authorLennart Poettering <lennart@poettering.net>2019-08-19 18:02:46 +0200
committerGitHub <noreply@github.com>2019-08-19 18:02:46 +0200
commit06e93130b4045db1c75f8de506d2447642de74cf (patch)
tree67e5cad5564e1a2800f8540a42606f4d835f940a
parent344edf1056f8249325d78fc628f0da71717f269d (diff)
parent1f9290fcc48d44373174497b5500b028778db6ab (diff)
Merge pull request #13356 from keszybz/static-nodes-perms
Fix permissions on static nodes
-rw-r--r--rules/50-udev-default.rules.in3
-rw-r--r--tmpfiles.d/meson.build35
-rw-r--r--tmpfiles.d/static-nodes-permissions.conf.in17
-rw-r--r--units/kmod-static-nodes.service.in4
4 files changed, 43 insertions, 16 deletions
diff --git a/rules/50-udev-default.rules.in b/rules/50-udev-default.rules.in
index 580b8971a6..50747a1988 100644
--- a/rules/50-udev-default.rules.in
+++ b/rules/50-udev-default.rules.in
@@ -39,6 +39,9 @@ SUBSYSTEM=="cec", GROUP="video"
SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="render", MODE="@GROUP_RENDER_MODE@"
SUBSYSTEM=="kfd", GROUP="render", MODE="@GROUP_RENDER_MODE@"
+# When using static_node= with non-default permissions, also update
+# tmpfiles.d/static-nodes-permissions.conf.in to keep permissions synchronized.
+
SUBSYSTEM=="sound", GROUP="audio", \
OPTIONS+="static_node=snd/seq", OPTIONS+="static_node=snd/timer"
diff --git a/tmpfiles.d/meson.build b/tmpfiles.d/meson.build
index f14b4fc6df..e77f46d06b 100644
--- a/tmpfiles.d/meson.build
+++ b/tmpfiles.d/meson.build
@@ -24,26 +24,33 @@ foreach pair : tmpfiles
endif
endforeach
-m4_files = [['etc.conf', ''],
- ['systemd.conf', ''],
- ['var.conf', ''],
- ]
+in_files = ['static-nodes-permissions.conf']
-foreach pair : m4_files
- if not enable_tmpfiles
- # do nothing
- elif pair[1] == '' or conf.get(pair[1]) == 1
+foreach file : in_files
+ gen = configure_file(
+ input : file + '.in',
+ output : file,
+ configuration : substs)
+ if enable_tmpfiles
+ install_data(gen,
+ install_dir : tmpfilesdir)
+ endif
+endforeach
+
+m4_files = ['etc.conf',
+ 'systemd.conf',
+ 'var.conf']
+
+foreach file : m4_files
+ if enable_tmpfiles
custom_target(
- 'tmpfiles.d_' + pair[0],
- input : pair[0] + '.m4',
- output: pair[0],
+ 'tmpfiles.d_' + file,
+ input : file + '.m4',
+ output: file,
command : [meson_apply_m4, config_h, '@INPUT@'],
capture : true,
install : true,
install_dir : tmpfilesdir)
- else
- message('Not installing tmpfiles.d/@0@.m4 because @1@ is @2@'
- .format(pair[0], pair[1], conf.get(pair[1], 0)))
endif
endforeach
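Review bot: In the new `in_files` loop, `configure_file()` runs even when `enable_tmpfiles` is false, while the `m4_files` loop below it skips the whole target in that case; the asymmetry looks harmless but is unexplained. A one-line comment above the call, such as `# generated unconditionally; installed only when tmpfiles is enabled`, would make the intent clear. The rewritten `m4_files` loop also drops the per-file condition and its `message()`, so a file that should only be installed under some option would need that logic added back.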
diff --git a/tmpfiles.d/static-nodes-permissions.conf.in b/tmpfiles.d/static-nodes-permissions.conf.in
new file mode 100644
index 0000000000..50cffe2cd9
--- /dev/null
+++ b/tmpfiles.d/static-nodes-permissions.conf.in
@@ -0,0 +1,17 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# This file adds permissions on top of static-nodes.conf generated by
+# kmod-static-nodes.service. Rules specified here should match the
+# permissions specified for udev in 50-udev-default.rules.
+
+z /dev/snd/seq 0660 - audio -
+z /dev/snd/timer 0660 - audio -
+z /dev/loop-control 0660 - disk -
+z /dev/net/tun 0666 - - -
+z /dev/fuse 0666 - - -
+z /dev/kvm @DEV_KVM_MODE@ - kvm -
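Review bot: The `z` lines are a second, hand-maintained copy of the modes and groups in 50-udev-default.rules, and nothing visible in this commit enforces the "should match" in the header. If the two drift, a static node would presumably carry a mode or group other than the one udev intends until udev processes it. I would tighten the header with `# Every MODE=/GROUP= change on a static_node= rule must be mirrored here.` and put `# 0666 is deliberate and mirrors the udev rule` above the `/dev/net/tun` and `/dev/fuse` lines, so that the world-writable entries are not mistaken for an oversight. The `/dev/kvm` line also relies on `@DEV_KVM_MODE@` being non-empty after substitution. tmpfiles.d fields are whitespace-separated, so an empty value would presumably shift `- kvm -` into the mode, user and group columns; a configure-time check on that option is worth considering.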
diff --git a/units/kmod-static-nodes.service.in b/units/kmod-static-nodes.service.in
index a6c5eb228f..0971edf9ec 100644
--- a/units/kmod-static-nodes.service.in
+++ b/units/kmod-static-nodes.service.in
@@ -8,7 +8,7 @@
# (at your option) any later version.
[Unit]
-Description=Create list of required static device nodes for the current kernel
+Description=Create list of static device nodes for the current kernel
DefaultDependencies=no
Before=sysinit.target systemd-tmpfiles-setup-dev.service
ConditionCapability=CAP_SYS_MODULE
@@ -17,4 +17,4 @@ ConditionFileNotEmpty=/lib/modules/%v/modules.devname
[Service]
Type=oneshot
RemainAfterExit=yes
-ExecStart=@KMOD@ static-nodes --format=tmpfiles --output=/run/tmpfiles.d/kmod.conf
+ExecStart=@KMOD@ static-nodes --format=tmpfiles --output=/run/tmpfiles.d/static-nodes.conf