1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-22 13:33:56 +03:00

Merge pull request #13457 from keszybz/resolved-issue

This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2019-09-03 11:27:03 +02:00
commit d93d10c3d1
7 changed files with 251 additions and 51 deletions

View File

@ -1354,8 +1354,7 @@ _public_ int sd_bus_open_user_with_description(sd_bus **ret, const char *descrip
b->bus_client = true;
b->is_user = true;
/* We don't do any per-method access control on the user
* bus. */
/* We don't do any per-method access control on the user bus. */
b->trusted = true;
b->is_local = true;

View File

@ -19,9 +19,24 @@
#define DEFAULT_BUS_PATH "unix:path=/run/dbus/system_bus_socket"
static struct context c = {};
static int happy_finder_object = 0;
static int happy_finder(sd_bus *bus, const char *path, const char *interface, void *userdata, void **found, sd_bus_error *error) {
assert(userdata);
assert(userdata == &c);
#ifndef __cplusplus
log_info("%s called", __func__);
#endif
happy_finder_object++;
*found = &happy_finder_object;
return 1; /* found */
}
static void test_vtable(void) {
sd_bus *bus = NULL;
struct context c = {};
int r;
assert(sd_bus_new(&bus) >= 0);
@ -32,16 +47,23 @@ static void test_vtable(void) {
assert(sd_bus_add_object_vtable(bus, NULL, "/foo", "org.freedesktop.systemd.testVtable221",
(const sd_bus_vtable *)vtable_format_221, &c) >= 0);
assert(sd_bus_add_fallback_vtable(bus, NULL, "/fallback", "org.freedesktop.systemd.testVtable2", test_vtable_2, happy_finder, &c) >= 0);
assert(sd_bus_set_address(bus, DEFAULT_BUS_PATH) >= 0);
r = sd_bus_start(bus);
assert(r == 0 || /* success */
r == -ENOENT /* dbus is inactive */ );
#ifndef __cplusplus
_cleanup_free_ char *s = NULL;
_cleanup_free_ char *s, *s2;
assert_se(introspect_path(bus, "/foo", NULL, false, true, NULL, &s, NULL) == 1);
fputs(s, stdout);
assert_se(introspect_path(bus, "/fallback", NULL, false, true, NULL, &s2, NULL) == 1);
fputs(s2, stdout);
assert_se(happy_finder_object == 1);
#endif
sd_bus_unref(bus);

View File

@ -42,7 +42,7 @@ static const sd_bus_vtable test_vtable_1[] = {
static const sd_bus_vtable test_vtable_2[] = {
SD_BUS_VTABLE_START(0),
SD_BUS_METHOD("AlterSomething", "s", "s", handler, 0),
SD_BUS_METHOD("AlterSomething", "s", "s", handler, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("Exit", "", "", handler, 0),
SD_BUS_METHOD_WITH_OFFSET("AlterSomething2", "s", "s", handler, 200, 0),
SD_BUS_METHOD_WITH_OFFSET("Exit2", "", "", handler, 200, 0),

View File

@ -40,4 +40,103 @@
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
</action>
<action id="org.freedesktop.resolve1.set-dns-servers">
<description gettext-domain="systemd">Set DNS servers</description>
<message gettext-domain="systemd">Authentication is required to set DNS servers.</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
</action>
<action id="org.freedesktop.resolve1.set-domains">
<description gettext-domain="systemd">Set domains</description>
<message gettext-domain="systemd">Authentication is required to set domains.</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
</action>
<action id="org.freedesktop.resolve1.set-default-route">
<description gettext-domain="systemd">Set default route</description>
<message gettext-domain="systemd">Authentication is required to set default route.</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
</action>
<action id="org.freedesktop.resolve1.set-llmnr">
<description gettext-domain="systemd">Enable/disable LLMNR</description>
<message gettext-domain="systemd">Authentication is required to enable or disable LLMNR.</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
</action>
<action id="org.freedesktop.resolve1.set-mdns">
<description gettext-domain="systemd">Enable/disable multicast DNS</description>
<message gettext-domain="systemd">Authentication is required to enable or disable multicast DNS.</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
</action>
<action id="org.freedesktop.resolve1.set-dns-over-tls">
<description gettext-domain="systemd">Enable/disable DNS over TLS</description>
<message gettext-domain="systemd">Authentication is required to enable or disable DNS over TLS.</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
</action>
<action id="org.freedesktop.resolve1.set-dnssec">
<description gettext-domain="systemd">Enable/disable DNSSEC</description>
<message gettext-domain="systemd">Authentication is required to enable or disable DNSSEC.</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
</action>
<action id="org.freedesktop.resolve1.set-dnssec-negative-trust-anchors">
<description gettext-domain="systemd">Set DNSSEC Negative Trust Anchors</description>
<message gettext-domain="systemd">Authentication is required to set DNSSEC Negative Trust Anchros.</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
</action>
<action id="org.freedesktop.resolve1.revert">
<description gettext-domain="systemd">Revert name resolution settings</description>
<message gettext-domain="systemd">Authentication is required to revert name resolution settings.</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
</action>
</policyconfig>

View File

@ -1638,15 +1638,6 @@ static int bus_method_register_service(sd_bus_message *message, void *userdata,
if (m->mdns_support != RESOLVE_SUPPORT_YES)
return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Support for MulticastDNS is disabled");
r = bus_verify_polkit_async(message, CAP_SYS_ADMIN,
"org.freedesktop.resolve1.register-service",
NULL, false, UID_INVALID,
&m->polkit_registry, error);
if (r < 0)
return r;
if (r == 0)
return 1; /* Polkit will call us back */
service = new0(DnssdService, 1);
if (!service)
return log_oom();
@ -1771,6 +1762,15 @@ static int bus_method_register_service(sd_bus_message *message, void *userdata,
if (r < 0)
return r;
r = bus_verify_polkit_async(message, CAP_SYS_ADMIN,
"org.freedesktop.resolve1.register-service",
NULL, false, UID_INVALID,
&m->polkit_registry, error);
if (r < 0)
return r;
if (r == 0)
return 1; /* Polkit will call us back */
r = hashmap_ensure_allocated(&m->dnssd_services, &string_hash_ops);
if (r < 0)
return r;
@ -1854,19 +1854,19 @@ static const sd_bus_vtable resolve_vtable[] = {
SD_BUS_METHOD("ResolveAddress", "iiayt", "a(is)t", bus_method_resolve_address, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("ResolveRecord", "isqqt", "a(iqqay)t", bus_method_resolve_record, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("ResolveService", "isssit", "a(qqqsa(iiay)s)aayssst", bus_method_resolve_service, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("ResetStatistics", NULL, NULL, bus_method_reset_statistics, 0),
SD_BUS_METHOD("FlushCaches", NULL, NULL, bus_method_flush_caches, 0),
SD_BUS_METHOD("ResetServerFeatures", NULL, NULL, bus_method_reset_server_features, 0),
SD_BUS_METHOD("ResetStatistics", NULL, NULL, bus_method_reset_statistics, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("FlushCaches", NULL, NULL, bus_method_flush_caches, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("ResetServerFeatures", NULL, NULL, bus_method_reset_server_features, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("GetLink", "i", "o", bus_method_get_link, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("SetLinkDNS", "ia(iay)", NULL, bus_method_set_link_dns_servers, 0),
SD_BUS_METHOD("SetLinkDomains", "ia(sb)", NULL, bus_method_set_link_domains, 0),
SD_BUS_METHOD("SetLinkDefaultRoute", "ib", NULL, bus_method_set_link_default_route, 0),
SD_BUS_METHOD("SetLinkLLMNR", "is", NULL, bus_method_set_link_llmnr, 0),
SD_BUS_METHOD("SetLinkMulticastDNS", "is", NULL, bus_method_set_link_mdns, 0),
SD_BUS_METHOD("SetLinkDNSOverTLS", "is", NULL, bus_method_set_link_dns_over_tls, 0),
SD_BUS_METHOD("SetLinkDNSSEC", "is", NULL, bus_method_set_link_dnssec, 0),
SD_BUS_METHOD("SetLinkDNSSECNegativeTrustAnchors", "ias", NULL, bus_method_set_link_dnssec_negative_trust_anchors, 0),
SD_BUS_METHOD("RevertLink", "i", NULL, bus_method_revert_link, 0),
SD_BUS_METHOD("SetLinkDNS", "ia(iay)", NULL, bus_method_set_link_dns_servers, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("SetLinkDomains", "ia(sb)", NULL, bus_method_set_link_domains, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("SetLinkDefaultRoute", "ib", NULL, bus_method_set_link_default_route, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("SetLinkLLMNR", "is", NULL, bus_method_set_link_llmnr, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("SetLinkMulticastDNS", "is", NULL, bus_method_set_link_mdns, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("SetLinkDNSOverTLS", "is", NULL, bus_method_set_link_dns_over_tls, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("SetLinkDNSSEC", "is", NULL, bus_method_set_link_dnssec, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("SetLinkDNSSECNegativeTrustAnchors", "ias", NULL, bus_method_set_link_dnssec_negative_trust_anchors, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("RevertLink", "i", NULL, bus_method_revert_link, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("RegisterService", "sssqqqaa{say}", "o", bus_method_register_service, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("UnregisterService", "o", NULL, bus_method_unregister_service, SD_BUS_VTABLE_UNPRIVILEGED),

View File

@ -1,6 +1,8 @@
/* SPDX-License-Identifier: LGPL-2.1+ */
#include <net/if.h>
#include <netinet/in.h>
#include <sys/capability.h>
#include "alloc-util.h"
#include "bus-common-errors.h"
@ -11,6 +13,7 @@
#include "resolved-link-bus.h"
#include "resolved-resolv-conf.h"
#include "strv.h"
#include "user-util.h"
static BUS_DEFINE_PROPERTY_GET(property_get_dnssec_supported, "b", Link, link_dnssec_supported);
static BUS_DEFINE_PROPERTY_GET2(property_get_dnssec_mode, "s", Link, link_get_dnssec_mode, dnssec_mode_to_string);
@ -262,6 +265,15 @@ int bus_link_method_set_dns_servers(sd_bus_message *message, void *userdata, sd_
if (r < 0)
return r;
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.set-dns-servers",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
if (r < 0)
return r;
if (r == 0)
return 1; /* Polkit will call us back */
dns_server_mark_all(l->dns_servers);
for (i = 0; i < n; i++) {
@ -325,12 +337,21 @@ int bus_link_method_set_domains(sd_bus_message *message, void *userdata, sd_bus_
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Root domain is not suitable as search domain");
}
dns_search_domain_mark_all(l->search_domains);
r = sd_bus_message_rewind(message, false);
if (r < 0)
return r;
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.set-domains",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
if (r < 0)
return r;
if (r == 0)
return 1; /* Polkit will call us back */
dns_search_domain_mark_all(l->search_domains);
for (;;) {
DnsSearchDomain *d;
const char *name;
@ -388,6 +409,15 @@ int bus_link_method_set_default_route(sd_bus_message *message, void *userdata, s
if (r < 0)
return r;
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.set-default-route",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
if (r < 0)
return r;
if (r == 0)
return 1; /* Polkit will call us back */
if (l->default_route != b) {
l->default_route = b;
@ -423,6 +453,15 @@ int bus_link_method_set_llmnr(sd_bus_message *message, void *userdata, sd_bus_er
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid LLMNR setting: %s", llmnr);
}
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.set-llmnr",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
if (r < 0)
return r;
if (r == 0)
return 1; /* Polkit will call us back */
l->llmnr_support = mode;
link_allocate_scopes(l);
link_add_rrs(l, false);
@ -457,6 +496,15 @@ int bus_link_method_set_mdns(sd_bus_message *message, void *userdata, sd_bus_err
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid MulticastDNS setting: %s", mdns);
}
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.set-mdns",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
if (r < 0)
return r;
if (r == 0)
return 1; /* Polkit will call us back */
l->mdns_support = mode;
link_allocate_scopes(l);
link_add_rrs(l, false);
@ -491,6 +539,15 @@ int bus_link_method_set_dns_over_tls(sd_bus_message *message, void *userdata, sd
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid DNSOverTLS setting: %s", dns_over_tls);
}
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.set-dns-over-tls",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
if (r < 0)
return r;
if (r == 0)
return 1; /* Polkit will call us back */
link_set_dns_over_tls_mode(l, mode);
(void) link_save_user(l);
@ -523,6 +580,15 @@ int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_e
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid DNSSEC setting: %s", dnssec);
}
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.set-dnssec",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
if (r < 0)
return r;
if (r == 0)
return 1; /* Polkit will call us back */
link_set_dnssec_mode(l, mode);
(void) link_save_user(l);
@ -544,6 +610,10 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v
if (r < 0)
return r;
ns = set_new(&dns_name_hash_ops);
if (!ns)
return -ENOMEM;
r = sd_bus_message_read_strv(message, &ntas);
if (r < 0)
return r;
@ -553,19 +623,23 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v
if (r < 0)
return r;
if (r == 0)
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid negative trust anchor domain: %s", *i);
}
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS,
"Invalid negative trust anchor domain: %s", *i);
ns = set_new(&dns_name_hash_ops);
if (!ns)
return -ENOMEM;
STRV_FOREACH(i, ntas) {
r = set_put_strdup(ns, *i);
if (r < 0)
return r;
}
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.set-dnssec-negative-trust-anchors",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
if (r < 0)
return r;
if (r == 0)
return 1; /* Polkit will call us back */
set_free_free(l->dnssec_negative_trust_anchors);
l->dnssec_negative_trust_anchors = TAKE_PTR(ns);
@ -585,6 +659,15 @@ int bus_link_method_revert(sd_bus_message *message, void *userdata, sd_bus_error
if (r < 0)
return r;
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.revert",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
if (r < 0)
return r;
if (r == 0)
return 1; /* Polkit will call us back */
link_flush_settings(l);
link_allocate_scopes(l);
link_add_rrs(l, false);
@ -610,15 +693,15 @@ const sd_bus_vtable link_vtable[] = {
SD_BUS_PROPERTY("DNSSECNegativeTrustAnchors", "as", property_get_ntas, 0, 0),
SD_BUS_PROPERTY("DNSSECSupported", "b", property_get_dnssec_supported, 0, 0),
SD_BUS_METHOD("SetDNS", "a(iay)", NULL, bus_link_method_set_dns_servers, 0),
SD_BUS_METHOD("SetDomains", "a(sb)", NULL, bus_link_method_set_domains, 0),
SD_BUS_METHOD("SetDefaultRoute", "b", NULL, bus_link_method_set_default_route, 0),
SD_BUS_METHOD("SetLLMNR", "s", NULL, bus_link_method_set_llmnr, 0),
SD_BUS_METHOD("SetMulticastDNS", "s", NULL, bus_link_method_set_mdns, 0),
SD_BUS_METHOD("SetDNSOverTLS", "s", NULL, bus_link_method_set_dns_over_tls, 0),
SD_BUS_METHOD("SetDNSSEC", "s", NULL, bus_link_method_set_dnssec, 0),
SD_BUS_METHOD("SetDNSSECNegativeTrustAnchors", "as", NULL, bus_link_method_set_dnssec_negative_trust_anchors, 0),
SD_BUS_METHOD("Revert", NULL, NULL, bus_link_method_revert, 0),
SD_BUS_METHOD("SetDNS", "a(iay)", NULL, bus_link_method_set_dns_servers, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("SetDomains", "a(sb)", NULL, bus_link_method_set_domains, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("SetDefaultRoute", "b", NULL, bus_link_method_set_default_route, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("SetLLMNR", "s", NULL, bus_link_method_set_llmnr, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("SetMulticastDNS", "s", NULL, bus_link_method_set_mdns, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("SetDNSOverTLS", "s", NULL, bus_link_method_set_dns_over_tls, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("SetDNSSEC", "s", NULL, bus_link_method_set_dnssec, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("SetDNSSECNegativeTrustAnchors", "as", NULL, bus_link_method_set_dnssec_negative_trust_anchors, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("Revert", NULL, NULL, bus_link_method_revert, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_VTABLE_END
};

View File

@ -1681,7 +1681,8 @@ int bus_open_system_watch_bind_with_description(sd_bus **ret, const char *descri
assert(ret);
/* Match like sd_bus_open_system(), but with the "watch_bind" feature and the Connected() signal turned on. */
/* Match like sd_bus_open_system(), but with the "watch_bind" feature and the Connected() signal
* turned on. */
r = sd_bus_new(&bus);
if (r < 0)
@ -1705,10 +1706,6 @@ int bus_open_system_watch_bind_with_description(sd_bus **ret, const char *descri
if (r < 0)
return r;
r = sd_bus_set_trusted(bus, true);
if (r < 0)
return r;
r = sd_bus_negotiate_creds(bus, true, SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS);
if (r < 0)
return r;
@ -1737,8 +1734,8 @@ int bus_reply_pair_array(sd_bus_message *m, char **l) {
assert(m);
/* Reply to the specified message with a message containing a dictionary put together from the specified
* strv */
/* Reply to the specified message with a message containing a dictionary put together from the
* specified strv */
r = sd_bus_message_new_method_return(m, &reply);
if (r < 0)