Support for ACLs on devices shared between all seats (like /dev/snd/seq):
A user gets permissions on it when he activates a session on any seat.
He/she loses the permissions when none of his/her active sessions exist anymore.
On Mon, 24/12/2012 at 13:08 +0100, Lennart Poettering wrote:
> boolean udev props usually use "1" instead of "Y" as positive value.
>
>
> > + // all devices with shared tag are accessible with all
> > seats
> > + is_shared = udev_device_has_tag(d, "shared");
>
Corrected
> We do not use C++ style // comments. Only use /* C style comments */
> please, even if C99 is fine with // too..
Corrected
> Please do not use { } for single line if blocks. This is not PHP ;-)
Corrected
> I don't grok the ONE_SEAT thing. Could you create a split out patch
> for that and explain in more detail what this is about?
ONE_SEAT: I'd set "shared" tag for all devices that have "uaccess" tag
and neither the device itself nor some of its parents has "seat" tag, i.e.
it cannot be attached to a seat. There are two such devices on my system:
/dev/snd/seq and /dev/snd/timer. They are treated as accessible from all
seats.
I couldn't create a simpler udev rule for this approach, but made two
rules: the first rule sets ONE_SEAT attribute for all devices with
"seat" tag and all their descendants. And the second rule sets "shared"
tag for all devices with "uaccess" tag and without ONE_SEAT attribute.
If you know how to achieve this without ONE_SEAT, I'd like to implement
it.
Oleg.
From: Oleg Samarin <[email protected]>
Subject: [PATCH] logind: user access to shared devices
Support for ACLs on devices shared between all seats (like /dev/snd/seq):
A user gets permissions on it when he activates a session on any seat.
He/she loses the permissions when none of his/her active sessions exist anymore.
diff -Naur /home/oleg/tmp/systemd.fb/src/login/71-seat.rules.in /home/oleg/tmp/systemd.new/src/login/71-seat.rules.in
--- /home/oleg/tmp/systemd.fb/src/login/71-seat.rules.in 2012-12-27 22:44:56.129552678 +0400
+++ /home/oleg/tmp/systemd.new/src/login/71-seat.rules.in 2012-12-27 22:56:28.725187447 +0400
@@ -42,6 +42,7 @@
TAG=="seat", ENV{ID_PATH}=="", IMPORT{builtin}="path_id"
TAG=="seat", ENV{ID_FOR_SEAT}=="", ENV{ID_PATH_TAG}!="", ENV{ID_FOR_SEAT}="$env{SUBSYSTEM}-$env{ID_PATH_TAG}"
+TAG=="seat", ENV{ONE_SEAT}="1"
SUBSYSTEM=="input", ATTR{name}=="Wiebetech LLC Wiebetech", RUN+="@rootbindir@/loginctl lock-sessions"
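Review bot: the added rule TAG=="seat", ENV{ONE_SEAT}="1" introduces a new property with no comment in the rules file and without the ID_ prefix the neighbouring rules use (ID_PATH, ID_FOR_SEAT). Since this property decides later whether a device node gets ACLs for users on every seat, please add a comment line above the rule saying what ONE_SEAT means and that 73-seat-late.rules depends on it, and consider a name in the ID_ namespace so it is less likely to clash with a property set by another rules file.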
diff -Naur /home/oleg/tmp/systemd.fb/src/login/73-seat-late.rules.in /home/oleg/tmp/systemd.new/src/login/73-seat-late.rules.in
--- /home/oleg/tmp/systemd.fb/src/login/73-seat-late.rules.in 2012-12-27 22:34:17.318277147 +0400
+++ /home/oleg/tmp/systemd.new/src/login/73-seat-late.rules.in 2012-12-27 22:56:54.515875520 +0400
@@ -14,4 +14,7 @@
TAG=="uaccess", ENV{MAJOR}!="", RUN{builtin}+="uaccess"
+ENV{ONE_SEAT}=="", IMPORT{parent}="ONE_SEAT"
+TAG=="uaccess", ENV{ONE_SEAT}!="1", ENV{ID_SEAT}=="", TAG+="shared"
+
LABEL="seat_late_end"
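Review bot: the rule TAG=="uaccess", ENV{ONE_SEAT}!="1", ENV{ID_SEAT}=="", TAG+="shared" grants the shared tag by exclusion, so any uaccess device that does not end up with ONE_SEAT (for example because the IMPORT{parent} line found nothing on its parent) becomes accessible from all seats. For an access-control decision it would be safer to opt devices in explicitly, or at least to document in a comment here which devices are expected to match and why absence of ONE_SEAT is a reliable signal. The extra empty "+" line before LABEL can also be dropped.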
diff -Naur /home/oleg/tmp/systemd.fb/src/login/logind-acl.c /home/oleg/tmp/systemd.new/src/login/logind-acl.c
--- /home/oleg/tmp/systemd.fb/src/login/logind-acl.c 2012-12-27 22:34:17.318277147 +0400
+++ /home/oleg/tmp/systemd.new/src/login/logind-acl.c 2012-12-27 22:59:25.160050145 +0400
@@ -174,7 +174,7 @@
int devnode_acl_all(struct udev *udev,
const char *seat,
bool flush,
- bool del, uid_t old_uid,
+ bool del, bool del_shared, uid_t old_uid,
bool add, uid_t new_uid) {
struct udev_list_entry *item = NULL, *first = NULL;
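Review bot: the new del_shared argument in the devnode_acl_all() signature is a second bare bool directly after del, and nothing in the hunk documents when each one applies. Two adjacent bools are easy to swap at a call site without the compiler noticing, and here a swap would leave or remove ACLs on the wrong set of device nodes. Please add a comment on the function describing del versus del_shared, and consider whether the shared-device decision could be made inside the function instead of widening the parameter list.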
@@ -208,6 +208,7 @@
udev_list_entry_foreach(item, first) {
struct udev_device *d;
const char *node, *sn;
+ bool is_shared;
d = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
if (!d) {
@@ -215,13 +216,20 @@
goto finish;
}
- sn = udev_device_get_property_value(d, "ID_SEAT");
- if (isempty(sn))
- sn = "seat0";
-
- if (!streq(seat, sn)) {
- udev_device_unref(d);
- continue;
+ /* all devices with shared tag are accessible with all seats */
+ is_shared = udev_device_has_tag(d, "shared");
+
+ if (is_shared)
+ sn = "shared";
+ else {
+ sn = udev_device_get_property_value(d, "ID_SEAT");
+ if (isempty(sn))
+ sn = "seat0";
+
+ if (!streq(seat, sn)) {
+ udev_device_unref(d);
+ continue;
+ }
}
node = udev_device_get_devnode(d);
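Review bot: in the is_shared branch sn is set to the literal "shared", which is not a seat name and, from the lines shown, is only used by the later log_debug("Fixing up %s for seat %s...") call, so the log will read "for seat shared" and lose which seat triggered the change. I would keep sn as the real seat and log the shared case separately. This branch also skips the streq(seat, sn) check entirely, so every seat's call now touches the shared nodes; a short comment stating that this is intended would help the next reader.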
@@ -233,7 +241,7 @@
log_debug("Fixing up %s for seat %s...", node, sn);
- r = devnode_acl(node, flush, del, old_uid, add, new_uid);
+ r = devnode_acl(node, flush, is_shared ? del_shared : del, old_uid, add, new_uid);
udev_device_unref(d);
if (r < 0)
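Review bot: in the devnode_acl() call only del is replaced by del_shared for shared nodes, while flush and add are passed through unchanged. If any caller passes flush as true for one seat, the shared node would lose the ACL entries of users who are still active on other seats. Consider passing false for flush when is_shared is set, or add a comment explaining why flush is never true on this path.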
diff -Naur /home/oleg/tmp/systemd.fb/src/login/logind-acl.h /home/oleg/tmp/systemd.new/src/login/logind-acl.h
--- /home/oleg/tmp/systemd.fb/src/login/logind-acl.h 2012-12-27 22:34:17.318277147 +0400
+++ /home/oleg/tmp/systemd.new/src/login/logind-acl.h 2012-12-27 22:36:47.165467794 +0400
@@ -35,7 +35,7 @@
int devnode_acl_all(struct udev *udev,
const char *seat,
bool flush,
- bool del, uid_t old_uid,
+ bool del, bool del_shared, uid_t old_uid,
bool add, uid_t new_uid);
#else
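Review bot: the prototype gains del_shared, but the #else branch that follows is not part of this hunk. If that branch carries a fallback definition of devnode_acl_all() for builds without ACL support, it needs the same extra parameter, otherwise the updated call in logind-seat.c will not compile in that configuration. Please check and include it in the patch if so.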
diff -Naur /home/oleg/tmp/systemd.fb/src/login/logind-seat.c /home/oleg/tmp/systemd.new/src/login/logind-seat.c
--- /home/oleg/tmp/systemd.fb/src/login/logind-seat.c 2012-12-27 22:34:17.318277147 +0400
+++ /home/oleg/tmp/systemd.new/src/login/logind-seat.c 2012-12-27 22:36:47.166467784 +0400
@@ -225,7 +225,10 @@
r = devnode_acl_all(s->manager->udev,
s->id,
false,
- !!old_active, old_active ? old_active->user->uid : 0,
+ !!old_active,
+ // delete acl on shared devices only if no other active sessions
+ old_active && user_get_state(old_active->user) != USER_ACTIVE,
+ old_active ? old_active->user->uid : 0,
!!s->active, s->active ? s->active->user->uid : 0);
if (r < 0)
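Review bot: the added comment line "// delete acl on shared devices only if no other active sessions" is still C++ style, which the review above asked to be changed to /* ... */. On the logic in the next line: del_shared depends on user_get_state(old_active->user) != USER_ACTIVE being evaluated after the old session has stopped counting as active; if the user state still reflects the session being switched away from, the condition is never true and the ACL on shared devices is never removed. Please confirm the ordering and say so in the comment.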