mirror of
https://github.com/systemd/systemd
synced 2026-03-13 08:34:47 +01:00
Compare commits
No commits in common. "5276ef1548d6cda3ba22270a7a153334c1815e33" and "8fe50c025b36da43c1e95343d3cc08dd757b1cad" have entirely different histories.
5276ef1548
...
8fe50c025b
@ -1246,8 +1246,6 @@ node /org/freedesktop/login1/session/1 {
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
|
||||
readonly s RemoteUser = '...';
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
|
||||
readonly b ExtraDeviceAccess = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
|
||||
readonly s Service = '...';
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
|
||||
readonly s Desktop = '...';
|
||||
@ -1350,8 +1348,6 @@ node /org/freedesktop/login1/session/1 {
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="RemoteUser"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="ExtraDeviceAccess"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="Service"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="Desktop"/>
|
||||
@ -1541,10 +1537,6 @@ node /org/freedesktop/login1/session/1 {
|
||||
<para><varname>RemoteHost</varname> and <varname>RemoteUser</varname> encode the remote host and user
|
||||
if this is a remote session, or an empty string otherwise.</para>
|
||||
|
||||
<para><varname>ExtraDeviceAccess</varname> encodes whether the session is granted access to additional
|
||||
hardware devices, typically useful for for graphical, remote session. If true, the session is granted
|
||||
access to all devices tagged with <literal>xaccess</literal> in udev.</para>
|
||||
|
||||
<para><varname>Service</varname> encodes the PAM service name that registered the session.</para>
|
||||
|
||||
<para><varname>Desktop</varname> describes the desktop environment running in the session (if
|
||||
@ -1679,7 +1671,6 @@ node /org/freedesktop/login1/session/1 {
|
||||
<para><function>SetTTY()</function> was added in version 254.</para>
|
||||
<para><function>SetClass()</function> was added in version 256.</para>
|
||||
<para><varname>LeaderPIDFDId</varname> was added in version 258.</para>
|
||||
<para><varname>ExtraDeviceAccess</varname> was added in version 260.</para>
|
||||
</refsect2>
|
||||
</refsect1>
|
||||
|
||||
|
||||
@ -404,17 +404,6 @@
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v258"/></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>$XDG_SESSION_EXTRA_DEVICE_ACCESS</varname></term>
|
||||
|
||||
<listitem><para>Whether or not the session shall be granted additional hardware device access,
|
||||
typically useful for graphical, remote session. If true, the session is granted access to all
|
||||
devices tagged with <literal>xaccess</literal> in udev. Typically, rendering device nodes of
|
||||
the GPU are tagged like this.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v260"/></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>If not set, <command>pam_systemd</command> will initialize
|
||||
|
||||
@ -182,25 +182,6 @@
|
||||
<xi:include href="version-info.xml" xpointer="v235"/></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Tag <literal>uaccess</literal></term>
|
||||
|
||||
<listitem><para>When set, access to this device is tied to an active seat.
|
||||
As the session on the seat becomes active or inactive, access to the device
|
||||
is updated accordingly.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Tag <literal>xaccess</literal></term>
|
||||
|
||||
<listitem><para>When set, access to this device is granted to sessions
|
||||
created with <literal>ExtraDeviceAccess</literal>. This is typically useful
|
||||
for graphical, remote sessions. As the <literal>ExtraDeviceAccess</literal>
|
||||
sessions open and close, access to the device is updated accordingly.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v260"/></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Property <varname>ID_SEAT</varname></term>
|
||||
|
||||
|
||||
@ -34,7 +34,6 @@
|
||||
<refname>sd_session_get_remote_host</refname>
|
||||
<refname>sd_session_get_remote_user</refname>
|
||||
<refname>sd_session_get_leader</refname>
|
||||
<refname>sd_session_has_extra_device_access</refname>
|
||||
<refpurpose>Determine state of a specific session</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
@ -141,11 +140,6 @@
|
||||
<paramdef>const char *<parameter>session</parameter></paramdef>
|
||||
<paramdef>unsigned int *<parameter>vt</parameter></paramdef>
|
||||
</funcprototype>
|
||||
|
||||
<funcprototype>
|
||||
<funcdef>int <function>sd_session_has_extra_device_access</function></funcdef>
|
||||
<paramdef>const char *<parameter>session</parameter></paramdef>
|
||||
</funcprototype>
|
||||
</funcsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
@ -280,12 +274,6 @@
|
||||
session identifier. This function will return an error if the seat
|
||||
does not support VTs.</para>
|
||||
|
||||
<para><function>sd_session_has_extra_device_access()</function> may
|
||||
be used to determine whether the session is granted access to
|
||||
additional hardware devices, typically useful for for graphical,
|
||||
remote session. If true, the session is granted access to all
|
||||
devices tagged with <literal>xaccess</literal> in udev.</para>
|
||||
|
||||
<para>If the <varname>session</varname> parameter of any of these
|
||||
functions is passed as <constant>NULL</constant>, the operation is
|
||||
executed for the session the calling process is a member of, if
|
||||
@ -296,10 +284,9 @@
|
||||
<title>Return Value</title>
|
||||
|
||||
<para>If the test succeeds,
|
||||
<function>sd_session_is_active()</function>,
|
||||
<function>sd_session_is_remote()</function>, and
|
||||
<function>sd_session_has_extra_device_access()</function>
|
||||
return a positive integer; if it fails, 0. On success,
|
||||
<function>sd_session_is_active()</function> and
|
||||
<function>sd_session_is_remote()</function> return a
|
||||
positive integer; if it fails, 0. On success,
|
||||
<function>sd_session_get_state()</function>,
|
||||
<function>sd_session_get_uid()</function>,
|
||||
<function>sd_session_get_username()</function>,
|
||||
@ -366,7 +353,6 @@
|
||||
<para><function>sd_session_get_username()</function>,
|
||||
<function>sd_session_get_start_time()</function>, and
|
||||
<function>sd_session_get_leader()</function> were added in version 254.</para>
|
||||
<para><function>sd_session_has_extra_device_access()</function> was added in version 260.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
|
||||
@ -46,7 +46,7 @@ SUBSYSTEM=="firewire", TEST=="units", ENV{IEEE1394_UNIT_FUNCTION_VIDEO}=="1", TA
|
||||
SUBSYSTEM=="drm", KERNEL=="card*", TAG+="uaccess"
|
||||
{% if GROUP_RENDER_UACCESS %}
|
||||
# DRI render nodes
|
||||
SUBSYSTEM=="drm", KERNEL=="renderD*", TAG+="uaccess", TAG+="xaccess"
|
||||
SUBSYSTEM=="drm", KERNEL=="renderD*", TAG+="uaccess"
|
||||
{% endif %}
|
||||
{% if DEV_KVM_UACCESS %}
|
||||
# KVM
|
||||
|
||||
@ -14,7 +14,7 @@ ENV{ID_SEAT}=="", IMPORT{parent}="ID_SEAT"
|
||||
|
||||
ENV{ID_SEAT}!="", TAG+="$env{ID_SEAT}"
|
||||
{% if HAVE_ACL %}
|
||||
TAG=="uaccess|xaccess", ENV{MAJOR}!="", RUN{builtin}+="uaccess"
|
||||
TAG=="uaccess", ENV{MAJOR}!="", RUN{builtin}+="uaccess"
|
||||
{% endif %}
|
||||
|
||||
LABEL="seat_late_end"
|
||||
|
||||
@ -697,7 +697,6 @@ int manager_default_environment(Manager *m) {
|
||||
"XDG_SESSION_CLASS",
|
||||
"XDG_SESSION_TYPE",
|
||||
"XDG_SESSION_DESKTOP",
|
||||
"XDG_SESSION_EXTRA_DEVICE_ACCESS",
|
||||
"XDG_SEAT",
|
||||
"XDG_VTNR");
|
||||
}
|
||||
|
||||
@ -1085,8 +1085,3 @@ global:
|
||||
sd_event_get_exit_on_idle;
|
||||
sd_varlink_is_connected;
|
||||
} LIBSYSTEMD_258;
|
||||
|
||||
LIBSYSTEMD_260 {
|
||||
global:
|
||||
sd_session_has_extra_device_access;
|
||||
} LIBSYSTEMD_259;
|
||||
|
||||
@ -677,25 +677,6 @@ _public_ int sd_session_is_remote(const char *session) {
|
||||
return parse_boolean(s);
|
||||
}
|
||||
|
||||
_public_ int sd_session_has_extra_device_access(const char *session) {
|
||||
_cleanup_free_ char *p = NULL, *s = NULL;
|
||||
int r;
|
||||
|
||||
r = file_of_session(session, &p);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = parse_env_file(/* f= */ NULL, p, "EXTRA_DEVICE_ACCESS", &s);
|
||||
if (r == -ENOENT)
|
||||
return -ENXIO;
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (isempty(s))
|
||||
return -ENODATA;
|
||||
|
||||
return parse_boolean(s);
|
||||
}
|
||||
|
||||
_public_ int sd_session_get_state(const char *session, char **ret_state) {
|
||||
_cleanup_free_ char *p = NULL, *s = NULL;
|
||||
int r;
|
||||
|
||||
@ -898,7 +898,6 @@ int manager_create_session(
|
||||
bool remote,
|
||||
const char *remote_user,
|
||||
const char *remote_host,
|
||||
bool extra_device_access,
|
||||
Session **ret_session) {
|
||||
|
||||
bool mangle_class = false;
|
||||
@ -1005,7 +1004,6 @@ int manager_create_session(
|
||||
|
||||
session->original_type = session->type = type;
|
||||
session->remote = remote;
|
||||
session->extra_device_access = extra_device_access;
|
||||
session->vtnr = vtnr;
|
||||
session->class = class;
|
||||
|
||||
@ -1229,7 +1227,6 @@ static int manager_create_session_by_bus(
|
||||
remote,
|
||||
remote_user,
|
||||
remote_host,
|
||||
/* extra_device_access= */ false,
|
||||
&session);
|
||||
if (r == -EBUSY)
|
||||
return sd_bus_error_set(error, BUS_ERROR_SESSION_BUSY, "Already running in a session or user slice");
|
||||
|
||||
@ -57,7 +57,6 @@ int manager_create_session(
|
||||
bool remote,
|
||||
const char *remote_user,
|
||||
const char *remote_host,
|
||||
bool extra_device_access,
|
||||
Session **ret_session);
|
||||
|
||||
extern const BusObjectImplementation manager_object;
|
||||
|
||||
@ -35,7 +35,6 @@
|
||||
#include "tmpfile-util.h"
|
||||
#include "udev-util.h"
|
||||
#include "user-record.h"
|
||||
#include "user-util.h"
|
||||
|
||||
int seat_new(Manager *m, const char *id, Seat **ret) {
|
||||
_cleanup_(seat_freep) Seat *s = NULL;
|
||||
@ -331,15 +330,14 @@ static int seat_trigger_devices(Seat *s) {
|
||||
static int static_node_acl(Seat *s) {
|
||||
#if HAVE_ACL
|
||||
int r, ret = 0;
|
||||
_cleanup_set_free_ Set *uids = NULL;
|
||||
uid_t uid;
|
||||
|
||||
assert(s);
|
||||
|
||||
if (s->active) {
|
||||
r = set_ensure_put(&uids, NULL, UID_TO_PTR(s->active->user->user_record->uid));
|
||||
if (r < 0)
|
||||
return log_oom();
|
||||
}
|
||||
if (s->active)
|
||||
uid = s->active->user->user_record->uid;
|
||||
else
|
||||
uid = 0;
|
||||
|
||||
_cleanup_closedir_ DIR *dir = opendir("/run/udev/static_node-tags/uaccess/");
|
||||
if (!dir) {
|
||||
@ -379,7 +377,7 @@ static int static_node_acl(Seat *s) {
|
||||
if (!ERRNO_IS_NEG_DEVICE_ABSENT_OR_EMPTY(r))
|
||||
log_debug_errno(r, "Failed to check if '/run/udev/static_node-tags/uaccess/%s' points to a static device node, ignoring: %m", de->d_name);
|
||||
|
||||
r = devnode_acl(fd, uids);
|
||||
r = devnode_acl(fd, uid);
|
||||
if (r >= 0 || r == -ENOENT)
|
||||
continue;
|
||||
|
||||
@ -387,11 +385,11 @@ static int static_node_acl(Seat *s) {
|
||||
_cleanup_free_ char *node = NULL;
|
||||
(void) fd_get_path(fd, &node);
|
||||
|
||||
if (!set_isempty(uids)) {
|
||||
if (uid != 0) {
|
||||
RET_GATHER(ret, log_debug_errno(r, "Failed to apply ACL on '%s': %m", node ?: de->d_name));
|
||||
|
||||
/* Better be safe than sorry and reset ACL */
|
||||
r = devnode_acl(fd, /* uids= */ NULL);
|
||||
r = devnode_acl(fd, /* uid= */ 0);
|
||||
if (r >= 0 || r == -ENOENT)
|
||||
continue;
|
||||
}
|
||||
|
||||
@ -985,7 +985,6 @@ static const sd_bus_vtable session_vtable[] = {
|
||||
SD_BUS_PROPERTY("Remote", "b", bus_property_get_bool, offsetof(Session, remote), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("RemoteHost", "s", NULL, offsetof(Session, remote_host), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("RemoteUser", "s", NULL, offsetof(Session, remote_user), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("ExtraDeviceAccess", "b", bus_property_get_bool, offsetof(Session, extra_device_access), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("Service", "s", NULL, offsetof(Session, service), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("Desktop", "s", NULL, offsetof(Session, desktop), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("Scope", "s", NULL, offsetof(Session, scope), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
|
||||
@ -9,7 +9,6 @@
|
||||
#include <unistd.h>
|
||||
|
||||
#include "sd-bus.h"
|
||||
#include "sd-device.h"
|
||||
#include "sd-event.h"
|
||||
#include "sd-messages.h"
|
||||
#include "sd-varlink.h"
|
||||
@ -19,7 +18,6 @@
|
||||
#include "bus-error.h"
|
||||
#include "bus-util.h"
|
||||
#include "daemon-util.h"
|
||||
#include "device-util.h"
|
||||
#include "devnum-util.h"
|
||||
#include "env-file.h"
|
||||
#include "errno-util.h"
|
||||
@ -278,46 +276,6 @@ static void session_save_devices(Session *s, FILE *f) {
|
||||
}
|
||||
}
|
||||
|
||||
static int trigger_xaccess(void) {
|
||||
int r;
|
||||
|
||||
_cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL;
|
||||
r = sd_device_enumerator_new(&e);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = sd_device_enumerator_add_match_tag(e, "xaccess");
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
FOREACH_DEVICE(e, d) {
|
||||
/* Verify that the tag is still in place. */
|
||||
r = sd_device_has_current_tag(d, "xaccess");
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (r == 0)
|
||||
continue;
|
||||
|
||||
/* In case people mistag devices without nodes, we need to ignore this. */
|
||||
r = sd_device_get_devname(d, NULL);
|
||||
if (r == -ENOENT)
|
||||
continue;
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
sd_id128_t uuid;
|
||||
r = sd_device_trigger_with_uuid(d, SD_DEVICE_CHANGE, &uuid);
|
||||
if (r < 0) {
|
||||
log_device_debug_errno(d, r, "Failed to trigger 'change' event, ignoring: %m");
|
||||
continue;
|
||||
}
|
||||
|
||||
log_device_debug(d, "Triggered synthetic event (ACTION=change, UUID=%s).", SD_ID128_TO_UUID_STRING(uuid));
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int session_save(Session *s) {
|
||||
int r;
|
||||
|
||||
@ -349,14 +307,12 @@ int session_save(Session *s) {
|
||||
"IS_DISPLAY=%s\n"
|
||||
"STATE=%s\n"
|
||||
"REMOTE=%s\n"
|
||||
"EXTRA_DEVICE_ACCESS=%s\n"
|
||||
"LEADER_FD_SAVED=%s\n",
|
||||
s->user->user_record->uid,
|
||||
one_zero(session_is_active(s)),
|
||||
one_zero(s->user->display == s),
|
||||
session_state_to_string(session_get_state(s)),
|
||||
one_zero(s->remote),
|
||||
one_zero(s->extra_device_access),
|
||||
one_zero(s->leader_fd_saved));
|
||||
|
||||
env_file_fputs_assignment(f, "USER=", s->user->user_record->user_name);
|
||||
@ -497,7 +453,6 @@ static int session_load_leader(Session *s, uint64_t pidfdid) {
|
||||
|
||||
int session_load(Session *s) {
|
||||
_cleanup_free_ char *remote = NULL,
|
||||
*extra_device_access = NULL,
|
||||
*seat = NULL,
|
||||
*tty_validity = NULL,
|
||||
*vtnr = NULL,
|
||||
@ -524,7 +479,6 @@ int session_load(Session *s) {
|
||||
|
||||
r = parse_env_file(NULL, s->state_file,
|
||||
"REMOTE", &remote,
|
||||
"EXTRA_DEVICE_ACCESS", &extra_device_access,
|
||||
"SCOPE", &s->scope,
|
||||
"SCOPE_JOB", &s->scope_job,
|
||||
"FIFO", &fifo_path,
|
||||
@ -585,12 +539,6 @@ int session_load(Session *s) {
|
||||
s->remote = k;
|
||||
}
|
||||
|
||||
if (extra_device_access) {
|
||||
k = parse_boolean(extra_device_access);
|
||||
if (k >= 0)
|
||||
s->extra_device_access = k;
|
||||
}
|
||||
|
||||
if (vtnr)
|
||||
(void) safe_atou(vtnr, &s->vtnr);
|
||||
|
||||
@ -915,9 +863,6 @@ int session_start(Session *s, sd_bus_message *properties, sd_bus_error *error) {
|
||||
if (s->seat)
|
||||
(void) seat_save(s->seat);
|
||||
|
||||
if (s->extra_device_access)
|
||||
(void) trigger_xaccess();
|
||||
|
||||
/* Send signals */
|
||||
(void) session_send_signal(s, true);
|
||||
(void) user_send_changed(s->user, "Display");
|
||||
@ -1008,9 +953,6 @@ int session_stop(Session *s, bool force) {
|
||||
(void) session_save(s);
|
||||
(void) user_save(s->user);
|
||||
|
||||
if (s->extra_device_access)
|
||||
(void) trigger_xaccess();
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
|
||||
@ -121,7 +121,6 @@ typedef struct Session {
|
||||
char *remote_host;
|
||||
char *service;
|
||||
char *desktop;
|
||||
bool extra_device_access;
|
||||
|
||||
char *scope;
|
||||
char *scope_job;
|
||||
|
||||
@ -145,7 +145,6 @@ typedef struct CreateSessionParameters {
|
||||
int remote;
|
||||
const char *remote_user;
|
||||
const char *remote_host;
|
||||
bool extra_device_access;
|
||||
} CreateSessionParameters;
|
||||
|
||||
static void create_session_parameters_done(CreateSessionParameters *p) {
|
||||
@ -170,7 +169,6 @@ static int vl_method_create_session(sd_varlink *link, sd_json_variant *parameter
|
||||
{ "Remote", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_tristate, offsetof(CreateSessionParameters, remote), 0 },
|
||||
{ "RemoteUser", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, offsetof(CreateSessionParameters, remote_user), 0 },
|
||||
{ "RemoteHost", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, offsetof(CreateSessionParameters, remote_host), 0 },
|
||||
{ "ExtraDeviceAccess", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_stdbool, offsetof(CreateSessionParameters, extra_device_access), 0 },
|
||||
{}
|
||||
};
|
||||
|
||||
@ -180,7 +178,6 @@ static int vl_method_create_session(sd_varlink *link, sd_json_variant *parameter
|
||||
.class = _SESSION_CLASS_INVALID,
|
||||
.type = _SESSION_TYPE_INVALID,
|
||||
.remote = -1,
|
||||
.extra_device_access = false,
|
||||
};
|
||||
|
||||
r = sd_varlink_dispatch(link, parameters, dispatch_table, &p);
|
||||
@ -267,7 +264,6 @@ static int vl_method_create_session(sd_varlink *link, sd_json_variant *parameter
|
||||
p.remote,
|
||||
p.remote_user,
|
||||
p.remote_host,
|
||||
p.extra_device_access,
|
||||
&session);
|
||||
if (r == -EBUSY)
|
||||
return sd_varlink_error(link, "io.systemd.Login.AlreadySessionMember", /* parameters= */ NULL);
|
||||
|
||||
@ -814,7 +814,6 @@ typedef struct SessionContext {
|
||||
uint32_t vtnr;
|
||||
const char *tty;
|
||||
const char *display;
|
||||
bool extra_device_access;
|
||||
bool remote;
|
||||
const char *remote_user;
|
||||
const char *remote_host;
|
||||
@ -1149,8 +1148,7 @@ static int register_session(
|
||||
JSON_BUILD_PAIR_STRING_NON_EMPTY("Display", c->display),
|
||||
SD_JSON_BUILD_PAIR_BOOLEAN("Remote", c->remote),
|
||||
JSON_BUILD_PAIR_STRING_NON_EMPTY("RemoteUser", c->remote_user),
|
||||
JSON_BUILD_PAIR_STRING_NON_EMPTY("RemoteHost", c->remote_host),
|
||||
JSON_BUILD_PAIR_CONDITION_BOOLEAN(c->extra_device_access, "ExtraDeviceAccess", c->extra_device_access));
|
||||
JSON_BUILD_PAIR_STRING_NON_EMPTY("RemoteHost", c->remote_host));
|
||||
if (r < 0)
|
||||
return pam_syslog_errno(pamh, LOG_ERR, r,
|
||||
"Failed to issue io.systemd.Login.CreateSession varlink call: %m");
|
||||
@ -1317,10 +1315,6 @@ static int register_session(
|
||||
if (r != PAM_SUCCESS)
|
||||
return r;
|
||||
|
||||
r = update_environment(pamh, "XDG_SESSION_EXTRA_DEVICE_ACCESS", one_zero(c->extra_device_access));
|
||||
if (r != PAM_SUCCESS)
|
||||
return r;
|
||||
|
||||
r = update_environment(pamh, "XDG_SEAT", real_seat);
|
||||
if (r != PAM_SUCCESS)
|
||||
return r;
|
||||
@ -1787,7 +1781,6 @@ _public_ PAM_EXTERN int pam_sm_open_session(
|
||||
c.desktop = getenv_harder(pamh, "XDG_SESSION_DESKTOP", desktop_pam);
|
||||
c.area = getenv_harder(pamh, "XDG_AREA", area_pam);
|
||||
c.incomplete = getenv_harder_bool(pamh, "XDG_SESSION_INCOMPLETE", false);
|
||||
c.extra_device_access = getenv_harder_bool(pamh, "XDG_SESSION_EXTRA_DEVICE_ACCESS", false);
|
||||
|
||||
r = pam_get_data_many(
|
||||
pamh,
|
||||
|
||||
@ -8,7 +8,6 @@
|
||||
#include "errno-util.h"
|
||||
#include "extract-word.h"
|
||||
#include "fd-util.h"
|
||||
#include "set.h"
|
||||
#include "string-util.h"
|
||||
#include "strv.h"
|
||||
#include "user-util.h"
|
||||
@ -81,9 +80,8 @@ int dlopen_libacl(void) {
|
||||
DLSYM_ARG(acl_to_any_text));
|
||||
}
|
||||
|
||||
int devnode_acl(int fd, const Set *uids) {
|
||||
_cleanup_set_free_ Set *found = NULL;
|
||||
bool changed = false;
|
||||
int devnode_acl(int fd, uid_t uid) {
|
||||
bool changed = false, found = false;
|
||||
int r;
|
||||
|
||||
assert(fd >= 0);
|
||||
@ -109,12 +107,12 @@ int devnode_acl(int fd, const Set *uids) {
|
||||
if (tag != ACL_USER)
|
||||
continue;
|
||||
|
||||
if (!set_isempty(uids)) {
|
||||
if (uid > 0) {
|
||||
uid_t *u = sym_acl_get_qualifier(entry);
|
||||
if (!u)
|
||||
return -errno;
|
||||
|
||||
if (set_contains(uids, UID_TO_PTR(*u))) {
|
||||
if (*u == uid) {
|
||||
acl_permset_t permset;
|
||||
if (sym_acl_get_permset(entry, &permset) < 0)
|
||||
return -errno;
|
||||
@ -134,10 +132,7 @@ int devnode_acl(int fd, const Set *uids) {
|
||||
changed = true;
|
||||
}
|
||||
|
||||
r = set_ensure_put(&found, NULL, UID_TO_PTR(*u));
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
found = true;
|
||||
continue;
|
||||
}
|
||||
}
|
||||
@ -150,16 +145,7 @@ int devnode_acl(int fd, const Set *uids) {
|
||||
if (r < 0)
|
||||
return -errno;
|
||||
|
||||
void *p;
|
||||
SET_FOREACH(p, uids) {
|
||||
uid_t uid = PTR_TO_UID(p);
|
||||
|
||||
if (uid == 0)
|
||||
continue;
|
||||
|
||||
if (set_contains(found, UID_TO_PTR(uid)))
|
||||
continue;
|
||||
|
||||
if (!found && uid > 0) {
|
||||
if (sym_acl_create_entry(&acl, &entry) < 0)
|
||||
return -errno;
|
||||
|
||||
|
||||
@ -38,7 +38,7 @@ extern DLSYM_PROTOTYPE(acl_to_any_text);
|
||||
|
||||
int dlopen_libacl(void);
|
||||
|
||||
int devnode_acl(int fd, const Set *uids);
|
||||
int devnode_acl(int fd, uid_t uid);
|
||||
|
||||
int calc_acl_mask_if_needed(acl_t *acl_p);
|
||||
int add_base_acls_if_needed(acl_t *acl_p, const char *path);
|
||||
@ -89,7 +89,7 @@ static inline int dlopen_libacl(void) {
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
static inline int devnode_acl(int fd, const Set *uids) {
|
||||
static inline int devnode_acl(int fd, uid_t uid) {
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
|
||||
@ -65,10 +65,6 @@ static SD_VARLINK_DEFINE_METHOD(
|
||||
SD_VARLINK_DEFINE_INPUT(RemoteUser, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
|
||||
SD_VARLINK_FIELD_COMMENT("Host name of the remote host"),
|
||||
SD_VARLINK_DEFINE_INPUT(RemoteHost, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
|
||||
SD_VARLINK_FIELD_COMMENT("If true this session is granted access to additional hardware devices, "
|
||||
"typically useful for remote, graphical sessions. "
|
||||
"This adds access for all devices tagged with \"xaccess\" in udev."),
|
||||
SD_VARLINK_DEFINE_INPUT(ExtraDeviceAccess, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
|
||||
SD_VARLINK_FIELD_COMMENT("The identifier string of the session of the user."),
|
||||
SD_VARLINK_DEFINE_OUTPUT(Id, SD_VARLINK_STRING, 0),
|
||||
SD_VARLINK_FIELD_COMMENT("The runtime path ($XDG_RUNTIME_DIR) of the user."),
|
||||
|
||||
@ -150,9 +150,6 @@ int sd_session_is_active(const char *session);
|
||||
/* Return 1 if the session is remote. */
|
||||
int sd_session_is_remote(const char *session);
|
||||
|
||||
/* Return 1 if the session is granted extra device access. */
|
||||
int sd_session_has_extra_device_access(const char *session);
|
||||
|
||||
/* Get state from session. Possible states: online, active, closing.
|
||||
* This function is a more generic version of sd_session_is_active(). */
|
||||
int sd_session_get_state(const char *session, char **ret_state);
|
||||
|
||||
@ -3,23 +3,15 @@
|
||||
#include "sd-login.h"
|
||||
|
||||
#include "acl-util.h"
|
||||
#include "alloc-util.h"
|
||||
#include "device-util.h"
|
||||
#include "errno-util.h"
|
||||
#include "fd-util.h"
|
||||
#include "login-util.h"
|
||||
#include "set.h"
|
||||
#include "string-util.h"
|
||||
#include "strv.h"
|
||||
#include "udev-builtin.h"
|
||||
#include "user-util.h"
|
||||
|
||||
static int builtin_uaccess(UdevEvent *event, int argc, char *argv[]) {
|
||||
sd_device *dev = ASSERT_PTR(ASSERT_PTR(event)->dev);
|
||||
_cleanup_strv_free_ char **sessions = NULL;
|
||||
_cleanup_set_free_ Set *uids = NULL;
|
||||
uid_t uid;
|
||||
int r = 0, k;
|
||||
int r, k;
|
||||
|
||||
if (event->event_mode != EVENT_UDEV_WORKER) {
|
||||
log_device_debug(dev, "Running in test mode, skipping execution of 'uaccess' builtin command.");
|
||||
@ -41,62 +33,24 @@ static int builtin_uaccess(UdevEvent *event, int argc, char *argv[]) {
|
||||
return ignore ? 0 : fd;
|
||||
}
|
||||
|
||||
r = sd_device_has_tag(dev, "uaccess");
|
||||
if (r < 0)
|
||||
return log_device_error_errno(dev, r, "Failed to query uaccess tag: %m");
|
||||
|
||||
if (r > 0) {
|
||||
const char *seat;
|
||||
r = device_get_seat(dev, &seat);
|
||||
if (r < 0)
|
||||
return log_device_error_errno(dev, r, "Failed to get seat: %m");
|
||||
|
||||
uid_t uid;
|
||||
r = sd_seat_get_active(seat, /* ret_session= */ NULL, &uid);
|
||||
if (r < 0) {
|
||||
if (IN_SET(r, -ENXIO, -ENODATA))
|
||||
/* No active session on this seat */
|
||||
r = 0;
|
||||
else if (r < 0)
|
||||
log_device_error_errno(dev, r, "Failed to determine active user on seat %s, ignoring: %m", seat);
|
||||
else {
|
||||
if (set_ensure_put(&uids, NULL, UID_TO_PTR(uid)) < 0)
|
||||
return log_oom();
|
||||
}
|
||||
else
|
||||
log_device_error_errno(dev, r, "Failed to determine active user on seat %s: %m", seat);
|
||||
|
||||
goto reset;
|
||||
}
|
||||
|
||||
r = sd_device_has_tag(dev, "xaccess");
|
||||
if (r < 0)
|
||||
return log_device_error_errno(dev, r, "Failed to query device xaccess tag: %m");
|
||||
|
||||
if (r > 0) {
|
||||
r = sd_get_sessions(&sessions);
|
||||
if (r < 0)
|
||||
return log_device_error_errno(dev, r, "Failed to list sessions: %m");
|
||||
|
||||
STRV_FOREACH(s, sessions) {
|
||||
_cleanup_free_ char *state = NULL;
|
||||
if (sd_session_get_state(*s, &state) < 0) {
|
||||
log_device_debug_errno(dev, r, "Failed to query state for session %s, ignoring: %m", *s);
|
||||
continue;
|
||||
}
|
||||
if (streq(state, "closing"))
|
||||
continue;
|
||||
r = sd_session_has_extra_device_access(*s);
|
||||
if (r < 0) {
|
||||
log_device_debug_errno(dev, r, "Failed to query extra device access for session %s, ignoring: %m", *s);
|
||||
continue;
|
||||
}
|
||||
if (r == 0)
|
||||
continue;
|
||||
if (sd_session_get_uid(*s, &uid) < 0) {
|
||||
log_device_debug_errno(dev, r, "Failed to query uid for session %s, ignoring: %m", *s);
|
||||
continue;
|
||||
}
|
||||
if (set_ensure_put(&uids, NULL, UID_TO_PTR(uid)) < 0)
|
||||
return log_oom();
|
||||
}
|
||||
}
|
||||
|
||||
r = devnode_acl(fd, uids);
|
||||
r = devnode_acl(fd, uid);
|
||||
if (r < 0) {
|
||||
log_device_full_errno(dev, r == -ENOENT ? LOG_DEBUG : LOG_ERR, r, "Failed to apply ACL: %m");
|
||||
goto reset;
|
||||
@ -106,7 +60,7 @@ static int builtin_uaccess(UdevEvent *event, int argc, char *argv[]) {
|
||||
|
||||
reset:
|
||||
/* Better be safe than sorry and reset ACL */
|
||||
k = devnode_acl(fd, /* uids= */ NULL);
|
||||
k = devnode_acl(fd, /* uid= */ 0);
|
||||
if (k < 0)
|
||||
RET_GATHER(r, log_device_full_errno(dev, k == -ENOENT ? LOG_DEBUG : LOG_ERR, k, "Failed to flush ACLs: %m"));
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user