Re: [RFC v1] USB: core: add USBDEVFS_REVOKE ioctl

On Mon, Apr 25, 2022 at 6:21 PM Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Mon, Apr 25, 2022 at 05:17:28PM +0200, Bastien Nocera wrote:
> > evdev, HID and USB revoke are 3 separate implementations that are
> > necessary for common device accesses to be revocable.
> >
> > The HID patch shows how device access is implemented in systemd, with
> > the seat leader (usually the compositor) being able to request fds from
> > logind if the user doesn't already have access.
> >
> > logind would then be responsible for closing the USB devices the user
> > doesn't have access to anymore when logging out, or switching user. It
> > could either close fds it passed out, or use BPF to revoke opened HID
> > and USB devices without needing to act as an intermediary.
> >
> > In short:
> > - libusb programme opens USB device, either directly, or after asking
> > the compositor to pass a fd (and being authorised to do so)
> > - programme does its thing
> > - fast user switch to another user
> > - logind revokes libusb access for the old user
> > - new user can use the device without problems
>
> What happens if there's another fast user switch back to the original
> user?  Won't the original user then expect the old usbfs fds to continue
> working?
>
> Doesn't the whole idea of revoking file access permissions go against
> the Unix philosophy of checking access rights only once, when a file is
> opened, but not thereafter?  I'm sure I've seen lots of emails by Linus
> complaining when people try to use a different approach.

Strictly speaking, it doesn't :)
Basically, when you revoke an fd, it becomes unusable, and cannot be
reset to a usable state. It is as if the physical device has been
unplugged.
And when you think of it, it makes total sense to "unplug" the device
when fast user switching, for the simple reason that you might (or the
other user might) have set the device in a specific state, and when
you come back, you have no idea what the current state is.

So for end users:
- they check the permissions once on open
- fast user switching is happening, and they see the device as unplugged
- then when the session comes back they need to re-open the device and
re-initialize its state.

Cheers,
Benjamin
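
The revoke semantics discussed in this thread, as a toy model added here for illustration (it is not code from the RFC patch or the kernel): permissions are checked once at open, revocation is a one-way flag on the open file, and a switch back to the first user does not revive the old fd. All names (`usb_model`, `model_open`, `model_set_config`, `model_switch_user`) are hypothetical, and returning `ENODEV` for a revoked file is an assumption based on the "as if unplugged" description.

```c
#include <errno.h>
#include <stdbool.h>

/* Toy model, not kernel code. All names here are hypothetical. */
#define MAX_FILES 8

struct usb_file {            /* one open usbfs file description */
    bool in_use;
    bool revoked;            /* one-way flag: never cleared */
    int  owner_uid;
};

struct usb_model {
    int active_uid;          /* user of the foreground session */
    int dev_config;          /* device state, shared by every opener */
    struct usb_file files[MAX_FILES];
};

/* Access rights are checked here, once, at open time. */
int model_open(struct usb_model *m, int uid)
{
    if (uid != m->active_uid)
        return -EACCES;
    for (int fd = 0; fd < MAX_FILES; fd++) {
        if (!m->files[fd].in_use) {
            m->files[fd] = (struct usb_file){ .in_use = true, .owner_uid = uid };
            return fd;
        }
    }
    return -EMFILE;
}

/* Later operations check only for revocation, not for permissions. */
int model_set_config(struct usb_model *m, int fd, int config)
{
    if (fd < 0 || fd >= MAX_FILES || !m->files[fd].in_use)
        return -EBADF;
    if (m->files[fd].revoked)
        return -ENODEV;      /* assumed errno: same as an unplugged device */
    m->dev_config = config;
    return 0;
}

/* Fast user switch: the session manager revokes the old user's files. */
void model_switch_user(struct usb_model *m, int new_uid)
{
    for (int fd = 0; fd < MAX_FILES; fd++)
        if (m->files[fd].in_use && m->files[fd].owner_uid != new_uid)
            m->files[fd].revoked = true;
    m->active_uid = new_uid;
}
```

In this model the returning user finds `dev_config` in whatever state the other user left it, which is why the old fd staying dead forces a re-open and re-initialization.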



