shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-03-09 12:58:26 +03:00
Code

polkit: simplify bus_verify_polkit_async() + drop auth-by-cap dbus feature

Browse Source 
This simplifies bus_verify_polkit_async() and related calls quite a bit:

1. This removes any support for authentication-by-Linux-capability. This
   is ultimately a kdbus leftover: with classic AF_UNIX transports we
   cannot authenticate by capabilities securely (because we cannot
   acquire it from the peer without races), hence we never actually did.
   Since the necessary kernel work didn't materialize in the last 10y,
   and is unlikely to be added, let's just kill this context. We cannot
   quite remove the caps stuff from sd-bus for API compat, but for our
   polkit logic let's kill it.

2. The "good_uid" and "interactive" params are only necessary in very
   few cases, hence let's move them to a new call
   bus_verify_polkit_async_full() and make bus_verify_polkit_async() a
   wrapper around it without those two parameters.

This also fixes a bunch of wrong uses of the "interactive" bool. The
bool makes no sense today as the ALLOW_INTERACTIVE_AUTHORIZATION field
in the D-Bus message header replaces it fully. We only need it to
implement method calls we introduced prior to that header field becoming
available in D-Bus. And it should only be used on such old method calls,
and otherwise always be set to false.

This does not change behaviour in any way. Just simplifies stuff.

Fixes: #21586
This commit is contained in:
Lennart Poettering 2023-11-22 18:56:19 +01:00 committed by Yu Watanabe
parent 207aafe7e1
commit 7b36fb9f96
29 changed files with 365 additions and 450 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/core/dbus-service.c
View File

@ -166,9 +166,7 @@ static int bus_service_method_mount(sd_bus_message *message, void *userdata, sd_
r = bus_verify_manage_units_async_full(
u,
is_image ? "mount-image" : "bind-mount",
CAP_SYS_ADMIN,
N_("Authentication is required to mount on '$(unit)'."),
true,
message,
error);
if (r < 0)

18
src/core/dbus-unit.c
View File

@ -408,9 +408,7 @@ int bus_unit_method_start_generic(
r = bus_verify_manage_units_async_full(
u,
verb,
CAP_SYS_ADMIN,
polkit_message_for_job[job_type],
true,
message,
error);
if (r < 0)
@ -491,9 +489,7 @@ int bus_unit_method_enqueue_job(sd_bus_message *message, void *userdata, sd_bus_
r = bus_verify_manage_units_async_full(
u,
jtype,
CAP_SYS_ADMIN,
polkit_message_for_job[type],
true,
message,
error);
if (r < 0)
@ -549,9 +545,7 @@ int bus_unit_method_kill(sd_bus_message *message, void *userdata, sd_bus_error *
r = bus_verify_manage_units_async_full(
u,
"kill",
CAP_KILL,
N_("Authentication is required to send a UNIX signal to the processes of '$(unit)'."),
true,
message,
error);
if (r < 0)
@ -579,9 +573,7 @@ int bus_unit_method_reset_failed(sd_bus_message *message, void *userdata, sd_bus
r = bus_verify_manage_units_async_full(
u,
"reset-failed",
CAP_SYS_ADMIN,
N_("Authentication is required to reset the \"failed\" state of '$(unit)'."),
true,
message,
error);
if (r < 0)
@ -611,9 +603,7 @@ int bus_unit_method_set_properties(sd_bus_message *message, void *userdata, sd_b
r = bus_verify_manage_units_async_full(
u,
"set-property",
CAP_SYS_ADMIN,
N_("Authentication is required to set properties on '$(unit)'."),
true,
message,
error);
if (r < 0)
@ -641,9 +631,7 @@ int bus_unit_method_ref(sd_bus_message *message, void *userdata, sd_bus_error *e
r = bus_verify_manage_units_async_full(
u,
"ref",
CAP_SYS_ADMIN,
NULL,
false,
/* polkit_message= */ NULL,
message,
error);
if (r < 0)
@ -712,9 +700,7 @@ int bus_unit_method_clean(sd_bus_message *message, void *userdata, sd_bus_error
r = bus_verify_manage_units_async_full(
u,
"clean",
CAP_DAC_OVERRIDE,
N_("Authentication is required to delete files and directories associated with '$(unit)'."),
true,
message,
error);
if (r < 0)
@ -760,9 +746,7 @@ static int bus_unit_method_freezer_generic(sd_bus_message *message, void *userda
r = bus_verify_manage_units_async_full(
u,
perm,
CAP_SYS_ADMIN,
N_("Authentication is required to freeze or thaw the processes of '$(unit)' unit."),
true,
message,
error);
if (r < 0)

5
src/core/dbus-util.c
View File

@ -151,9 +151,7 @@ int bus_set_transient_usec_internal(
int bus_verify_manage_units_async_full(
Unit *u,
const char *verb,
int capability,
const char *polkit_message,
bool interactive,
sd_bus_message *call,
sd_bus_error *error) {
@ -171,11 +169,8 @@ int bus_verify_manage_units_async_full(
return bus_verify_polkit_async(
call,
capability,
"org.freedesktop.systemd1.manage-units",
details,
interactive,
UID_INVALID,
&u->manager->polkit_registry,
error);
}

2
src/core/dbus-util.h
View File

@ -249,7 +249,7 @@ static inline int bus_set_transient_usec(Unit *u, const char *name, usec_t *p, s
static inline int bus_set_transient_usec_fix_0(Unit *u, const char *name, usec_t *p, sd_bus_message *message, UnitWriteFlags flags, sd_bus_error *error) {
return bus_set_transient_usec_internal(u, name, p, true, message, flags, error);
}
int bus_verify_manage_units_async_full(Unit *u, const char *verb, int capability, const char *polkit_message, bool interactive, sd_bus_message *call, sd_bus_error *error);
int bus_verify_manage_units_async_full(Unit *u, const char *verb, const char *polkit_message, sd_bus_message *call, sd_bus_error *error);
int bus_read_mount_options(sd_bus_message *message, sd_bus_error *error, MountOptions **ret_options, char **ret_format_str, const char *separator);

34
src/core/dbus.c
View File

@ -1189,22 +1189,46 @@ int bus_track_coldplug(Manager *m, sd_bus_track **t, bool recursive, char **l) {
}
int bus_verify_manage_units_async(Manager *m, sd_bus_message *call, sd_bus_error *error) {
return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.manage-units", NULL, false, UID_INVALID, &m->polkit_registry, error);
return bus_verify_polkit_async(
call,
"org.freedesktop.systemd1.manage-units",
/* details= */ NULL,
&m->polkit_registry,
error);
}
int bus_verify_manage_unit_files_async(Manager *m, sd_bus_message *call, sd_bus_error *error) {
return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.manage-unit-files", NULL, false, UID_INVALID, &m->polkit_registry, error);
return bus_verify_polkit_async(
call,
"org.freedesktop.systemd1.manage-unit-files",
/* details= */ NULL,
&m->polkit_registry,
error);
}
int bus_verify_reload_daemon_async(Manager *m, sd_bus_message *call, sd_bus_error *error) {
return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.reload-daemon", NULL, false, UID_INVALID, &m->polkit_registry, error);
return bus_verify_polkit_async(
call,
"org.freedesktop.systemd1.reload-daemon",
/* details= */ NULL,
&m->polkit_registry, error);
}
int bus_verify_set_environment_async(Manager *m, sd_bus_message *call, sd_bus_error *error) {
return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.set-environment", NULL, false, UID_INVALID, &m->polkit_registry, error);
return bus_verify_polkit_async(
call,
"org.freedesktop.systemd1.set-environment",
/* details= */ NULL,
&m->polkit_registry,
error);
}
int bus_verify_bypass_dump_ratelimit_async(Manager *m, sd_bus_message *call, sd_bus_error *error) {
return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.bypass-dump-ratelimit", NULL, false, UID_INVALID, &m->polkit_registry, error);
return bus_verify_polkit_async(
call,
"org.freedesktop.systemd1.bypass-dump-ratelimit",
/* details= */ NULL,
&m->polkit_registry,
error);
}
uint64_t manager_bus_n_queued_write(Manager *m) {

39
src/home/homed-home-bus.c
View File

@ -203,11 +203,8 @@ int bus_home_method_unregister(
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.home1.remove-home",
NULL,
true,
UID_INVALID,
/* details= */ NULL,
&h->manager->polkit_registry,
error);
if (r < 0)
@ -243,11 +240,8 @@ int bus_home_method_realize(
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.home1.create-home",
NULL,
true,
UID_INVALID,
/* details= */ NULL,
&h->manager->polkit_registry,
error);
if (r < 0)
@ -283,11 +277,8 @@ int bus_home_method_remove(
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.home1.remove-home",
NULL,
true,
UID_INVALID,
/* details= */ NULL,
&h->manager->polkit_registry,
error);
if (r < 0)
@ -354,12 +345,11 @@ int bus_home_method_authenticate(
if (r < 0)
return r;
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
message,
CAP_SYS_ADMIN,
"org.freedesktop.home1.authenticate-home",
NULL,
true,
/* details= */ NULL,
/* interactive= */ false,
h->uid,
&h->manager->polkit_registry,
error);
@ -395,11 +385,8 @@ int bus_home_method_update_record(Home *h, sd_bus_message *message, UserRecord *
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.home1.update-home",
NULL,
true,
UID_INVALID,
/* details= */ NULL,
&h->manager->polkit_registry,
error);
if (r < 0)
@ -461,11 +448,8 @@ int bus_home_method_resize(
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.home1.resize-home",
NULL,
true,
UID_INVALID,
/* details= */ NULL,
&h->manager->polkit_registry,
error);
if (r < 0)
@ -506,12 +490,11 @@ int bus_home_method_change_password(
if (r < 0)
return r;
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
message,
CAP_SYS_ADMIN,
"org.freedesktop.home1.passwd-home",
NULL,
true,
/* details= */ NULL,
/* interactive= */ false,
h->uid,
&h->manager->polkit_registry,
error);

10
src/home/homed-manager-bus.c
View File

@ -396,11 +396,8 @@ static int method_register_home(
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.home1.create-home",
NULL,
true,
UID_INVALID,
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)
@ -443,11 +440,8 @@ static int method_create_home(
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.home1.create-home",
NULL,
true,
UID_INVALID,
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)

43
src/hostname/hostnamed.c
View File

@ -1054,13 +1054,12 @@ static int method_set_hostname(sd_bus_message *m, void *userdata, sd_bus_error *
context_read_etc_hostname(c);
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
m,
CAP_SYS_ADMIN,
"org.freedesktop.hostname1.set-hostname",
NULL,
/* details= */ NULL,
interactive,
UID_INVALID,
/* good_user= */ UID_INVALID,
&c->polkit_registry,
error);
if (r < 0)
@ -1101,13 +1100,12 @@ static int method_set_static_hostname(sd_bus_message *m, void *userdata, sd_bus_
if (name && !hostname_is_valid(name, 0))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid static hostname '%s'", name);
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
m,
CAP_SYS_ADMIN,
"org.freedesktop.hostname1.set-static-hostname",
NULL,
/* details= */ NULL,
interactive,
UID_INVALID,
/* good_user= */ UID_INVALID,
&c->polkit_registry,
error);
if (r < 0)
@ -1177,17 +1175,15 @@ static int set_machine_info(Context *c, sd_bus_message *m, int prop, sd_bus_mess
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid location '%s'", name);
}
/* Since the pretty hostname should always be changed at the
* same time as the static one, use the same policy action for
* both... */
/* Since the pretty hostname should always be changed at the same time as the static one, use the
* same policy action for both... */
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
m,
CAP_SYS_ADMIN,
prop == PROP_PRETTY_HOSTNAME ? "org.freedesktop.hostname1.set-static-hostname" : "org.freedesktop.hostname1.set-machine-info",
NULL,
/* details= */ NULL,
interactive,
UID_INVALID,
/* good_user= */ UID_INVALID,
&c->polkit_registry,
error);
if (r < 0)
@ -1259,13 +1255,12 @@ static int method_get_product_uuid(sd_bus_message *m, void *userdata, sd_bus_err
if (r < 0)
return r;
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
m,
CAP_SYS_ADMIN,
"org.freedesktop.hostname1.get-product-uuid",
NULL,
/* details= */ NULL,
interactive,
UID_INVALID,
/* good_user= */ UID_INVALID,
&c->polkit_registry,
error);
if (r < 0)
@ -1306,11 +1301,8 @@ static int method_get_hardware_serial(sd_bus_message *m, void *userdata, sd_bus_
r = bus_verify_polkit_async(
m,
CAP_SYS_ADMIN,
"org.freedesktop.hostname1.get-hardware-serial",
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&c->polkit_registry,
error);
if (r < 0)
@ -1350,11 +1342,8 @@ static int method_describe(sd_bus_message *m, void *userdata, sd_bus_error *erro
r = bus_verify_polkit_async(
m,
CAP_SYS_ADMIN,
"org.freedesktop.hostname1.get-description",
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&c->polkit_registry,
error);
if (r == 0)

30
src/import/importd.c
View File

@ -704,11 +704,8 @@ static int method_import_tar_or_raw(sd_bus_message *msg, void *userdata, sd_bus_
r = bus_verify_polkit_async(
msg,
CAP_SYS_ADMIN,
"org.freedesktop.import1.import",
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)
@ -775,11 +772,8 @@ static int method_import_fs(sd_bus_message *msg, void *userdata, sd_bus_error *e
r = bus_verify_polkit_async(
msg,
CAP_SYS_ADMIN,
"org.freedesktop.import1.import",
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)
@ -843,11 +837,8 @@ static int method_export_tar_or_raw(sd_bus_message *msg, void *userdata, sd_bus_
r = bus_verify_polkit_async(
msg,
CAP_SYS_ADMIN,
"org.freedesktop.import1.export",
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)
@ -916,11 +907,8 @@ static int method_pull_tar_or_raw(sd_bus_message *msg, void *userdata, sd_bus_er
r = bus_verify_polkit_async(
msg,
CAP_SYS_ADMIN,
"org.freedesktop.import1.pull",
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)
@ -1036,11 +1024,8 @@ static int method_cancel(sd_bus_message *msg, void *userdata, sd_bus_error *erro
r = bus_verify_polkit_async(
msg,
CAP_SYS_ADMIN,
"org.freedesktop.import1.pull",
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&t->manager->polkit_registry,
error);
if (r < 0)
@ -1065,11 +1050,8 @@ static int method_cancel_transfer(sd_bus_message *msg, void *userdata, sd_bus_er
r = bus_verify_polkit_async(
msg,
CAP_SYS_ADMIN,
"org.freedesktop.import1.pull",
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)

21
src/locale/localed.c
View File

@ -281,13 +281,12 @@ static int method_set_locale(sd_bus_message *m, void *userdata, sd_bus_error *er
return sd_bus_reply_method_return(m, NULL);
}
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
m,
CAP_SYS_ADMIN,
"org.freedesktop.locale1.set-locale",
NULL,
/* details= */ NULL,
interactive,
UID_INVALID,
/* good_user= */ UID_INVALID,
&c->polkit_registry,
error);
if (r < 0)
@ -386,13 +385,12 @@ static int method_set_vc_keyboard(sd_bus_message *m, void *userdata, sd_bus_erro
if (vc_context_equal(&c->vc, &in) && !x_needs_update)
return sd_bus_reply_method_return(m, NULL);
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
m,
CAP_SYS_ADMIN,
"org.freedesktop.locale1.set-keyboard",
NULL,
/* details= */ NULL,
interactive,
UID_INVALID,
/* good_user= */ UID_INVALID,
&c->polkit_registry,
error);
if (r < 0)
@ -506,13 +504,12 @@ static int method_set_x11_keyboard(sd_bus_message *m, void *userdata, sd_bus_err
if (x11_context_equal(&c->x11_from_vc, &in) && x11_context_equal(&c->x11_from_xorg, &in) && !convert)
return sd_bus_reply_method_return(m, NULL);
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
m,
CAP_SYS_ADMIN,
"org.freedesktop.locale1.set-keyboard",
NULL,
/* details= */ NULL,
interactive,
UID_INVALID,
/* good_user= */ UID_INVALID,
&c->polkit_registry,
error);
if (r < 0)

176
src/login/logind-dbus.c
View File

@ -236,7 +236,6 @@ int manager_get_seat_from_creds(
static int return_test_polkit(
sd_bus_message *message,
int capability,
const char *action,
const char **details,
uid_t good_user,
@ -246,7 +245,7 @@ static int return_test_polkit(
bool challenge;
int r;
r = bus_test_polkit(message, capability, action, details, good_user, &challenge, e);
r = bus_test_polkit(message, action, details, good_user, &challenge, e);
if (r < 0)
return r;
@ -1245,11 +1244,8 @@ static int method_lock_sessions(sd_bus_message *message, void *userdata, sd_bus_
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.login1.lock-sessions",
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)
@ -1397,14 +1393,13 @@ static int method_set_user_linger(sd_bus_message *message, void *userdata, sd_bu
if (!pw)
return errno_or_else(ENOENT);
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
message,
CAP_SYS_ADMIN,
uid == auth_uid ? "org.freedesktop.login1.set-self-linger" :
"org.freedesktop.login1.set-user-linger",
NULL,
/* details= */ NULL,
interactive,
UID_INVALID,
/* good_user= */ UID_INVALID,
&m->polkit_registry,
error);
if (r < 0)
@ -1565,13 +1560,12 @@ static int method_attach_device(sd_bus_message *message, void *userdata, sd_bus_
} else if (!seat_name_is_valid(seat)) /* Note that a seat does not have to exist yet for this operation to succeed */
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Seat name %s is not valid", seat);
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
message,
CAP_SYS_ADMIN,
"org.freedesktop.login1.attach-device",
NULL,
/* details= */ NULL,
interactive,
UID_INVALID,
/* good_user= */ UID_INVALID,
&m->polkit_registry,
error);
if (r < 0)
@ -1596,13 +1590,12 @@ static int method_flush_devices(sd_bus_message *message, void *userdata, sd_bus_
if (r < 0)
return r;
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
message,
CAP_SYS_ADMIN,
"org.freedesktop.login1.flush-devices",
NULL,
/* details= */ NULL,
interactive,
UID_INVALID,
/* good_user= */ UID_INVALID,
&m->polkit_registry,
error);
if (r < 0)
@ -1938,13 +1931,12 @@ static int verify_shutdown_creds(
interactive = flags & SD_LOGIND_INTERACTIVE;
if (multiple_sessions) {
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
message,
CAP_SYS_BOOT,
a->polkit_action_multiple_sessions,
NULL,
/* details= */ NULL,
interactive,
UID_INVALID,
/* good_user= */ UID_INVALID,
&m->polkit_registry,
error);
if (r < 0)
@ -1959,12 +1951,12 @@ static int verify_shutdown_creds(
return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED,
"Access denied to root due to active block inhibitor");
r = bus_verify_polkit_async(message,
CAP_SYS_BOOT,
r = bus_verify_polkit_async_full(
message,
a->polkit_action_ignore_inhibit,
NULL,
/* details= */ NULL,
interactive,
UID_INVALID,
/* good_user= */ UID_INVALID,
&m->polkit_registry,
error);
if (r < 0)
@ -1974,12 +1966,12 @@ static int verify_shutdown_creds(
}
if (!multiple_sessions && !blocked) {
r = bus_verify_polkit_async(message,
CAP_SYS_BOOT,
r = bus_verify_polkit_async_full(
message,
a->polkit_action,
NULL,
/* details= */ NULL,
interactive,
UID_INVALID,
/* good_user= */ UID_INVALID,
&m->polkit_registry,
error);
if (r < 0)
@ -2529,11 +2521,8 @@ static int method_cancel_scheduled_shutdown(sd_bus_message *message, void *userd
r = bus_verify_polkit_async(
message,
CAP_SYS_BOOT,
a->polkit_action,
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)
@ -2640,7 +2629,13 @@ static int method_can_shutdown_or_sleep(
}
if (multiple_sessions) {
r = bus_test_polkit(message, CAP_SYS_BOOT, a->polkit_action_multiple_sessions, NULL, UID_INVALID, &challenge, error);
r = bus_test_polkit(
message,
a->polkit_action_multiple_sessions,
/* details= */ NULL,
/* good_user= */ UID_INVALID,
&challenge,
error);
if (r < 0)
return r;
@ -2653,7 +2648,13 @@ static int method_can_shutdown_or_sleep(
}
if (blocked) {
r = bus_test_polkit(message, CAP_SYS_BOOT, a->polkit_action_ignore_inhibit, NULL, UID_INVALID, &challenge, error);
r = bus_test_polkit(
message,
a->polkit_action_ignore_inhibit,
/* details= */ NULL,
/* good_user= */ UID_INVALID,
&challenge,
error);
if (r < 0)
return r;
@ -2671,7 +2672,13 @@ static int method_can_shutdown_or_sleep(
/* If neither inhibit nor multiple sessions
* apply then just check the normal policy */
r = bus_test_polkit(message, CAP_SYS_BOOT, a->polkit_action, NULL, UID_INVALID, &challenge, error);
r = bus_test_polkit(
message,
a->polkit_action,
/* details= */ NULL,
/* good_user= */ UID_INVALID,
&challenge,
error);
if (r < 0)
return r;
@ -2779,14 +2786,12 @@ static int method_set_reboot_parameter(
return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
"Reboot parameter not supported in containers, refusing.");
r = bus_verify_polkit_async(message,
CAP_SYS_ADMIN,
"org.freedesktop.login1.set-reboot-parameter",
NULL,
false,
UID_INVALID,
&m->polkit_registry,
error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.login1.set-reboot-parameter",
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -2817,10 +2822,9 @@ static int method_can_reboot_parameter(
return return_test_polkit(
message,
CAP_SYS_ADMIN,
"org.freedesktop.login1.set-reboot-parameter",
NULL,
UID_INVALID,
/* details= */ NULL,
/* good_user= */ UID_INVALID,
error);
}
@ -2898,14 +2902,12 @@ static int method_set_reboot_to_firmware_setup(
/* non-EFI case: $SYSTEMD_REBOOT_TO_FIRMWARE_SETUP is set to on */
use_efi = false;
r = bus_verify_polkit_async(message,
CAP_SYS_ADMIN,
"org.freedesktop.login1.set-reboot-to-firmware-setup",
NULL,
false,
UID_INVALID,
&m->polkit_registry,
error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.login1.set-reboot-to-firmware-setup",
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -2962,10 +2964,9 @@ static int method_can_reboot_to_firmware_setup(
return return_test_polkit(
message,
CAP_SYS_ADMIN,
"org.freedesktop.login1.set-reboot-to-firmware-setup",
NULL,
UID_INVALID,
/* details= */ NULL,
/* good_user= */ UID_INVALID,
error);
}
@ -3062,14 +3063,12 @@ static int method_set_reboot_to_boot_loader_menu(
/* non-EFI case: $SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU is set to on */
use_efi = false;
r = bus_verify_polkit_async(message,
CAP_SYS_ADMIN,
"org.freedesktop.login1.set-reboot-to-boot-loader-menu",
NULL,
false,
UID_INVALID,
&m->polkit_registry,
error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.login1.set-reboot-to-boot-loader-menu",
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -3137,10 +3136,9 @@ static int method_can_reboot_to_boot_loader_menu(
return return_test_polkit(
message,
CAP_SYS_ADMIN,
"org.freedesktop.login1.set-reboot-to-boot-loader-menu",
NULL,
UID_INVALID,
/* details= */ NULL,
/* good_user= */ UID_INVALID,
error);
}
@ -3261,14 +3259,12 @@ static int method_set_reboot_to_boot_loader_entry(
/* non-EFI case: $SYSTEMD_REBOOT_TO_BOOT_LOADER_ENTRY is set to on */
use_efi = false;
r = bus_verify_polkit_async(message,
CAP_SYS_ADMIN,
"org.freedesktop.login1.set-reboot-to-boot-loader-entry",
NULL,
false,
UID_INVALID,
&m->polkit_registry,
error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.login1.set-reboot-to-boot-loader-entry",
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -3329,10 +3325,9 @@ static int method_can_reboot_to_boot_loader_entry(
return return_test_polkit(
message,
CAP_SYS_ADMIN,
"org.freedesktop.login1.set-reboot-to-boot-loader-entry",
NULL,
UID_INVALID,
/* details= */ NULL,
/* good_user= */ UID_INVALID,
error);
}
@ -3403,14 +3398,12 @@ static int method_set_wall_message(
m->enable_wall_messages == enable_wall_messages)
goto done;
r = bus_verify_polkit_async(message,
CAP_SYS_ADMIN,
"org.freedesktop.login1.set-wall-message",
NULL,
false,
UID_INVALID,
&m->polkit_registry,
error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.login1.set-wall-message",
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -3470,7 +3463,6 @@ static int method_inhibit(sd_bus_message *message, void *userdata, sd_bus_error
r = bus_verify_polkit_async(
message,
CAP_SYS_BOOT,
w == INHIBIT_SHUTDOWN ? (mm == INHIBIT_BLOCK ? "org.freedesktop.login1.inhibit-block-shutdown" : "org.freedesktop.login1.inhibit-delay-shutdown") :
w == INHIBIT_SLEEP ? (mm == INHIBIT_BLOCK ? "org.freedesktop.login1.inhibit-block-sleep" : "org.freedesktop.login1.inhibit-delay-sleep") :
w == INHIBIT_IDLE ? "org.freedesktop.login1.inhibit-block-idle" :
@ -3479,9 +3471,7 @@ static int method_inhibit(sd_bus_message *message, void *userdata, sd_bus_error
w == INHIBIT_HANDLE_REBOOT_KEY ? "org.freedesktop.login1.inhibit-handle-reboot-key" :
w == INHIBIT_HANDLE_HIBERNATE_KEY ? "org.freedesktop.login1.inhibit-handle-hibernate-key" :
"org.freedesktop.login1.inhibit-handle-lid-switch",
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)

5
src/login/logind-polkit.c
View File

@ -9,11 +9,8 @@ int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *e
#if ENABLE_POLKIT
return bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.login1.chvt",
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&manager->polkit_registry,
error);
#else

5
src/login/logind-seat-dbus.c
View File

@ -134,11 +134,8 @@ int bus_seat_method_terminate(sd_bus_message *message, void *userdata, sd_bus_er
r = bus_verify_polkit_async(
message,
CAP_KILL,
"org.freedesktop.login1.manage",
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&s->manager->polkit_registry,
error);
if (r < 0)

21
src/login/logind-session-dbus.c
View File

@ -158,12 +158,11 @@ int bus_session_method_terminate(sd_bus_message *message, void *userdata, sd_bus
assert(message);
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
message,
CAP_KILL,
"org.freedesktop.login1.manage",
NULL,
false,
/* details= */ NULL,
/* interactive= */ false,
s->user->user_record->uid,
&s->manager->polkit_registry,
error);
@ -204,12 +203,11 @@ int bus_session_method_lock(sd_bus_message *message, void *userdata, sd_bus_erro
assert(message);
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
message,
CAP_SYS_ADMIN,
"org.freedesktop.login1.lock-sessions",
NULL,
false,
/* details= */ NULL,
/* interactive= */ false,
s->user->user_record->uid,
&s->manager->polkit_registry,
error);
@ -309,12 +307,11 @@ int bus_session_method_kill(sd_bus_message *message, void *userdata, sd_bus_erro
if (!SIGNAL_VALID(signo))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid signal %i", signo);
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
message,
CAP_KILL,
"org.freedesktop.login1.manage",
NULL,
false,
/* details= */ NULL,
/* interactive= */ false,
s->user->user_record->uid,
&s->manager->polkit_registry,
error);

14
src/login/logind-user-dbus.c
View File

@ -192,12 +192,11 @@ int bus_user_method_terminate(sd_bus_message *message, void *userdata, sd_bus_er
assert(message);
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
message,
CAP_KILL,
"org.freedesktop.login1.manage",
NULL,
false,
/* details= */ NULL,
/* interactive= */ false,
u->user_record->uid,
&u->manager->polkit_registry,
error);
@ -220,12 +219,11 @@ int bus_user_method_kill(sd_bus_message *message, void *userdata, sd_bus_error *
assert(message);
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
message,
CAP_KILL,
"org.freedesktop.login1.manage",
NULL,
false,
/* details= */ NULL,
/* interactive= */ false,
u->user_record->uid,
&u->manager->polkit_registry,
error);

15
src/machine/image-dbus.c
View File

@ -50,11 +50,8 @@ int bus_image_method_remove(
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-images",
details,
false,
UID_INVALID,
&m->polkit_registry,
error);
if (r < 0)
@ -121,11 +118,8 @@ int bus_image_method_rename(
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-images",
details,
false,
UID_INVALID,
&m->polkit_registry,
error);
if (r < 0)
@ -173,11 +167,8 @@ int bus_image_method_clone(
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-images",
details,
false,
UID_INVALID,
&m->polkit_registry,
error);
if (r < 0)
@ -240,11 +231,8 @@ int bus_image_method_mark_read_only(
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-images",
details,
false,
UID_INVALID,
&m->polkit_registry,
error);
if (r < 0)
@ -285,11 +273,8 @@ int bus_image_method_set_limit(
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-images",
details,
false,
UID_INVALID,
&m->polkit_registry,
error);
if (r < 0)

27
src/machine/machine-dbus.c
View File

@ -73,11 +73,8 @@ int bus_machine_method_unregister(sd_bus_message *message, void *userdata, sd_bu
r = bus_verify_polkit_async(
message,
CAP_KILL,
"org.freedesktop.machine1.manage-machines",
details,
false,
UID_INVALID,
&m->manager->polkit_registry,
error);
if (r < 0)
@ -106,11 +103,8 @@ int bus_machine_method_terminate(sd_bus_message *message, void *userdata, sd_bus
r = bus_verify_polkit_async(
message,
CAP_KILL,
"org.freedesktop.machine1.manage-machines",
details,
false,
UID_INVALID,
&m->manager->polkit_registry,
error);
if (r < 0)
@ -157,11 +151,8 @@ int bus_machine_method_kill(sd_bus_message *message, void *userdata, sd_bus_erro
r = bus_verify_polkit_async(
message,
CAP_KILL,
"org.freedesktop.machine1.manage-machines",
details,
false,
UID_INVALID,
&m->manager->polkit_registry,
error);
if (r < 0)
@ -449,11 +440,8 @@ int bus_machine_method_open_pty(sd_bus_message *message, void *userdata, sd_bus_
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-open-pty" : "org.freedesktop.machine1.open-pty",
details,
false,
UID_INVALID,
&m->manager->polkit_registry,
error);
if (r < 0)
@ -541,11 +529,8 @@ int bus_machine_method_open_login(sd_bus_message *message, void *userdata, sd_bu
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-login" : "org.freedesktop.machine1.login",
details,
false,
UID_INVALID,
&m->manager->polkit_registry,
error);
if (r < 0)
@ -656,11 +641,8 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-shell" : "org.freedesktop.machine1.shell",
details,
false,
UID_INVALID,
&m->manager->polkit_registry,
error);
if (r < 0)
@ -861,11 +843,8 @@ int bus_machine_method_bind_mount(sd_bus_message *message, void *userdata, sd_bu
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-machines",
details,
false,
UID_INVALID,
&m->manager->polkit_registry,
error);
if (r < 0)
@ -949,11 +928,8 @@ int bus_machine_method_copy(sd_bus_message *message, void *userdata, sd_bus_erro
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-machines",
details,
false,
UID_INVALID,
&m->manager->polkit_registry,
error);
if (r < 0)
@ -1070,11 +1046,8 @@ int bus_machine_method_open_root_directory(sd_bus_message *message, void *userda
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-machines",
details,
false,
UID_INVALID,
&m->manager->polkit_registry,
error);
if (r < 0)

6
src/machine/machined-dbus.c
View File

@ -720,11 +720,8 @@ static int method_clean_pool(sd_bus_message *message, void *userdata, sd_bus_err
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-machines",
details,
false,
UID_INVALID,
&m->polkit_registry,
error);
if (r < 0)
@ -855,11 +852,8 @@ static int method_set_pool_limit(sd_bus_message *message, void *userdata, sd_bus
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.machine1.manage-machines",
details,
false,
UID_INVALID,
&m->polkit_registry,
error);
if (r < 0)

139
src/network/networkd-link-bus.c
View File

@ -100,10 +100,12 @@ int bus_link_method_set_ntp_servers(sd_bus_message *message, void *userdata, sd_
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid NTP server: %s", *i);
}
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.network1.set-ntp-servers",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.network1.set-ntp-servers",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -134,10 +136,12 @@ static int bus_link_method_set_dns_servers_internal(sd_bus_message *message, voi
if (r < 0)
return r;
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.network1.set-dns-servers",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.network1.set-dns-servers",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
goto finalize;
if (r == 0) {
@ -231,10 +235,12 @@ int bus_link_method_set_domains(sd_bus_message *message, void *userdata, sd_bus_
if (r < 0)
return r;
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.network1.set-domains",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.network1.set-domains",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -266,10 +272,12 @@ int bus_link_method_set_default_route(sd_bus_message *message, void *userdata, s
if (r < 0)
return r;
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.network1.set-default-route",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.network1.set-default-route",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -310,10 +318,12 @@ int bus_link_method_set_llmnr(sd_bus_message *message, void *userdata, sd_bus_er
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid LLMNR setting: %s", llmnr);
}
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.network1.set-llmnr",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.network1.set-llmnr",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -354,10 +364,12 @@ int bus_link_method_set_mdns(sd_bus_message *message, void *userdata, sd_bus_err
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid MulticastDNS setting: %s", mdns);
}
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.network1.set-mdns",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.network1.set-mdns",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -398,10 +410,12 @@ int bus_link_method_set_dns_over_tls(sd_bus_message *message, void *userdata, sd
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid DNSOverTLS setting: %s", dns_over_tls);
}
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.network1.set-dns-over-tls",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.network1.set-dns-over-tls",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -442,10 +456,12 @@ int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_e
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid DNSSEC setting: %s", dnssec);
}
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.network1.set-dnssec",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.network1.set-dnssec",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -496,10 +512,12 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v
return r;
}
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.network1.set-dnssec-negative-trust-anchors",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.network1.set-dnssec-negative-trust-anchors",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -525,10 +543,11 @@ int bus_link_method_revert_ntp(sd_bus_message *message, void *userdata, sd_bus_e
if (r < 0)
return r;
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.network1.revert-ntp",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.network1.revert-ntp",
/* details= */ NULL,
&l->manager->polkit_registry, error);
if (r < 0)
return r;
if (r == 0)
@ -553,10 +572,12 @@ int bus_link_method_revert_dns(sd_bus_message *message, void *userdata, sd_bus_e
if (r < 0)
return r;
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.network1.revert-dns",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.network1.revert-dns",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -580,10 +601,12 @@ int bus_link_method_force_renew(sd_bus_message *message, void *userdata, sd_bus_
"Interface %s is not managed by systemd-networkd",
l->ifname);
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.network1.forcerenew",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.network1.forcerenew",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -607,10 +630,12 @@ int bus_link_method_renew(sd_bus_message *message, void *userdata, sd_bus_error
"Interface %s is not managed by systemd-networkd",
l->ifname);
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.network1.renew",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.network1.renew",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -629,10 +654,12 @@ int bus_link_method_reconfigure(sd_bus_message *message, void *userdata, sd_bus_
assert(message);
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.network1.reconfigure",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.network1.reconfigure",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)

10
src/network/networkd-manager-bus.c
View File

@ -201,10 +201,12 @@ static int bus_method_reload(sd_bus_message *message, void *userdata, sd_bus_err
Manager *manager = userdata;
int r;
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.network1.reload",
NULL, true, UID_INVALID,
&manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.network1.reload",
/* details= */ NULL,
&manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)

10
src/portable/portabled-bus.c
View File

@ -320,11 +320,8 @@ static int method_detach_image(sd_bus_message *message, void *userdata, sd_bus_e
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.portable1.attach-images",
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)
@ -377,11 +374,8 @@ static int method_set_pool_limit(sd_bus_message *message, void *userdata, sd_bus
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.portable1.manage-images",
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)

15
src/portable/portabled-image-bus.c
View File

@ -451,11 +451,8 @@ static int bus_image_method_detach(
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.portable1.attach-images",
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)
@ -1010,11 +1007,8 @@ int bus_image_acquire(
if (mode == BUS_IMAGE_AUTHENTICATE_ALL) {
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
polkit_action,
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)
@ -1064,11 +1058,8 @@ int bus_image_acquire(
if (mode == BUS_IMAGE_AUTHENTICATE_BY_PATH) {
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
polkit_action,
NULL,
false,
UID_INVALID,
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)

10
src/resolve/resolved-bus.c
View File

@ -1988,10 +1988,12 @@ static int bus_method_register_service(sd_bus_message *message, void *userdata,
if (r < 0)
return r;
r = bus_verify_polkit_async(message, CAP_SYS_ADMIN,
"org.freedesktop.resolve1.register-service",
NULL, false, UID_INVALID,
&m->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.resolve1.register-service",
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)

12
src/resolve/resolved-dnssd-bus.c
View File

@ -20,10 +20,14 @@ int bus_dnssd_method_unregister(sd_bus_message *message, void *userdata, sd_bus_
m = s->manager;
r = bus_verify_polkit_async(message, CAP_SYS_ADMIN,
"org.freedesktop.resolve1.unregister-service",
NULL, false, s->originator,
&m->polkit_registry, error);
r = bus_verify_polkit_async_full(
message,
"org.freedesktop.resolve1.unregister-service",
/* details= */ NULL,
/* interactive= */ false,
/* good_user= */ s->originator,
&m->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)

89
src/resolve/resolved-link-bus.c
View File

@ -236,10 +236,11 @@ static int bus_link_method_set_dns_servers_internal(sd_bus_message *message, voi
if (r < 0)
return r;
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.set-dns-servers",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.resolve1.set-dns-servers",
/* details= */ NULL,
&l->manager->polkit_registry, error);
if (r < 0)
goto finalize;
if (r == 0) {
@ -368,10 +369,12 @@ int bus_link_method_set_domains(sd_bus_message *message, void *userdata, sd_bus_
if (r < 0)
return r;
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.set-domains",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.resolve1.set-domains",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -446,10 +449,12 @@ int bus_link_method_set_default_route(sd_bus_message *message, void *userdata, s
if (r < 0)
return r;
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.set-default-route",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.resolve1.set-default-route",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -493,10 +498,12 @@ int bus_link_method_set_llmnr(sd_bus_message *message, void *userdata, sd_bus_er
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid LLMNR setting: %s", llmnr);
}
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.set-llmnr",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.resolve1.set-llmnr",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -541,10 +548,12 @@ int bus_link_method_set_mdns(sd_bus_message *message, void *userdata, sd_bus_err
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid MulticastDNS setting: %s", mdns);
}
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.set-mdns",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.resolve1.set-mdns",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -589,10 +598,12 @@ int bus_link_method_set_dns_over_tls(sd_bus_message *message, void *userdata, sd
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid DNSOverTLS setting: %s", dns_over_tls);
}
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.set-dns-over-tls",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.resolve1.set-dns-over-tls",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -637,10 +648,12 @@ int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_e
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid DNSSEC setting: %s", dnssec);
}
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.set-dnssec",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.resolve1.set-dnssec",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -698,10 +711,12 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v
return -ENOMEM;
}
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.set-dnssec-negative-trust-anchors",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.resolve1.set-dnssec-negative-trust-anchors",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)
@ -734,10 +749,12 @@ int bus_link_method_revert(sd_bus_message *message, void *userdata, sd_bus_error
if (r < 0)
return r;
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.resolve1.revert",
NULL, true, UID_INVALID,
&l->manager->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.resolve1.revert",
/* details= */ NULL,
&l->manager->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)

10
src/shared/bus-polkit.c
View File

@ -102,7 +102,6 @@ static int bus_message_new_polkit_auth_call(
int bus_test_polkit(
sd_bus_message *call,
int capability,
const char *action,
const char **details,
uid_t good_user,
@ -120,7 +119,7 @@ int bus_test_polkit(
if (r != 0)
return r;
r = sd_bus_query_sender_privilege(call, capability);
r = sd_bus_query_sender_privilege(call, -1);
if (r < 0)
return r;
if (r > 0)
@ -465,12 +464,11 @@ static int async_polkit_query_check_action(
* <- async_polkit_defer(q)
*/
int bus_verify_polkit_async(
int bus_verify_polkit_async_full(
sd_bus_message *call,
int capability,
const char *action,
const char **details,
bool interactive,
bool interactive, /* Use only for legacy method calls that have a separate "allow_interactive_authentication" field */
uid_t good_user,
Hashmap **registry,
sd_bus_error *ret_error) {
@ -499,7 +497,7 @@ int bus_verify_polkit_async(
}
#endif
r = sd_bus_query_sender_privilege(call, capability);
r = sd_bus_query_sender_privilege(call, -1);
if (r < 0)
return r;
if (r > 0)

9
src/shared/bus-polkit.h
View File

@ -4,8 +4,13 @@
#include "sd-bus.h"
#include "hashmap.h"
#include "user-util.h"
int bus_test_polkit(sd_bus_message *call, int capability, const char *action, const char **details, uid_t good_user, bool *_challenge, sd_bus_error *e);
int bus_test_polkit(sd_bus_message *call, const char *action, const char **details, uid_t good_user, bool *_challenge, sd_bus_error *e);
int bus_verify_polkit_async_full(sd_bus_message *call, const char *action, const char **details, bool interactive, uid_t good_user, Hashmap **registry, sd_bus_error *error);
static inline int bus_verify_polkit_async(sd_bus_message *call, const char *action, const char **details, Hashmap **registry, sd_bus_error *ret_error) {
return bus_verify_polkit_async_full(call, action, details, false, UID_INVALID, registry, ret_error);
}
int bus_verify_polkit_async(sd_bus_message *call, int capability, const char *action, const char **details, bool interactive, uid_t good_user, Hashmap **registry, sd_bus_error *error);
Hashmap *bus_verify_polkit_async_registry_free(Hashmap *registry);

28
src/timedate/timedated.c
View File

@ -665,13 +665,12 @@ static int method_set_timezone(sd_bus_message *m, void *userdata, sd_bus_error *
if (streq_ptr(z, c->zone))
return sd_bus_reply_method_return(m, NULL);
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
m,
CAP_SYS_TIME,
"org.freedesktop.timedate1.set-timezone",
NULL,
/* details= */ NULL,
interactive,
UID_INVALID,
/* good_user= */ UID_INVALID,
&c->polkit_registry,
error);
if (r < 0)
@ -740,13 +739,12 @@ static int method_set_local_rtc(sd_bus_message *m, void *userdata, sd_bus_error
if (lrtc == c->local_rtc && !fix_system)
return sd_bus_reply_method_return(m, NULL);
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
m,
CAP_SYS_TIME,
"org.freedesktop.timedate1.set-local-rtc",
NULL,
/* details= */ NULL,
interactive,
UID_INVALID,
/* good_user= */ UID_INVALID,
&c->polkit_registry,
error);
if (r < 0)
@ -860,13 +858,12 @@ static int method_set_time(sd_bus_message *m, void *userdata, sd_bus_error *erro
} else
timespec_store(&ts, (usec_t) utc);
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
m,
CAP_SYS_TIME,
"org.freedesktop.timedate1.set-time",
NULL,
/* details= */ NULL,
interactive,
UID_INVALID,
/* good_user= */ UID_INVALID,
&c->polkit_registry,
error);
if (r < 0)
@ -924,13 +921,12 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error
if (context_ntp_service_exists(c) <= 0)
return sd_bus_error_set(error, BUS_ERROR_NO_NTP_SUPPORT, "NTP not supported");
r = bus_verify_polkit_async(
r = bus_verify_polkit_async_full(
m,
CAP_SYS_TIME,
"org.freedesktop.timedate1.set-ntp",
NULL,
/* details= */ NULL,
interactive,
UID_INVALID,
/* good_user= */ UID_INVALID,
&c->polkit_registry,
error);
if (r < 0)

10
src/timesync/timesyncd-bus.c
View File

@ -67,10 +67,12 @@ static int method_set_runtime_servers(sd_bus_message *message, void *userdata, s
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid NTP server name or address, refusing: %s", *name);
}
r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
"org.freedesktop.timesync1.set-runtime-servers",
NULL, true, UID_INVALID,
&m->polkit_registry, error);
r = bus_verify_polkit_async(
message,
"org.freedesktop.timesync1.set-runtime-servers",
/* details= */ NULL,
&m->polkit_registry,
error);
if (r < 0)
return r;
if (r == 0)