daemon: Add a policy for reload-config

This fixes `rpm-ostree reload` as root, and supports configuring it to be enabled for other users as well. This was overlooked in the polkit work originally. Closes: https://github.com/projectatomic/rpm-ostree/issues/976 Closes: #977 Approved by: jlebon
2017-09-07 10:20:33 -04:00 · 2017-09-07 10:20:33 -04:00 · b5c98ec4f1
commit b5c98ec4f1
parent b0c75ae900
3 changed files with 24 additions and 2 deletions
--- a/src/daemon/org.projectatomic.rpmostree1.policy
+++ b/src/daemon/org.projectatomic.rpmostree1.policy
@ -96,6 +96,16 @@
    </defaults>
  </action>

+  <action id="org.projectatomic.rpmostree1.reload-daemon">
+    <description>Reload the daemon state</description>
+    <message>Authentication is required to reload the rpmostree daemon state</message>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin_keep</allow_active>
+    </defaults>
+  </action>
+
  <action id="org.projectatomic.rpmostree1.cleanup">
    <description>Clear cache</description>
    <message>Authentication is required to clear cache / pending data</message>
--- a/src/daemon/rpmostreed-sysroot.c
+++ b/src/daemon/rpmostreed-sysroot.c
@ -582,6 +582,10 @@ sysroot_authorize_method (GDBusInterfaceSkeleton *interface,
      /* GetOS() is always allowed */
      authorized = TRUE;
    }
+  else if (g_strcmp0 (method_name, "ReloadConfig") == 0)
+    {
+      action = "org.projectatomic.rpmostree1.reload-daemon";
+    }
  else if (g_strcmp0 (method_name, "RegisterClient") == 0 ||
           g_strcmp0 (method_name, "UnregisterClient") == 0)
    {
--- a/tests/vmcheck/test-basic.sh
+++ b/tests/vmcheck/test-basic.sh
@ -44,13 +44,17 @@ if ! vm_cmd getent passwd testuser; then
  vm_cmd chown -R testuser:testuser /home/testuser/.ssh
 fi

-# Make sure we can't layer as non-root
+# Make sure we can't do various operations as non-root
 vm_build_rpm foo
 if vm_cmd_as testuser rpm-ostree pkg-add foo &> err.txt; then
    assert_not_reached "Was able to install a package as non-root!"
 fi
 assert_file_has_content err.txt 'PkgChange not allowed for user'
-echo "ok layering requires root or auth"
+if vm_cmd_as testuser rpm-ostree reload &> err.txt; then
+    assert_not_reached "Was able to reload as non-root!"
+fi
+assert_file_has_content err.txt 'ReloadConfig not allowed for user'
+echo "ok auth"

 # Assert that we can do status as non-root
 vm_cmd_as testuser rpm-ostree status
@ -60,6 +64,10 @@ echo "ok status doesn't require root"
 vm_cmd runuser -u bin rpm-ostree status
 echo "ok status doesn't require active PAM session"

+# Reload as root https://github.com/projectatomic/rpm-ostree/issues/976
+vm_cmd rpm-ostree reload
+echo "ok reload"
+
 # Add metadata string containing EnfOfLife attribtue
 META_ENDOFLIFE_MESSAGE="this is a test for metadata message"
 commit=$(vm_cmd ostree commit -b vmcheck \