From c874e22e0da6f87aa72ade635f11421e6ecb6e48 Mon Sep 17 00:00:00 2001 From: Kay Sievers Date: Thu, 14 Jul 2011 02:02:35 +0200 Subject: udev-acl: skip ACLs when systemd is running, disable by default --- Makefile.am | 2 +- configure.ac | 28 +++++++-------- extras/udev-acl/70-acl.rules | 73 ------------------------------------- extras/udev-acl/70-udev-acl.rules | 76 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 91 insertions(+), 88 deletions(-) delete mode 100644 extras/udev-acl/70-acl.rules create mode 100644 extras/udev-acl/70-udev-acl.rules diff --git a/Makefile.am b/Makefile.am index 0599bb24cf..d2e9b855fe 100644 --- a/Makefile.am +++ b/Makefile.am @@ -360,7 +360,7 @@ if ENABLE_UDEV_ACL extras_udev_acl_udev_acl_SOURCES = extras/udev-acl/udev-acl.c extras_udev_acl_udev_acl_CPPFLAGS = $(AM_CPPFLAGS) $(GLIB_CFLAGS) extras_udev_acl_udev_acl_LDADD = libudev/libudev-private.la -lacl $(GLIB_LIBS) -dist_udevrules_DATA += extras/udev-acl/70-acl.rules +dist_udevrules_DATA += extras/udev-acl/70-udev-acl.rules libexec_PROGRAMS += extras/udev-acl/udev-acl udevacl-install-hook: diff --git a/configure.ac b/configure.ac index 7bdb229043..d1327ab5d2 100644 --- a/configure.ac +++ b/configure.ac 
@@ -126,20 +126,6 @@ if test "x$enable_hwdb" = xyes; then fi AM_CONDITIONAL([ENABLE_HWDB], [test "x$enable_hwdb" = xyes]) -# ------------------------------------------------------------------------------ -# udev_acl - apply ACLs for users with local forground sessions -# ------------------------------------------------------------------------------ -AC_ARG_ENABLE([udev_acl], - AS_HELP_STRING([--disable-udev_acl], [disable local user acl permissions support]), - [], [enable_udev_acl=yes]) -if test "x$enable_udev_acl" = xyes; then - AC_CHECK_LIB([acl], [acl_init], [:], AC_MSG_ERROR([libacl not found])) - AC_CHECK_HEADER([acl/libacl.h], [:], AC_MSG_ERROR([libacl header not found])) - - PKG_CHECK_MODULES([GLIB], [glib-2.0 >= 2.22.0 gobject-2.0 >= 2.22.0]) -fi -AM_CONDITIONAL([ENABLE_UDEV_ACL], [test "x$enable_udev_acl" = xyes]) - # ------------------------------------------------------------------------------ # GUdev - libudev gobject interface # ------------------------------------------------------------------------------ 
@@ -183,6 +169,20 @@ if test "x$enable_keymap" = xyes; then fi AM_CONDITIONAL([ENABLE_KEYMAP], [test "x$enable_keymap" = xyes]) +# ------------------------------------------------------------------------------ +# udev_acl - apply ACLs for users with local forground sessions +# ------------------------------------------------------------------------------ +AC_ARG_ENABLE([udev_acl], + AS_HELP_STRING([--enable-udev_acl], [enable local user acl permissions support]), + [], [enable_udev_acl=no]) +if test "x$enable_udev_acl" = xyes; then + AC_CHECK_LIB([acl], [acl_init], [:], AC_MSG_ERROR([libacl not found])) + AC_CHECK_HEADER([acl/libacl.h], [:], AC_MSG_ERROR([libacl header not found])) + + PKG_CHECK_MODULES([GLIB], [glib-2.0 >= 2.22.0 gobject-2.0 >= 2.22.0]) +fi +AM_CONDITIONAL([ENABLE_UDEV_ACL], [test "x$enable_udev_acl" = xyes]) + # ------------------------------------------------------------------------------ # create_floppy_devices - historical floppy kernel device nodes (/dev/fd0h1440, ...) # ------------------------------------------------------------------------------ diff --git a/extras/udev-acl/70-acl.rules b/extras/udev-acl/70-acl.rules deleted file mode 100644 index 5dc5ed0bfc..0000000000 --- a/extras/udev-acl/70-acl.rules +++ /dev/null 
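Review bot: In the re-added udev_acl block the failure actions given to `AC_CHECK_LIB` and `AC_CHECK_HEADER` are unquoted, contrary to the usual autoconf practice of quoting every macro argument. They should read `AC_CHECK_LIB([acl], [acl_init], [:], [AC_MSG_ERROR([libacl not found])])` and `AC_CHECK_HEADER([acl/libacl.h], [:], [AC_MSG_ERROR([libacl header not found])])`. The section comment also carries a typo and should read `# udev_acl - apply ACLs for users with local foreground sessions`. Both are carried over from the block this commit removes earlier in the file, so the move is a convenient place to fix them.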
@@ -1,73 +0,0 @@
-# do not edit this file, it will be overwritten on update
-
-# Do not use TAG+="udev-acl" outside of this file. This variable is private to
-# udev-acl of this udev release and may be replaced at any time.
-
-ENV{MAJOR}=="", GOTO="acl_end"
-ACTION=="remove", GOTO="acl_apply"
-
-# PTP/MTP protocol devices, cameras, portable media players
-SUBSYSTEM=="usb", ENV{ID_USB_INTERFACES}=="*:060101:*", TAG+="udev-acl"
-
-# digicams with proprietary protocol
-ENV{ID_GPHOTO2}=="*?", TAG+="udev-acl"
-
-# SCSI and USB scanners
-ENV{libsane_matched}=="yes", TAG+="udev-acl"
-
-# HPLIP devices (necessary for ink level check and HP tool maintenance)
-ENV{ID_HPLIP}=="1", TAG+="udev-acl"
-
-# optical drives
-SUBSYSTEM=="block", ENV{ID_CDROM}=="1", TAG+="udev-acl"
-SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="4|5", TAG+="udev-acl"
-
-# sound devices
-SUBSYSTEM=="sound", TAG+="udev-acl"
-
-# ffado is an userspace driver for firewire sound cards
-SUBSYSTEM=="firewire", ENV{ID_FFADO}=="1", TAG+="udev-acl"
-
-# webcams, frame grabber, TV cards
-SUBSYSTEM=="video4linux", TAG+="udev-acl"
-SUBSYSTEM=="dvb", TAG+="udev-acl"
-
-# IIDC devices: industrial cameras and some webcams
-SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x00010*", TAG+="udev-acl"
-SUBSYSTEM=="firewire", ATTR{units}=="*0x00b09d:0x00010*", TAG+="udev-acl"
-# AV/C devices: camcorders, set-top boxes, TV sets, audio devices, and more
-SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x010001*", TAG+="udev-acl"
-SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", TAG+="udev-acl"
-
-# DRI video devices
-SUBSYSTEM=="drm", KERNEL=="card*", TAG+="udev-acl"
-
-# KVM
-SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="udev-acl"
-
-# smart-card readers
-ENV{ID_SMARTCARD_READER}=="*?", TAG+="udev-acl"
-
-# PDA devices
-ENV{ID_PDA}=="*?", TAG+="udev-acl"
-
-# Programmable remote control
-ENV{ID_REMOTE_CONTROL}=="1", TAG+="udev-acl"
-
-# joysticks
-SUBSYSTEM=="input", ENV{ID_INPUT_JOYSTICK}=="?*", TAG+="udev-acl"
-
-# color measurement devices
-ENV{COLOR_MEASUREMENT_DEVICE}=="*?", TAG+="udev-acl"
-
-# DDC/CI device, usually high-end monitors such as the DreamColor
-ENV{DDC_DEVICE}=="*?", TAG+="udev-acl"
-
-# media player raw devices (for user-mode drivers, Android SDK, etc.)
-SUBSYSTEM=="usb", ENV{ID_MEDIA_PLAYER}=="?*", TAG+="udev-acl"
-
-# apply ACL for all locally logged in users
-LABEL="acl_apply", TAG=="udev-acl", TEST=="/var/run/ConsoleKit/database", \
- RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"
-
-LABEL="acl_end"
diff --git a/extras/udev-acl/70-udev-acl.rules b/extras/udev-acl/70-udev-acl.rules
new file mode 100644
index 0000000000..2dac283101
--- /dev/null
+++ b/extras/udev-acl/70-udev-acl.rules
@@ -0,0 +1,76 @@
+# do not edit this file, it will be overwritten on update
+
+# Do not use TAG+="udev-acl" outside of this file. This variable is private to
+# udev-acl of this udev release and may be replaced at any time.
+
+ENV{MAJOR}=="", GOTO="acl_end"
+ACTION=="remove", GOTO="acl_apply"
+
+# systemd replaces udev-acl entirely, skip if active
+TEST=="/sys/fs/cgroup/systemd", TAG=="uaccess", GOTO="acl_end"
+
+# PTP/MTP protocol devices, cameras, portable media players
+SUBSYSTEM=="usb", ENV{ID_USB_INTERFACES}=="*:060101:*", TAG+="udev-acl"
+
+# digicams with proprietary protocol
+ENV{ID_GPHOTO2}=="*?", TAG+="udev-acl"
+
+# SCSI and USB scanners
+ENV{libsane_matched}=="yes", TAG+="udev-acl"
+
+# HPLIP devices (necessary for ink level check and HP tool maintenance)
+ENV{ID_HPLIP}=="1", TAG+="udev-acl"
+
+# optical drives
+SUBSYSTEM=="block", ENV{ID_CDROM}=="1", TAG+="udev-acl"
+SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="4|5", TAG+="udev-acl"
+
+# sound devices
+SUBSYSTEM=="sound", TAG+="udev-acl"
+
+# ffado is an userspace driver for firewire sound cards
+SUBSYSTEM=="firewire", ENV{ID_FFADO}=="1", TAG+="udev-acl"
+
+# webcams, frame grabber, TV cards
+SUBSYSTEM=="video4linux", TAG+="udev-acl"
+SUBSYSTEM=="dvb", TAG+="udev-acl"
+
+# IIDC devices: industrial cameras and some webcams
+SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x00010*", TAG+="udev-acl"
+SUBSYSTEM=="firewire", ATTR{units}=="*0x00b09d:0x00010*", TAG+="udev-acl"
+# AV/C devices: camcorders, set-top boxes, TV sets, audio devices, and more
+SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x010001*", TAG+="udev-acl"
+SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", TAG+="udev-acl"
+
+# DRI video devices
+SUBSYSTEM=="drm", KERNEL=="card*", TAG+="udev-acl"
+
+# KVM
+SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="udev-acl"
+
+# smart-card readers
+ENV{ID_SMARTCARD_READER}=="*?", TAG+="udev-acl"
+
+# PDA devices
+ENV{ID_PDA}=="*?", TAG+="udev-acl"
+
+# Programmable remote control
+ENV{ID_REMOTE_CONTROL}=="1", TAG+="udev-acl"
+
+# joysticks
+SUBSYSTEM=="input", ENV{ID_INPUT_JOYSTICK}=="?*", TAG+="udev-acl"
+
+# color measurement devices
+ENV{COLOR_MEASUREMENT_DEVICE}=="*?", TAG+="udev-acl"
+
+# DDC/CI device, usually high-end monitors such as the DreamColor
+ENV{DDC_DEVICE}=="*?", TAG+="udev-acl"
+
+# media player raw devices (for user-mode drivers, Android SDK, etc.)
+SUBSYSTEM=="usb", ENV{ID_MEDIA_PLAYER}=="?*", TAG+="udev-acl"
+
+# apply ACL for all locally logged in users
+LABEL="acl_apply", TAG=="udev-acl", TEST=="/var/run/ConsoleKit/database", \
+ RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"
+
+LABEL="acl_end"
-- cgit v1.2.3-54-g00ecf
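Review bot: The comment on the added skip rule says systemd replaces udev-acl entirely, but `TEST=="/sys/fs/cgroup/systemd", TAG=="uaccess", GOTO="acl_end"` only skips devices that already carry the `uaccess` tag when this file is processed. On a host where both `/sys/fs/cgroup/systemd` and `/var/run/ConsoleKit/database` exist, a device matched by this file's list but not tagged `uaccess` still reaches `acl_apply` and gets its ACL from udev-acl, so two mechanisms can end up granting access to device nodes such as `kvm`, sound and video. If a full hand-over is intended, the rule should be `TEST=="/sys/fs/cgroup/systemd", GOTO="acl_end"`; if the per-device check is deliberate, reword the comment to `# systemd handles devices tagged "uaccess"; skip those when it is active`. The skip also sits after `ACTION=="remove", GOTO="acl_apply"`, so remove events never take it; that is presumably harmless because untagged devices do not match at `acl_apply`, but it is worth confirming.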