[systemd-devel] [PATCH] support statically configured acls

Kay Sievers kay at vrfy.org
Sun Mar 24 16:00:21 PDT 2013

On Sat, Mar 23, 2013 at 1:57 PM, Kay Sievers <kay at vrfy.org> wrote:
> On Sat, Mar 23, 2013 at 12:16 AM, Lennart Poettering
> <lennart at poettering.net> wrote:
>> On Tue, 19.03.13 17:36, Ludwig Nussel (ludwig.nussel at suse.de) wrote:
>>> useful to get ACLs on files, sockets etc not known to udev
>> Can't say I like this one. Sounds like an awful lot of code to me to
>> support evil closed source drivers.
>> Kay, what do you say?
>> If we could find a simpler way (for example, a list setting in
>> logind.conf) and emphasize that this is for any file, for example
>> sockets/fifos, this might be more palatable to me, but I still don't
>> like it.
> If possible, I would avoid another setting.
> We should rather look into making the "dead" device nodes exported by
> the kernel in:
>   /lib/modules/$(uname -r)/modules.devname
> work with ACLs.
> This does not only solve the problems with proprietary modules, they
> would just ship their device node info in the module itself. But would
> also apply the ACL to things like:
>   /dev/snd/seq
> where ordinary users cannot trigger the on-demand module-load. The ACL
> will only be applied after the module is loaded.
> It's all not that trivial, but solvable I guess. The config for the
> ACLs and the permissions is stored in udev rules, and we would need to
> export that somehow to the uaccess code.

This seems to apply the ACL to /dev/snd/seq:


More information about the systemd-devel mailing list