* Add user ACLs for /dev/rfkill
@ 2009-07-31 10:58 Harald Hoyer
2009-07-31 11:47 ` Marcel Holtmann
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Harald Hoyer @ 2009-07-31 10:58 UTC
To: linux-hotplug
[-- Attachment #1: Type: text/plain, Size: 0 bytes --]
[-- Attachment #2: 0001-70-acl.rules-add-rfkill-switch.patch --]
[-- Type: text/plain, Size: 1049 bytes --]
From 6e4ceb8205a7027b750d0cf1477834e91341e502 Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Fri, 31 Jul 2009 12:55:49 +0200
Subject: [PATCH] 70-acl.rules: add rfkill switch
For gnome-bluetooth's killswitch code to work, the user on the local
console needs to have access to /dev/rfkill.
see https://bugzilla.redhat.com/show_bug.cgi?id=514798
---
| 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
--git a/extras/udev-acl/70-acl.rules b/extras/udev-acl/70-acl.rules
index f41bb66..85ea8a1 100644
--- a/extras/udev-acl/70-acl.rules
+++ b/extras/udev-acl/70-acl.rules
@@ -44,6 +44,9 @@ SUBSYSTEM=="misc", KERNEL=="kvm", ENV{ACL_MANAGE}="1"
# smart-card readers
ENV{ID_SMARTCARD_READER}=="*?", ENV{ACL_MANAGE}="1"
+# rfkill switch
+KERNEL=="rfkill", ENV{ACL_MANAGE}="1"
+
# apply ACL for all locally logged in users
LABEL="acl_apply", ENV{ACL_MANAGE}=="?*", TEST=="/var/run/ConsoleKit/database", \
RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"
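Review bot: The added `KERNEL=="rfkill"` rule sets ACL_MANAGE, so the `acl_apply` line that follows runs udev-acl on the device for all locally logged-in users, while the commit message only motivates gnome-bluetooth's killswitch code. The `# rfkill switch` comment should say that the rule gives console users access to /dev/rfkill and why, and the commit message should state whether that access is meant to cover switches other than the Bluetooth one.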
--
1.6.2.5
* Re: Add user ACLs for /dev/rfkill
From: Marcel Holtmann @ 2009-07-31 11:47 UTC
To: linux-hotplug
Hi Harald,
> From 6e4ceb8205a7027b750d0cf1477834e91341e502 Mon Sep 17 00:00:00 2001
> From: Harald Hoyer <harald@redhat.com>
> Date: Fri, 31 Jul 2009 12:55:49 +0200
> Subject: [PATCH] 70-acl.rules: add rfkill switch
do you mind using git send-email instead of just attaching the patch
without any email body?
> For gnome-bluetooth's killswitch code to work, the user on the local
> console needs to have access to /dev/rfkill.
>
> see https://bugzilla.redhat.com/show_bug.cgi?id=514798
> ---
> extras/udev-acl/70-acl.rules | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/extras/udev-acl/70-acl.rules
> b/extras/udev-acl/70-acl.rules
> index f41bb66..85ea8a1 100644
> --- a/extras/udev-acl/70-acl.rules
> +++ b/extras/udev-acl/70-acl.rules
> @@ -44,6 +44,9 @@ SUBSYSTEM="misc", KERNEL="kvm",
> ENV{ACL_MANAGE}="1"
> # smart-card readers
> ENV{ID_SMARTCARD_READER}="*?", ENV{ACL_MANAGE}="1"
>
> +# rfkill switch
> +KERNEL="rfkill", ENV{ACL_MANAGE}="1"
> +
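Review bot: The rfkill rule matches on KERNEL alone, while the kvm rule in this hunk's context also pins SUBSYSTEM. Add the subsystem of the /dev/rfkill node to the match so that only that device node gets ACL_MANAGE set, and not any other device that happens to carry the kernel name rfkill.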
I am not convinced this is the right way to do it. Exposing the RFKILL
control to the console user might be wrong.
Regards
Marcel
* Re: Add user ACLs for /dev/rfkill
From: Harald Hoyer @ 2009-08-07 12:27 UTC
To: linux-hotplug
Kay?
* Re: Add user ACLs for /dev/rfkill
From: Kay Sievers @ 2009-08-07 12:38 UTC
To: linux-hotplug
On Fri, Aug 7, 2009 at 14:27, Harald Hoyer<harald@redhat.com> wrote:
> Kay?
What's the use case an unprivileged user will need this? It's more
that NetworkManager and such will interact with that, right?
Kay
* Re: Add user ACLs for /dev/rfkill
From: Bill Nottingham @ 2009-08-07 14:22 UTC
To: linux-hotplug
Kay Sievers (kay.sievers@vrfy.org) said:
> On Fri, Aug 7, 2009 at 14:27, Harald Hoyer<harald@redhat.com> wrote:
> > Kay?
>
> What's the use case an unprivileged user will need this? It's more
> that NetworkManager and such will interact with that, right?
The bluetooth radio itself is not necessarily a NM-managed object; it's
managed by gnome-bluetooth or similar stacks.
My concern about making it user accessible is it makes it harder for
an administrator to lock down the device if the user can then just
unlock it. But perhaps that's better done at the modprobe level
(not that that works sanely now.)
Bill
* Re: Add user ACLs for /dev/rfkill
From: Marcel Holtmann @ 2009-08-07 17:30 UTC
To: linux-hotplug
Hi Bill,
> > > Kay?
> >
> > What's the use case an unprivileged user will need this? It's more
> > that NetworkManager and such will interact with that, right?
>
> The bluetooth radio itself is not necessarily a NM-managed object; it's
> managed by gnome-bluetooth or similar stacks.
the Bluetooth radio is not managed by gnome-bluetooth. It is managed by
bluetoothd. The gnome-bluetooth is just UI code. I object against having
UI code control RFKILL switches directly without proper policy and
access management in between.
> My concern about making it user accessible is it makes it harder for
> an administrator to lock down the device if the user can then just
> unlock it. But perhaps that's better done at the modprobe level
> (not that that works sanely now.)
Exactly. We can not just give a user control over all RFKILL switches.
If you wanna do that in a generic way, you better have a D-Bus enabled
RFKILL daemon that integrates with PolicyKit or use something like
ConnMan which already does this.
Regards
Marcel