How do I allow automatic non root access to my non standard USB device ?

Kevin Coffin kevin at finway.co.uk
Thu Jan 22 17:43:40 UTC 2009


On Wed, 2009-01-21 at 13:19 -0900, Jeff Spaleta wrote:
> On Wed, Jan 21, 2009 at 1:09 PM, Kevin Coffin <kevin at finway.co.uk> wrote:
> 
> >Although the quick hack that I
> > posted does seem to work for me I am not sure exactly how it is
> > achieved. I do not see the group/owner on the endpoints for the usb
> > device change. If you have any pointers to further reading on the
> > inter-actions between hal and policykit they would be gratefully
> > received.
> 
> Aren't they done via acl manipulations?
> 
> Do you see changes in the getfacl output?

Ah, I didn't know about this command. Yes, it does show that the ACLs
have changed. Also, when using ls -la you get this:

crw-rw-r--+ 1 root root 189, 4 2009-01-22 14:28 005

I have not seen the plus sign being used before.

> 
> >
> > There is probably a better way to do this. Further reading today
> > indicated that this should have been placed in /etc/hal directory
> > structure. I do have an rpm for openocd and it would be nice to have it
> > install the correct permissions in the right place.
> 
> The question remains. If a new documentation effort were to be made
> what form of documentation would be the first priority to work on?
> 
> -jef
> 

I guess what I was looking for was something which would give the steps
of how to integrate a totally unknown device into the hal/PolicyKit
structure so that it could be used by a user other than root.

For example:

1. Add a policy file to the /usr/share/PolicyKit/policy directory
containing

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <!-- hal looks up access_control.type "usb-jtag" as this action id -->
  <action id="org.freedesktop.hal.device-access.usb-jtag">
    <description>Direct access to USB JTAG devices</description>
    <message>System policy prevents access to USB JTAG devices</message>
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>

This then shows up in the authorizations GUI so that users can be added
to the ACL.

2. Hal requires some metadata about this device, so add an .fdi file in
the /usr/share/hal/fdi/information/20thirdparty directory containing

<?xml version="1.0" encoding="ISO-8859-1"?>
<deviceinfo version="0.2">
  <device>
    <!-- Olimex USB JTAG adapters, matched on the USB vendor id -->
    <match key="usb_device.vendor_id" int="0x15ba">
      <append key="info.capabilities" type="strlist">olimex-device</append>
      <append key="info.capabilities" type="strlist">usb-jtag</append>
      <append key="info.capabilities" type="strlist">access_control</append>
      <merge key="access_control.file" type="copy_property">linux.device_file</merge>
      <merge key="access_control.type" type="string">usb-jtag</merge>
    </match>
  </device>
</deviceinfo>

3. Add an .fdi file for hal policy to
the /usr/share/hal/fdi/policy/20thirdparty directory containing

<?xml version="1.0" encoding="ISO-8859-1"?>
<deviceinfo version="0.2">
  <device>
    <!-- support for Linux usbfs, where the device node is usbraw.device -->
    <match key="info.capabilities" contains="usbraw">
      <match key="info.capabilities" sibling_contains="usb-jtag">
        <append key="info.capabilities" type="strlist">access_control</append>
        <merge key="access_control.file" type="copy_property">usbraw.device</merge>
        <merge key="access_control.type" type="string">usb-jtag</merge>
      </match>
    </match>

    <!-- support for Linux USB stack where linux.device_file is set
         (e.g. device node is on the main usb device) -->
    <match key="info.subsystem" string="usb">
      <match key="@info.parent:linux.device_file" exists="true">
        <match key="info.capabilities" contains="usb-jtag">
          <append key="info.capabilities" type="strlist">access_control</append>
          <merge key="access_control.type" type="string">usb-jtag</merge>
          <merge key="access_control.file" type="copy_property">@info.parent:linux.device_file</merge>
        </match>
      </match>
    </match>
  </device>
</deviceinfo>

4. Run the authorizations GUI and grant the user the right to access the
device.


Oh look, I've done it now - it's simple when you have done it once. Would
you like me to write it up with more detail? Someone will need to look
over it because I am not sure that everything I have done is correct.

Comments and suggestions welcome.

Kevin
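Added example, not part of Kevin's message or of hal/PolicyKit: a small
consistency check over the two kinds of file the steps above produce. The
point it makes concrete is the coupling the steps rely on: hal only grants
the ACL when the access_control.type merged in the .fdi has a matching
PolicyKit action named org.freedesktop.hal.device-access.<type>, and when
the same match block also merges access_control.file so hal knows which
device node to put the ACL on. Assumptions, labelled in the code: that
action-id prefix, the PolicyKit 0.9 set of allowed <allow_*> values, the
constructed sample documents (the usb-jtag block from the message plus a
deliberately broken second block with a placeholder vendor id 0x1234), and
the function names.

```python
"""Consistency check for a hal + PolicyKit 0.9 device-access set-up.

Added example, not code from the message above. It parses a PolicyKit
.policy document and a hal .fdi document of the kind shown in the message
and checks that every access_control.type the fdi merges has a matching
PolicyKit action. The assumed mapping is the one the message's own files
rely on: hal resolves access_control.type "X" to the action
"org.freedesktop.hal.device-access.X".
"""
import xml.etree.ElementTree as ET

# Assumed hal convention (matches the action id / access_control.type pair
# in the message): action id = ACTION_PREFIX + access_control.type.
ACTION_PREFIX = "org.freedesktop.hal.device-access."

# Values PolicyKit 0.9 accepts in <allow_active> / <allow_inactive>.
VALID_DEFAULTS = {
    "no", "yes", "auth_self", "auth_admin",
    "auth_self_keep_session", "auth_self_keep_always",
    "auth_admin_keep_session", "auth_admin_keep_always",
}

# Constructed sample input: the usb-jtag action from the message, wrapped
# in the <policyconfig> root a .policy file needs.
POLICY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.freedesktop.hal.device-access.usb-jtag">
    <description>Direct access to USB JTAG devices</description>
    <message>System policy prevents access to USB JTAG devices</message>
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# Constructed sample input: the Olimex match from the message plus a second,
# deliberately broken block (placeholder vendor id 0x1234) that merges a
# type with no PolicyKit action and forgets access_control.file.
FDI_XML = """<?xml version="1.0" encoding="UTF-8"?>
<deviceinfo version="0.2">
  <device>
    <match key="usb_device.vendor_id" int="0x15ba">
      <append key="info.capabilities" type="strlist">access_control</append>
      <merge key="access_control.file" type="copy_property">linux.device_file</merge>
      <merge key="access_control.type" type="string">usb-jtag</merge>
    </match>
    <match key="usb_device.vendor_id" int="0x1234">
      <append key="info.capabilities" type="strlist">access_control</append>
      <merge key="access_control.type" type="string">usb-other</merge>
    </match>
  </device>
</deviceinfo>
"""


def policy_actions(policy_xml):
    """Map each action id in a .policy document to its <defaults> values."""
    actions = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults_el = action.find("defaults")
        defaults = {} if defaults_el is None else {
            child.tag: (child.text or "").strip() for child in defaults_el}
        actions[action.get("id")] = defaults
    return actions


def fdi_access_control(fdi_xml):
    """Map each access_control.type merged by a <match> block to whether the
    same block also merges access_control.file (hal needs both to know which
    device node to put the ACL on)."""
    result = {}
    for block in ET.fromstring(fdi_xml).iter("match"):
        merges = {m.get("key"): (m.text or "").strip()
                  for m in block.findall("merge")}
        if "access_control.type" in merges:
            result[merges["access_control.type"]] = "access_control.file" in merges
    return result


def check(policy_xml, fdi_xml):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    actions = policy_actions(policy_xml)
    for action_id, defaults in actions.items():
        if not action_id.startswith(ACTION_PREFIX):
            problems.append(f"{action_id}: not a hal device-access action id")
        for tag in ("allow_inactive", "allow_active"):
            if defaults.get(tag) not in VALID_DEFAULTS:
                problems.append(f"{action_id}: bad <{tag}> value {defaults.get(tag)!r}")
    for ac_type, has_file in fdi_access_control(fdi_xml).items():
        if ACTION_PREFIX + ac_type not in actions:
            problems.append(f"{ac_type}: no action {ACTION_PREFIX + ac_type} in the "
                            "policy, so hal has no authorization to check")
        if not has_file:
            problems.append(f"{ac_type}: match block merges no access_control.file, "
                            "so hal does not know which device node to ACL")
    return problems


if __name__ == "__main__":
    for problem in check(POLICY_XML, FDI_XML) or ["OK: policy and fdi agree"]:
        print(problem)
```

Run against real files with the two documents read from
/usr/share/PolicyKit/policy and /usr/share/hal/fdi/policy/20thirdparty;
the check is static, so it tells you about a missing action or device
file before you plug the device in and find the ACL never appeared.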
