mirror of
https://github.com/archr-linux/Arch-R.git
synced 2026-07-12 18:19:42 -07:00
Sync sysutils fixes from ROCKNIX
systemd: re-enable timedated (was -Dtimedated=false). Drop the post-install safe_remove that nuked /usr/bin/timedatectl so users can finally run timedatectl set-timezone from the shell. Two upstream-equivalent patches accompany the build: 0600 redirects the timedated write target to /var/run/localtime (writable on our read-only rootfs), 0601 makes the timezone reader follow indirect symlinks (matches the /etc -> /storage layout). udevil: pull the cleaned udevil.conf (UFS gate moved from allowed_devices to forbidden_devices, /dev/sd* whitelisted as removable). The udev rule now bails on anything that is not usb-storage. Internal mmc devices were never matched by the prior KERNEL=="sd*|sr*" filter anyway, but this makes the intent explicit and stops misclassified eSATA-like devices. input_sense: grep -line-buffered before the parse loop so only EV_KEY / EV_SW / error-reading lines reach the case statement. evtest output is mostly EV_ABS noise we threw away anyway; this cuts the CPU spent on the dispatch hot path on every controller. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -66,7 +66,7 @@ PKG_MESON_OPTS_TARGET="--libdir=/usr/lib \
|
||||
-Dnologin-path=/usr/sbin/nologin \
|
||||
-Dhomed=disabled \
|
||||
-Dnetworkd=false \
|
||||
-Dtimedated=false \
|
||||
-Dtimedated=true \
|
||||
-Dtimesyncd=true \
|
||||
-Dfirstboot=false \
|
||||
-Drandomseed=false \
|
||||
@@ -163,9 +163,6 @@ post_makeinstall_target() {
|
||||
safe_remove ${INSTALL}/usr/bin/systemd-nspawn
|
||||
safe_remove ${INSTALL}/usr/lib/systemd/system/systemd-nspawn@.service
|
||||
|
||||
# remove timedatectl
|
||||
safe_remove ${INSTALL}/usr/bin/timedatectl
|
||||
|
||||
# remove unneeded generators
|
||||
for gen in ${INSTALL}/usr/lib/systemd/system-generators/*; do
|
||||
case "${gen}" in
|
||||
|
||||
+58
@@ -0,0 +1,58 @@
|
||||
--- a/src/timedate/timedated.c
|
||||
+++ b/src/timedate/timedated.c
|
||||
@@ -290,34 +290,47 @@
|
||||
static int context_write_data_timezone(Context *c) {
|
||||
_cleanup_free_ char *p = NULL;
|
||||
const char *source;
|
||||
+ int r;
|
||||
|
||||
assert(c);
|
||||
|
||||
- /* No timezone is very similar to UTC. Hence in either of these cases link the UTC file in. Except if
|
||||
- * it isn't installed, in which case we remove the symlink altogether. Since glibc defaults to an
|
||||
- * internal version of UTC in that case behaviour is mostly equivalent. We still prefer creating the
|
||||
- * symlink though, since things are more self explanatory then. */
|
||||
|
||||
if (isempty(c->zone) || streq(c->zone, "UTC")) {
|
||||
|
||||
if (access("/usr/share/zoneinfo/UTC", F_OK) < 0) {
|
||||
|
||||
- if (unlink("/etc/localtime") < 0 && errno != ENOENT)
|
||||
+ if (unlink("/var/run/localtime") < 0 && errno != ENOENT)
|
||||
return -errno;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
- source = "../usr/share/zoneinfo/UTC";
|
||||
+ source = "/usr/share/zoneinfo/UTC";
|
||||
} else {
|
||||
- p = path_join("../usr/share/zoneinfo", c->zone);
|
||||
+ p = path_join("/usr/share/zoneinfo", c->zone);
|
||||
if (!p)
|
||||
return -ENOMEM;
|
||||
|
||||
source = p;
|
||||
}
|
||||
|
||||
- return symlink_atomic(source, "/etc/localtime");
|
||||
+ r = symlink_atomic(source, "/var/run/localtime");
|
||||
+ if (r < 0)
|
||||
+ return r;
|
||||
+
|
||||
+ /* Persist timezone across reboots via /storage/.cache/timezone */
|
||||
+ if (!isempty(c->zone)) {
|
||||
+ _cleanup_free_ char *tz_line = NULL;
|
||||
+
|
||||
+ tz_line = strjoin("TIMEZONE=", c->zone, "\n");
|
||||
+ if (tz_line)
|
||||
+ (void) write_string_file("/storage/.cache/timezone", tz_line,
|
||||
+ WRITE_STRING_FILE_CREATE |
|
||||
+ WRITE_STRING_FILE_ATOMIC |
|
||||
+ WRITE_STRING_FILE_TRUNCATE);
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
static int context_write_data_local_rtc(Context *c) {
|
||||
+23
@@ -0,0 +1,23 @@
|
||||
--- a/src/basic/time-util.c
|
||||
+++ b/src/basic/time-util.c
|
||||
@@ -1626,8 +1626,18 @@ int get_timezone(char **ret) {
|
||||
return r; /* returns EINVAL if not a symlink */
|
||||
|
||||
e = PATH_STARTSWITH_SET(t, "/usr/share/zoneinfo/", "../usr/share/zoneinfo/");
|
||||
- if (!e)
|
||||
- return -EINVAL;
|
||||
+ if (!e) {
|
||||
+ char resolved[PATH_MAX + 1];
|
||||
+ if (realpath("/etc/localtime", resolved)) {
|
||||
+ free(t);
|
||||
+ t = strdup(resolved);
|
||||
+ if (!t)
|
||||
+ return -ENOMEM;
|
||||
+ e = PATH_STARTSWITH_SET(t, "/usr/share/zoneinfo/", "../usr/share/zoneinfo/");
|
||||
+ }
|
||||
+ if (!e)
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
|
||||
if (!timezone_is_valid(e, LOG_DEBUG))
|
||||
return -EINVAL;
|
||||
@@ -4,7 +4,7 @@
|
||||
#
|
||||
# This file controls what devices, networks, and files users may mount and
|
||||
# unmount via udevil (set suid).
|
||||
#
|
||||
#
|
||||
# IMPORTANT: IT IS POSSIBLE TO CREATE SERIOUS SECURITY PROBLEMS IF THIS FILE
|
||||
# IS MISCONFIGURED - EDIT WITH CARE
|
||||
#
|
||||
@@ -42,7 +42,7 @@ log_keep_days = 10
|
||||
# Setting allowed_types = * does NOT allow all types, as this is a security
|
||||
# risk, but does allow all recognized types.
|
||||
# allowed_types = $KNOWN_FILESYSTEMS, file, cifs, smbfs, nfs, curlftpfs, ftpfs, sshfs, davfs, tmpfs, ramfs
|
||||
allowed_types = $KNOWN_FILESYSTEMS, hfsplus, hfs
|
||||
allowed_types = $KNOWN_FILESYSTEMS, hfsplus, hfs, btrfs
|
||||
|
||||
|
||||
# allowed_users is a list of users permitted to mount and unmount with udevil.
|
||||
@@ -108,7 +108,7 @@ allowed_media_dirs = /media, /var/media, /run/media/$USER
|
||||
# or unmount. If a device is not listed in allowed_devices, it cannot be
|
||||
# un/mounted (unless in fstab). However, even if a device is listed, other
|
||||
# factors may prevent its use. For example, access to system internal devices
|
||||
# will be denied to normal users even if they are included in allowed_devices.
|
||||
# will be denied to normal users even if they are included in allowed_devices.
|
||||
# allowed_devices_FSTYPE, if present, is used to override allowed_devices when
|
||||
# mounting or unmounting a specific fstype (eg ext3, ntfs). For example, to
|
||||
# prevent all block devices containing an ext4 filesystem from being
|
||||
@@ -133,7 +133,7 @@ allowed_devices = /dev/*
|
||||
# Some removable esata drives look like internal drives to udevil. To avoid
|
||||
# this problem, they can be treated as removable with this setting.
|
||||
# WARNING: SETTING A SYSTEM DEVICE HERE CAN CAUSE SERIOUS SECURITY PROBLEMS.
|
||||
# allowed_internal_devices =
|
||||
allowed_internal_devices = /dev/sd*
|
||||
|
||||
|
||||
# allowed_internal_uuids and allowed_internal_uuids_FSTYPE work similarly to
|
||||
@@ -141,7 +141,7 @@ allowed_devices = /dev/*
|
||||
# For example, to allow un/mounting of an internal filesystem based on UUID:
|
||||
# allowed_internal_uuids = cc0c4489-8def-1e5b-a304-ab87c3cb626c0
|
||||
# WARNING: SETTING A SYSTEM DEVICE HERE CAN CAUSE SERIOUS SECURITY PROBLEMS.
|
||||
# allowed_internal_uuids =
|
||||
# allowed_internal_uuids =
|
||||
|
||||
|
||||
# forbidden_devices is used to prevent block devices from being un/mounted
|
||||
@@ -153,13 +153,13 @@ allowed_devices = /dev/*
|
||||
# forbidden_devices_ntfs = /dev/sdd1
|
||||
# NOTE: device node paths are canonicalized before being tested, so forbidding
|
||||
# a link to a device will have no effect.
|
||||
forbidden_devices =
|
||||
forbidden_devices = /dev/disk/by-path/*ufshc*
|
||||
|
||||
|
||||
# allowed_networks determines what hosts may be un/mounted by udevil users when
|
||||
# using nfs, cifs, smbfs, curlftpfs, ftpfs, or sshfs. Hosts may be specified
|
||||
# using a hostname (eg myserver.com) or IP address (192.168.1.100).
|
||||
# Wildcards may be used in hostnames and IP addresses, but CIDR notation
|
||||
# Wildcards may be used in hostnames and IP addresses, but CIDR notation
|
||||
# (192.168.1.0/16) is NOT supported. IP v6 is supported. For example:
|
||||
# allowed_networks = 127.0.0.1, 192.168.1.*, 10.0.0.*, localmachine, *.okay.com
|
||||
# Or, to prevent un/mounting of any network shares, set:
|
||||
@@ -178,7 +178,7 @@ allowed_networks = *
|
||||
# NO REVERSE LOOKUP IS PERFORMED, so including bad.com will only have an effect
|
||||
# if the user uses that hostname. IP lookup is always performed, so forbidding
|
||||
# an IP address will also forbid all corresponding hostnames.
|
||||
forbidden_networks =
|
||||
forbidden_networks =
|
||||
|
||||
|
||||
# allowed_files is used to determine what files in what directories may be
|
||||
@@ -198,7 +198,7 @@ allowed_files = *
|
||||
# for "forbidden_files = *".
|
||||
# NOTE: file paths are canonicalized before being tested, so forbidding
|
||||
# a link to a file will have no effect.
|
||||
forbidden_files =
|
||||
forbidden_files =
|
||||
|
||||
|
||||
# default_options specifies what options are always included when performing
|
||||
@@ -230,7 +230,7 @@ default_options_ftpfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
|
||||
default_options_davfs = nosuid, noexec, nodev, uid=$UID, gid=$GID
|
||||
default_options_tmpfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
|
||||
default_options_ramfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
|
||||
|
||||
default_options_btrfs = compress=zstd:3
|
||||
|
||||
# allowed_options determines all options that a user may specify when mounting.
|
||||
# All the options used in default_options above must be included here too, or
|
||||
@@ -299,7 +299,7 @@ allowed_options_exfat = nosuid, noexec, nodev, noatime, ro, rw, uid=$UID, gi
|
||||
|
||||
# validate_rootexec works similarly to validate_exec, except that the program
|
||||
# is run as root. validate_rootexec will also be run if the root user runs
|
||||
# udevil. If both validate_exec and validate_rootexec are specified,
|
||||
# udevil. If both validate_exec and validate_rootexec are specified,
|
||||
# validate_rootexec will run first, followed by validate_exec.
|
||||
# The program must return an exit status of 0 to allow the mount or unmount
|
||||
# to proceed. If it returns non-zero, the user will be denied permission.
|
||||
@@ -309,7 +309,7 @@ allowed_options_exfat = nosuid, noexec, nodev, noatime, ro, rw, uid=$UID, gi
|
||||
# validate_rootexec =
|
||||
|
||||
|
||||
# success_exec is run after a successful mount, remount, or unmount. The
|
||||
# success_exec is run after a successful mount, remount, or unmount. The
|
||||
# program is run as a normal user (if root runs udevil, success_exec
|
||||
# will NOT be run).
|
||||
# The program is passed the username, a printable description of what action
|
||||
@@ -329,4 +329,3 @@ allowed_options_exfat = nosuid, noexec, nodev, noatime, ro, rw, uid=$UID, gi
|
||||
# rootexec settings NOT be used, as it is easy to inadvertently open exploits.
|
||||
# THIS PROGRAM IS ALWAYS RUN AS ROOT, even if the user running udevil is not.
|
||||
# success_rootexec =
|
||||
|
||||
|
||||
@@ -2,15 +2,18 @@
|
||||
IMPORT{cmdline}="installer"
|
||||
ENV{installer}=="1", GOTO="exit"
|
||||
|
||||
# check for blockdevices, /dev/sd*, /dev/sr*, /dev/mmc*, and /dev/nvme*
|
||||
SUBSYSTEM!="block", KERNEL!="sd*|sr*|mmc*|nvme*", GOTO="exit"
|
||||
# check for blockdevices, /dev/sd*, /dev/sr*
|
||||
SUBSYSTEM!="block", KERNEL!="sd*|sr*", GOTO="exit"
|
||||
|
||||
# only allow USB-attached devices
|
||||
ENV{ID_USB_DRIVER}!="usb-storage", GOTO="exit"
|
||||
|
||||
# check for special partitions we dont want mount
|
||||
IMPORT{builtin}="blkid"
|
||||
ENV{ID_FS_LABEL}=="EFI|BOOT|Recovery|RECOVERY|SETTINGS|boot|root0|share0", GOTO="exit"
|
||||
|
||||
# /dev/sd*, /dev/mmc*, and /dev/nvme* with partitions/disk and filesystems only, and /dev/sr* disks only
|
||||
KERNEL=="sd*|mmc*|nvme*", ENV{DEVTYPE}=="partition|disk", ENV{ID_FS_USAGE}=="filesystem", GOTO="harddisk"
|
||||
# /dev/sd* with partitions/disk and filesystems only and /dev/sr* disks only
|
||||
KERNEL=="sd*", ENV{DEVTYPE}=="partition|disk", ENV{ID_FS_USAGE}=="filesystem", GOTO="harddisk"
|
||||
KERNEL=="sr*", ENV{DEVTYPE}=="disk", GOTO="optical"
|
||||
GOTO="exit"
|
||||
|
||||
@@ -27,4 +30,3 @@ GOTO="exit"
|
||||
|
||||
# Exit
|
||||
LABEL="exit"
|
||||
|
||||
|
||||
@@ -319,7 +319,7 @@ set +e
|
||||
done
|
||||
|
||||
wait # Wait for all background loops (they never end unless forcibly stopped)
|
||||
) | while read line; do
|
||||
) | grep --line-buffered "EV_KEY\|EV_SW\|error reading" | while read line; do
|
||||
|
||||
# Parse lines from any evtest instance:
|
||||
case ${line} in
|
||||
|
||||
@@ -66,7 +66,7 @@ PKG_MESON_OPTS_TARGET="--libdir=/usr/lib \
|
||||
-Duserdb=false \
|
||||
-Dhomed=false \
|
||||
-Dnetworkd=false \
|
||||
-Dtimedated=false \
|
||||
-Dtimedated=true \
|
||||
-Dtimesyncd=true \
|
||||
-Dfirstboot=false \
|
||||
-Drandomseed=false \
|
||||
@@ -168,9 +168,6 @@ post_makeinstall_target() {
|
||||
safe_remove ${INSTALL}/usr/bin/systemd-nspawn
|
||||
safe_remove ${INSTALL}/usr/lib/systemd/system/systemd-nspawn@.service
|
||||
|
||||
# remove timedatectl
|
||||
safe_remove ${INSTALL}/usr/bin/timedatectl
|
||||
|
||||
# remove unneeded generators
|
||||
for gen in ${INSTALL}/usr/lib/systemd/system-generators/*; do
|
||||
case "${gen}" in
|
||||
|
||||
+58
@@ -0,0 +1,58 @@
|
||||
--- a/src/timedate/timedated.c
|
||||
+++ b/src/timedate/timedated.c
|
||||
@@ -290,34 +290,47 @@
|
||||
static int context_write_data_timezone(Context *c) {
|
||||
_cleanup_free_ char *p = NULL;
|
||||
const char *source;
|
||||
+ int r;
|
||||
|
||||
assert(c);
|
||||
|
||||
- /* No timezone is very similar to UTC. Hence in either of these cases link the UTC file in. Except if
|
||||
- * it isn't installed, in which case we remove the symlink altogether. Since glibc defaults to an
|
||||
- * internal version of UTC in that case behaviour is mostly equivalent. We still prefer creating the
|
||||
- * symlink though, since things are more self explanatory then. */
|
||||
|
||||
if (isempty(c->zone) || streq(c->zone, "UTC")) {
|
||||
|
||||
if (access("/usr/share/zoneinfo/UTC", F_OK) < 0) {
|
||||
|
||||
- if (unlink("/etc/localtime") < 0 && errno != ENOENT)
|
||||
+ if (unlink("/var/run/localtime") < 0 && errno != ENOENT)
|
||||
return -errno;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
- source = "../usr/share/zoneinfo/UTC";
|
||||
+ source = "/usr/share/zoneinfo/UTC";
|
||||
} else {
|
||||
- p = path_join("../usr/share/zoneinfo", c->zone);
|
||||
+ p = path_join("/usr/share/zoneinfo", c->zone);
|
||||
if (!p)
|
||||
return -ENOMEM;
|
||||
|
||||
source = p;
|
||||
}
|
||||
|
||||
- return symlink_atomic(source, "/etc/localtime");
|
||||
+ r = symlink_atomic(source, "/var/run/localtime");
|
||||
+ if (r < 0)
|
||||
+ return r;
|
||||
+
|
||||
+ /* Persist timezone across reboots via /storage/.cache/timezone */
|
||||
+ if (!isempty(c->zone)) {
|
||||
+ _cleanup_free_ char *tz_line = NULL;
|
||||
+
|
||||
+ tz_line = strjoin("TIMEZONE=", c->zone, "\n");
|
||||
+ if (tz_line)
|
||||
+ (void) write_string_file("/storage/.cache/timezone", tz_line,
|
||||
+ WRITE_STRING_FILE_CREATE |
|
||||
+ WRITE_STRING_FILE_ATOMIC |
|
||||
+ WRITE_STRING_FILE_TRUNCATE);
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
static int context_write_data_local_rtc(Context *c) {
|
||||
+23
@@ -0,0 +1,23 @@
|
||||
--- a/src/basic/time-util.c
|
||||
+++ b/src/basic/time-util.c
|
||||
@@ -1626,8 +1626,18 @@ int get_timezone(char **ret) {
|
||||
return r; /* returns EINVAL if not a symlink */
|
||||
|
||||
e = PATH_STARTSWITH_SET(t, "/usr/share/zoneinfo/", "../usr/share/zoneinfo/");
|
||||
- if (!e)
|
||||
- return -EINVAL;
|
||||
+ if (!e) {
|
||||
+ char resolved[PATH_MAX + 1];
|
||||
+ if (realpath("/etc/localtime", resolved)) {
|
||||
+ free(t);
|
||||
+ t = strdup(resolved);
|
||||
+ if (!t)
|
||||
+ return -ENOMEM;
|
||||
+ e = PATH_STARTSWITH_SET(t, "/usr/share/zoneinfo/", "../usr/share/zoneinfo/");
|
||||
+ }
|
||||
+ if (!e)
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
|
||||
if (!timezone_is_valid(e, LOG_DEBUG))
|
||||
return -EINVAL;
|
||||
@@ -4,7 +4,7 @@
|
||||
#
|
||||
# This file controls what devices, networks, and files users may mount and
|
||||
# unmount via udevil (set suid).
|
||||
#
|
||||
#
|
||||
# IMPORTANT: IT IS POSSIBLE TO CREATE SERIOUS SECURITY PROBLEMS IF THIS FILE
|
||||
# IS MISCONFIGURED - EDIT WITH CARE
|
||||
#
|
||||
@@ -108,7 +108,7 @@ allowed_media_dirs = /media, /var/media, /run/media/$USER
|
||||
# or unmount. If a device is not listed in allowed_devices, it cannot be
|
||||
# un/mounted (unless in fstab). However, even if a device is listed, other
|
||||
# factors may prevent its use. For example, access to system internal devices
|
||||
# will be denied to normal users even if they are included in allowed_devices.
|
||||
# will be denied to normal users even if they are included in allowed_devices.
|
||||
# allowed_devices_FSTYPE, if present, is used to override allowed_devices when
|
||||
# mounting or unmounting a specific fstype (eg ext3, ntfs). For example, to
|
||||
# prevent all block devices containing an ext4 filesystem from being
|
||||
@@ -119,7 +119,7 @@ allowed_media_dirs = /media, /var/media, /run/media/$USER
|
||||
# allowed_devices = /dev/*
|
||||
# WARNING: ALLOWING USERS TO MOUNT DEVICES OUTSIDE OF /dev CAN CAUSE SERIOUS
|
||||
# SECURITY PROBLEMS. DO NOT ALLOW DEVICES IN /dev/shm
|
||||
allowed_devices = /dev/* !*ufshc-scsi*
|
||||
allowed_devices = /dev/*
|
||||
|
||||
|
||||
# allowed_internal_devices causes udevil to treat any listed block devices as
|
||||
@@ -133,7 +133,7 @@ allowed_devices = /dev/* !*ufshc-scsi*
|
||||
# Some removable esata drives look like internal drives to udevil. To avoid
|
||||
# this problem, they can be treated as removable with this setting.
|
||||
# WARNING: SETTING A SYSTEM DEVICE HERE CAN CAUSE SERIOUS SECURITY PROBLEMS.
|
||||
# allowed_internal_devices =
|
||||
allowed_internal_devices = /dev/sd*
|
||||
|
||||
|
||||
# allowed_internal_uuids and allowed_internal_uuids_FSTYPE work similarly to
|
||||
@@ -141,7 +141,7 @@ allowed_devices = /dev/* !*ufshc-scsi*
|
||||
# For example, to allow un/mounting of an internal filesystem based on UUID:
|
||||
# allowed_internal_uuids = cc0c4489-8def-1e5b-a304-ab87c3cb626c0
|
||||
# WARNING: SETTING A SYSTEM DEVICE HERE CAN CAUSE SERIOUS SECURITY PROBLEMS.
|
||||
# allowed_internal_uuids =
|
||||
# allowed_internal_uuids =
|
||||
|
||||
|
||||
# forbidden_devices is used to prevent block devices from being un/mounted
|
||||
@@ -153,13 +153,13 @@ allowed_devices = /dev/* !*ufshc-scsi*
|
||||
# forbidden_devices_ntfs = /dev/sdd1
|
||||
# NOTE: device node paths are canonicalized before being tested, so forbidding
|
||||
# a link to a device will have no effect.
|
||||
forbidden_devices =
|
||||
forbidden_devices = /dev/disk/by-path/*ufshc*
|
||||
|
||||
|
||||
# allowed_networks determines what hosts may be un/mounted by udevil users when
|
||||
# using nfs, cifs, smbfs, curlftpfs, ftpfs, or sshfs. Hosts may be specified
|
||||
# using a hostname (eg myserver.com) or IP address (192.168.1.100).
|
||||
# Wildcards may be used in hostnames and IP addresses, but CIDR notation
|
||||
# Wildcards may be used in hostnames and IP addresses, but CIDR notation
|
||||
# (192.168.1.0/16) is NOT supported. IP v6 is supported. For example:
|
||||
# allowed_networks = 127.0.0.1, 192.168.1.*, 10.0.0.*, localmachine, *.okay.com
|
||||
# Or, to prevent un/mounting of any network shares, set:
|
||||
@@ -178,7 +178,7 @@ allowed_networks = *
|
||||
# NO REVERSE LOOKUP IS PERFORMED, so including bad.com will only have an effect
|
||||
# if the user uses that hostname. IP lookup is always performed, so forbidding
|
||||
# an IP address will also forbid all corresponding hostnames.
|
||||
forbidden_networks =
|
||||
forbidden_networks =
|
||||
|
||||
|
||||
# allowed_files is used to determine what files in what directories may be
|
||||
@@ -198,7 +198,7 @@ allowed_files = *
|
||||
# for "forbidden_files = *".
|
||||
# NOTE: file paths are canonicalized before being tested, so forbidding
|
||||
# a link to a file will have no effect.
|
||||
forbidden_files =
|
||||
forbidden_files =
|
||||
|
||||
|
||||
# default_options specifies what options are always included when performing
|
||||
@@ -299,7 +299,7 @@ allowed_options_exfat = nosuid, noexec, nodev, noatime, ro, rw, uid=$UID, gi
|
||||
|
||||
# validate_rootexec works similarly to validate_exec, except that the program
|
||||
# is run as root. validate_rootexec will also be run if the root user runs
|
||||
# udevil. If both validate_exec and validate_rootexec are specified,
|
||||
# udevil. If both validate_exec and validate_rootexec are specified,
|
||||
# validate_rootexec will run first, followed by validate_exec.
|
||||
# The program must return an exit status of 0 to allow the mount or unmount
|
||||
# to proceed. If it returns non-zero, the user will be denied permission.
|
||||
@@ -309,7 +309,7 @@ allowed_options_exfat = nosuid, noexec, nodev, noatime, ro, rw, uid=$UID, gi
|
||||
# validate_rootexec =
|
||||
|
||||
|
||||
# success_exec is run after a successful mount, remount, or unmount. The
|
||||
# success_exec is run after a successful mount, remount, or unmount. The
|
||||
# program is run as a normal user (if root runs udevil, success_exec
|
||||
# will NOT be run).
|
||||
# The program is passed the username, a printable description of what action
|
||||
@@ -329,4 +329,3 @@ allowed_options_exfat = nosuid, noexec, nodev, noatime, ro, rw, uid=$UID, gi
|
||||
# rootexec settings NOT be used, as it is easy to inadvertently open exploits.
|
||||
# THIS PROGRAM IS ALWAYS RUN AS ROOT, even if the user running udevil is not.
|
||||
# success_rootexec =
|
||||
|
||||
|
||||
@@ -5,6 +5,9 @@ ENV{installer}=="1", GOTO="exit"
|
||||
# check for blockdevices, /dev/sd*, /dev/sr*
|
||||
SUBSYSTEM!="block", KERNEL!="sd*|sr*", GOTO="exit"
|
||||
|
||||
# only allow USB-attached devices
|
||||
ENV{ID_USB_DRIVER}!="usb-storage", GOTO="exit"
|
||||
|
||||
# check for special partitions we dont want mount
|
||||
IMPORT{builtin}="blkid"
|
||||
ENV{ID_FS_LABEL}=="EFI|BOOT|Recovery|RECOVERY|SETTINGS|boot|root0|share0", GOTO="exit"
|
||||
|
||||
Reference in New Issue
Block a user