diff options
author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2019-06-29 15:08:11 +0200 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2019-06-29 16:10:49 +0200 |
commit | 3708c0f455931c8cb5fed149923e5a995c2e3fbf (patch) | |
tree | a0d87248e84cf400c81c66309c2e4546bc9f6d56 /src/udev | |
parent | ab3a7372d21bd41ac6d4ec574bf2ed5c63ae9a2f (diff) | |
download | systemd-3708c0f455931c8cb5fed149923e5a995c2e3fbf.tar.gz |
udev: don't force device ownership and mode on every event
This partially reverts 25de7aa7b90c23d33ea50ada1e50c5834a414237. I don't think the
change was intended there.
The problem I'm trying to solve: for /dev/kvm we get first an ADD uevent, and
then CHANGE whenever something connects or disconnects to the character device.
The rules in 50-default-udev.rules set UID, GID, and MODE on ADD, but not on
CHANGE. When the change event happens, we would reset the ownership and
permissions.
This happens because node_permissions_apply() would (after 25de7aa7b90c23d33)
set uid=gid=0 if they weren't set by the rules.
So let's only pass uid/gid/mode to node_permissions_apply() if appropriately
configured. Also let node_permissions_apply() do the skip of uid/gid/mode if
not set, and rename "always_apply" to more closely reflect its meaning.
Diffstat (limited to 'src/udev')
-rw-r--r-- | src/udev/udev-event.c | 28 | ||||
-rw-r--r-- | src/udev/udev-node.c | 22 |
2 files changed, 23 insertions, 27 deletions
diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c index 025a37bc26..dbdb9065dc 100644 --- a/src/udev/udev-event.c +++ b/src/udev/udev-event.c @@ -819,7 +819,6 @@ static int rename_netif(UdevEvent *event) { static int update_devnode(UdevEvent *event) { sd_device *dev = event->dev; - bool apply; int r; r = sd_device_get_devnum(dev, NULL); @@ -834,17 +833,13 @@ static int update_devnode(UdevEvent *event) { if (!uid_is_valid(event->uid)) { r = device_get_devnode_uid(dev, &event->uid); - if (r == -ENOENT) - event->uid = 0; - else if (r < 0) + if (r < 0 && r != -ENOENT) return log_device_error_errno(dev, r, "Failed to get devnode UID: %m"); } if (!gid_is_valid(event->gid)) { r = device_get_devnode_gid(dev, &event->gid); - if (r == -ENOENT) - event->gid = 0; - else if (r < 0) + if (r < 0 && r != -ENOENT) return log_device_error_errno(dev, r, "Failed to get devnode GID: %m"); } @@ -852,21 +847,14 @@ static int update_devnode(UdevEvent *event) { r = device_get_devnode_mode(dev, &event->mode); if (r < 0 && r != -ENOENT) return log_device_error_errno(dev, r, "Failed to get devnode mode: %m"); - if (r == -ENOENT) { - if (event->gid > 0) - /* default 0660 if a group is assigned */ - event->mode = 0660; - else - /* default 0600 */ - event->mode = 0600; - } } + if (event->mode == MODE_INVALID && gid_is_valid(event->gid) && event->gid > 0) + /* If group is set, but mode is not set, "upgrade" mode for the group. */ + event->mode = 0660; + + bool apply_mac = device_for_action(dev, DEVICE_ACTION_ADD); - apply = device_for_action(dev, DEVICE_ACTION_ADD) || - uid_is_valid(event->uid) || - gid_is_valid(event->gid) || - event->mode != MODE_INVALID; - return udev_node_add(dev, apply, event->mode, event->uid, event->gid, event->seclabel_list); + return udev_node_add(dev, apply_mac, event->mode, event->uid, event->gid, event->seclabel_list); } static void event_execute_rules_on_remove( diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c index 01cd2f408a..7e3447f7fa 100644 --- a/src/udev/udev-node.c +++ b/src/udev/udev-node.c @@ -26,6 +26,7 @@ #include "string-util.h" #include "strxcpyx.h" #include "udev-node.h" +#include "user-util.h" static int node_symlink(sd_device *dev, const char *node, const char *slink) { _cleanup_free_ char *slink_dirname = NULL, *target = NULL; @@ -270,13 +271,14 @@ int udev_node_update_old_links(sd_device *dev, sd_device *dev_old) { return 0; } -static int node_permissions_apply(sd_device *dev, bool apply, +static int node_permissions_apply(sd_device *dev, bool apply_mac, mode_t mode, uid_t uid, gid_t gid, OrderedHashmap *seclabel_list) { const char *devnode, *subsystem, *id_filename = NULL; struct stat stats; dev_t devnum; - int r = 0; + bool apply_mode, apply_uid, apply_gid; + int r; assert(dev); @@ -299,21 +301,27 @@ static int node_permissions_apply(sd_device *dev, bool apply, if (lstat(devnode, &stats) < 0) return log_device_debug_errno(dev, errno, "cannot stat() node %s: %m", devnode); - if (((stats.st_mode & S_IFMT) != (mode & S_IFMT)) || (stats.st_rdev != devnum)) - return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EEXIST), "Found node '%s' with non-matching devnum %s, skip handling", + if ((mode != MODE_INVALID && (stats.st_mode & S_IFMT) != (mode & S_IFMT)) || stats.st_rdev != devnum) + return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EEXIST), + "Found node '%s' with non-matching devnum %s, skip handling", devnode, id_filename); - if (apply) { + apply_mode = mode != MODE_INVALID && (stats.st_mode & 0777) != (mode & 0777); + apply_uid = uid_is_valid(uid) && stats.st_uid != uid; + apply_gid = gid_is_valid(gid) && stats.st_gid != gid; + + if (apply_mode || apply_uid || apply_gid || apply_mac) { bool selinux = false, smack = false; const char *name, *label; Iterator i; - if ((stats.st_mode & 0777) != (mode & 0777) || stats.st_uid != uid || stats.st_gid != gid) { + if (apply_mode || apply_uid || apply_gid) { log_device_debug(dev, "Setting permissions %s, %#o, uid=%u, gid=%u", devnode, mode, uid, gid); r = chmod_and_chown(devnode, mode, uid, gid); if (r < 0) - log_device_warning_errno(dev, r, "Failed to set owner/mode of %s to uid=" UID_FMT ", gid=" GID_FMT ", mode=%#o: %m", devnode, uid, gid, mode); + log_device_warning_errno(dev, r, "Failed to set owner/mode of %s to uid=" UID_FMT ", gid=" GID_FMT ", mode=%#o: %m", + devnode, uid, gid, mode); } else log_device_debug(dev, "Preserve permissions of %s, %#o, uid=%u, gid=%u", devnode, mode, uid, gid); |