Kay Sievers wrote:
On Sat, Mar 23, 2013 at 1:57 PM, Kay Sievers <[email protected]> wrote:
On Sat, Mar 23, 2013 at 12:16 AM, Lennart Poettering
<[email protected]> wrote:
On Tue, 19.03.13 17:36, Ludwig Nussel ([email protected]) wrote:
useful to get ACLs on files, sockets etc not known to udev
Can't say I like this one. Sounds like an awful lot of code to me to
support evil closed source drivers.
Kay, what do you say?
If we could find a simpler way (for example, a list setting in
logind.conf) and emphasize that this is for any file, for example
sockets/fifos, this might be more palatable to me, but I still don't
like it.
If possible, I would avoid another setting.
We should rather look into making the "dead" device nodes exported by
the kernel in:
/lib/modules/$(uname -r)/modules.devname
work with ACLs.
This does not only solve the problems with proprietary modules, they
would just ship their device node info in the module itself. But would
also apply the ACL to things like:
/dev/snd/seq
where ordinary users cannot trigger the on-demand module-load. The ACL
will only be applied after the module is loaded.
It's all not that trivial, but solvable I guess. The config for the
ACLs and the permissions is stored in udev rules, and we would need to
export that somehow to the uaccess code.
This seems to apply the ACL to /dev/snd/seq:
http://people.freedesktop.org/~kay/0001-udev-export-dead-device-nodes-to-run-udev-devnode-ua.patch
Works fine AFAICT and with some creative tricks can be (ab)used get ACLs on
arbitrary device nodes.
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB
16746 (AG Nürnberg)
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
