[systemd-devel] [PATCH] support statically configured acls

Kay Sievers kay at vrfy.org
Sun Mar 24 16:00:21 PDT 2013


On Sat, Mar 23, 2013 at 1:57 PM, Kay Sievers <kay at vrfy.org> wrote:
> On Sat, Mar 23, 2013 at 12:16 AM, Lennart Poettering
> <lennart at poettering.net> wrote:
>> On Tue, 19.03.13 17:36, Ludwig Nussel (ludwig.nussel at suse.de) wrote:
>>
>>> useful to get ACLs on files, sockets etc not known to udev
>>
>> Can't say I like this one. Sounds like an awful lot of code to me to
>> support evil closed source drivers.
>>
>> Kay, what do you say?
>>
>> If we could find a simpler way (for example, a list setting in
>> logind.conf) and emphasize that this is for any file, for example
>> sockets/fifos, this might be more palatable to me, but I still don't
>> like it.
>
> If possible, I would avoid another setting.
>
> We should rather look into making the "dead" device nodes exported by
> the kernel in:
>   /lib/modules/$(uname -r)/modules.devname
> work with ACLs.
>
> This does not only solve the problems with proprietary modules, they
> would just ship their device node info in the module itself. But would
> also apply the ACL to things like:
>   /dev/snd/seq
> where ordinary users cannot trigger the on-demand module-load. The ACL
> will only be applied after the module is loaded.
>
> It's all not that trivial, but solvable I guess. The config for the
> ACLs and the permissions is stored in udev rules, and we would need to
> export that somehow to the uaccess code.

This seems to apply the ACL to /dev/snd/seq:
  http://people.freedesktop.org/~kay/0001-udev-export-dead-device-nodes-to-run-udev-devnode-ua.patch

Kay
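The point in the quoted reply is that a "dead" device node listed in modules.devname only gets its uaccess ACL once the module is loaded and the node actually exists. The script below is an added example, not code from this thread or from Kay's patch: it reads entries in the depmod modules.devname format (`<module> <node relative to /dev> <type><major>:<minor>`, with the leading comment line), and for each entry either emits the `setfacl` invocation that would grant a session user read/write on the node, or reports the entry as pending because the node is still absent. The sample input, the device root directory argument and the UID 1000 are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample in the layout depmod writes to modules.devname:
#   <module> <devname relative to /dev> <type><major>:<minor>
SAMPLE_DEVNAME='# Device nodes to trigger on-demand module loading.
snd-seq snd/seq c116:1
snd-timer snd/timer c116:33
fuse fuse c10:229
'

# plan_uaccess_acls DEVROOT UID
# Reads modules.devname entries from stdin. For every listed node it prints
# either the setfacl command that would grant UID read/write (node present
# under DEVROOT, normally /dev) or a "pending" line for a dead entry whose
# ACL cannot be applied until the module is loaded and the node appears.
# Entries that are not character or block nodes are reported and skipped.
plan_uaccess_acls() {
    devroot=$1
    uid=$2
    while IFS=' ' read -r module devname devnum; do
        # Skip the comment header and blank lines.
        case $module in ''|'#'*) continue ;; esac
        ntype=$(printf '%s' "$devnum" | cut -c1)
        case $ntype in
            c|b) ;;
            *) printf 'skip %s: unknown node type in %s\n' "$devname" "$devnum"
               continue ;;
        esac
        node="$devroot/$devname"
        if [ -e "$node" ]; then
            printf 'setfacl -m u:%s:rw %s\n' "$uid" "$node"
        else
            printf 'pending %s (module %s, %s)\n' "$node" "$module" "$devnum"
        fi
    done
}

# Stand-alone usage against the constructed sample and the real /dev tree.
if [ "${0##*/}" != "sh" ] && [ -z "$PLAN_UACCESS_NO_MAIN" ]; then
    printf '%s' "$SAMPLE_DEVNAME" | plan_uaccess_acls /dev 1000
fi
```

Running it against a live /dev shows which entries would already receive an ACL and which would have to wait for an on-demand module load, which is exactly the gap a static uaccess rule cannot close until the node exists.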
