mirror of
https://github.com/systemd/systemd.git
synced 2024-12-23 21:35:11 +03:00
polkit: map POLKIT_ALWAYS_QUERY to new polkit flag
polkitd by default just waves through requests from a root process. A new POLKIT_CHECK_AUTHORIZATION_FLAGS_ALWAYS_CHECK flag was added to main (will be part of v125 when it ships) that forces it to go through the policy checks for root too. Previous versions will just ignore it. Change the flags handling slightly so that we pass this or the interactive flags through, as the values match what polkit expects.
parent
4698411ff3
commit
5c48335ef4
@ -56,7 +56,7 @@ static int bus_message_new_polkit_auth_call_for_bus(
|
|||||||
sd_bus_message *m,
|
sd_bus_message *m,
|
||||||
const char *action,
|
const char *action,
|
||||||
const char **details,
|
const char **details,
|
||||||
bool interactive,
|
PolkitFlags flags,
|
||||||
sd_bus_message **ret) {
|
sd_bus_message **ret) {
|
||||||
|
|
||||||
_cleanup_(sd_bus_message_unrefp) sd_bus_message *c = NULL;
|
_cleanup_(sd_bus_message_unrefp) sd_bus_message *c = NULL;
|
||||||
@ -89,7 +89,7 @@ static int bus_message_new_polkit_auth_call_for_bus(
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = sd_bus_message_append(c, "us", interactive, NULL);
|
r = sd_bus_message_append(c, "us", (uint32_t) (flags & _POLKIT_MASK_PUBLIC), NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
@ -569,16 +569,14 @@ int bus_verify_polkit_async_full(
|
|||||||
}
|
}
|
||||||
|
|
||||||
#if ENABLE_POLKIT
|
#if ENABLE_POLKIT
|
||||||
bool interactive = FLAGS_SET(flags, POLKIT_ALLOW_INTERACTIVE);
|
|
||||||
|
|
||||||
int c = sd_bus_message_get_allow_interactive_authorization(call);
|
int c = sd_bus_message_get_allow_interactive_authorization(call);
|
||||||
if (c < 0)
|
if (c < 0)
|
||||||
return c;
|
return c;
|
||||||
if (c > 0)
|
if (c > 0)
|
||||||
interactive = true;
|
flags |= POLKIT_ALLOW_INTERACTIVE;
|
||||||
|
|
||||||
_cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL;
|
_cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL;
|
||||||
r = bus_message_new_polkit_auth_call_for_bus(call, action, details, interactive, &pk);
|
r = bus_message_new_polkit_auth_call_for_bus(call, action, details, flags, &pk);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
@ -663,7 +661,7 @@ static int bus_message_new_polkit_auth_call_for_varlink(
|
|||||||
sd_varlink *link,
|
sd_varlink *link,
|
||||||
const char *action,
|
const char *action,
|
||||||
const char **details,
|
const char **details,
|
||||||
bool interactive,
|
PolkitFlags flags,
|
||||||
sd_bus_message **ret) {
|
sd_bus_message **ret) {
|
||||||
|
|
||||||
_cleanup_(sd_bus_message_unrefp) sd_bus_message *c = NULL;
|
_cleanup_(sd_bus_message_unrefp) sd_bus_message *c = NULL;
|
||||||
@ -710,7 +708,7 @@ static int bus_message_new_polkit_auth_call_for_varlink(
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = sd_bus_message_append(c, "us", interactive, NULL);
|
r = sd_bus_message_append(c, "us", (uint32_t) (flags & _POLKIT_MASK_PUBLIC), NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
@ -814,12 +812,11 @@ int varlink_verify_polkit_async_full(
|
|||||||
bus = mybus;
|
bus = mybus;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool interactive =
|
if (varlink_allow_interactive_authentication(link))
|
||||||
FLAGS_SET(flags, POLKIT_ALLOW_INTERACTIVE) ||
|
flags |= POLKIT_ALLOW_INTERACTIVE;
|
||||||
varlink_allow_interactive_authentication(link);
|
|
||||||
|
|
||||||
_cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL;
|
_cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL;
|
||||||
r = bus_message_new_polkit_auth_call_for_varlink(bus, link, action, details, interactive, &pk);
|
r = bus_message_new_polkit_auth_call_for_varlink(bus, link, action, details, flags, &pk);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
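Review bot: The two `sd_bus_message_append(c, "us", (uint32_t) (flags & _POLKIT_MASK_PUBLIC), NULL)` calls send systemd's own enum bits to polkit as its authorization-check flags, and nothing at either call site pins that the numeric values agree. If a later change renumbers `PolkitFlags` or adds a private flag to the mask, a request could silently carry the wrong bit (for example lose the always-check bit for a root caller) without any build failure. A compile-time check beside the calls would catch this, e.g. `assert_cc(POLKIT_ALWAYS_QUERY == 1 << 1);` plus the equivalent for `POLKIT_ALLOW_INTERACTIVE`, whose value is not visible on this page. This applies to both the bus and the varlink variant, and both function bodies continue outside the hunks.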
|
@ -12,6 +12,7 @@ typedef enum PolkitFLags {
|
|||||||
POLKIT_ALWAYS_QUERY = 1 << 1, /* Query polkit even if client is privileged */
|
POLKIT_ALWAYS_QUERY = 1 << 1, /* Query polkit even if client is privileged */
|
||||||
POLKIT_DEFAULT_ALLOW = 1 << 2, /* If polkit is not around, assume "allow" rather than the usual "deny" */
|
POLKIT_DEFAULT_ALLOW = 1 << 2, /* If polkit is not around, assume "allow" rather than the usual "deny" */
|
||||||
POLKIT_DONT_REPLY = 1 << 3, /* Varlink: don't immediately propagate polkit error to the Varlink client */
|
POLKIT_DONT_REPLY = 1 << 3, /* Varlink: don't immediately propagate polkit error to the Varlink client */
|
||||||
|
_POLKIT_MASK_PUBLIC = POLKIT_ALLOW_INTERACTIVE | POLKIT_ALWAYS_QUERY, /* polkit accepts these flags verbatim */
|
||||||
} PolkitFlags;
|
} PolkitFlags;
|
||||||
|
|
||||||
int bus_test_polkit(sd_bus_message *call, const char *action, const char **details, uid_t good_user, bool *_challenge, sd_bus_error *e);
|
int bus_test_polkit(sd_bus_message *call, const char *action, const char **details, uid_t good_user, bool *_challenge, sd_bus_error *e);
|
||||||
|
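Review bot: The comment on `POLKIT_ALWAYS_QUERY` still promises only that polkit is queried, but the commit description says polkitd versions without the new flag ignore it. On those systems a root caller would presumably still be waved through without a policy evaluation. A caller that sets this flag to gate a privileged operation cannot tell the two cases apart, so the limitation should be stated where the flag is declared, e.g. `/* Query polkit even if client is privileged; only enforced for root by polkitd versions that know ALWAYS_CHECK, older ones ignore it */`. The `_POLKIT_MASK_PUBLIC` comment could also say that only flags whose values equal polkit's wire values may be added to the mask. The start of the enum is outside the hunk.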