Openembedded Core Discussions
* [PATCH V2 0/3] Add input group and udev rule to fix rootless X
@ 2013-04-03 19:49 Darren Hart
  2013-04-03 19:49 ` [PATCH 1/3] base-passwd: Add input group Darren Hart
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Darren Hart @ 2013-04-03 19:49 UTC
  To: Richard Purdie, openembedded-core; +Cc: Darren Hart

Fix [YOCTO 4164] (usb mouse and keyboard don't work at liveboot on atom-pc) by
adding an input group and a udev rule to make all /dev/input/* devices added to
the input group with g+rw permissions. Drop the o+rw setting from
xserver-nodm-init.

Tested on atom-pc from current poky master using core-image-sato.

V2: Package the udev rule in udev-extraconf so systemd can use it also.

Thanks,

Darren


The following changes since commit 92aeb31341b28b193d616ab5cf38af1b9673e37d:

  qemuimage-testlib: Fix quoting issue (2013-03-30 17:26:56 +0000)

are available in the git repository at:
  git://git.yoctoproject.org/poky-contrib dvhart/xuser
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=dvhart/xuser

Darren Hart (3):
  base-passwd: Add input group
  udev-extraconf: Add rule adding input devices to input group
  xserver-nodm-init: Add xuser to input group

 .../base-passwd/base-passwd-3.5.26/input.patch     |   22 ++++++++++++++++++++
 .../recipes-core/base-passwd/base-passwd_3.5.26.bb |    5 ++-
 .../udev/udev-extraconf/localextra.rules           |    2 +
 meta/recipes-core/udev/udev-extraconf_1.0.bb       |    2 +-
 .../x11-common/xserver-nodm-init.bb                |    4 +-
 .../x11-common/xserver-nodm-init/xserver-nodm      |    1 -
 6 files changed, 30 insertions(+), 6 deletions(-)
 create mode 100644 meta/recipes-core/base-passwd/base-passwd-3.5.26/input.patch

-- 
1.7.5.4





* [PATCH 1/3] base-passwd: Add input group
  2013-04-03 19:49 [PATCH V2 0/3] Add input group and udev rule to fix rootless X Darren Hart
@ 2013-04-03 19:49 ` Darren Hart
  2013-04-03 19:49 ` [PATCH 2/3] udev-extraconf: Add rule adding input devices to " Darren Hart
  2013-04-03 19:49 ` [PATCH 3/3] xserver-nodm-init: Add xuser " Darren Hart
  2 siblings, 0 replies; 4+ messages in thread
From: Darren Hart @ 2013-04-03 19:49 UTC
  To: Richard Purdie, openembedded-core; +Cc: Darren Hart

Fixes [YOCTO 4164](1/3)

Add input group for the /dev/input/* devices. This is needed for
rootless X without adding a security hole by making the device o+rw.

Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Cc: Saul Wold <sgw@linux.intel.com>
---
 .../base-passwd/base-passwd-3.5.26/input.patch     |   22 ++++++++++++++++++++
 .../recipes-core/base-passwd/base-passwd_3.5.26.bb |    5 ++-
 2 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-core/base-passwd/base-passwd-3.5.26/input.patch

diff --git a/meta/recipes-core/base-passwd/base-passwd-3.5.26/input.patch b/meta/recipes-core/base-passwd/base-passwd-3.5.26/input.patch
new file mode 100644
index 0000000..f1bfc2f
--- /dev/null
+++ b/meta/recipes-core/base-passwd/base-passwd-3.5.26/input.patch
@@ -0,0 +1,22 @@
+Add an input group for the /dev/input/* devices.
+
+Upstream-Status: Invalid [configuration]
+
+Signed-off-by: Darren Hart <dvhart@linux.intel.com>
+
+---
+ group.master |    1 +
+ 1 file changed, 1 insertion(+)
+
+Index: base-passwd-3.5.26/group.master
+===================================================================
+--- base-passwd-3.5.26.orig/group.master
++++ base-passwd-3.5.26/group.master
+@@ -12,6 +12,7 @@ uucp:*:10:
+ man:*:12:
+ proxy:*:13:
+ kmem:*:15:
++input:*:19:
+ dialout:*:20:
+ fax:*:21:
+ voice:*:22:
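
Review bot: the `Upstream-Status: Invalid [configuration]` line in the new input.patch header does not use one of the status values OE-Core patches normally carry; `Inappropriate [configuration]` is the usual tag for a distro-specific change like this one. The header also gives no reason for choosing GID 19 in `input:*:19:`. A sentence saying it is a free static slot between kmem (15) and dialout (20) would help anyone who later has to reconcile it with an existing /etc/group.
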
diff --git a/meta/recipes-core/base-passwd/base-passwd_3.5.26.bb b/meta/recipes-core/base-passwd/base-passwd_3.5.26.bb
index febddcf..1c7e6b0 100644
--- a/meta/recipes-core/base-passwd/base-passwd_3.5.26.bb
+++ b/meta/recipes-core/base-passwd/base-passwd_3.5.26.bb
@@ -1,12 +1,13 @@
 SUMMARY = "Base system master password/group files."
 DESCRIPTION = "The master copies of the user database files (/etc/passwd and /etc/group).  The update-passwd tool is also provided to keep the system databases synchronized with these master files."
 SECTION = "base"
-PR = "r1"
+PR = "r2"
 LICENSE = "GPLv2+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a"
 
 SRC_URI = "${DEBIAN_MIRROR}/main/b/base-passwd/base-passwd_${PV}.tar.gz \
-           file://nobash.patch"
+           file://nobash.patch \
+           file://input.patch"
 
 SRC_URI[md5sum] = "74245e5c21dc74d9675c77cd8dfa02e6"
 SRC_URI[sha256sum] = "258a78317aa563143d10375c6e1e63a60898e503887f00fffd70b6b297c1b429"
-- 
1.7.5.4





* [PATCH 2/3] udev-extraconf: Add rule adding input devices to input group
  2013-04-03 19:49 [PATCH V2 0/3] Add input group and udev rule to fix rootless X Darren Hart
  2013-04-03 19:49 ` [PATCH 1/3] base-passwd: Add input group Darren Hart
@ 2013-04-03 19:49 ` Darren Hart
  2013-04-03 19:49 ` [PATCH 3/3] xserver-nodm-init: Add xuser " Darren Hart
  2 siblings, 0 replies; 4+ messages in thread
From: Darren Hart @ 2013-04-03 19:49 UTC
  To: Richard Purdie, openembedded-core; +Cc: Darren Hart

Fixes [YOCTO 4164](2/3)

Add all /dev/input/* devices to the input group with g+rw.  This is
needed for rootless X without adding a security hole by making the
device o+rw.

Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Cc: Saul Wold <sgw@linux.intel.com>
Cc: Radu Moisan <radu.moisan@intel.com>
Cc: Ross Burton <ross.burton@intel.com>
---
 .../udev/udev-extraconf/localextra.rules           |    2 ++
 meta/recipes-core/udev/udev-extraconf_1.0.bb       |    2 +-
 2 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/meta/recipes-core/udev/udev-extraconf/localextra.rules b/meta/recipes-core/udev/udev-extraconf/localextra.rules
index 4eaa8ca..3d51d3e 100644
--- a/meta/recipes-core/udev/udev-extraconf/localextra.rules
+++ b/meta/recipes-core/udev/udev-extraconf/localextra.rules
@@ -19,3 +19,5 @@ KERNEL=="rtc0", SYMLINK+="rtc"
 #The first framebuffer is symlinked to /dev/fb
 KERNEL=="fb0",  SYMLINK+="fb"
 
+# Make all input devices read-write to the input group
+SUBSYSTEM=="input", GROUP="input", MODE="660"
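
Review bot: the new `SUBSYSTEM=="input", GROUP="input", MODE="660"` rule gives group read-write on every input device, so membership of `input` amounts to being able to read all keyboard and mouse events. The comment above the rule should say that the group is intended only for the rootless X user, so that other recipes do not add accounts to it casually. A smaller style point: udev rules usually write the mode with four digits, `MODE="0660"`.
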
diff --git a/meta/recipes-core/udev/udev-extraconf_1.0.bb b/meta/recipes-core/udev/udev-extraconf_1.0.bb
index 2c4a4f1..ea95a60 100644
--- a/meta/recipes-core/udev/udev-extraconf_1.0.bb
+++ b/meta/recipes-core/udev/udev-extraconf_1.0.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=3f40d7994397109285ec7b81fdeb3
 
 inherit allarch
 
-PR = "r7"
+PR = "r8"
 
 SRC_URI = " \
        file://automount.rules \
-- 
1.7.5.4





* [PATCH 3/3] xserver-nodm-init: Add xuser to input group
  2013-04-03 19:49 [PATCH V2 0/3] Add input group and udev rule to fix rootless X Darren Hart
  2013-04-03 19:49 ` [PATCH 1/3] base-passwd: Add input group Darren Hart
  2013-04-03 19:49 ` [PATCH 2/3] udev-extraconf: Add rule adding input devices to " Darren Hart
@ 2013-04-03 19:49 ` Darren Hart
  2 siblings, 0 replies; 4+ messages in thread
From: Darren Hart @ 2013-04-03 19:49 UTC
  To: Richard Purdie, openembedded-core; +Cc: Darren Hart

Fixes [YOCTO 4164](3/3)

Input devices come and go, so a single chmod in this init script is not
adequate to ensure rootless X servers can use input devices.

The o+rw method also introduces a security hole.

The newly added input group and input udev rule address this in a secure
way. Ensure the xuser is added to the input group.

Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Cc: Saul Wold <sgw@linux.intel.com>
Cc: Laurentiu Palcu <laurentiu.palcu@intel.com>
---
 .../x11-common/xserver-nodm-init.bb                |    4 ++--
 .../x11-common/xserver-nodm-init/xserver-nodm      |    1 -
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init.bb b/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
index eab76c5..d2797a9 100644
--- a/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
@@ -2,7 +2,7 @@ DESCRIPTION = "Simple Xserver Init Script (no dm)"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
 SECTION = "x11"
-PR = "r30"
+PR = "r31"
 RDEPENDS_${PN} = "sudo"
 
 SRC_URI = "file://xserver-nodm \
@@ -34,6 +34,6 @@ INITSCRIPT_PARAMS = "start 9 5 2 . stop 20 0 1 6 ."
 # USERADD_PARAM is in sync with the one in connman.inc
 USERADD_PACKAGES = "${PN}"
 USERADD_PARAM_${PN} = "--create-home \
-                       --groups video,tty,audio \
+                       --groups video,tty,audio,input \
                        --user-group xuser"
 
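
Review bot: the context comment above USERADD_PARAM says it "is in sync with the one in connman.inc", but this hunk only changes the `--groups` list in this recipe. Either connman.inc needs the same `video,tty,audio,input` list or the comment stops being true. The new membership also depends on the `input` group from patch 1/3 existing when useradd runs, so the commit message should state that ordering dependency.
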
diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
index e790fb0..f6692a8 100755
--- a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
@@ -33,7 +33,6 @@ case "$1" in
            # setting for rootless X
            chmod o+w /var/log
            chmod g+r /dev/tty[0-3]
-           chmod o+rw /dev/input/*
            # hidraw device is probably needed
            if [ -e /dev/hidraw0 ]; then
                chmod o+rw /dev/hidraw*
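
Review bot: with `chmod o+rw /dev/input/*` removed, the unchanged context still runs `chmod o+rw /dev/hidraw*` and `chmod o+w /var/log`, the same world-writable pattern the commit message calls a security hole. hidraw nodes also come and go with hotplug, so a one-time chmod in the init script has the same adequacy problem described for /dev/input. A follow-up that moves hidraw to a group-owned udev rule with mode 0660 would close the remaining gap, or the commit message should say why it is left as is.
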
-- 
1.7.5.4




