
  1. <?xml version="1.0" encoding="UTF-8"?>
  2.  
  3. <deviceinfo version="0.2">
  4.   <device>
  5.  
  6.     <!-- NOTE: if you add a new access.type value, remember to update policy/org.freedesktop.hal.device-access.policy -->
  7.  
  8.     <!-- classification of devices where access can be controlled goes here -->
  9.  
  10.     <!-- sound card (ALSA) -->
  11.     <match key="info.capabilities" contains="alsa">
  12.       <match key="alsa.device_file" exists="true">
  13.         <addset key="info.capabilities" type="strlist">access_control</addset>
  14.         <merge key="access_control.file" type="copy_property">alsa.device_file</merge>
  15.         <merge key="access_control.type" type="string">sound</merge>
  16.       </match>
  17.     </match>
  18.  
  19.     <!-- sound card (OSS) -->
  20.     <match key="info.capabilities" contains="oss">
  21.       <match key="oss.device_file" exists="true">
  22.         <addset key="info.capabilities" type="strlist">access_control</addset>
  23.         <merge key="access_control.file" type="copy_property">oss.device_file</merge>
  24.         <merge key="access_control.type" type="string">sound</merge>
  25.       </match>
  26.     </match>
  27.  
  28.     <!-- video4linux devices -->
  29.     <match key="info.capabilities" contains="video4linux">
  30.       <match key="video4linux.device" exists="true">
  31.         <addset key="info.capabilities" type="strlist">access_control</addset>
  32.         <merge key="access_control.file" type="copy_property">video4linux.device</merge>
  33.         <merge key="access_control.type" type="string">video4linux</merge>
  34.       </match>
  35.     </match>
  36.  
  37.  
  38.     <!-- scsi generic devices -->
  39.     <match key="info.capabilities" contains="scsi_generic">
  40.       <match key="scsi_generic.device" exists="true">
  41.         <match key="info.capabilities" contains="scanner">
  42.         <addset key="info.capabilities" type="strlist">access_control</addset>
  43.       <merge key="access_control.file" type="copy_property">scsi_generic.device</merge>
  44.       <merge key="access_control.type" type="string">scanner</merge>
  45.         </match>
  46.       </match>
  47.     </match>
  48.  
  49.     <!-- DVB cards -->
  50.     <match key="info.capabilities" contains="dvb">
  51.       <match key="dvb.device" exists="true">
  52.         <addset key="info.capabilities" type="strlist">access_control</addset>
  53.         <merge key="access_control.file" type="copy_property">dvb.device</merge>
  54.         <merge key="access_control.type" type="string">dvb</merge>
  55.       </match>
  56.     </match>
  57.  
  58.     <!-- support for Linux USB stack where device node is on a child of the main USB device -->
  59.     <match key="info.capabilities" contains="usbraw">
  60.       <match key="usbraw.device" exists="true">
  61.         <match key="info.capabilities" sibling_contains="camera">
  62.         <addset key="info.capabilities" type="strlist">access_control</addset>
  63.       <merge key="access_control.file" type="copy_property">usbraw.device</merge>
  64.           <merge key="access_control.type" type="string">camera</merge>
  65.         </match>
  66.         <match key="info.capabilities" sibling_contains="scanner">
  67.       <addset key="info.capabilities" type="strlist">access_control</addset>
  68.       <merge key="access_control.file" type="copy_property">usbraw.device</merge>
  69.       <merge key="access_control.type" type="string">scanner</merge>
  70.         </match>
  71.         <match key="info.capabilities" sibling_contains="biometic.fingerprint_reader">
  72.       <addset key="info.capabilities" type="strlist">access_control</addset>
  73.       <merge key="access_control.file" type="copy_property">usbraw.device</merge>
  74.       <merge key="access_control.type" type="string">fingerprint-reader</merge>
  75.         </match>
  76.       </match>
  77.     </match>
  78.  
  79.     <!-- support for Linux USB stack where linux.device_file is set (e.g. device node is on the main usb device) -->
  80.     <match key="info.subsystem" string="usb">
  81.       <match key="@info.parent:linux.device_file" exists="true">
  82.         <match key="info.capabilities" contains="camera">
  83.           <addset key="info.capabilities" type="strlist">access_control</addset>
  84.           <merge key="access_control.type" type="string">camera</merge>
  85.           <merge key="access_control.file" type="copy_property">@info.parent:linux.device_file</merge>
  86.         </match>
  87.         <match key="info.capabilities" contains="scanner">
  88.           <addset key="info.capabilities" type="strlist">access_control</addset>
  89.           <merge key="access_control.type" type="string">scanner</merge>
  90.           <merge key="access_control.file" type="copy_property">@info.parent:linux.device_file</merge>
  91.         </match>
  92.         <match key="info.capabilities" contains="portable_audio_player">
  93.           <addset key="info.capabilities" type="strlist">access_control</addset>
  94.           <merge key="access_control.type" type="string">audio-player</merge>
  95.           <merge key="access_control.file" type="copy_property">@info.parent:linux.device_file</merge>
  96.         </match>
  97.         <match key="info.capabilities" contains="obex">
  98.           <addset key="info.capabilities" type="strlist">access_control</addset>
  99.           <merge key="access_control.type" type="string">obex</merge>
  100.           <merge key="access_control.file" type="copy_property">@info.parent:linux.device_file</merge>
  101.         </match>
  102.         <match key="info.capabilities" contains="biometric.fingerprint_reader">
  103.           <addset key="info.capabilities" type="strlist">access_control</addset>
  104.           <merge key="access_control.type" type="string">fingerprint-reader</merge>
  105.           <merge key="access_control.file" type="copy_property">@info.parent:linux.device_file</merge>
  106.         </match>
  107.       </match>
  108.     </match>
  109.  
  110.     <!-- Firewire devices are mostly driven by userspace libraries -->
  111.     <match key="info.capabilities" contains="ieee1394_unit.iidc">
  112.       <match key="@ieee1394_unit.originating_device:ieee1394.device" exists="true">
  113.         <addset key="info.capabilities" type="strlist">access_control</addset>
  114.         <merge key="access_control.file" type="copy_property">@ieee1394_unit.originating_device:ieee1394.device</merge>
  115.         <merge key="access_control.type" type="string">ieee1394-iidc</merge>
  116.       </match>
  117.     </match>
  118.     <match key="info.capabilities" contains="ieee1394_unit.avc">
  119.       <match key="@ieee1394_unit.originating_device:ieee1394.device" exists="true">
  120.         <addset key="info.capabilities" type="strlist">access_control</addset>
  121.         <merge key="access_control.file" type="copy_property">@ieee1394_unit.originating_device:ieee1394.device</merge>
  122.         <merge key="access_control.type" type="string">ieee1394-avc</merge>
  123.       </match>
  124.     </match>
  125.  
  126.     <!-- serial devices are assumed to be modems by default (no access) -->
  127.     <match key="info.category" string="serial">
  128.       <match key="serial.device" exists="true">
  129.     <addset key="info.capabilities" type="strlist">access_control</addset>
  130.     <merge key="access_control.file" type="copy_property">serial.device</merge>
  131.     <merge key="access_control.type" type="string">modem</merge>
  132.       </match>
  133.     </match>
  134.  
  135.     <!-- serial devices are assumed to be modems by default (no access) -->
  136.     <match key="info.category" string="ppdev">
  137.       <match key="linux.device_file" exists="true">
  138.     <addset key="info.capabilities" type="strlist">access_control</addset>
  139.     <merge key="access_control.file" type="copy_property">linux.device_file</merge>
  140.     <merge key="access_control.type" type="string">ppdev</merge>
  141.       </match>
  142.     </match>
  143.  
  144.     <!-- after serial to be able to override restrictive default -->
  145.     <match key="info.capabilities" contains="pda">
  146.       <!-- PalmOS PDAs -->
  147.       <addset key="info.capabilities" type="strlist">access_control</addset>
  148.       <merge key="access_control.type" type="string">pda</merge>
  149.       <match key="pda.platform" string="palm">
  150.         <merge key="access_control.file" type="copy_property">pda.palm.hotsync_interface</merge>
  151.       </match>
  152.       <!-- PocketPC PDAs -->
  153.       <match key="pda.platform" string="pocketpc">
  154.         <merge key="access_control.file" type="copy_property">pda.pocketpc.hotsync_interface</merge>
  155.       </match>
  156.     </match>
  157.  
  158.     <!-- linux input devices (needed e.g. for games) -->
  159.     <match key="linux.subsystem" string="input">
  160.       <match key="input.device" exists="true">
  161.         <!-- joysticks -->
  162.         <match key="info.capabilities" contains="input.joystick">
  163.       <addset key="info.capabilities" type="strlist">access_control</addset>
  164.       <merge key="access_control.file" type="copy_property">input.device</merge>
  165.       <merge key="access_control.type" type="string">joystick</merge>
  166.         </match>
  167.         <!-- mice -->
  168.         <match key="info.capabilities" contains="input.mouse">
  169.       <addset key="info.capabilities" type="strlist">access_control</addset>
  170.        <merge key="access_control.file" type="copy_property">input.device</merge>
  171.       <merge key="access_control.type" type="string">mouse</merge>
  172.         </match>
  173.       </match>
  174.     </match>
  175.  
  176.     <!-- graphics cards, e.g. for 3d accelleration -->
  177.     <match key="info.capabilities" contains="drm">
  178.       <match key="linux.device_file" exists="true">
  179.         <addset key="info.capabilities" type="strlist">access_control</addset>
  180.         <merge key="access_control.file" type="copy_property">linux.device_file</merge>
  181.         <merge key="access_control.type" type="string">video</merge>
  182.       </match>
  183.     </match>
  184.  
  185.     <!-- printer devices -->
  186.     <match key="info.capabilities" contains="printer">
  187.       <match key="printer.device" exists="true">
  188.         <addset key="info.capabilities" type="strlist">access_control</addset>
  189.         <merge key="access_control.file" type="copy_property">printer.device</merge>
  190.         <merge key="access_control.type" type="string">printer</merge>
  191.       </match>
  192.     </match>
  193.  
  194.  
  195.     <!-- keep all storage/block devices in this section together to prevent trouble -->
  196.     <!-- optical drives -->
  197.     <match key="info.capabilities" contains="storage.cdrom">
  198.       <match key="block.device" exists="true">
  199.         <addset key="info.capabilities" type="strlist">access_control</addset>
  200.         <merge key="access_control.file" type="copy_property">block.device</merge>
  201.         <merge key="access_control.type" type="string">cdrom</merge>
  202.       </match>
  203.     </match>
  204.     <!-- plain old floppy -->
  205.     <match key="storage.drive_type" string="floppy">
  206.       <match key="block.device" exists="true">
  207.         <match key="storage.no_partitions_hint" bool="true">
  208.       <match key="access_control.type" exists="false">
  209.         <addset key="info.capabilities" type="strlist">access_control</addset>
  210.         <merge key="access_control.file" type="copy_property">block.device</merge>
  211.         <merge key="access_control.type" type="string">floppy</merge>
  212.       </match>
  213.     </match>
  214.       </match>
  215.     </match>
  216.     <!-- scsi generic block device -->
  217.     <match key="info.capabilities" contains="scsi_generic">
  218.       <match key="scsi_generic.device" exists="true">
  219.         <match key="@info.parent:scsi.type" string="cdrom">
  220.       <addset key="info.capabilities" type="strlist">access_control</addset>
  221.       <merge key="access_control.file" type="copy_property">scsi_generic.device</merge>
  222.       <merge key="access_control.type" type="string">cdrom</merge>
  223.         </match>
  224.         <!-- usb floppy bnc#336327 -->
  225.         <match key="@info.parent:@info.parent:@info.parent:usb.interface.class" int="8">
  226.        <match key="@info.parent:@info.parent:@info.parent:usb.interface.subclass" int="4">
  227.         <addset key="info.capabilities" type="strlist">access_control</addset>
  228.         <merge key="access_control.file" type="copy_property">scsi_generic.device</merge>
  229.         <merge key="access_control.type" type="string">floppy</merge>
  230.       </match>
  231.         </match>
  232.       </match>
  233.     </match>
  234.  
  235.     <!-- Removable block devices -->
  236.     <match key="info.capabilities" contains="block">
  237.       <!-- Don't set removable-block policy to devices which have already another policy 
  238.            as e.g. floppy devices !!! -->
  239.       <match key="access_control.type" exists="false">
  240.         <match key="block.device" exists="true">
  241.           <match key="@block.storage_device:storage.removable" bool="true">
  242.             <!-- do not set acls on unpartitioned volumes, parent gets them -->
  243.             <match key="block.is_volume" bool="true"> 
  244.               <match key="volume.is_partition" bool="true"> 
  245.                 <addset key="info.capabilities" type="strlist">access_control</addset>
  246.                 <merge key="access_control.file" type="copy_property">block.device</merge>
  247.                 <merge key="access_control.type" type="string">removable-block</merge>
  248.               </match>
  249.             </match>
  250.             <match key="block.is_volume" bool="false"> 
  251.               <addset key="info.capabilities" type="strlist">access_control</addset>
  252.               <merge key="access_control.file" type="copy_property">block.device</merge>
  253.               <merge key="access_control.type" type="string">removable-block</merge>
  254.             </match>
  255.           </match>
  256.         </match>
  257.       </match>
  258.     </match>
  259.  
  260.     <!-- enforcement of policy goes here -->
  261.  
  262.     <!-- add / remove ACL's when devices are added and removed -->
  263.     <match key="info.capabilities" contains="access_control">
  264.       <addset key="info.callouts.add" type="strlist">hal-acl-tool --add-device</addset>
  265.       <addset key="info.callouts.remove" type="strlist">hal-acl-tool --remove-device</addset>
  266.     </match>
  267.  
  268.     <match key="info.udi" string="/org/freedesktop/Hal/devices/computer">
  269.  
  270.       <!-- remove all previously added ACL's on start-up -->
  271.       <addset key="info.callouts.add" type="strlist">hal-acl-tool --remove-all</addset>
  272.  
  273.       <!-- reconfigure all ACL's sessions are added and removed -->
  274.       <addset key="info.callouts.session_add" type="strlist">hal-acl-tool --reconfigure</addset>
  275.       <addset key="info.callouts.session_remove" type="strlist">hal-acl-tool --reconfigure</addset>
  276.  
  277.       <!-- reconfigure all ACL's when a session becomes active -->
  278.       <addset key="info.callouts.session_active" type="strlist">hal-acl-tool --reconfigure</addset>
  279.  
  280.       <!-- reconfigure all ACL's when a session becomes inactive -->
  281.       <addset key="info.callouts.session_inactive" type="strlist">hal-acl-tool --reconfigure</addset>
  282.  
  283.     </match>
  284.  
  285.   </device>
  286. </deviceinfo>
  287.