shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-06 13:17:44 +03:00
Code

Merge pull request #1159 from AnchorCat/polkit-details/v2

Browse Source 
Provide unit name and operation in manage-units polkit checks (v2)
This commit is contained in:
Lennart Poettering 2015-09-06 02:00:05 +02:00
commit 25b31f2fbd
18 changed files with 180 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
po/POTFILES.in
View File

@ -5,3 +5,4 @@ src/locale/org.freedesktop.locale1.policy.in
src/login/org.freedesktop.login1.policy.in src/login/org.freedesktop.login1.policy.in
src/machine/org.freedesktop.machine1.policy.in src/machine/org.freedesktop.machine1.policy.in
src/timedate/org.freedesktop.timedate1.policy.in src/timedate/org.freedesktop.timedate1.policy.in
src/core/dbus-unit.c

1
src/basic/util.h
View File

@ -567,6 +567,7 @@ void *xbsearch_r(const void *key, const void *base, size_t nmemb, size_t size,
void *arg); void *arg);
#define _(String) gettext (String) #define _(String) gettext (String)
#define N_(String) String
void init_gettext(void); void init_gettext(void);
bool is_locale_utf8(void); bool is_locale_utf8(void);

70
src/core/dbus-unit.c
View File

@ -391,6 +391,29 @@ static int property_get_load_error(
return sd_bus_message_append(reply, "(ss)", e.name, e.message); return sd_bus_message_append(reply, "(ss)", e.name, e.message);
} }
static int bus_verify_manage_units_async_full(
Unit *u,
const char *verb,
int capability,
const char *polkit_message,
sd_bus_message *call,
sd_bus_error *error) {
const char *details[9] = {
"unit", u->id,
"verb", verb,
};
if (polkit_message) {
details[4] = "polkit.message";
details[5] = polkit_message;
details[6] = "polkit.gettext_domain";
details[7] = GETTEXT_PACKAGE;
}
return bus_verify_polkit_async(call, capability, "org.freedesktop.systemd1.manage-units", details, false, UID_INVALID, &u->manager->polkit_registry, error);
}
int bus_unit_method_start_generic( int bus_unit_method_start_generic(
sd_bus_message *message, sd_bus_message *message,
Unit *u, Unit *u,
@ -400,6 +423,14 @@ int bus_unit_method_start_generic(
const char *smode; const char *smode;
JobMode mode; JobMode mode;
_cleanup_free_ char *verb = NULL;
static const char *const polkit_message_for_job[_JOB_TYPE_MAX] = {
[JOB_START] = N_("Authentication is required to start '$(unit)'."),
[JOB_STOP] = N_("Authentication is required to stop '$(unit)'."),
[JOB_RELOAD] = N_("Authentication is required to reload '$(unit)'."),
[JOB_RESTART] = N_("Authentication is required to restart '$(unit)'."),
[JOB_TRY_RESTART] = N_("Authentication is required to restart '$(unit)'."),
};
int r; int r;
assert(message); assert(message);
@ -418,7 +449,20 @@ int bus_unit_method_start_generic(
if (mode < 0) if (mode < 0)
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Job mode %s invalid", smode); return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Job mode %s invalid", smode);
r = bus_verify_manage_units_async(u->manager, message, error); if (reload_if_possible)
verb = strjoin("reload-or-", job_type_to_string(job_type), NULL);
else
verb = strdup(job_type_to_string(job_type));
if (!verb)
return -ENOMEM;
r = bus_verify_manage_units_async_full(
u,
verb,
CAP_SYS_ADMIN,
job_type < _JOB_TYPE_MAX ? polkit_message_for_job[job_type] : NULL,
message,
error);
if (r < 0) if (r < 0)
return r; return r;
if (r == 0) if (r == 0)
@ -484,7 +528,13 @@ int bus_unit_method_kill(sd_bus_message *message, void *userdata, sd_bus_error *
if (signo <= 0 || signo >= _NSIG) if (signo <= 0 || signo >= _NSIG)
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Signal number out of range."); return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Signal number out of range.");
r = bus_verify_manage_units_async_for_kill(u->manager, message, error); r = bus_verify_manage_units_async_full(
u,
"kill",
CAP_KILL,
N_("Authentication is required to kill '$(unit)'."),
message,
error);
if (r < 0) if (r < 0)
return r; return r;
if (r == 0) if (r == 0)
@ -508,7 +558,13 @@ int bus_unit_method_reset_failed(sd_bus_message *message, void *userdata, sd_bus
if (r < 0) if (r < 0)
return r; return r;
r = bus_verify_manage_units_async(u->manager, message, error); r = bus_verify_manage_units_async_full(
u,
"reset-failed",
CAP_SYS_ADMIN,
N_("Authentication is required to reset the \"failed\" state of '$(unit)'."),
message,
error);
if (r < 0) if (r < 0)
return r; return r;
if (r == 0) if (r == 0)
@ -534,7 +590,13 @@ int bus_unit_method_set_properties(sd_bus_message *message, void *userdata, sd_b
if (r < 0) if (r < 0)
return r; return r;
r = bus_verify_manage_units_async(u->manager, message, error); r = bus_verify_manage_units_async_full(
u,
"set-property",
CAP_SYS_ADMIN,
N_("Authentication is required to set properties on '$(unit)'."),
message,
error);
if (r < 0) if (r < 0)
return r; return r;
if (r == 0) if (r == 0)

13
src/core/dbus.c
View File

@ -1198,22 +1198,17 @@ int bus_track_coldplug(Manager *m, sd_bus_track **t, char ***l) {
} }
int bus_verify_manage_units_async(Manager *m, sd_bus_message *call, sd_bus_error *error) { int bus_verify_manage_units_async(Manager *m, sd_bus_message *call, sd_bus_error *error) {
return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.manage-units", false, UID_INVALID, &m->polkit_registry, error); return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.manage-units", NULL, false, UID_INVALID, &m->polkit_registry, error);
}
/* Same as bus_verify_manage_unit_async(), but checks for CAP_KILL instead of CAP_SYS_ADMIN */
int bus_verify_manage_units_async_for_kill(Manager *m, sd_bus_message *call, sd_bus_error *error) {
return bus_verify_polkit_async(call, CAP_KILL, "org.freedesktop.systemd1.manage-units", false, UID_INVALID, &m->polkit_registry, error);
} }
int bus_verify_manage_unit_files_async(Manager *m, sd_bus_message *call, sd_bus_error *error) { int bus_verify_manage_unit_files_async(Manager *m, sd_bus_message *call, sd_bus_error *error) {
return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.manage-unit-files", false, UID_INVALID, &m->polkit_registry, error); return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.manage-unit-files", NULL, false, UID_INVALID, &m->polkit_registry, error);
} }
int bus_verify_reload_daemon_async(Manager *m, sd_bus_message *call, sd_bus_error *error) { int bus_verify_reload_daemon_async(Manager *m, sd_bus_message *call, sd_bus_error *error) {
return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.reload-daemon", false, UID_INVALID, &m->polkit_registry, error); return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.reload-daemon", NULL, false, UID_INVALID, &m->polkit_registry, error);
} }
int bus_verify_set_environment_async(Manager *m, sd_bus_message *call, sd_bus_error *error) { int bus_verify_set_environment_async(Manager *m, sd_bus_message *call, sd_bus_error *error) {
return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.set-environment", false, UID_INVALID, &m->polkit_registry, error); return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.set-environment", NULL, false, UID_INVALID, &m->polkit_registry, error);
} }

1
src/core/dbus.h
View File

@ -37,7 +37,6 @@ int bus_track_coldplug(Manager *m, sd_bus_track **t, char ***l);
int bus_foreach_bus(Manager *m, sd_bus_track *subscribed2, int (*send_message)(sd_bus *bus, void *userdata), void *userdata); int bus_foreach_bus(Manager *m, sd_bus_track *subscribed2, int (*send_message)(sd_bus *bus, void *userdata), void *userdata);
int bus_verify_manage_units_async(Manager *m, sd_bus_message *call, sd_bus_error *error); int bus_verify_manage_units_async(Manager *m, sd_bus_message *call, sd_bus_error *error);
int bus_verify_manage_units_async_for_kill(Manager *m, sd_bus_message *call, sd_bus_error *error);
int bus_verify_manage_unit_files_async(Manager *m, sd_bus_message *call, sd_bus_error *error); int bus_verify_manage_unit_files_async(Manager *m, sd_bus_message *call, sd_bus_error *error);
int bus_verify_reload_daemon_async(Manager *m, sd_bus_message *call, sd_bus_error *error); int bus_verify_reload_daemon_async(Manager *m, sd_bus_message *call, sd_bus_error *error);
int bus_verify_set_environment_async(Manager *m, sd_bus_message *call, sd_bus_error *error); int bus_verify_set_environment_async(Manager *m, sd_bus_message *call, sd_bus_error *error);

3
src/hostname/hostnamed.c
View File

@ -434,6 +434,7 @@ static int method_set_hostname(sd_bus_message *m, void *userdata, sd_bus_error *
m, m,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.hostname1.set-hostname", "org.freedesktop.hostname1.set-hostname",
NULL,
interactive, interactive,
UID_INVALID, UID_INVALID,
&c->polkit_registry, &c->polkit_registry,
@ -486,6 +487,7 @@ static int method_set_static_hostname(sd_bus_message *m, void *userdata, sd_bus_
m, m,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.hostname1.set-static-hostname", "org.freedesktop.hostname1.set-static-hostname",
NULL,
interactive, interactive,
UID_INVALID, UID_INVALID,
&c->polkit_registry, &c->polkit_registry,
@ -557,6 +559,7 @@ static int set_machine_info(Context *c, sd_bus_message *m, int prop, sd_bus_mess
m, m,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
prop == PROP_PRETTY_HOSTNAME ? "org.freedesktop.hostname1.set-static-hostname" : "org.freedesktop.hostname1.set-machine-info", prop == PROP_PRETTY_HOSTNAME ? "org.freedesktop.hostname1.set-static-hostname" : "org.freedesktop.hostname1.set-machine-info",
NULL,
interactive, interactive,
UID_INVALID, UID_INVALID,
&c->polkit_registry, &c->polkit_registry,

6
src/import/importd.c
View File

@ -735,6 +735,7 @@ static int method_import_tar_or_raw(sd_bus_message *msg, void *userdata, sd_bus_
msg, msg,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.import1.import", "org.freedesktop.import1.import",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,
@ -799,6 +800,7 @@ static int method_export_tar_or_raw(sd_bus_message *msg, void *userdata, sd_bus_
msg, msg,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.import1.export", "org.freedesktop.import1.export",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,
@ -864,6 +866,7 @@ static int method_pull_tar_or_raw(sd_bus_message *msg, void *userdata, sd_bus_er
msg, msg,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.import1.pull", "org.freedesktop.import1.pull",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,
@ -945,6 +948,7 @@ static int method_pull_dkr(sd_bus_message *msg, void *userdata, sd_bus_error *er
msg, msg,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.import1.pull", "org.freedesktop.import1.pull",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,
@ -1079,6 +1083,7 @@ static int method_cancel(sd_bus_message *msg, void *userdata, sd_bus_error *erro
msg, msg,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.import1.pull", "org.freedesktop.import1.pull",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&t->manager->polkit_registry, &t->manager->polkit_registry,
@ -1108,6 +1113,7 @@ static int method_cancel_transfer(sd_bus_message *msg, void *userdata, sd_bus_er
msg, msg,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.import1.pull", "org.freedesktop.import1.pull",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,

3
src/locale/localed.c
View File

@ -960,6 +960,7 @@ static int method_set_locale(sd_bus_message *m, void *userdata, sd_bus_error *er
m, m,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.locale1.set-locale", "org.freedesktop.locale1.set-locale",
NULL,
interactive, interactive,
UID_INVALID, UID_INVALID,
&c->polkit_registry, &c->polkit_registry,
@ -1049,6 +1050,7 @@ static int method_set_vc_keyboard(sd_bus_message *m, void *userdata, sd_bus_erro
m, m,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.locale1.set-keyboard", "org.freedesktop.locale1.set-keyboard",
NULL,
interactive, interactive,
UID_INVALID, UID_INVALID,
&c->polkit_registry, &c->polkit_registry,
@ -1180,6 +1182,7 @@ static int method_set_x11_keyboard(sd_bus_message *m, void *userdata, sd_bus_err
m, m,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.locale1.set-keyboard", "org.freedesktop.locale1.set-keyboard",
NULL,
interactive, interactive,
UID_INVALID, UID_INVALID,
&c->polkit_registry, &c->polkit_registry,

20
src/login/logind-dbus.c
View File

@ -942,6 +942,7 @@ static int method_lock_sessions(sd_bus_message *message, void *userdata, sd_bus_
message, message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.login1.lock-sessions", "org.freedesktop.login1.lock-sessions",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,
@ -1096,6 +1097,7 @@ static int method_set_user_linger(sd_bus_message *message, void *userdata, sd_bu
message, message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.login1.set-user-linger", "org.freedesktop.login1.set-user-linger",
NULL,
interactive, interactive,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,
@ -1268,6 +1270,7 @@ static int method_attach_device(sd_bus_message *message, void *userdata, sd_bus_
message, message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.login1.attach-device", "org.freedesktop.login1.attach-device",
NULL,
interactive, interactive,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,
@ -1299,6 +1302,7 @@ static int method_flush_devices(sd_bus_message *message, void *userdata, sd_bus_
message, message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.login1.flush-devices", "org.freedesktop.login1.flush-devices",
NULL,
interactive, interactive,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,
@ -1649,7 +1653,7 @@ static int verify_shutdown_creds(
blocked = manager_is_inhibited(m, w, INHIBIT_BLOCK, NULL, false, true, uid, NULL); blocked = manager_is_inhibited(m, w, INHIBIT_BLOCK, NULL, false, true, uid, NULL);
if (multiple_sessions && action_multiple_sessions) { if (multiple_sessions && action_multiple_sessions) {
r = bus_verify_polkit_async(message, CAP_SYS_BOOT, action_multiple_sessions, interactive, UID_INVALID, &m->polkit_registry, error); r = bus_verify_polkit_async(message, CAP_SYS_BOOT, action_multiple_sessions, NULL, interactive, UID_INVALID, &m->polkit_registry, error);
if (r < 0) if (r < 0)
return r; return r;
if (r == 0) if (r == 0)
@ -1657,7 +1661,7 @@ static int verify_shutdown_creds(
} }
if (blocked && action_ignore_inhibit) { if (blocked && action_ignore_inhibit) {
r = bus_verify_polkit_async(message, CAP_SYS_BOOT, action_ignore_inhibit, interactive, UID_INVALID, &m->polkit_registry, error); r = bus_verify_polkit_async(message, CAP_SYS_BOOT, action_ignore_inhibit, NULL, interactive, UID_INVALID, &m->polkit_registry, error);
if (r < 0) if (r < 0)
return r; return r;
if (r == 0) if (r == 0)
@ -1665,7 +1669,7 @@ static int verify_shutdown_creds(
} }
if (!multiple_sessions && !blocked && action) { if (!multiple_sessions && !blocked && action) {
r = bus_verify_polkit_async(message, CAP_SYS_BOOT, action, interactive, UID_INVALID, &m->polkit_registry, error); r = bus_verify_polkit_async(message, CAP_SYS_BOOT, action, NULL, interactive, UID_INVALID, &m->polkit_registry, error);
if (r < 0) if (r < 0)
return r; return r;
if (r == 0) if (r == 0)
@ -2085,7 +2089,7 @@ static int method_can_shutdown_or_sleep(
blocked = manager_is_inhibited(m, w, INHIBIT_BLOCK, NULL, false, true, uid, NULL); blocked = manager_is_inhibited(m, w, INHIBIT_BLOCK, NULL, false, true, uid, NULL);
if (multiple_sessions) { if (multiple_sessions) {
r = bus_test_polkit(message, CAP_SYS_BOOT, action_multiple_sessions, UID_INVALID, &challenge, error); r = bus_test_polkit(message, CAP_SYS_BOOT, action_multiple_sessions, NULL, UID_INVALID, &challenge, error);
if (r < 0) if (r < 0)
return r; return r;
@ -2098,7 +2102,7 @@ static int method_can_shutdown_or_sleep(
} }
if (blocked) { if (blocked) {
r = bus_test_polkit(message, CAP_SYS_BOOT, action_ignore_inhibit, UID_INVALID, &challenge, error); r = bus_test_polkit(message, CAP_SYS_BOOT, action_ignore_inhibit, NULL, UID_INVALID, &challenge, error);
if (r < 0) if (r < 0)
return r; return r;
@ -2114,7 +2118,7 @@ static int method_can_shutdown_or_sleep(
/* If neither inhibit nor multiple sessions /* If neither inhibit nor multiple sessions
* apply then just check the normal policy */ * apply then just check the normal policy */
r = bus_test_polkit(message, CAP_SYS_BOOT, action, UID_INVALID, &challenge, error); r = bus_test_polkit(message, CAP_SYS_BOOT, action, NULL, UID_INVALID, &challenge, error);
if (r < 0) if (r < 0)
return r; return r;
@ -2233,6 +2237,7 @@ static int method_set_reboot_to_firmware_setup(
r = bus_verify_polkit_async(message, r = bus_verify_polkit_async(message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.login1.set-reboot-to-firmware-setup", "org.freedesktop.login1.set-reboot-to-firmware-setup",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,
@ -2271,6 +2276,7 @@ static int method_can_reboot_to_firmware_setup(
r = bus_test_polkit(message, r = bus_test_polkit(message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.login1.set-reboot-to-firmware-setup", "org.freedesktop.login1.set-reboot-to-firmware-setup",
NULL,
UID_INVALID, UID_INVALID,
&challenge, &challenge,
error); error);
@ -2307,6 +2313,7 @@ static int method_set_wall_message(
r = bus_verify_polkit_async(message, r = bus_verify_polkit_async(message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.login1.set-wall-message", "org.freedesktop.login1.set-wall-message",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,
@ -2378,6 +2385,7 @@ static int method_inhibit(sd_bus_message *message, void *userdata, sd_bus_error
w == INHIBIT_HANDLE_SUSPEND_KEY ? "org.freedesktop.login1.inhibit-handle-suspend-key" : w == INHIBIT_HANDLE_SUSPEND_KEY ? "org.freedesktop.login1.inhibit-handle-suspend-key" :
w == INHIBIT_HANDLE_HIBERNATE_KEY ? "org.freedesktop.login1.inhibit-handle-hibernate-key" : w == INHIBIT_HANDLE_HIBERNATE_KEY ? "org.freedesktop.login1.inhibit-handle-hibernate-key" :
"org.freedesktop.login1.inhibit-handle-lid-switch", "org.freedesktop.login1.inhibit-handle-lid-switch",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,

1
src/login/logind-seat-dbus.c
View File

@ -204,6 +204,7 @@ int bus_seat_method_terminate(sd_bus_message *message, void *userdata, sd_bus_er
message, message,
CAP_KILL, CAP_KILL,
"org.freedesktop.login1.manage", "org.freedesktop.login1.manage",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&s->manager->polkit_registry, &s->manager->polkit_registry,

3
src/login/logind-session-dbus.c
View File

@ -191,6 +191,7 @@ int bus_session_method_terminate(sd_bus_message *message, void *userdata, sd_bus
message, message,
CAP_KILL, CAP_KILL,
"org.freedesktop.login1.manage", "org.freedesktop.login1.manage",
NULL,
false, false,
s->user->uid, s->user->uid,
&s->manager->polkit_registry, &s->manager->polkit_registry,
@ -232,6 +233,7 @@ int bus_session_method_lock(sd_bus_message *message, void *userdata, sd_bus_erro
message, message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.login1.lock-sessions", "org.freedesktop.login1.lock-sessions",
NULL,
false, false,
s->user->uid, s->user->uid,
&s->manager->polkit_registry, &s->manager->polkit_registry,
@ -306,6 +308,7 @@ int bus_session_method_kill(sd_bus_message *message, void *userdata, sd_bus_erro
message, message,
CAP_KILL, CAP_KILL,
"org.freedesktop.login1.manage", "org.freedesktop.login1.manage",
NULL,
false, false,
s->user->uid, s->user->uid,
&s->manager->polkit_registry, &s->manager->polkit_registry,

2
src/login/logind-user-dbus.c
View File

@ -179,6 +179,7 @@ int bus_user_method_terminate(sd_bus_message *message, void *userdata, sd_bus_er
message, message,
CAP_KILL, CAP_KILL,
"org.freedesktop.login1.manage", "org.freedesktop.login1.manage",
NULL,
false, false,
u->uid, u->uid,
&u->manager->polkit_registry, &u->manager->polkit_registry,
@ -207,6 +208,7 @@ int bus_user_method_kill(sd_bus_message *message, void *userdata, sd_bus_error *
message, message,
CAP_KILL, CAP_KILL,
"org.freedesktop.login1.manage", "org.freedesktop.login1.manage",
NULL,
false, false,
u->uid, u->uid,
&u->manager->polkit_registry, &u->manager->polkit_registry,

5
src/machine/image-dbus.c
View File

@ -43,6 +43,7 @@ int bus_image_method_remove(
message, message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-images", "org.freedesktop.machine1.manage-images",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,
@ -83,6 +84,7 @@ int bus_image_method_rename(
message, message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-images", "org.freedesktop.machine1.manage-images",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,
@ -123,6 +125,7 @@ int bus_image_method_clone(
message, message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-images", "org.freedesktop.machine1.manage-images",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,
@ -158,6 +161,7 @@ int bus_image_method_mark_read_only(
message, message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-images", "org.freedesktop.machine1.manage-images",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,
@ -194,6 +198,7 @@ int bus_image_method_set_limit(
message, message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-images", "org.freedesktop.machine1.manage-images",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,

7
src/machine/machine-dbus.c
View File

@ -124,6 +124,7 @@ int bus_machine_method_terminate(sd_bus_message *message, void *userdata, sd_bus
message, message,
CAP_KILL, CAP_KILL,
"org.freedesktop.machine1.manage-machines", "org.freedesktop.machine1.manage-machines",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->manager->polkit_registry, &m->manager->polkit_registry,
@ -169,6 +170,7 @@ int bus_machine_method_kill(sd_bus_message *message, void *userdata, sd_bus_erro
message, message,
CAP_KILL, CAP_KILL,
"org.freedesktop.machine1.manage-machines", "org.freedesktop.machine1.manage-machines",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->manager->polkit_registry, &m->manager->polkit_registry,
@ -488,6 +490,7 @@ int bus_machine_method_open_pty(sd_bus_message *message, void *userdata, sd_bus_
message, message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-open-pty" : "org.freedesktop.machine1.open-pty", m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-open-pty" : "org.freedesktop.machine1.open-pty",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->manager->polkit_registry, &m->manager->polkit_registry,
@ -577,6 +580,7 @@ int bus_machine_method_open_login(sd_bus_message *message, void *userdata, sd_bu
message, message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-login" : "org.freedesktop.machine1.login", m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-login" : "org.freedesktop.machine1.login",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->manager->polkit_registry, &m->manager->polkit_registry,
@ -675,6 +679,7 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu
message, message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-shell" : "org.freedesktop.machine1.shell", m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-shell" : "org.freedesktop.machine1.shell",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->manager->polkit_registry, &m->manager->polkit_registry,
@ -883,6 +888,7 @@ int bus_machine_method_bind_mount(sd_bus_message *message, void *userdata, sd_bu
message, message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-machines", "org.freedesktop.machine1.manage-machines",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->manager->polkit_registry, &m->manager->polkit_registry,
@ -1145,6 +1151,7 @@ int bus_machine_method_copy(sd_bus_message *message, void *userdata, sd_bus_erro
message, message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-machines", "org.freedesktop.machine1.manage-machines",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->manager->polkit_registry, &m->manager->polkit_registry,

1
src/machine/machined-dbus.c
View File

@ -810,6 +810,7 @@ static int method_set_pool_limit(sd_bus_message *message, void *userdata, sd_bus
message, message,
CAP_SYS_ADMIN, CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-machines", "org.freedesktop.machine1.manage-machines",
NULL,
false, false,
UID_INVALID, UID_INVALID,
&m->polkit_registry, &m->polkit_registry,

74
src/shared/bus-util.c
View File

@ -220,6 +220,7 @@ int bus_test_polkit(
sd_bus_message *call, sd_bus_message *call,
int capability, int capability,
const char *action, const char *action,
const char **details,
uid_t good_user, uid_t good_user,
bool *_challenge, bool *_challenge,
sd_bus_error *e) { sd_bus_error *e) {
@ -242,29 +243,52 @@ int bus_test_polkit(
return 1; return 1;
#ifdef ENABLE_POLKIT #ifdef ENABLE_POLKIT
else { else {
_cleanup_bus_message_unref_ sd_bus_message *request = NULL;
_cleanup_bus_message_unref_ sd_bus_message *reply = NULL; _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
int authorized = false, challenge = false; int authorized = false, challenge = false;
const char *sender; const char *sender, **k, **v;
sender = sd_bus_message_get_sender(call); sender = sd_bus_message_get_sender(call);
if (!sender) if (!sender)
return -EBADMSG; return -EBADMSG;
r = sd_bus_call_method( r = sd_bus_message_new_method_call(
call->bus, call->bus,
&request,
"org.freedesktop.PolicyKit1", "org.freedesktop.PolicyKit1",
"/org/freedesktop/PolicyKit1/Authority", "/org/freedesktop/PolicyKit1/Authority",
"org.freedesktop.PolicyKit1.Authority", "org.freedesktop.PolicyKit1.Authority",
"CheckAuthorization", "CheckAuthorization");
e, if (r < 0)
&reply, return r;
"(sa{sv})sa{ss}us",
"system-bus-name", 1, "name", "s", sender,
action,
0,
0,
"");
r = sd_bus_message_append(
request,
"(sa{sv})s",
"system-bus-name", 1, "name", "s", sender,
action);
if (r < 0)
return r;
r = sd_bus_message_open_container(request, 'a', "{ss}");
if (r < 0)
return r;
STRV_FOREACH_PAIR(k, v, details) {
r = sd_bus_message_append(request, "{ss}", *k, *v);
if (r < 0)
return r;
}
r = sd_bus_message_close_container(request);
if (r < 0)
return r;
r = sd_bus_message_append(request, "us", 0, NULL);
if (r < 0)
return r;
r = sd_bus_call(call->bus, request, 0, e, &reply);
if (r < 0) { if (r < 0) {
/* Treat no PK available as access denied */ /* Treat no PK available as access denied */
if (sd_bus_error_has_name(e, SD_BUS_ERROR_SERVICE_UNKNOWN)) { if (sd_bus_error_has_name(e, SD_BUS_ERROR_SERVICE_UNKNOWN)) {
@ -354,6 +378,7 @@ int bus_verify_polkit_async(
sd_bus_message *call, sd_bus_message *call,
int capability, int capability,
const char *action, const char *action,
const char **details,
bool interactive, bool interactive,
uid_t good_user, uid_t good_user,
Hashmap **registry, Hashmap **registry,
@ -362,7 +387,7 @@ int bus_verify_polkit_async(
#ifdef ENABLE_POLKIT #ifdef ENABLE_POLKIT
_cleanup_bus_message_unref_ sd_bus_message *pk = NULL; _cleanup_bus_message_unref_ sd_bus_message *pk = NULL;
AsyncPolkitQuery *q; AsyncPolkitQuery *q;
const char *sender; const char *sender, **k, **v;
sd_bus_message_handler_t callback; sd_bus_message_handler_t callback;
void *userdata; void *userdata;
int c; int c;
@ -460,12 +485,27 @@ int bus_verify_polkit_async(
r = sd_bus_message_append( r = sd_bus_message_append(
pk, pk,
"(sa{sv})sa{ss}us", "(sa{sv})s",
"system-bus-name", 1, "name", "s", sender, "system-bus-name", 1, "name", "s", sender,
action, action);
0, if (r < 0)
!!interactive, return r;
NULL);
r = sd_bus_message_open_container(pk, 'a', "{ss}");
if (r < 0)
return r;
STRV_FOREACH_PAIR(k, v, details) {
r = sd_bus_message_append(pk, "{ss}", *k, *v);
if (r < 0)
return r;
}
r = sd_bus_message_close_container(pk);
if (r < 0)
return r;
r = sd_bus_message_append(pk, "us", !!interactive, NULL);
if (r < 0) if (r < 0)
return r; return r;

4
src/shared/bus-util.h
View File

@ -60,9 +60,9 @@ int bus_name_has_owner(sd_bus *c, const char *name, sd_bus_error *error);
int bus_check_peercred(sd_bus *c); int bus_check_peercred(sd_bus *c);
int bus_test_polkit(sd_bus_message *call, int capability, const char *action, uid_t good_user, bool *_challenge, sd_bus_error *e); int bus_test_polkit(sd_bus_message *call, int capability, const char *action, const char **details, uid_t good_user, bool *_challenge, sd_bus_error *e);
int bus_verify_polkit_async(sd_bus_message *call, int capability, const char *action, bool interactive, uid_t good_user, Hashmap **registry, sd_bus_error *error); int bus_verify_polkit_async(sd_bus_message *call, int capability, const char *action, const char **details, bool interactive, uid_t good_user, Hashmap **registry, sd_bus_error *error);
void bus_verify_polkit_async_registry_free(Hashmap *registry); void bus_verify_polkit_async_registry_free(Hashmap *registry);
int bus_open_system_systemd(sd_bus **_bus); int bus_open_system_systemd(sd_bus **_bus);

4
src/timedate/timedated.c
View File

@ -361,6 +361,7 @@ static int method_set_timezone(sd_bus_message *m, void *userdata, sd_bus_error *
m, m,
CAP_SYS_TIME, CAP_SYS_TIME,
"org.freedesktop.timedate1.set-timezone", "org.freedesktop.timedate1.set-timezone",
NULL,
interactive, interactive,
UID_INVALID, UID_INVALID,
&c->polkit_registry, &c->polkit_registry,
@ -428,6 +429,7 @@ static int method_set_local_rtc(sd_bus_message *m, void *userdata, sd_bus_error
m, m,
CAP_SYS_TIME, CAP_SYS_TIME,
"org.freedesktop.timedate1.set-local-rtc", "org.freedesktop.timedate1.set-local-rtc",
NULL,
interactive, interactive,
UID_INVALID, UID_INVALID,
&c->polkit_registry, &c->polkit_registry,
@ -543,6 +545,7 @@ static int method_set_time(sd_bus_message *m, void *userdata, sd_bus_error *erro
m, m,
CAP_SYS_TIME, CAP_SYS_TIME,
"org.freedesktop.timedate1.set-time", "org.freedesktop.timedate1.set-time",
NULL,
interactive, interactive,
UID_INVALID, UID_INVALID,
&c->polkit_registry, &c->polkit_registry,
@ -601,6 +604,7 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error
m, m,
CAP_SYS_TIME, CAP_SYS_TIME,
"org.freedesktop.timedate1.set-ntp", "org.freedesktop.timedate1.set-ntp",
NULL,
interactive, interactive,
UID_INVALID, UID_INVALID,
&c->polkit_registry, &c->polkit_registry,