linux-hotplug.vger.kernel.org archive mirror
* selectively disabling ACLs
@ 2009-08-05 14:16 Bill Nottingham
  2009-08-05 16:27 ` Kay Sievers
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Bill Nottingham @ 2009-08-05 14:16 UTC (permalink / raw)
  To: linux-hotplug

In the old HAL days, it was reasonable to configure which devices
would and would not get ownership/ACLs applied at the system level,
as HAL contained system level customization (via FDIs) to set this.

As I look at the current code in udev, I don't see a good way to
override this. The only infrastructure is a 70-acl.rules file
that has:

...
# optical drives
SUBSYSTEM=="block", ENV{ID_CDROM}=="1", ENV{ACL_MANAGE}="1"

# sound devices
SUBSYSTEM=="sound", ENV{ACL_MANAGE}="1"
...
# apply ACL for all locally logged in users
LABEL="acl_apply", ENV{ACL_MANAGE}=="?*",
# TEST=="/var/run/ConsoleKit/database", \
  RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"

...

The only way I can see to disable ACLs, for, say, a webcam, would
be to write a rule that runs *before* this rules file, that sets
last_rule. That's quite a hack.

Is there a better way to set this that I don't see?

Bill


* Re: selectively disabling ACLs
From: Kay Sievers @ 2009-08-05 16:27 UTC (permalink / raw)
  To: linux-hotplug

On Wed, Aug 5, 2009 at 16:16, Bill Nottingham<notting@redhat.com> wrote:
> In the old HAL days, it was reasonable to configure which devices
> would and would not get ownership/ACLs applied at the system level,
> as HAL contained system level customization (via FDIs) to set this.
>
> As I look at the current code in udev, I don't see a good way to
> override this. The only infrastructure is a 70-acl.rules file
> that has:
>
> ...
> # optical drives
> SUBSYSTEM=="block", ENV{ID_CDROM}=="1", ENV{ACL_MANAGE}="1"
>
> # sound devices
> SUBSYSTEM=="sound", ENV{ACL_MANAGE}="1"
> ...
> # apply ACL for all locally logged in users
> LABEL="acl_apply", ENV{ACL_MANAGE}=="?*",
> # TEST=="/var/run/ConsoleKit/database", \
>  RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"
>
> ...
>
> The only way I can see to disable ACLs, for, say, a webcam, would
> be to write a rule that runs *before* this rules file, that sets
> last_rule. That's quite a hack.
>
> Is there a better way to set this that I don't see?

I guess the current logic could just check ACL_MANAGE=0, and skip the
device if that is set?

Kay


* Re: selectively disabling ACLs
From: Matthias Schwarzott @ 2009-08-05 16:47 UTC (permalink / raw)
  To: linux-hotplug

On Wednesday, 5 August 2009, Kay Sievers wrote:
> On Wed, Aug 5, 2009 at 16:16, Bill Nottingham<notting@redhat.com> wrote:
> > In the old HAL days, it was reasonable to configure which devices
> > would and would not get ownership/ACLs applied at the system level,
> > as HAL contained system level customization (via FDIs) to set this.
> >
> > As I look at the current code in udev, I don't see a good way to
> > override this. The only infrastructure is a 70-acl.rules file
> > that has:
> >
> > ...
> > # optical drives
> > SUBSYSTEM=="block", ENV{ID_CDROM}=="1", ENV{ACL_MANAGE}="1"
> >
> > # sound devices
> > SUBSYSTEM=="sound", ENV{ACL_MANAGE}="1"
> > ...
> > # apply ACL for all locally logged in users
> > LABEL="acl_apply", ENV{ACL_MANAGE}=="?*",
> > # TEST=="/var/run/ConsoleKit/database", \
> >  RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"
> >
> > ...
> >
> > The only way I can see to disable ACLs, for, say, a webcam, would
> > be to write a rule that runs *before* this rules file, that sets
> > last_rule. That's quite a hack.
> >
> > Is there a better way to set this that I don't see?
>
> I guess the current logic could just check ACL_MANAGE=0, and skip the
> device if that is set?
>
Then one has to copy possibly complicated matching logic just to revert the 
result.
Why not let the match rules set some kind of ACL_CLASS to some user friendly 
name. (examples: block, sound, ptp, mtp, scanner, printer, optical, v4l, 
dvb, ...)

That way one can add rules like this to disable acl for joysticks
ENV{ACL_MANAGE}=="1", ENV{ACL_CLASS}=="joystick", ENV{ACL_MANAGE}="0"

Matthias


* Re: selectively disabling ACLs
From: Bill Nottingham @ 2009-08-05 16:48 UTC (permalink / raw)
  To: linux-hotplug

Matthias Schwarzott (zzam@gentoo.org) said: 
> Then one has to copy possibly complicated matching logic just to revert the 
> result.
> Why not let the match rules set some kind of ACL_CLASS to some user friendly 
> name. (examples: block, sound, ptp, mtp, scanner, printer, optical, v4l, 
> dvb, ...)
> 
> That way one can add rules like this to disable acl for joysticks
> ENV{ACL_MANAGE}=="1", ENV{ACL_CLASS}=="joystick", ENV{ACL_MANAGE}="0"

Given that it's in the same rule file now, you'd need to split what's
currently there so you have a chance to set this.

Bill


* Re: selectively disabling ACLs
From: Kay Sievers @ 2009-08-05 18:29 UTC (permalink / raw)
  To: linux-hotplug

On Wed, Aug 5, 2009 at 18:47, Matthias Schwarzott<zzam@gentoo.org> wrote:
> On Wednesday, 5 August 2009, Kay Sievers wrote:
>> I guess the current logic could just check ACL_MANAGE=0, and skip the
>> device if that is set?
>>
> Then one has to copy possibly complicated matching logic just to revert the
> result.
> Why not let the match rules set some kind of ACL_CLASS to some user friendly
> name. (examples: block, sound, ptp, mtp, scanner, printer, optical, v4l,
> dvb, ...)
>
> That way one can add rules like this to disable acl for joysticks
> ENV{ACL_MANAGE}=="1", ENV{ACL_CLASS}=="joystick", ENV{ACL_MANAGE}="0"

For now, that all should be as simple as possible, and not spread
around packages with magic properties. It will likely change all with
the upcoming multi-seat support, which needs its own configuration and
which could define such facility.

Thanks,
Kay
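
The ordering problem discussed in this thread, as an added illustration that is not part of any message above and is not udev code: a toy Python model of rule evaluation comparing an early opt-out, a guard on ACL_MANAGE=0, and an ACL_CLASS override. The video4linux rule, the ACL_CLASS values, the guard and the "apply only if 1" rule are assumptions made for the sketch.

```python
# Toy model of udev rule ordering (a simplification, not udev's parser).
# A rule is (match, assign, action); action is None, "run" (the udev-acl
# RUN+= line) or "stop" (stands in for last_rule or a GOTO past the ACL rules).

def rule_matches(env, match):
    for key, want in match.items():
        have = env.get(key, "")
        if (want == "?*" and not have) or (want != "?*" and have != want):
            return False
    return True

def acl_applied(rules, device):
    """Return True if the udev-acl helper would be run for this device."""
    env = dict(device)
    for match, assign, action in rules:
        if not rule_matches(env, match):
            continue
        env.update(assign)          # plain "=" assignment overwrites earlier values
        if action == "stop":
            return False
        if action == "run":
            return True
    return False

# Constructed rule sets; the v4l rule and ACL_CLASS values are assumptions.
CLASSIFY = [({"SUBSYSTEM": "sound"}, {"ACL_MANAGE": "1", "ACL_CLASS": "sound"}, None),
            ({"SUBSYSTEM": "video4linux"}, {"ACL_MANAGE": "1", "ACL_CLASS": "v4l"}, None)]
APPLY_ANY = [({"ACL_MANAGE": "?*"}, {}, "run")]        # the check quoted in the thread
APPLY_IF_1 = [({"ACL_MANAGE": "1"}, {}, "run")]        # hypothetical: "0" means skip
SET_0_EARLY = [({"SUBSYSTEM": "video4linux"}, {"ACL_MANAGE": "0"}, None)]
GUARD_0 = [({"ACL_MANAGE": "0"}, {}, "stop")]          # hypothetical guard before CLASSIFY
CLASS_OFF = [({"ACL_MANAGE": "1", "ACL_CLASS": "v4l"}, {"ACL_MANAGE": "0"}, None)]

WEBCAM = {"SUBSYSTEM": "video4linux", "DEVNAME": "/dev/video0"}   # constructed sample
SOUND = {"SUBSYSTEM": "sound", "DEVNAME": "/dev/snd/controlC0"}   # constructed sample

def scenarios(device):
    return {
        "stock": acl_applied(CLASSIFY + APPLY_ANY, device),
        "set 0 early, no guard": acl_applied(SET_0_EARLY + CLASSIFY + APPLY_IF_1, device),
        "set 0 early, guard": acl_applied(SET_0_EARLY + GUARD_0 + CLASSIFY + APPLY_ANY, device),
        "class override before classify": acl_applied(CLASS_OFF + CLASSIFY + APPLY_IF_1, device),
        "class override after classify": acl_applied(CLASSIFY + CLASS_OFF + APPLY_IF_1, device),
    }

if __name__ == "__main__":
    for name, dev in (("webcam", WEBCAM), ("sound", SOUND)):
        print(name, scenarios(dev))
```

In this model the early opt-out survives only when a guard runs before the class rules overwrite it, and the class-based override takes effect only when it sits between the class rules and the apply rule, which is the file split mentioned in the thread.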

