How do I allow automatic non root access to my non standard USB device ?
Kevin Coffin
kevin at finway.co.uk
Thu Jan 22 17:43:40 UTC 2009
On Wed, 2009-01-21 at 13:19 -0900, Jeff Spaleta wrote:
> On Wed, Jan 21, 2009 at 1:09 PM, Kevin Coffin <kevin at finway.co.uk> wrote:
>
> >Although the quick hack that I
> > posted does seem to work for me I am not sure exactly how it is
> > achieved. I do not see the group/owner on the endpoints for the usb
> > device change. If you have any pointers to further reading on the
> > interactions between hal and policykit they would be gratefully
> > received.
>
> Aren't they done via acl manipulations?
>
> Do you see changes in the getfacl output?
Ah, I didn't know about this command. Yes, it does show that the ACLs
have changed. Also, when using ls -la you get this:

  crw-rw-r--+ 1 root root 189, 4 2009-01-22 14:28 005

I have not seen the plus sign being used before.
>
> >
> > There is probably a better way to do this. Further reading today
> > indicated that this should have been placed in /etc/hal directory
> > structure. I do have an rpm for openocd and it would be nice to have it
> > install the correct permissions in the right place.
>
> The question remains. If a new documentation effort were to be made
> what form of documentation would be the first priority to work on?
>
> -jef
>
I guess what I was looking for was something which would give the steps
of how to integrate a totally unknown device into the hal/policykit
structure so that it could be used by a user other than root.
For example:
1. Add a policy file to the /usr/share/PolicyKit/policy directory
containing

  <action id="org.freedesktop.hal.device-access.usb-jtag">
    <description>Directly access to usb jtag devices</description>
    <message>System policy prevents access to usb jtag devices</message>
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

This then shows up in the authorizations gui so that users can be added
to the acl.
2. Hal requires some metadata about this device, so add a .fdi file in
the /usr/share/hal/fdi/information/20thirdparty directory containing

  <?xml version="1.0" encoding="ISO-8859-1"?>
  <deviceinfo version="0.2">
    <device>
      <match key="usb_device.vendor_id" int="0x15ba">
        <append key="info.capabilities" type="strlist">olimex-device</append>
        <append key="info.capabilities" type="strlist">usb-jtag</append>
        <append key="info.capabilities" type="strlist">access_control</append>
        <merge key="access_control.file" type="copy_property">linux.device_file</merge>
        <merge key="access_control.type" type="string">usb-jtag</merge>
      </match>
    </device>
  </deviceinfo>

3. Add a .fdi file for hal policy to
the /usr/share/hal/fdi/policy/20thirdparty directory containing

  <match key="info.capabilities" contains="usbraw">
    <match key="info.capabilities" sibling_contains="usb-jtag">
      <append key="info.capabilities" type="strlist">access_control</append>
      <merge key="access_control.file" type="copy_property">usbraw.device</merge>
      <merge key="access_control.type" type="string">usb-jtag</merge>
    </match>
  </match>
  <!-- support for Linux USB stack where linux.device_file is set
       (e.g. device node is on the main usb device) -->
  <match key="info.subsystem" string="usb">
    <match key="@info.parent:linux.device_file" exists="true">
      <match key="info.capabilities" contains="usb-jtag">
        <append key="info.capabilities" type="strlist">access_control</append>
        <merge key="access_control.type" type="string">usb-jtag</merge>
        <merge key="access_control.file" type="copy_property">@info.parent:linux.device_file</merge>
      </match>
    </match>
  </match>

4. Run the authorizations gui and grant the user the right to access the
device.
Oh look, I've done it now - it's simple when you have done it once. Would
you like me to write it up with more detail? Someone will need to look
over it because I am not sure that everything I have done is correct.
Comments and suggestions welcome.
Kevin
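
Added example, not part of Kevin's message and not code from HAL or PolicyKit: a small Python check that reads a .fdi rule like the one in step 2 and reports which match keys lead to an access_control.type merge, flagging rules keyed on usb_device.vendor_id alone, since such a rule applies to every USB device from that vendor. The vendor_only flag is this example's own heuristic, the step 2 rule is abridged, and the product id 0x0000 in the narrower variant is a constructed placeholder.

```python
import xml.etree.ElementTree as ET

# Step 2's rule from the message above, abridged (XML declaration and the
# olimex-device capability omitted).
PAGE_FDI = """<deviceinfo version="0.2"><device>
  <match key="usb_device.vendor_id" int="0x15ba">
    <append key="info.capabilities" type="strlist">usb-jtag</append>
    <append key="info.capabilities" type="strlist">access_control</append>
    <merge key="access_control.file" type="copy_property">linux.device_file</merge>
    <merge key="access_control.type" type="string">usb-jtag</merge>
  </match>
</device></deviceinfo>"""

# Constructed variant: the same rule nested inside a product_id match.
# 0x0000 is a placeholder, not a real product id.
NARROW_FDI = PAGE_FDI.replace(
    'int="0x15ba">',
    'int="0x15ba"><match key="usb_device.product_id" int="0x0000">',
).replace("</match>", "</match></match>")


def audit_fdi(xml_text):
    """Return one finding per <match> chain that sets access_control.type."""
    findings = []

    def walk(node, keys):
        for child in node:
            if child.tag == "match":
                # Nested matches are ANDed, so carry the chain of keys down.
                walk(child, keys + [child.get("key")])
            elif child.tag == "merge" and child.get("key") == "access_control.type":
                findings.append({
                    "type": (child.text or "").strip(),
                    "matched_on": keys,
                    # Heuristic of this example: a vendor id with no product id
                    # covers every device that vendor ships.
                    "vendor_only": "usb_device.vendor_id" in keys
                    and "usb_device.product_id" not in keys,
                })
            else:
                walk(child, keys)

    walk(ET.fromstring(xml_text), [])
    return findings


if __name__ == "__main__":
    for name, text in (("step 2 rule", PAGE_FDI), ("narrowed rule", NARROW_FDI)):
        for f in audit_fdi(text):
            print(name, f["type"], f["matched_on"], "vendor-only" if f["vendor_only"] else "ok")
```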