[systemd-devel] [PATCH] support statically configured acls
Kay Sievers
kay at vrfy.org
Sat Mar 23 05:57:00 PDT 2013
On Sat, Mar 23, 2013 at 12:16 AM, Lennart Poettering
<lennart at poettering.net> wrote:
> On Tue, 19.03.13 17:36, Ludwig Nussel (ludwig.nussel at suse.de) wrote:
>
>> useful to get ACLs on files, sockets etc not known to udev
>
> Can't say I like this one. Sounds like an awful lot of code to me to
> support evil closed source drivers.
>
> Kay, what do you say?
>
> If we could find a simpler way (for example, a list setting in
> logind.conf) and emphasize that this is for any file, for example
> sockets/fifos, this might be more palatable to me, but I still don't
> like it.
If possible, I would avoid another setting.
We should rather look into making the "dead" device nodes exported by
the kernel in:
/lib/modules/$(uname -r)/modules.devname
work with ACLs.
This does not only solve the problems with proprietary modules, they
would just ship their device node info in the module itself. But would
also apply the ACL to things like:
/dev/snd/seq
where ordinary users cannot trigger the on-demand module-load. The ACL
will only be applied after the module is loaded.
It's all not that trivial, but solvable I guess. The config for the
ACLs and the permissions is stored in udev rules, and we would need to
export that somehow to the uaccess code.
Kay
More information about the systemd-devel
mailing list