[systemd-devel] [PATCH] support statically configured acls
Lennart Poettering
lennart at poettering.net
Fri Mar 22 16:16:41 PDT 2013
On Tue, 19.03.13 17:36, Ludwig Nussel (ludwig.nussel at suse.de) wrote:
> useful to get ACLs on files, sockets, etc. not known to udev
Can't say I like this one. Sounds like an awful lot of code to me to
support evil closed source drivers.
Kay, what do you say?
If we could find a simpler way (for example, a list setting in
logind.conf) and emphasize that this is for any file, for example
sockets/fifos, this might be more palatable to me, but I still don't
like it.
> ---
> src/login/logind-acl.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 59 insertions(+)
>
> diff --git a/src/login/logind-acl.c b/src/login/logind-acl.c
> index cb045a9..a44ecdc 100644
> --- a/src/login/logind-acl.c
> +++ b/src/login/logind-acl.c
> @@ -28,6 +28,18 @@
> #include "logind-acl.h"
> #include "util.h"
> #include "acl-util.h"
> +#include "strv.h"
> +#include "conf-files.h"
> +
> +static const char conf_file_dirs[] =
> + "/etc/systemd/acls.d\0"
> + "/run/systemd/acls.d\0"
> + "/usr/local/lib/systemd/acls.d\0"
> + "/usr/lib/systemd/acls.d\0"
> +#ifdef HAVE_SPLIT_USR
> + "/lib/systemd/acls.d\0"
> +#endif
> + ;
>
> static int flush_acl(acl_t acl) {
> acl_entry_t i;
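Review bot: conf_file_dirs is introduced without a comment saying what the directories hold or how their contents are read; a reader has to find apply_static_file_acls() two hunks later to learn that each *.conf file there lists one path per line that is handed to devnode_acl(). Suggest `/* Directories searched for *.conf files; each lists one path per line whose ACL is managed like a seat's device node */` above the definition. Whether an earlier directory shadows a same-named file in a later one is presumably conf_files_list_nulstr()'s convention and would be worth stating in the same comment.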
> @@ -171,6 +183,51 @@ finish:
> return r;
> }
>
> +static int apply_static_file_acls(
> + const char *seat,
> + bool flush,
> + bool del, uid_t old_uid,
> + bool add, uid_t new_uid) {
> + _cleanup_strv_free_ char **files = NULL;
> + int r;
> + char **fn;
> +
> + r = conf_files_list_nulstr(&files, ".conf", NULL, conf_file_dirs);
> + if (r < 0) {
> + log_error("Failed to enumerate acl.d files: %s", strerror(-r));
> + goto finish;
> + }
> +
> + STRV_FOREACH(fn, files) {
> + _cleanup_fclose_ FILE* fp = NULL;
> + char line[LINE_MAX];
> +
> + r = search_and_fopen_nulstr(*fn, "re", conf_file_dirs, &fp);
> + if (r < 0)
> + continue;
> +
> + FOREACH_LINE(line, fp, return -errno) {
> + int k;
> + char* l = strstrip(line);
> + const char* sn = seat; // TODO: allow to specify seat in second column?
> +
> + if (*l == '#' || *l == 0)
> + continue;
> +
> + log_debug("Fixing up static entry %s for seat %s...", l, sn);
> +
> + k = devnode_acl(l, flush, del, old_uid, add, new_uid);
> + if (k < 0) {
> + log_error("Failed to set acl on %s: %s", l, strerror(-k));
> + }
> + }
> +
> + }
> +
> +finish:
> + return r;
> +}
> +
> int devnode_acl_all(struct udev *udev,
> const char *seat,
> bool flush,
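Review bot: Each stripped config line is passed to devnode_acl() as given, with no check that it is an absolute path, so a relative entry would presumably be resolved against logind's current working directory; add `if (!path_is_absolute(l)) { log_error("Ignoring non-absolute path %s in %s", l, *fn); continue; }` before the devnode_acl() call. The message on the conf_files_list_nulstr() failure says `acl.d` while every directory in conf_file_dirs is named `acls.d`. The return value is muddled: r is overwritten by each search_and_fopen_nulstr() call and a per-entry devnode_acl() failure only updates k, so the function returns an error when merely the last file could not be opened and 0 when every entry failed — decide whether it is best-effort and document that in a header comment (the caller drops the result anyway). Minor: `FILE* fp` and `char* l` bind the star to the type while `char **fn` in the same function follows the file's usual style.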
> @@ -240,6 +297,8 @@ int devnode_acl_all(struct udev *udev,
> goto finish;
> }
>
> + apply_static_file_acls(seat, flush, del, old_uid, add, new_uid);
> +
> finish:
> if (e)
> udev_enumerate_unref(e);
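Review bot: The result of apply_static_file_acls() is discarded on the added line, so a failure to enumerate the acls.d directories is visible only through the log inside it while devnode_acl_all() still returns whatever the udev path produced; if that is intended, say so, e.g. `/* static entries are best-effort; failures are logged in apply_static_file_acls() */` above the call. Because the call sits after the `goto finish` on the preceding error check, the static entries are also skipped whenever the udev enumeration fails, which may or may not be wanted for entries that are not udev devices. devnode_acl_all() starts and ends outside the hunk.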
Lennart
--
Lennart Poettering - Red Hat, Inc.