[Dev] Input device files group

Lukasz Pawelczyk l.pawelczyk at samsung.com
Tue Oct 28 16:23:05 GMT 2014


On wto, 2014-10-28 at 14:51 +0100, Stéphane Desneux wrote:

> Also, I'm not sure that the rules for defining the permissions on such
> devices should be global. 

Because:

1. The security policy is global and it's not to applications to define
that. You have 2 packages that write potentially conflicting entries to
the same file now (udev input rules). You might as well introduce a
third that does something completely different.

Not to mention that this is so wrong on the RPM/filesystem consistency
level. The files should be provided by RPM and installed together with
the package, not created by post scripts. That's why there are config.d
directories in the first place. Now you can't even see who added this
entry and why. Every script can do as he wishes. A malicious app could
add another entry to the file and rpm --verify wouldn't catch that.

2. Because you might have packages on much lower level then X/wayland. I
already gave examples. And those could be used on headless installations
and want to rely on such permissions (which wouldn't exist without
X/wayland installed).

Security containers is a live example.

> And currently, you'll notice that every
> profile is free to define the permissions as needed (because
> weston-common or x11-common are packages specific to Tizen:Common, not
> supposed to be inherited directly in a Tizen profile.
> 
> Why not specifying the input rules where the 'input' group is defined ?

It only means that the input group is defined in the wrong place.


-- 
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics





More information about the Dev mailing list