shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00
Code

polkit: map POLKIT_ALWAYS_QUERY to new polkit flag

Browse Source 
polkitd by default just waves through requests from a root process.
A new POLKIT_CHECK_AUTHORIZATION_FLAGS_ALWAYS_CHECK flag was added
to main (will be part of v125 when it ships) that forces it to go
through the policy checks for root too. Previous versions will just
ignore it.

Change the flags handling slightly so that we pass this or the
interactive flags through, as the values match what polkit expects.
This commit is contained in:
Luca Boccassi 2024-06-27 20:55:34 +01:00
parent 4698411ff3
commit 5c48335ef4
2 changed files with 10 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
src/shared/bus-polkit.c
View File

@ -56,7 +56,7 @@ static int bus_message_new_polkit_auth_call_for_bus(
sd_bus_message *m,
const char *action,
const char **details,
bool interactive,
PolkitFlags flags,
sd_bus_message **ret) {
_cleanup_(sd_bus_message_unrefp) sd_bus_message *c = NULL;
@ -89,7 +89,7 @@ static int bus_message_new_polkit_auth_call_for_bus(
if (r < 0)
return r;
r = sd_bus_message_append(c, "us", interactive, NULL);
r = sd_bus_message_append(c, "us", (uint32_t) (flags & _POLKIT_MASK_PUBLIC), NULL);
if (r < 0)
return r;
@ -569,16 +569,14 @@ int bus_verify_polkit_async_full(
}
#if ENABLE_POLKIT
bool interactive = FLAGS_SET(flags, POLKIT_ALLOW_INTERACTIVE);
int c = sd_bus_message_get_allow_interactive_authorization(call);
if (c < 0)
return c;
if (c > 0)
interactive = true;
flags |= POLKIT_ALLOW_INTERACTIVE;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL;
r = bus_message_new_polkit_auth_call_for_bus(call, action, details, interactive, &pk);
r = bus_message_new_polkit_auth_call_for_bus(call, action, details, flags, &pk);
if (r < 0)
return r;
@ -663,7 +661,7 @@ static int bus_message_new_polkit_auth_call_for_varlink(
sd_varlink *link,
const char *action,
const char **details,
bool interactive,
PolkitFlags flags,
sd_bus_message **ret) {
_cleanup_(sd_bus_message_unrefp) sd_bus_message *c = NULL;
@ -710,7 +708,7 @@ static int bus_message_new_polkit_auth_call_for_varlink(
if (r < 0)
return r;
r = sd_bus_message_append(c, "us", interactive, NULL);
r = sd_bus_message_append(c, "us", (uint32_t) (flags & _POLKIT_MASK_PUBLIC), NULL);
if (r < 0)
return r;
@ -814,12 +812,11 @@ int varlink_verify_polkit_async_full(
bus = mybus;
}
bool interactive =
FLAGS_SET(flags, POLKIT_ALLOW_INTERACTIVE) ||
varlink_allow_interactive_authentication(link);
if (varlink_allow_interactive_authentication(link))
flags |= POLKIT_ALLOW_INTERACTIVE;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL;
r = bus_message_new_polkit_auth_call_for_varlink(bus, link, action, details, interactive, &pk);
r = bus_message_new_polkit_auth_call_for_varlink(bus, link, action, details, flags, &pk);
if (r < 0)
return r;

1
src/shared/bus-polkit.h
View File

@ -12,6 +12,7 @@ typedef enum PolkitFLags {
POLKIT_ALWAYS_QUERY = 1 << 1, /* Query polkit even if client is privileged */
POLKIT_DEFAULT_ALLOW = 1 << 2, /* If polkit is not around, assume "allow" rather than the usual "deny" */
POLKIT_DONT_REPLY = 1 << 3, /* Varlink: don't immediately propagate polkit error to the Varlink client */
_POLKIT_MASK_PUBLIC = POLKIT_ALLOW_INTERACTIVE | POLKIT_ALWAYS_QUERY, /* polkit accepts these flags verbatim */
} PolkitFlags;
int bus_test_polkit(sd_bus_message *call, const char *action, const char **details, uid_t good_user, bool *_challenge, sd_bus_error *e);