[systemd-devel] [PATCH] support statically configured acls

Ludwig Nussel ludwig.nussel at suse.de
Wed Mar 27 04:06:35 PDT 2013

Kay Sievers wrote:
> On Sat, Mar 23, 2013 at 1:57 PM, Kay Sievers <kay at vrfy.org> wrote:
>> On Sat, Mar 23, 2013 at 12:16 AM, Lennart Poettering
>> <lennart at poettering.net> wrote:
>>> On Tue, 19.03.13 17:36, Ludwig Nussel (ludwig.nussel at suse.de) wrote:
>>>> useful to get ACLs on files, sockets etc not known to udev
>>> Can't say I like this one. Sounds like an awful lot of code to me to
>>> support evil closed source drivers.
>>> Kay, what do you say?
>>> If we could find a simpler way (for example, a list setting in
>>> logind.conf) and emphasize that this is for any file, for example
>>> sockets/fifos, this might be more palatable to me, but I still don't
>>> like it.
>> If possible, I would avoid another setting.
>> We should rather look into making the "dead" device nodes exported by
>> the kernel in:
>>    /lib/modules/$(uname -r)/modules.devname
>> work with ACLs.
>> This does not only solve the problems with proprietary modules, they
>> would just ship their device node info in the module itself. But would
>> also apply the ACL to things like:
>>    /dev/snd/seq
>> where ordinary users cannot trigger the on-demand module-load. The ACL
>> will only be applied after the module is loaded.
>> It's all not that trivial, but solvable I guess. The config for the
>> ACLs and the permissions is stored in udev rules, and we would need to
>> export that somehow to the uaccess code.
> This seems to apply the ACL to /dev/snd/seq:
>    http://people.freedesktop.org/~kay/0001-udev-export-dead-device-nodes-to-run-udev-devnode-ua.patch

Works fine AFAICT and with some creative tricks can be (ab)used get ACLs on
arbitrary device nodes.


  (o_   Ludwig Nussel
  V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)

More information about the systemd-devel mailing list