer devices
On Fri, 04/01/2013 at 00:40 +0100, Lennart Poettering wrote:
> On Thu, 27.12.12 22:54, Oleg Samarin (osamari...@gmail.com) wrote:
> > On Mon, 24/12/2012 at 13:08 +0100, Lennart Poettering wrote:
> > > On Thu, 20.12.12 22:08, Oleg Samarin (osamari...@gmail.com) wrote:
> > > Could you please split these patches up? The seat-master bit looks
> > > straightforward to me, and I'd merge that quickly, the ONE_SEAT thing
> > > I don't really get.
> > The first part of my patch is here:
> Hmm, I can't apply this patch. Could you generate it with git
> format-patch please?
>
> Thanks!
>
> Lennart

Reformatted patch is here

From f0df8afac271845f377e7b859141b3e3c03d61cb Mon Sep 17 00:00:00 2001
From: Oleg Samarin osamari...@gmail.com
Date: Sat, 5 Jan 2013 20:33:37 +0400
Subject: [PATCH 1/2] logind: Capability of making seats without framebuffer devices

file logind.c: The seat is now activated by any device with udev tag seat-master
file 71-seat.rules.in: All framebuffer devices have this tag

--- src/login/71-seat.rules.in | 2 +- src/login/logind.c | 12 ++-- 2 files changed, 3 insertions(+), 11 deletions(-) diff --git a/src/login/71-seat.rules.in b/src/login/71-seat.rules.in index f554d7f..4f1a9a5 100644 --- a/src/login/71-seat.rules.in +++ b/src/login/71-seat.rules.in @@ -10,7 +10,7 @@ ACTION==remove, GOTO=seat_end TAG==uaccess, SUBSYSTEM!=sound, TAG+=seat SUBSYSTEM==sound, KERNEL==card*, TAG+=seat SUBSYSTEM==input, KERNEL==input*, TAG+=seat -SUBSYSTEM==graphics, KERNEL==fb[0-9]*, TAG+=seat +SUBSYSTEM==graphics, KERNEL==fb[0-9]*, TAG+=seat, TAG+=seat-master SUBSYSTEM==usb, ATTR{bDeviceClass}==09, TAG+=seat # 'Plugable' USB hub, sound, network, graphics adapter diff --git a/src/login/logind.c b/src/login/logind.c index 6438631..6776229 100644 --- a/src/login/logind.c +++ b/src/login/logind.c
@@ -459,11 +459,7 @@ int manager_enumerate_devices(Manager *m) { goto finish; } -r = udev_enumerate_add_match_subsystem(e, graphics); -if (r 0) -goto finish; - -r = udev_enumerate_add_match_tag(e, seat); +r = udev_enumerate_add_match_tag(e, seat-master); if (r 0) goto finish; @@ -1295,11 +1291,7 @@ static int manager_connect_udev(Manager *m) { if (!m-udev_seat_monitor) return -ENOMEM; -r = udev_monitor_filter_add_match_tag(m-udev_seat_monitor, seat); -if (r 0) -return r; - -r = udev_monitor_filter_add_match_subsystem_devtype(m-udev_seat_monitor, graphics, NULL); +r = udev_monitor_filter_add_match_tag(m-udev_seat_monitor, seat-master); if (r 0) return r; -- 1.7.11.7
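Review bot: The seat-master tag added in 71-seat.rules.in and matched in manager_enumerate_devices and manager_connect_udev is not documented anywhere in this patch; the diffstat touches only the rules file and logind.c. With the graphics subsystem match removed from both functions, any udev rule that adds TAG+=seat-master now decides on its own whether a seat exists, so the patch should describe what the tag means and which devices are expected to carry it.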
Re: [systemd-devel] [PATCH 2/2] logind: user access to shared devices
Reformatted patch is here

From eade2b14853eb56917fcf3ec8c7cfc2af0affdcb Mon Sep 17 00:00:00 2001
From: Oleg Samarin osamari...@gmail.com
Date: Sat, 5 Jan 2013 20:57:56 +0400
Subject: [PATCH 2/2] logind: user access to shared devices

Supporting of acls on devices shared between all seats (like /dev/snd/seq): A user gets permissions on it when he activates a session on any seat. He/she loses the permissions when no more of his/her active sessions exist

--- src/login/71-seat.rules.in | 1 + src/login/73-seat-late.rules.in | 3 +++ src/login/logind-acl.c | 26 +- src/login/logind-acl.h | 2 +- src/login/logind-seat.c | 5 - 5 files changed, 26 insertions(+), 11 deletions(-) diff --git a/src/login/71-seat.rules.in b/src/login/71-seat.rules.in index 4f1a9a5..7256d06 100644 --- a/src/login/71-seat.rules.in +++ b/src/login/71-seat.rules.in @@ -42,6 +42,7 @@ SUBSYSTEM==usb, ATTR{idVendor}==17e9, ATTR{idProduct}==401a, ATTR{product} TAG==seat, ENV{ID_PATH}==, IMPORT{builtin}=path_id TAG==seat, ENV{ID_FOR_SEAT}==, ENV{ID_PATH_TAG}!=, ENV{ID_FOR_SEAT}=$env{SUBSYSTEM}-$env{ID_PATH_TAG} +TAG==seat, ENV{ONE_SEAT}=1 SUBSYSTEM==input, ATTR{name}==Wiebetech LLC Wiebetech, RUN+=@rootbindir@/loginctl lock-sessions diff --git a/src/login/73-seat-late.rules.in b/src/login/73-seat-late.rules.in index 901df75..f8e 100644 --- a/src/login/73-seat-late.rules.in +++ b/src/login/73-seat-late.rules.in @@ -14,4 +14,7 @@ ENV{ID_SEAT}!=, TAG+=$env{ID_SEAT} TAG==uaccess, ENV{MAJOR}!=, RUN{builtin}+=uaccess +ENV{ONE_SEAT}==, IMPORT{parent}=ONE_SEAT +TAG==uaccess, ENV{ONE_SEAT}!=1, ENV{ID_SEAT}==, TAG+=shared + LABEL=seat_late_end diff --git a/src/login/logind-acl.c b/src/login/logind-acl.c index cb045a9..4b2988a 100644 --- a/src/login/logind-acl.c +++ b/src/login/logind-acl.c
@@ -174,7 +174,7 @@ finish: int devnode_acl_all(struct udev *udev, const char *seat, bool flush, -bool del, uid_t old_uid, +bool del, bool del_shared, uid_t old_uid, bool add, uid_t new_uid) { struct udev_list_entry *item = NULL, *first = NULL; @@ -208,6 +208,7 @@ int devnode_acl_all(struct udev *udev, udev_list_entry_foreach(item, first) { struct udev_device *d; const char *node, *sn; +bool is_shared; d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item)); if (!d) { @@ -215,13 +216,20 @@ int devnode_acl_all(struct udev *udev, goto finish; } -sn = udev_device_get_property_value(d, ID_SEAT); -if (isempty(sn)) -sn = seat0; - -if (!streq(seat, sn)) { -udev_device_unref(d); -continue; +/* all devices with shared tag are accessible with all seats */ +is_shared = udev_device_has_tag(d, shared); + +if (is_shared) +sn = shared; +else { +sn = udev_device_get_property_value(d, ID_SEAT); +if (isempty(sn)) +sn = seat0; + +if (!streq(seat, sn)) { +udev_device_unref(d); +continue; +} } node = udev_device_get_devnode(d); @@ -233,7 +241,7 @@ int devnode_acl_all(struct udev *udev, log_debug(Fixing up %s for seat %s..., node, sn); -r = devnode_acl(node, flush, del, old_uid, add, new_uid); +r = devnode_acl(node, flush, is_shared ? del_shared : del, old_uid, add, new_uid); udev_device_unref(d); if (r 0) diff --git a/src/login/logind-acl.h b/src/login/logind-acl.h index ec09843..fe1183c 100644 --- a/src/login/logind-acl.h +++ b/src/login/logind-acl.h @@ -35,7 +35,7 @@ int devnode_acl(const char *path, int devnode_acl_all(struct udev *udev, const char *seat, bool flush, -bool del, uid_t old_uid, +bool del, bool del_shared, uid_t old_uid, bool add, uid_t new_uid); #else diff --git a/src/login/logind-seat.c b/src/login/logind-seat.c index 470d08b..a51f5bb 100644 --- a/src/login/logind-seat.c +++ b/src/login/logind-seat.c 
@@ -225,7 +225,10 @@ int seat_apply_acls(Seat *s, Session *old_active) { r = devnode_acl_all(s-manager-udev, s-id, false, -!!old_active, old_active ? old_active-user-uid : 0, +!!old_active, +// delete acl on shared devices only if no other active sessions
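Review bot: In the last logind-acl.c hunk, the call devnode_acl(node, flush, is_shared ? del_shared : del, ...) switches the delete flag for shared nodes but passes flush through unchanged. If flush clears all user entries on the node, as its name suggests, a flush requested on behalf of one seat would also drop the entries that users active on other seats hold on a shared node; pass false for shared nodes or handle them in a separate pass.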
[systemd-devel] [PATCH 1/2] logind: Capability of making seats without framebuffer devices
On Mon, 24/12/2012 at 13:08 +0100, Lennart Poettering wrote:
> On Thu, 20.12.12 22:08, Oleg Samarin (osamari...@gmail.com) wrote:
> Could you please split these patches up? The seat-master bit looks
> straightforward to me, and I'd merge that quickly, the ONE_SEAT thing
> I don't really get.

The first part of my patch is here:

From: Oleg Samarin osamari...@gmail.com
Subject: [PATCH] logind: Capability of making seats without framebuffer devices

file logind.c: The seat is now activated by any device with udev tag seat-master
file 71-seat.rules.in: All framebuffer devices have this tag
file multi-seat-x.c: if the seat does not have a framebuffer device, runs X as a proxy, adding -sharevts
    only if the seat has a framebuffer device, makes a special config for X (like it did before)

diff -Naur /home/oleg/tmp/systemd.old/src/login/71-seat.rules.in /home/oleg/tmp/systemd.fb/src/login/71-seat.rules.in --- /home/oleg/tmp/systemd.old/src/login/71-seat.rules.in 2012-11-21 05:19:20.0 +0400 +++ /home/oleg/tmp/systemd.fb/src/login/71-seat.rules.in 2012-12-27 22:44:56.129552678 +0400 @@ -10,7 +10,7 @@ TAG==uaccess, SUBSYSTEM!=sound, TAG+=seat SUBSYSTEM==sound, KERNEL==card*, TAG+=seat SUBSYSTEM==input, KERNEL==input*, TAG+=seat -SUBSYSTEM==graphics, KERNEL==fb[0-9]*, TAG+=seat +SUBSYSTEM==graphics, KERNEL==fb[0-9]*, TAG+=seat, TAG+=seat-master SUBSYSTEM==usb, ATTR{bDeviceClass}==09, TAG+=seat # 'Plugable' USB hub, sound, network, graphics adapter diff -Naur /home/oleg/tmp/systemd.old/src/login/logind.c /home/oleg/tmp/systemd.fb/src/login/logind.c --- /home/oleg/tmp/systemd.old/src/login/logind.c 2012-11-21 05:19:20.0 +0400 +++ /home/oleg/tmp/systemd.fb/src/login/logind.c 2012-12-27 22:39:17.192654294 +0400 @@ -450,11 +450,7 @@ goto finish; } -r = udev_enumerate_add_match_subsystem(e, graphics); -if (r 0) -goto finish; - -r = udev_enumerate_add_match_tag(e, seat); +r = udev_enumerate_add_match_tag(e, seat-master); if (r 0) goto finish;
@@ -1286,11 +1282,7 @@ if (!m-udev_seat_monitor) return -ENOMEM; -r = udev_monitor_filter_add_match_tag(m-udev_seat_monitor, seat); -if (r 0) -return r; - -r = udev_monitor_filter_add_match_subsystem_devtype(m-udev_seat_monitor, graphics, NULL); +r = udev_monitor_filter_add_match_tag(m-udev_seat_monitor, seat-master); if (r 0) return r;
Re: [systemd-devel] [PATCH 1/2] logind: user access to shared devices
Supporting of acls on devices shared between all seats (like /dev/snd/seq): A user gets permissions on it when he activates a session on any seat. He/she loses the permissions when no more of his/her active sessions exist

On Mon, 24/12/2012 at 13:08 +0100, Lennart Poettering wrote:
> boolean udev props usually use 1 instead of Y as positive value.
> > +// all devices with shared tag are accessible with all seats
> > +is_shared = udev_device_has_tag(d, shared);

Corrected

> We do not use C++ style // comments. Only use /* C style comments */
> please, even if C99 is fine with // too..

Corrected

> Please do not use { } for single line if blocks. This is not PHP ;-)

Corrected

> I don't grok the ONE_SEAT thing. Could you create a split out patch
> for that and explain in more detail what this about?

ONE_SEAT: I'd set shared tag for all devices that have uaccess tag and neither the device itself nor some of its parent has seat tag, ie it cannot be attached to a seat. There are two such devices on my system: /dev/snd/seq and /dev/snd/timer. They are treated as accessible from all seats.

I couldn't create a simpler udev rule for this approach, but made two rules: the first rule sets ONE_SEAT attribute for all devices with seat tag and all their descendants. And the second rule sets shared tag for all devices with uaccess tag and without ONE_SEAT attribute.

If you know how to achieve this without ONE_SEAT, I'd like to implement it.

Oleg.
From: Oleg Samarin osamari...@gmail.com
Subject: [PATCH] logind: user access to shared devices

Supporting of acls on devices shared between all seats (like /dev/snd/seq): A user gets permissions on it when he activates a session on any seat. He/she loses the permissions when no more of his/her active sessions exist

diff -Naur /home/oleg/tmp/systemd.fb/src/login/71-seat.rules.in /home/oleg/tmp/systemd.new/src/login/71-seat.rules.in --- /home/oleg/tmp/systemd.fb/src/login/71-seat.rules.in 2012-12-27 22:44:56.129552678 +0400 +++ /home/oleg/tmp/systemd.new/src/login/71-seat.rules.in 2012-12-27 22:56:28.725187447 +0400 @@ -42,6 +42,7 @@ TAG==seat, ENV{ID_PATH}==, IMPORT{builtin}=path_id TAG==seat, ENV{ID_FOR_SEAT}==, ENV{ID_PATH_TAG}!=, ENV{ID_FOR_SEAT}=$env{SUBSYSTEM}-$env{ID_PATH_TAG} +TAG==seat, ENV{ONE_SEAT}=1 SUBSYSTEM==input, ATTR{name}==Wiebetech LLC Wiebetech, RUN+=@rootbindir@/loginctl lock-sessions diff -Naur /home/oleg/tmp/systemd.fb/src/login/73-seat-late.rules.in /home/oleg/tmp/systemd.new/src/login/73-seat-late.rules.in --- /home/oleg/tmp/systemd.fb/src/login/73-seat-late.rules.in 2012-12-27 22:34:17.318277147 +0400 +++ /home/oleg/tmp/systemd.new/src/login/73-seat-late.rules.in 2012-12-27 22:56:54.515875520 +0400 @@ -14,4 +14,7 @@ TAG==uaccess, ENV{MAJOR}!=, RUN{builtin}+=uaccess +ENV{ONE_SEAT}==, IMPORT{parent}=ONE_SEAT +TAG==uaccess, ENV{ONE_SEAT}!=1, ENV{ID_SEAT}==, TAG+=shared + LABEL=seat_late_end diff -Naur /home/oleg/tmp/systemd.fb/src/login/logind-acl.c /home/oleg/tmp/systemd.new/src/login/logind-acl.c --- /home/oleg/tmp/systemd.fb/src/login/logind-acl.c 2012-12-27 22:34:17.318277147 +0400 +++ /home/oleg/tmp/systemd.new/src/login/logind-acl.c 2012-12-27 22:59:25.160050145 +0400 @@ -174,7 +174,7 @@ int devnode_acl_all(struct udev *udev, const char *seat, bool flush, -bool del, uid_t old_uid, +bool del, bool del_shared, uid_t old_uid, bool add, uid_t new_uid) { struct udev_list_entry *item = NULL, *first = NULL;
@@ -208,6 +208,7 @@ udev_list_entry_foreach(item, first) { struct udev_device *d; const char *node, *sn; +bool is_shared; d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item)); if (!d) { @@ -215,13 +216,20 @@ goto finish; } -sn = udev_device_get_property_value(d, ID_SEAT); -if (isempty(sn)) -sn = seat0; - -if (!streq(seat, sn)) { -udev_device_unref(d); -continue; +/* all devices with shared tag are accessible with all seats */ +is_shared = udev_device_has_tag(d, shared); + +if (is_shared) +sn = shared; +else { +sn = udev_device_get_property_value(d, ID_SEAT); +if (isempty(sn)) +sn = seat0; + +if (!streq(seat, sn)) { +udev_device_unref(d); +continue; +} } node = udev_device_get_devnode(d); @@ -233,7 +241,7 @@ log_debug(Fixing up %s for seat %s..., node, sn); -r = devnode_acl(node, flush
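Review bot: In the 73-seat-late.rules.in hunk, the new rule selects shared devices by what they lack (ENV{ONE_SEAT}!=1 and an empty ID_SEAT) rather than by name, so any uaccess node that shows up without a seat-tagged ancestor becomes reachable from every seat. The explanation in this message names only /dev/snd/seq and /dev/snd/timer; matching those two explicitly by SUBSYSTEM and KERNEL would keep the shared set from growing silently when new uaccess devices appear, and would make the ONE_SEAT property unnecessary.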
[systemd-devel] [PATCH] logind-multi-seat issues
i1. Capability of making seats without framebuffer devices

logind.c: The seat is now activated by any device with udev tag seat-master
71-seat.rules.in: All framebuffer devices have this tag
multi-seat-x.c: if the seat does not have a framebuffer device, runs X as a proxy, adding -sharevts
    only if the seat has a framebuffer device, makes a special config for X (like it did before)

i2. Supporting of acls on devices shared between all seats (like /dev/snd/seq)

These devices have shared udev tag in addition to uaccess
A user gets permissions on it when he activates a session on any seat.
He/she loses the permissions when no more of his/her active sessions exist

71-seat.rules.in: sets ONE_SEAT env var to Y for all devices with seat tag
73-seat-late.rules.in: inherits ONE_SEAT env from the parent device.
    sets shared tag to all devices with uaccess tag with neither ONE_SEAT nor ID_SEAT env
logind-acl.c: changes acl on shared devices regardless of their seats
logind-seat.c: when a user removes an active session, checks whether other active sessions of this user (on other seats) exist

diff -Naur systemd.old/src/login/71-seat.rules.in systemd.new/src/login/ 71-seat.rules.in --- systemd.old/src/login/71-seat.rules.in2012-12-14 22:51:19.361720536 +0400 +++ systemd.new/src/login/71-seat.rules.in2012-12-14 23:07:14.116893094 +0400 @@ -11,6 +11,7 @@ SUBSYSTEM==sound, KERNEL==card*, TAG+=seat SUBSYSTEM==input, KERNEL==input*, TAG+=seat SUBSYSTEM==graphics, KERNEL==fb[0-9]*, TAG+=seat +SUBSYSTEM==graphics, KERNEL==fb[0-9]*, TAG+=seat-master SUBSYSTEM==usb, ATTR{bDeviceClass}==09, TAG+=seat # 'Plugable' USB hub, sound, network, graphics adapter
@@ -42,6 +43,7 @@ TAG==seat, ENV{ID_PATH}==, IMPORT{builtin}=path_id TAG==seat, ENV{ID_FOR_SEAT}==, ENV{ID_PATH_TAG}!=, ENV{ID_FOR_SEAT}=$env{SUBSYSTEM}-$env{ID_PATH_TAG} +TAG==seat, ENV{ONE_SEAT}=Y SUBSYSTEM==input, ATTR{name}==Wiebetech LLC Wiebetech, RUN+=@rootbindir@/loginctl lock-sessions diff -Naur systemd.old/src/login/73-seat-late.rules.insystemd.new/src/login/ 73-seat-late.rules.in --- systemd.old/src/login/73-seat-late.rules.in2012-12-14 22:51:19.361720536 +0400 +++ systemd.new/src/login/73-seat-late.rules.in2012-12-14 23:08:22.548039895 +0400 @@ -14,4 +14,7 @@ TAG==uaccess, ENV{MAJOR}!=, RUN{builtin}+=uaccess +ENV{ONE_SEAT}==, IMPORT{parent}=ONE_SEAT +TAG==uaccess, ENV{ONE_SEAT}!=Y, ENV{ID_SEAT}==, TAG+=shared + LABEL=seat_late_end diff -Naur systemd.old/src/login/logind-acl.c systemd.new/src/login/logind-acl.c --- systemd.old/src/login/logind-acl.c2012-12-14 22:51:19.361720536 +0400 +++ systemd.new/src/login/logind-acl.c2012-12-14 23:10:59.457079493 +0400 @@ -174,7 +174,7 @@ int devnode_acl_all(struct udev *udev, const char *seat, bool flush, -bool del, uid_t old_uid, +bool del, bool del_shared, uid_t old_uid, bool add, uid_t new_uid) { struct udev_list_entry *item = NULL, *first = NULL; @@ -208,6 +208,7 @@ udev_list_entry_foreach(item, first) { struct udev_device *d; const char *node, *sn; +bool is_shared; d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item)); if (!d) { @@ -215,13 +216,20 @@ goto finish; } -sn = udev_device_get_property_value(d, ID_SEAT); -if (isempty(sn)) -sn = seat0; - -if (!streq(seat, sn)) { -udev_device_unref(d); -continue; +// all devices with shared tag are accessible with all seats +is_shared = udev_device_has_tag(d, shared); + +if (is_shared) { +sn = shared; +} else { +sn = udev_device_get_property_value(d, ID_SEAT); +if (isempty(sn)) +sn = seat0; + +if (!streq(seat, sn)) { +udev_device_unref(d); +continue; +} } node = udev_device_get_devnode(d); 
@@ -233,7 +241,7 @@ log_debug(Fixing up %s for seat %s..., node, sn); -r = devnode_acl(node, flush, del, old_uid, add, new_uid); +r = devnode_acl(node, flush, is_shared ? del_shared : del, old_uid, add, new_uid); udev_device_unref(d); if (r 0) diff -Naur systemd.old/src/login/logind-acl.h systemd.new/src/login/logind-acl.h --- systemd.old/src/login/logind-acl.h2012-12-14 22:51:19.361720536 +0400 +++ systemd.new/src/login/logind-acl.h2012-12-14 23:11:39.936573058 +0400 @@ -35,7 +35,7 @@ int devnode_acl_all(struct udev *udev, const char *seat,
[systemd-devel] [PATCH] logind: some multi-seat issues
i1. Capability of making seats without framebuffer devices

logind.c: The seat is now activated by any device with udev tag seat-master
71-seat.rules.in: All framebuffer devices have this tag
multi-seat-x.c: if the seat does not have a framebuffer device, runs X as a proxy, adding -sharevts
    only if the seat has a framebuffer device, makes a special config for X (like it did before)

i2. Supporting of acls on devices shared between all seats (like /dev/snd/seq)

These devices have shared udev tag in addition to uaccess
A user gets permissions on it when he activates a session on any seat.
He/she loses the permissions when no more of his/her active sessions exist

71-seat.rules.in: sets ONE_SEAT env var to Y for all devices with seat tag
73-seat-late.rules.in: inherits ONE_SEAT env from the parent device.
    sets shared tag to all devices with uaccess tag with neither ONE_SEAT nor ID_SEAT env
logind-acl.c: changes acl on shared devices regardless of their seats
logind-seat.c: when a user removes an active session, checks whether other active sessions of this user (on other seats) exist

-- src/login/71-seat.rules.in-- index f554d7f..b9921e5 100644 @@ -11,6 +11,7 @@ TAG==uaccess, SUBSYSTEM!=sound, TAG+=seat SUBSYSTEM==sound, KERNEL==card*, TAG+=seat SUBSYSTEM==input, KERNEL==input*, TAG+=seat SUBSYSTEM==graphics, KERNEL==fb[0-9]*, TAG+=seat +SUBSYSTEM==graphics, KERNEL==fb[0-9]*, TAG+=seat-master SUBSYSTEM==usb, ATTR{bDeviceClass}==09, TAG+=seat # 'Plugable' USB hub, sound, network, graphics adapter @@ -43,6 +44,8 @@ SUBSYSTEM==usb, ATTR{idVendor}==17e9, ATTR{idProduct}==401a, ATTR{product} TAG==seat, ENV{ID_PATH}==, IMPORT{builtin}=path_id TAG==seat, ENV{ID_FOR_SEAT}==, ENV{ID_PATH_TAG}!=, ENV{ID_FOR_SEAT}=$env{SUBSYSTEM}-$env{ID_PATH_TAG} +TAG==seat, ENV{ONE_SEAT}=Y + SUBSYSTEM==input, ATTR{name}==Wiebetech LLC Wiebetech, RUN+=@rootbindir@/loginctl lock-sessions LABEL=seat_end --- src/login/73-seat-late.rules.in--- index 901df75..f043fca 100644
@@ -14,4 +14,7 @@ ENV{ID_SEAT}!=, TAG+=$env{ID_SEAT} TAG==uaccess, ENV{MAJOR}!=, RUN{builtin}+=uaccess +ENV{ONE_SEAT}==, IMPORT{parent}=ONE_SEAT +TAG==uaccess, ENV{ONE_SEAT}!=Y, ENV{ID_SEAT}==, TAG+=shared + LABEL=seat_late_end src/login/logind-acl.c index cb045a9..fb4893a 100644 @@ -174,7 +174,7 @@ finish: int devnode_acl_all(struct udev *udev, const char *seat, bool flush, -bool del, uid_t old_uid, +bool del, bool del_shared, uid_t old_uid, bool add, uid_t new_uid) { struct udev_list_entry *item = NULL, *first = NULL; @@ -208,6 +208,7 @@ int devnode_acl_all(struct udev *udev, udev_list_entry_foreach(item, first) { struct udev_device *d; const char *node, *sn; +bool is_shared; d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item)); if (!d) { @@ -215,13 +216,20 @@ int devnode_acl_all(struct udev *udev, goto finish; } -sn = udev_device_get_property_value(d, ID_SEAT); -if (isempty(sn)) -sn = seat0; +// all devices with shared tag are accessible with all seats +is_shared = udev_device_has_tag(d, shared); -if (!streq(seat, sn)) { -udev_device_unref(d); -continue; +if (is_shared) { +sn = shared; +} else { +sn = udev_device_get_property_value(d, ID_SEAT); +if (isempty(sn)) +sn = seat0; + +if (!streq(seat, sn)) { +udev_device_unref(d); +continue; +} } node = udev_device_get_devnode(d); @@ -233,7 +241,7 @@ int devnode_acl_all(struct udev *udev, log_debug(Fixing up %s for seat %s..., node, sn); -r = devnode_acl(node, flush, del, old_uid, add, new_uid); +r = devnode_acl(node, flush, is_shared ? del_shared : del, old_uid, add, new_uid); udev_device_unref(d); if (r 0) src/login/logind-acl.h index ec09843..fe1183c 100644 @@ -35,7 +35,7 @@ int devnode_acl(const char *path, int devnode_acl_all(struct udev *udev, const char *seat, bool flush, -bool del, uid_t old_uid, +bool del, bool del_shared, uid_t old_uid, bool add, uid_t new_uid); #else ---
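The tagging scheme described at the top of this message (ONE_SEAT set on seat-tagged devices, inherited from the parent, then shared added to uaccess devices that have neither ONE_SEAT nor ID_SEAT), modelled as an added example that is not part of the patch or of udev. The device tree, the device named hwC9D0 and all function names are constructed; only the rule conditions are taken from the rule lines visible in the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { TAG_UACCESS = 1, TAG_SEAT = 2, TAG_SHARED = 4 };

struct dev {
    const char *kernel;     /* KERNEL name */
    const char *subsystem;  /* SUBSYSTEM */
    int parent;             /* index of the parent, -1 if none; parents come first */
    const char *id_seat;    /* ENV{ID_SEAT}, "" when unset */
    unsigned tags;
    bool one_seat;          /* ENV{ONE_SEAT} is set */
};

/* Constructed sample tree, listed so that every parent precedes its children. */
static struct dev sample[] = {
    { "card0",    "sound",       -1, "",      0,           false },
    { "pcmC0D0p", "sound",        0, "",      TAG_UACCESS, false },
    { "seq",      "sound",       -1, "",      TAG_UACCESS, false },
    { "timer",    "sound",       -1, "",      TAG_UACCESS, false },
    { "video0",   "video4linux", -1, "",      TAG_UACCESS, false },
    { "hwC9D0",   "sound",       -1, "seat1", TAG_UACCESS, false },
};
#define N_SAMPLE (sizeof(sample) / sizeof(sample[0]))

/* Apply the subset of the 71-seat / 73-seat-late rules quoted in the thread. */
void apply_rules(struct dev *devs, size_t n) {
    for (size_t i = 0; i < n; i++) {
        struct dev *d = &devs[i];
        bool sound = strcmp(d->subsystem, "sound") == 0;

        /* 71-seat.rules.in: TAG==uaccess, SUBSYSTEM!=sound, TAG+=seat */
        if ((d->tags & TAG_UACCESS) && !sound)
            d->tags |= TAG_SEAT;
        /* 71-seat.rules.in: SUBSYSTEM==sound, KERNEL==card*, TAG+=seat */
        if (sound && strncmp(d->kernel, "card", 4) == 0)
            d->tags |= TAG_SEAT;
        /* 71-seat.rules.in (patch): TAG==seat, ENV{ONE_SEAT}=Y */
        if (d->tags & TAG_SEAT)
            d->one_seat = true;

        /* 73-seat-late.rules.in (patch): ENV{ONE_SEAT}==, IMPORT{parent}=ONE_SEAT */
        if (!d->one_seat && d->parent >= 0)
            d->one_seat = devs[d->parent].one_seat;
        /* 73-seat-late.rules.in (patch): uaccess, no ONE_SEAT, no ID_SEAT -> shared */
        if ((d->tags & TAG_UACCESS) && !d->one_seat && d->id_seat[0] == '\0')
            d->tags |= TAG_SHARED;
    }
}

void run_sample(void) {
    apply_rules(sample, N_SAMPLE);
}

/* True if the named sample device ended up with the shared tag. */
bool is_shared(const char *kernel) {
    for (size_t i = 0; i < N_SAMPLE; i++)
        if (strcmp(sample[i].kernel, kernel) == 0)
            return (sample[i].tags & TAG_SHARED) != 0;
    return false;
}

int main(void) {
    run_sample();
    for (size_t i = 0; i < N_SAMPLE; i++)
        printf("%-9s shared=%d one_seat=%d\n", sample[i].kernel,
               is_shared(sample[i].kernel), sample[i].one_seat);
    return 0;
}
```

Only the two parentless sound nodes without ID_SEAT come out as shared, which matches the /dev/snd/seq and /dev/snd/timer case named in the thread; any other node with the same three properties would be shared as well.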
Re: [systemd-devel] logind: multiseat without framebuffer graphic cards
Please rebase to current git! We merge new stuff like this only into the git version.

I'm sorry. The previous patch was for F17. Here is one for the git version.

As mentioned, for F19 we want to get rid of that. systemd-multi-seat-x was only intended to be a temporary work-around until X learned to use -seat for enumerating video devices. In F18 the code of s-m-s-x is already much shorter.

I saw it after I had downloaded the git version. But s-m-s-x in F18 is still overriding a xorg.conf file, so it seems any static configuration will be impossible. Maybe teach it not to override the conf in some cases?

2. Make 'loginctl seat-status' display which device is a seat-master

This would be useful, i.e. show a little asterisk or so next to the master devices of a seat.

4. Now the case is not resolved if two or more seat-master devices exist in the same seat and one of them becomes unplugged. It seems, according to login.c, that the manager_process_seat_device function will destroy the seat, but this behavior does not look correct. The same issue exists with framebuffer devices.

Hmm, so, the rule should definitely be that as long as at least one master device is around logind should keep the seat around.

Yes, it should exactly. These two issues (2 and 4) require logind to keep bool isMaster in struct Device and make manager_process_seat_device traverse the seat device list. I could make these changes. Unfortunately, I am not familiar with dbus, so I haven't yet realised how 'loginctl seat-status' works, so (2) would demand more time from me.

Newer X subscribes to udev, and can properly deal with graphics cards appearing and going away, and will merge them appropriately.

But logind should keep the seat active and shouldn't send SeatRemoved signals until no master devices are left.

3. Make 'loginctl attach' capable of adding a device as a seat-master. For example

I don't think this is really necessary or even a good idea. A master device should just mean that some device is sufficient for a seat to exist. But that's property of a device/driver, not so much configuration of the user, hence I think there is no point in adding high-level commands for this.

Maybe. The workaround (for closed source video), patching 72-seat-*.rules manually, is possible, but does not look nice. Changing the whole manner of initialising video (with udev instead of with X) does not seem feasible in the next XX years.

5. An issue is not related to framebuffer but to user access privileges: users can't access the /dev/snd/seq device in a multi-seat environment.

This sounds as if it should be tagged with uaccess, so that it is managed by dynamic ACLs as sessions become active and inactive.

udevadm shows it is tagged with uaccess, but there is no ID_SEAT property:

  P: /devices/virtual/sound/seq
  N: snd/seq
  E: DEVNAME=/dev/snd/seq
  E: DEVPATH=/devices/virtual/sound/seq
  E: MAJOR=116
  E: MINOR=1
  E: SUBSYSTEM=sound
  E: TAGS=:uaccess:
  E: USEC_INITIALIZED=5155039

But this virtual device should be shared between all seats and should be accessible from all active sessions. Can logind/pam handle this approach?

Some other multiseat-related issues detected (I'm not sure that systemd is responsible for them):

6. When the user presses Ctrl+Alt+fN on seat1, it switches the tty on seat0.

7. When seat0 is switched into text mode (e.g. after Ctrl+Alt+F2), all keys typed on seat1 are displayed on seat0. It seems to be a serious security vulnerability, because the seat0 user can see the login password of seat1 typed at the GDM login. The workaround is to start 'X -seat0 -sharevts', but it disables vt-switching on seat0 completely.

Oleg.
From: Oleg Samarin osamari...@gmail.com Subject: [PATCH] logind: multi-seat without framebuffer devices The seat is now activated by any device with udev tag seat-master All framebuffer devices have this tag multi-seat-x : if the seat does not have a framebuffer device, runs X as a proxy, adding -sharevts only if the seat has a framebuffer device, makes a special config for X (like it did before) diff -Naur systemd.old/src/login/71-seat.rules.in systemd.new/src/login/71-seat.rules.in --- systemd.old/src/login/71-seat.rules.in 2012-11-25 17:51:38.0 +0400 +++ systemd.new/src/login/71-seat.rules.in 2012-11-25 18:56:07.0 +0400 @@ -11,6 +11,7 @@ SUBSYSTEM==sound, KERNEL==card*, TAG+=seat SUBSYSTEM==input, KERNEL==input*, TAG+=seat SUBSYSTEM==graphics, KERNEL==fb[0-9]*, TAG+=seat +SUBSYSTEM==graphics, KERNEL==fb[0-9]*, TAG+=seat-master SUBSYSTEM==usb, ATTR{bDeviceClass}==09, TAG+=seat # 'Plugable' USB hub, sound, network, graphics adapter diff -Naur systemd.old/src/login/logind.c systemd.new/src/login/logind.c --- systemd.old/src/login/logind.c 2012-11-25 17:51:38.0 +0400 +++ systemd.new/src/login/logind.c 2012-11-25 18:58:07.0 +0400 @@ -450,11 +450,7 @@ goto finish; } -r
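Review bot: the line added in the 71-seat.rules.in hunk repeats the match of the line directly above it (SUBSYSTEM==graphics, KERNEL==fb[0-9]*), so both tags can be assigned in that one rule and the match stays in a single place. seat-master is a new tag that other drivers are expected to set on their own devices, so the rules file or the multi-seat documentation should state what it means: a device carrying it is enough for the seat to exist. The logind.c hunk is cut off on this page after its first removed line, so the code that consumes the tag cannot be reviewed here.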
Re: [systemd-devel] logind: multiseat without framebuffer graphic cards
But neither the user of seat0 nor the user of seat1 can access it, even if another user is not working with it, even if no user is logged in on another seat.

I did more testing and found that /dev/snd/seq is accessible to any user logged in on seat0, but not to one logged in on seat1.

After reading login_acl.c, it seems the reason is that the /dev/snd/seq device has the 'uaccess' tag, but does not have the 'ID_SEAT' property. So logind assumes this device belongs to seat0. I think logind should treat such a device as shared and accessible from all seats.

My idea is to treat all devices with the 'uaccess' tag but without the 'seat' tag as shared.

Lennart, what is your opinion on this? If nobody is opposed, this Saturday I could try to fix it in login_acl and to prepare a patch.
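The seat0 fallback described in this message, set against the shared rule from the patch earlier on the page, as an added example that is not part of the thread or of systemd. It parses udevadm info records and reports, per device node, the seat logind assumes today and whether the proposed rule would open the node to every seat; the records other than /dev/snd/seq, the _node key and the function names are assumptions made for the example.

```python
# Constructed sample in udevadm-info format: record 1 is the /dev/snd/seq output
# from the thread (trimmed), the rest is constructed; ONE_SEAT needs the patch.
SAMPLE = """\
P: /devices/virtual/sound/seq
N: snd/seq
E: TAGS=:uaccess:

P: /devices/pci0000:00/0000:00:1d.0/usb2/2-1/sound/card1/pcmC1D0p
N: snd/pcmC1D0p
E: ID_SEAT=seat1
E: ONE_SEAT=Y
E: TAGS=:uaccess:seat1:

P: /devices/pci0000:00/0000:00:1a.0/usb1/1-1/video4linux/video0
N: video0
E: ONE_SEAT=Y
E: TAGS=:uaccess:seat:
"""

def parse_records(text):
    """Split blank-line separated P:/N:/E: records into property dicts."""
    devices = []
    for block in text.strip().split("\n\n"):
        props = {}
        for line in block.splitlines():
            kind, _, value = line.partition(": ")
            if kind == "N":
                props["_node"] = "/dev/" + value  # hypothetical key for the node path
            elif kind == "E":
                name, _, val = value.partition("=")
                props[name] = val
        devices.append(props)
    return devices

def seat_today(dev):
    """Existing logind-acl.c fallback: an empty ID_SEAT means seat0."""
    return dev.get("ID_SEAT") or "seat0"

def shared_proposed(dev):
    """Proposed 73-seat-late rule: uaccess tag, ONE_SEAT != Y, ID_SEAT empty."""
    tags = dev.get("TAGS", "").strip(":").split(":")
    return "uaccess" in tags and dev.get("ONE_SEAT") != "Y" and not dev.get("ID_SEAT")

def audit(text):
    return [(d["_node"], seat_today(d), shared_proposed(d)) for d in parse_records(text)]

if __name__ == "__main__":
    for node, seat, shared in audit(SAMPLE):
        print(f"{node:18} seat today: {seat:6} shared after patch: {shared}")
```

Fed the output of udevadm info for the uaccess-tagged devices on a patched system, the last column lists every node whose ACL would follow sessions on all seats.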
Re: [systemd-devel] logind: multiseat without framebuffer graphic cards
On Wed, 21/11/2012 at 20:23 +0100, Lennart Poettering wrote:

I think there are other ways thinkable, where we don't have to add explicit nvidia-compatibility switches. For example, instead of explicitly watching for fb devices to show up before we consider a seat to be around, we could instead look for devices that are tagged with a special tag (tag as in udev's TAG= construct) -- we'd then tag all fb devices out-of-the-box this way, and people who want to use the nvidia binary driver can attach that tag to some kernel device the nvidia driver exposes, but I wouldn't have to care about that, and systemd upstream wouldn't need to know what people do locally. And maybe you could even convince Nvidia to ship the udev rule that attaches this tag in their drivers. By doing things this way we'd not introduce the race that your patch would introduce, but we'd not hardcode anything directly to fb devices.

Note that in systemd we generally try to fix these things properly, and not work-around things. Now, your global switch didn't appear as a proper fix to me, due to the race issues. But the solution with a udev tag otoh sounds like a worthwhile fix that makes logind cleaner -- and which as a side-effect allows you to integrate things with your nvidia driver.

Does that make some sense?

OK. So we need two changes:

(1). Introduce a new udev tag that means master device for the seat. Support it with logind.c. Add an udev rule that sets this tag for all framebuffer devices

(2). multi-seat-x should not trigger an error if no framebuffer device exists on the seat. It is temporary stuff until X can get the device from -seat, so it may look for a specially named config file or just start X without any additional parameters (or with -sharevts only)

This Saturday I will be capable of creating some patch for (1).

My questions:

1. Which tag name would be better? construct? seatmaster? Something else?

2. What should be the right behavior if there are two or more seat masters in a seat? Create a seat if any of them exists and remove the seat if there are no more seat-masters on the seat?

Oleg.