/* add or remove a ACL for a given uid from all matching devices */
static void apply_acl_to_devices(uid_t uid, int add)
{
struct udev *udev;
struct udev_enumerate *enumerate;
struct udev_list_entry *list_entry;
/* iterate over all devices tagged with ACL_SET */
udev = udev_new();
enumerate = udev_enumerate_new(udev);
udev_enumerate_add_match_tag(enumerate, "udev-acl");
udev_enumerate_scan_devices(enumerate);
udev_list_entry_foreach(list_entry, udev_enumerate_get_list_entry(enumerate)) {
struct udev_device *device;
const char *node;
device = udev_device_new_from_syspath(udev_enumerate_get_udev(enumerate),
udev_list_entry_get_name(list_entry));
if (device == NULL)
continue;
node = udev_device_get_devnode(device);
if (node == NULL) {
udev_device_unref(device);
continue;
}
set_facl(node, uid, add);
udev_device_unref(device);
}
udev_enumerate_unref(enumerate);
udev_unref(udev);
}
static void cleanup(void)
{
g_cancellable_cancel(polkit_cancellable);
if (state == STATE_WAITING_FOR_STDIN_EOF)
set_facl(path, getuid(), 0);
if (loop)
g_main_loop_quit(loop);
}
static void check_authorization_cb(PolkitAuthority *authority,
GAsyncResult *res, gpointer data)
{
PolkitAuthorizationResult *result;
GError *err = NULL;
struct stat stat_buf;
g_clear_object(&polkit_cancellable);
result = polkit_authority_check_authorization_finish(authority, res, &err);
if (err) {
FATAL_ERROR("PoliciKit error: %s\n", err->message);
g_error_free(err);
return;
}
if (polkit_authorization_result_get_dismissed(result)) {
ERROR("CANCELED\n");
return;
}
if (!polkit_authorization_result_get_is_authorized(result)) {
ERROR("Not authorized\n");
return;
}
snprintf(path, PATH_MAX, "/dev/bus/usb/%03d/%03d", busnum, devnum);
if (stat(path, &stat_buf) != 0) {
FATAL_ERROR("statting %s: %s\n", path, strerror(errno));
return;
}
if (!S_ISCHR(stat_buf.st_mode)) {
FATAL_ERROR("%s is not a character device\n", path);
return;
}
if (set_facl(path, getuid(), 1)) {
FATAL_ERROR("setting facl: %s\n", strerror(errno));
return;
}
fprintf(stdout, "SUCCESS\n");
fflush(stdout);
state = STATE_WAITING_FOR_STDIN_EOF;
}
int main (int argc, char* argv[])
{
static const struct option options[] = {
{ "action", required_argument, NULL, 'a' },
{ "device", required_argument, NULL, 'D' },
{ "user", required_argument, NULL, 'u' },
{ "debug", no_argument, NULL, 'd' },
{ "help", no_argument, NULL, 'h' },
{}
};
int action = -1;
const char *device = NULL;
bool uid_given = false;
uid_t uid = 0;
uid_t uid2 = 0;
const char* remove_session_id = NULL;
int rc = 0;
/* valgrind is more important to us than a slice allocator */
g_slice_set_config (G_SLICE_CONFIG_ALWAYS_MALLOC, 1);
while (1) {
int option;
option = getopt_long(argc, argv, "+a:D:u:dh", options, NULL);
if (option == -1)
break;
switch (option) {
case 'a':
if (strcmp(optarg, "remove") == 0)
action = ACTION_REMOVE;
else
action = ACTION_ADD;
break;
case 'D':
device = optarg;
break;
case 'u':
uid_given = true;
uid = strtoul(optarg, NULL, 10);
break;
case 'd':
debug = 1;
break;
case 'h':
printf("Usage: udev-acl --action=ACTION [--device=DEVICEFILE] [--user=UID]\n\n");
goto out;
}
}
if (action < 0 && device == NULL && !uid_given)
if (!consolekit_called(argv[optind], &uid, &uid2, &remove_session_id, &action))
uid_given = true;
if (action < 0) {
fprintf(stderr, "missing action\n\n");
rc = 2;
goto out;
}
if (device != NULL && uid_given) {
fprintf(stderr, "only one option, --device=DEVICEFILE or --user=UID expected\n\n");
rc = 3;
goto out;
}
if (uid_given) {
switch (action) {
case ACTION_ADD:
/* Add ACL for given uid to all matching devices. */
apply_acl_to_devices(uid, 1);
break;
case ACTION_REMOVE:
remove_uid(uid, remove_session_id);
break;
case ACTION_CHANGE:
remove_uid(uid, remove_session_id);
apply_acl_to_devices(uid2, 1);
break;
case ACTION_NONE:
goto out;
break;
default:
g_assert_not_reached();
break;
}
} else if (device != NULL) {
/*
* Add ACLs for all current session uids to a given device.
*
* Or remove ACLs for uids which do not have any current local
* active session. Remove is not really interesting, because in
* most cases the device node is removed anyway.
*/
GSList *list;
GSList *l;
list = uids_with_local_active_session(NULL);
for (l = list; l != NULL; l = g_slist_next(l)) {
uid_t u;
u = GPOINTER_TO_UINT(l->data);
if (action == ACTION_ADD || !uid_in_list(list, u))
set_facl(device, u, action == ACTION_ADD);
}
g_slist_free(list);
} else {
fprintf(stderr, "--device=DEVICEFILE or --user=UID expected\n\n");
rc = 3;
}
out:
return rc;
}
