2020-11-09 05:23:58 +01:00
|
|
|
# SPDX-License-Identifier: LGPL-2.1-or-later
|
2017-11-18 18:18:16 +01:00
|
|
|
#
|
2011-05-26 02:21:16 +02:00
|
|
|
# This file is part of systemd.
|
|
|
|
|
#
|
|
|
|
|
# systemd is free software; you can redistribute it and/or modify it
|
2012-04-12 00:20:58 +02:00
|
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
|
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
2011-05-26 02:21:16 +02:00
|
|
|
# (at your option) any later version.
|
|
|
|
|
|
|
|
|
|
ACTION=="remove", GOTO="uaccess_end"
|
|
|
|
|
ENV{MAJOR}=="", GOTO="uaccess_end"
|
|
|
|
|
|
|
|
|
|
# PTP/MTP protocol devices, cameras, portable media players
|
|
|
|
|
SUBSYSTEM=="usb", ENV{ID_USB_INTERFACES}=="*:060101:*", TAG+="uaccess"
|
|
|
|
|
|
|
|
|
|
# Digicams with proprietary protocol
|
2014-07-15 02:04:47 +02:00
|
|
|
ENV{ID_GPHOTO2}=="?*", TAG+="uaccess"
|
2011-05-26 02:21:16 +02:00
|
|
|
|
|
|
|
|
# SCSI and USB scanners
|
|
|
|
|
ENV{libsane_matched}=="yes", TAG+="uaccess"
|
|
|
|
|
|
|
|
|
|
# HPLIP devices (necessary for ink level check and HP tool maintenance)
|
|
|
|
|
ENV{ID_HPLIP}=="1", TAG+="uaccess"
|
|
|
|
|
|
|
|
|
|
# optical drives
|
|
|
|
|
SUBSYSTEM=="block", ENV{ID_CDROM}=="1", TAG+="uaccess"
|
|
|
|
|
SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="4|5", TAG+="uaccess"
|
|
|
|
|
|
|
|
|
|
# Sound devices
|
2018-02-23 16:49:17 +01:00
|
|
|
SUBSYSTEM=="sound", TAG+="uaccess", \
|
2013-07-07 18:32:34 +02:00
|
|
|
OPTIONS+="static_node=snd/timer", OPTIONS+="static_node=snd/seq"
|
2011-05-26 02:21:16 +02:00
|
|
|
|
|
|
|
|
# ffado is an userspace driver for firewire sound cards
|
|
|
|
|
SUBSYSTEM=="firewire", ENV{ID_FFADO}=="1", TAG+="uaccess"
|
|
|
|
|
|
|
|
|
|
# Webcams, frame grabber, TV cards
|
|
|
|
|
SUBSYSTEM=="video4linux", TAG+="uaccess"
|
|
|
|
|
SUBSYSTEM=="dvb", TAG+="uaccess"
|
|
|
|
|
|
|
|
|
|
# IIDC devices: industrial cameras and some webcams
|
|
|
|
|
SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x00010*", TAG+="uaccess"
|
|
|
|
|
SUBSYSTEM=="firewire", ATTR{units}=="*0x00b09d:0x00010*", TAG+="uaccess"
|
|
|
|
|
# AV/C devices: camcorders, set-top boxes, TV sets, audio devices, and more
|
|
|
|
|
SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x010001*", TAG+="uaccess"
|
|
|
|
|
SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", TAG+="uaccess"
|
|
|
|
|
|
Revert "rules: allow users to access frame buffer devices" (#3333)
This reverts commit 483d8bbb4c0190f419bf9fba57fb0feb1a56bea6.
In [1] Michel Dänzer and Daniel Vetter wrote:
>> The scenario you describe isn't possible if the Wayland compositor
>> directly uses the KMS API of /dev/dri/card*, but it may be possible if
>> the Wayland compositor uses the fbdev API of /dev/fb* instead (e.g. if
>> weston uses its fbdev backend).
>
> Yeah, if both weston and your screen grabber uses native fbdev API you can
> now screenshot your desktop. And since fbdev has no concept of "current
> owner of the display hw" like the drm master, I think this is not fixable.
> At least not just in userspace. Also even with native KMS compositors
> fbdev still doesn't have the concept of ownership, which is why it doesn't
> bother clearing it's buffer before KMS takes over. I agree that this
> should be reverted or at least hidden better.
TBH, I think that privilege separation between processes running under the same
UID is tenuous. Even with drm, in common setups any user process can ptrace the
"current owner of the display" and call DROP_MASTER or do whatever. It *is*
possible to prevent that, e.g. by disabling ptrace using yama.ptrace_scope, or
selinux, and so on, but afaik this is not commonly done. E.g. all Fedora
systems pull in elfutils-default-yama-scope.rpm through dependencies which sets
yama.ptrace_scope=0. And even assuming that ptrace was disabled, it is trivial
to modify files on disk, communicate through dbus, etc; there is just to many
ways for a non-sandboxed process to interact maliciously with the display shell
to close them all off. To achieve real protection, some sort of sandboxing
must be implemented, and in that case there is no need to rely on access mode
on the device files, since much more stringent measures have to be implemented
anyway.
The situation is similar for framebuffer devices. It is common to add
framebuffer users to video group to allow them unlimited access to /dev/fb*.
Using uaccess would be better solution in that case. Also, since there is no
"current owner" limitation like in DRM, processes running under the same UID
should be able to access /proc/<pid-of-display-server>/fd/* and gain access to
the devices. Nevertheless, weston implements a suid wrapper to access the
devices and then drop privileges, and this patch would make this daemon
pointless. So if the weston developers feel that this change reduces security,
I prefer to revert it.
[1] https://lists.freedesktop.org/archives/wayland-devel/2016-May/029017.html
2016-05-24 11:32:30 +02:00
|
|
|
# DRI video devices
|
2017-10-31 16:46:24 +01:00
|
|
|
SUBSYSTEM=="drm", KERNEL=="card*", TAG+="uaccess"
|
2019-03-13 23:22:26 +01:00
|
|
|
m4_ifdef(`GROUP_RENDER_UACCESS',``
|
|
|
|
|
# DRI render nodes
|
|
|
|
|
SUBSYSTEM=="drm", KERNEL=="renderD*", TAG+="uaccess"''
|
|
|
|
|
)m4_dnl
|
2018-07-13 23:36:13 +02:00
|
|
|
m4_ifdef(`DEV_KVM_UACCESS',``
|
2018-07-10 14:47:58 +02:00
|
|
|
# KVM
|
2018-07-13 23:36:13 +02:00
|
|
|
SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"''
|
|
|
|
|
)m4_dnl
|
2018-07-10 14:47:58 +02:00
|
|
|
|
2011-05-26 02:21:16 +02:00
|
|
|
# smart-card readers
|
2014-07-15 02:04:47 +02:00
|
|
|
ENV{ID_SMARTCARD_READER}=="?*", TAG+="uaccess"
|
2011-05-26 02:21:16 +02:00
|
|
|
|
2012-07-24 20:13:46 +02:00
|
|
|
# (USB) authentication devices
|
2014-07-15 02:04:47 +02:00
|
|
|
ENV{ID_SECURITY_TOKEN}=="?*", TAG+="uaccess"
|
2012-07-24 20:13:46 +02:00
|
|
|
|
2011-05-26 02:21:16 +02:00
|
|
|
# PDA devices
|
2014-07-15 02:04:47 +02:00
|
|
|
ENV{ID_PDA}=="?*", TAG+="uaccess"
|
2011-05-26 02:21:16 +02:00
|
|
|
|
|
|
|
|
# Programmable remote control
|
|
|
|
|
ENV{ID_REMOTE_CONTROL}=="1", TAG+="uaccess"
|
|
|
|
|
|
|
|
|
|
# joysticks
|
|
|
|
|
SUBSYSTEM=="input", ENV{ID_INPUT_JOYSTICK}=="?*", TAG+="uaccess"
|
|
|
|
|
|
|
|
|
|
# color measurement devices
|
2014-07-15 02:04:47 +02:00
|
|
|
ENV{COLOR_MEASUREMENT_DEVICE}=="?*", TAG+="uaccess"
|
2011-05-26 02:21:16 +02:00
|
|
|
|
|
|
|
|
# DDC/CI device, usually high-end monitors such as the DreamColor
|
2014-07-15 02:04:47 +02:00
|
|
|
ENV{DDC_DEVICE}=="?*", TAG+="uaccess"
|
2011-05-26 02:21:16 +02:00
|
|
|
|
|
|
|
|
# media player raw devices (for user-mode drivers, Android SDK, etc.)
|
|
|
|
|
SUBSYSTEM=="usb", ENV{ID_MEDIA_PLAYER}=="?*", TAG+="uaccess"
|
|
|
|
|
|
rules: uaccess - add ID_SOFTWARE_RADIO
On Tue, Jul 15, 2014 at 1:52 PM, Alick Zhao <alick9188@gmail.com> wrote:
>>>
>>> So maybe ID_SOFTWARE_RADIO ?
>>
>> Hmm, SDR is more a term for a generic technology than for a device
>> class. To me it does not really sound like an administrator would know
>> what this is.
>>
>> What exactly is the device or subsystem you want to make accessible to
>> locally logged-in users only?
>
> Initially it is bladeRF, but many more are of interest: USRP, rtl-sdr,
> HackRF, ... [1]
>
> I agree an administrator might not know what SDR is, since it is
> currently still not widely known, and makes sense only for amateurs
> and researchers. But as a SDR fan, I see many new SDR peripherals
> are created recently, and expect to see more. So a generic ID seems
> reasonable to me.
>
> [1] http://en.wikipedia.org/wiki/List_of_software-defined_radios
2014-07-15 17:35:53 +02:00
|
|
|
# software-defined radio communication devices
|
|
|
|
|
ENV{ID_SOFTWARE_RADIO}=="?*", TAG+="uaccess"
|
|
|
|
|
|
2016-03-15 14:25:51 +01:00
|
|
|
# 3D printers, CNC machines, laser cutters, 3D scanners, etc.
|
|
|
|
|
ENV{ID_MAKER_TOOL}=="?*", TAG+="uaccess"
|
|
|
|
|
|
2011-05-26 02:21:16 +02:00
|
|
|
LABEL="uaccess_end"
|