[PATCH 0/3] Add input group and udev rule to fix rootless X

[PATCH 0/3] Add input group and udev rule to fix rootless X

[Darren Hart]

Fix [YOCTO 4164] (usb mouse and keyboard don't work at liveboot on atom-pc) by
adding an input group and a udev rule to make all /dev/input/* devices added to
the input group with g+rw permissions. Drop the o+rw setting from
xserver-nodm-init.

Tested on atom-pc from current poky master using core-image-sato.

Thanks,

Darren

The following changes since commit 92aeb31341b28b193d616ab5cf38af1b9673e37d:

  qemuimage-testlib: Fix quoting issue (2013-03-30 17:26:56 +0000)

are available in the git repository at:
  git://git.yoctoproject.org/poky-contrib dvhart/xuser
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=dvhart/xuser

Darren Hart (3):
  base-passwd: Add input group
  udev: Add rule adding input devices to input group
  xserver-nodm-init: Add xuser to input group

 .../base-passwd/base-passwd-3.5.26/input.patch     |   22 ++++++++++++++++++++
 .../recipes-core/base-passwd/base-passwd_3.5.26.bb |    5 ++-
 meta/recipes-core/udev/udev/local.rules            |    2 +
 meta/recipes-core/udev/udev_182.bb                 |    2 +-
 .../x11-common/xserver-nodm-init.bb                |    4 +-
 .../x11-common/xserver-nodm-init/xserver-nodm      |    1 -
 6 files changed, 30 insertions(+), 6 deletions(-)
 create mode 100644 meta/recipes-core/base-passwd/base-passwd-3.5.26/input.patch

-- 
1.7.5.4

[PATCH 1/3] base-passwd: Add input group

[Darren Hart]

Fixes [YOCTO 4164](1/3)

Add input group for the /dev/input/* devices. This is needed for
rootless X without adding a security hole by making the device o+rw.

Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Cc: Saul Wold <sgw@linux.intel.com>
---
 .../base-passwd/base-passwd-3.5.26/input.patch     |   22 ++++++++++++++++++++
 .../recipes-core/base-passwd/base-passwd_3.5.26.bb |    5 ++-
 2 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-core/base-passwd/base-passwd-3.5.26/input.patch

diff --git a/meta/recipes-core/base-passwd/base-passwd-3.5.26/input.patch b/meta/recipes-core/base-passwd/base-passwd-3.5.26/input.patch
new file mode 100644
index 0000000..f1bfc2f
--- /dev/null
+++ b/meta/recipes-core/base-passwd/base-passwd-3.5.26/input.patch
@@ -0,0 +1,22 @@
+Add an input group for the /dev/input/* devices.
+
+Upstream-Status: Invalid [configuration]
+
+Signed-off-by: Darren Hart <dvhart@linux.intel.com>
+
+---
+ group.master |    1 +
+ 1 file changed, 1 insertion(+)
+
+Index: base-passwd-3.5.26/group.master
+===================================================================
+--- base-passwd-3.5.26.orig/group.master
++++ base-passwd-3.5.26/group.master
+@@ -12,6 +12,7 @@ uucp:*:10:
+ man:*:12:
+ proxy:*:13:
+ kmem:*:15:
++input:*:19:
+ dialout:*:20:
+ fax:*:21:
+ voice:*:22:
diff --git a/meta/recipes-core/base-passwd/base-passwd_3.5.26.bb b/meta/recipes-core/base-passwd/base-passwd_3.5.26.bb
index febddcf..1c7e6b0 100644
--- a/meta/recipes-core/base-passwd/base-passwd_3.5.26.bb
+++ b/meta/recipes-core/base-passwd/base-passwd_3.5.26.bb
@@ -1,12 +1,13 @@
 SUMMARY = "Base system master password/group files."
 DESCRIPTION = "The master copies of the user database files (/etc/passwd and /etc/group).  The update-passwd tool is also provided to keep the system databases synchronized with these master files."
 SECTION = "base"
-PR = "r1"
+PR = "r2"
 LICENSE = "GPLv2+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a"
 
 SRC_URI = "${DEBIAN_MIRROR}/main/b/base-passwd/base-passwd_${PV}.tar.gz \
-           file://nobash.patch"
+           file://nobash.patch \
+           file://input.patch"
 
 SRC_URI[md5sum] = "74245e5c21dc74d9675c77cd8dfa02e6"
 SRC_URI[sha256sum] = "258a78317aa563143d10375c6e1e63a60898e503887f00fffd70b6b297c1b429"
-- 
1.7.5.4

[PATCH 2/3] udev: Add rule adding input devices to input group

[Darren Hart]

Fixes [YOCTO 4164](2/3)

Add all /dev/input/* devices to the input group with g+rw.  This is
needed for rootless X without adding a security hole by making the
device o+rw.

Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Cc: Saul Wold <sgw@linux.intel.com>
Cc: Radu Moisan <radu.moisan@intel.com>
---
 meta/recipes-core/udev/udev/local.rules |    2 ++
 meta/recipes-core/udev/udev_182.bb      |    2 +-
 2 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/meta/recipes-core/udev/udev/local.rules b/meta/recipes-core/udev/udev/local.rules
index 72d92ef..8ebcb2c 100644
--- a/meta/recipes-core/udev/udev/local.rules
+++ b/meta/recipes-core/udev/udev/local.rules
@@ -19,3 +19,5 @@ ACTION=="add", DEVPATH=="/devices/*", ENV{MODALIAS}=="?*", RUN+="/sbin/modprobe
 # Create a symlink to any touchscreen input device
 SUBSYSTEM=="input", KERNEL=="event[0-9]*", ATTRS{modalias}=="input:*-e0*,3,*a0,1,*18,*", SYMLINK+="input/touchscreen0"
 
+# Make all input devices read-write to the input group
+SUBSYSTEM=="input", GROUP="input", MODE="660"
diff --git a/meta/recipes-core/udev/udev_182.bb b/meta/recipes-core/udev/udev_182.bb
index 42b4d08..d66292e 100644
--- a/meta/recipes-core/udev/udev_182.bb
+++ b/meta/recipes-core/udev/udev_182.bb
@@ -1,6 +1,6 @@
 include udev.inc
 
-PR = "r6"
+PR = "r7"
 
 # module-init-tools from kmod_git will provide libkmod runtime
 DEPENDS += "module-init-tools"
-- 
1.7.5.4

[PATCH 3/3] xserver-nodm-init: Add xuser to input group

[Darren Hart]

Fixes [YOCTO 4164](3/3)

Input devices come and go, so a single chmod in this init script is not
adequate to ensure rootless X servers can use input devices.

The o+rw method also introduces a security hole.

The newly added input group and input udev rule address this in a secure
way. Ensure the xuser is added to the input group.

Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Cc: Saul Wold <sgw@linux.intel.com>
Cc: Laurentiu Palcu <laurentiu.palcu@intel.com>
---
 .../x11-common/xserver-nodm-init.bb                |    4 ++--
 .../x11-common/xserver-nodm-init/xserver-nodm      |    1 -
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init.bb b/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
index eab76c5..d2797a9 100644
--- a/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
@@ -2,7 +2,7 @@ DESCRIPTION = "Simple Xserver Init Script (no dm)"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
 SECTION = "x11"
-PR = "r30"
+PR = "r31"
 RDEPENDS_${PN} = "sudo"
 
 SRC_URI = "file://xserver-nodm \
@@ -34,6 +34,6 @@ INITSCRIPT_PARAMS = "start 9 5 2 . stop 20 0 1 6 ."
 # USERADD_PARAM is in sync with the one in connman.inc
 USERADD_PACKAGES = "${PN}"
 USERADD_PARAM_${PN} = "--create-home \
-                       --groups video,tty,audio \
+                       --groups video,tty,audio,input \
                        --user-group xuser"
 
diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
index e790fb0..f6692a8 100755
--- a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
@@ -33,7 +33,6 @@ case "$1" in
            # setting for rootless X
            chmod o+w /var/log
            chmod g+r /dev/tty[0-3]
-           chmod o+rw /dev/input/*
            # hidraw device is probably needed
            if [ -e /dev/hidraw0 ]; then
                chmod o+rw /dev/hidraw*
-- 
1.7.5.4

Re: [PATCH 0/3] Add input group and udev rule to fix rootless X

[Ross Burton]

On Tuesday, 2 April 2013 at 23:42, Darren Hart wrote:
> udev: Add rule adding input devices to input group

Please put this in udev-extraconf so that systemd's udev can use it too.

Ross 

Re: [PATCH 0/3] Add input group and udev rule to fix rootless X

[Darren Hart]

On 04/03/2013 01:09 AM, Ross Burton wrote:
> On Tuesday, 2 April 2013 at 23:42, Darren Hart wrote:
>> udev: Add rule adding input devices to input group
> 
> Please put this in udev-extraconf so that systemd's udev can use it too.

OK, will do.

-- 
Darren Hart
Intel Open Source Technology Center
Yocto Project - Technical Lead - Linux Kernel

Re: [PATCH 0/3] Add input group and udev rule to fix rootless X

[Darren Hart]

On 04/03/2013 01:09 AM, Ross Burton wrote:
> On Tuesday, 2 April 2013 at 23:42, Darren Hart wrote:
>> udev: Add rule adding input devices to input group
> 
> Please put this in udev-extraconf so that systemd's udev can use it too.

Do you mean instead of udev? I didn't see udev-extraconf in the package
built for core-image-sato for atom-pc...


-- 
Darren Hart
Intel Open Source Technology Center
Yocto Project - Technical Lead - Linux Kernel

Re: [PATCH 0/3] Add input group and udev rule to fix rootless X

[Darren Hart]

On 04/03/2013 11:37 AM, Darren Hart wrote:
> On 04/03/2013 01:09 AM, Ross Burton wrote:
>> On Tuesday, 2 April 2013 at 23:42, Darren Hart wrote:
>>> udev: Add rule adding input devices to input group
>>
>> Please put this in udev-extraconf so that systemd's udev can use it too.
> 
> Do you mean instead of udev? I didn't see udev-extraconf in the package
> built for core-image-sato for atom-pc...

Uh, never mind me, looking in the arch dir instead of the all dir.
Nothing to see here, move it along...

-- 
Darren Hart
Intel Open Source Technology Center
Yocto Project - Technical Lead - Linux Kernel

Re: [PATCH 0/3] Add input group and udev rule to fix rootless X

[Burton, Ross]

On 3 April 2013 19:37, Darren Hart <dvhart@linux.intel.com> wrote:
>>> udev: Add rule adding input devices to input group
>>
>> Please put this in udev-extraconf so that systemd's udev can use it too.
>
> Do you mean instead of udev? I didn't see udev-extraconf in the package
> built for core-image-sato for atom-pc...

Yes, udev-extraconf is in recipes-core/udev/ and is where the
automount helpers go, so it's recommended by both traditional udev and
systemd's udev already.

Ross