From 6ab4b0faef22b4fda4b6a3b45dca4c3858eb8802 Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Wed, 13 May 2026 13:43:39 +0100
Subject: feat(udev,flatpak): allow ungoogled-chromium to talk to ZSA keyboards usevia.app uses WebHID to talk to /dev/hidraw* directly. Two layers were blocking it: 1. Host: no udev rule existed for ZSA boards, so /dev/hidraw nodes were root-only. Add etc/udev/rules.d/50-zsa.rules covering the ZSA VID 3297 (ErgoDox EZ / Moonlander / Voyager) with TAG+=uaccess so logind grants the active session user access. Also include the two bootloader VIDs used during firmware flashing for completeness. 2. Sandbox: the chromium flatpak only sees /dev/dri by default. Add a --device=all override (flatpak has no finer-grained device knob). The host udev rule still gates which hidraw nodes the user can actually open, so this isn't a meaningful escalation. Also wire `udevadm control --reload && udevadm trigger` into the etc deploy script so rule changes apply without a reboot or replug.
---
 etc/udev/rules.d/50-zsa.rules | 13 +++++++++++++
 run_onchange_after_deploy-etc.sh.tmpl | 5 +++++
 run_onchange_after_deploy-flatpak-overrides.sh.tmpl | 6 ++++++
 3 files changed, 24 insertions(+)
 create mode 100644 etc/udev/rules.d/50-zsa.rules
diff --git a/etc/udev/rules.d/50-zsa.rules b/etc/udev/rules.d/50-zsa.rules
new file mode 100644
index 0000000..86e443a
--- /dev/null
+++ b/etc/udev/rules.d/50-zsa.rules
@@ -0,0 +1,13 @@
+# ZSA keyboards (ErgoDox EZ, Moonlander, Voyager) raw-HID access.
+# Required for Wally flashing and VIA / usevia.app key-remapping over WebHID.
+# `uaccess` tag delegates permission to the active logind session user,
+# so no plugdev/input group membership is needed.
+KERNEL=="hidraw*", ATTRS{idVendor}=="3297", MODE="0660", TAG+="uaccess"
+
+# STM32 DFU bootloader for Moonlander / Voyager (only fires while flashing).
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", \
+ MODE="0660", TAG+="uaccess"
+
+# Halfkay bootloader (ErgoDox EZ) — used by Wally / Teensy loader.
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="0478", \
+ MODE="0660", TAG+="uaccess"
diff --git a/run_onchange_after_deploy-etc.sh.tmpl b/run_onchange_after_deploy-etc.sh.tmpl
index d08f989..ec53c99 100755
--- a/run_onchange_after_deploy-etc.sh.tmpl
+++ b/run_onchange_after_deploy-etc.sh.tmpl
@@ -31,6 +31,11 @@ sudo ln -sfT sudo /etc/pam.d/sudo-i
 # (e.g. HandlePowerKey overrides) take effect without dropping sessions.
 sudo systemctl kill -s HUP systemd-logind
 
+# Reload udev rules and re-trigger so changes in etc/udev/rules.d/ apply
+# to already-plugged devices without a reboot or replug.
+sudo udevadm control --reload
+sudo udevadm trigger
+
 # Make sudo-rs the system-wide sudo via /usr/local/bin precedence.
 # Targets may not exist yet on first bootstrap (sudo-rs is installed by
 # the subsequent pkg-apply step); the symlinks resolve once it lands.
diff --git a/run_onchange_after_deploy-flatpak-overrides.sh.tmpl b/run_onchange_after_deploy-flatpak-overrides.sh.tmpl
index 0456883..fb73022 100644
--- a/run_onchange_after_deploy-flatpak-overrides.sh.tmpl
+++ b/run_onchange_after_deploy-flatpak-overrides.sh.tmpl
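Review bot: In etc/udev/rules.d/50-zsa.rules the `KERNEL=="hidraw*", ATTRS{idVendor}=="3297"` rule tags every HID interface of the board, not only the raw-HID endpoint VIA talks to, so where the typing interface has its own hidraw node any process in the active session can read raw key reports from it. The header comment should record that, e.g. `# NOTE: matches all hidraw interfaces of VID 3297, including the one carrying key reports; every session process can read them.` The two bootloader rules are also broader than their comments suggest: 0483:df11 and 16c0:0478 are the generic ST DFU and Teensy Halfkay IDs, so they match any device sitting in those bootloaders, not just ZSA boards.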
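Review bot: In run_onchange_after_deploy-etc.sh.tmpl the bare `sudo udevadm trigger` replays a change event for every device on the host each time the script re-runs, while the only rules this commit ships are hidraw and USB ones. If no other subsystems are expected under etc/udev/rules.d/, narrowing it keeps the side effects proportional: `sudo udevadm trigger --subsystem-match=hidraw --subsystem-match=usb`. The top of the script is outside the hunk, so whether a failed `udevadm control --reload` stops the run before the trigger (for example through `set -e`) cannot be confirmed from here.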
@@ -19,3 +19,9 @@ apply io.mpv.Mpv --filesystem=xdg-config/mpv:ro
 # LibreWolf needs raw /dev access for v4l2 webcams. Flatpak has no
 # finer-grained device option, so this opens video/dri/snd at once.
 apply io.gitlab.librewolf-community --device=all
+
+# Ungoogled Chromium needs /dev/hidraw* for WebHID (e.g. usevia.app
+# configuring ZSA keyboards). --device=all is the only knob flatpak
+# offers; the host udev rule (etc/udev/rules.d/50-zsa.rules) restricts
+# which hidraw nodes the user can actually open.
+apply io.github.ungoogled_software.ungoogled_chromium --device=all
-- cgit v1.3.1
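Review bot: The new comment above the ungoogled-chromium override understates what `--device=all` grants. The sandbox gets every /dev node the session user can already open (the LibreWolf comment just above lists video/dri/snd, and any other hidraw node tagged uaccess would be included too), and 50-zsa.rules adds the ZSA nodes to that set rather than restricting it. I would reword the last two comment lines to something like `# offers; it exposes every /dev node the session user can open (video, snd, other hidraw), and 50-zsa.rules only adds the ZSA hidraw nodes to that set.` Because the browser renders untrusted content, the comment should also say the override exists only for WebHID, so it can be dropped once usevia.app is no longer needed.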