shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-10 05:18:17 +03:00
Code

Merge pull request #31733 from poettering/polkit-more-flags

Browse Source 
add two more flags to polkit client wrapper
This commit is contained in:
Lennart Poettering 2024-03-13 12:11:27 +01:00 committed by GitHub
commit b7ab1fe5ba
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 106 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

144
src/shared/bus-polkit.c
View File

@ -185,20 +185,21 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(AsyncPolkitQueryAction*, async_polkit_query_action_f
typedef struct AsyncPolkitQuery {
unsigned n_ref;
AsyncPolkitQueryAction *action;
AsyncPolkitQueryAction *action; /* action currently being processed */
sd_bus *bus;
sd_bus_message *request; /* the original bus method call that triggered the polkit auth, NULL in case of varlink */
sd_bus_message *request; /* the original bus method call that triggered the polkit auth, NULL in case of varlink */
sd_bus_slot *slot;
Varlink *link; /* the original varlink method call that triggered the polkit auth, NULL in case of bus */
Varlink *link; /* the original varlink method call that triggered the polkit auth, NULL in case of bus */
Hashmap *registry;
sd_event_source *defer_event_source;
LIST_HEAD(AsyncPolkitQueryAction, authorized_actions);
AsyncPolkitQueryAction *denied_action;
AsyncPolkitQueryAction *error_action;
sd_bus_error error;
LIST_HEAD(AsyncPolkitQueryAction, authorized_actions); /* actions we successfully were authorized for */
AsyncPolkitQueryAction *denied_action; /* if we received denial for an action, it's this one */
AsyncPolkitQueryAction *absent_action; /* If polkit was absent for some action, it's this one */
AsyncPolkitQueryAction *error_action; /* if we encountered any other error, it's this one */
sd_bus_error error; /* the precise error, in case error_action is set */
} AsyncPolkitQuery;
static AsyncPolkitQuery *async_polkit_query_free(AsyncPolkitQuery *q) {
@ -226,6 +227,7 @@ static AsyncPolkitQuery *async_polkit_query_free(AsyncPolkitQuery *q) {
LIST_CLEAR(authorized, q->authorized_actions, async_polkit_query_action_free);
async_polkit_query_action_free(q->denied_action);
async_polkit_query_action_free(q->absent_action);
async_polkit_query_action_free(q->error_action);
sd_bus_error_free(&q->error);
@ -265,28 +267,34 @@ static int async_polkit_read_reply(sd_bus_message *reply, AsyncPolkitQuery *q) {
/* Processing of a PolicyKit checks is canceled on the first auth. error. */
assert(!q->denied_action);
assert(!q->absent_action);
assert(!q->error_action);
assert(!sd_bus_error_is_set(&q->error));
assert(q->action);
a = TAKE_PTR(q->action);
a = ASSERT_PTR(TAKE_PTR(q->action));
if (sd_bus_message_is_method_error(reply, NULL)) {
const sd_bus_error *e;
e = sd_bus_message_get_error(reply);
if (bus_error_is_unknown_service(e) ||
sd_bus_error_has_names(
e,
"org.freedesktop.PolicyKit1.Error.Failed",
"org.freedesktop.PolicyKit1.Error.Cancelled",
"org.freedesktop.PolicyKit1.Error.NotAuthorized"))
/* Treat no PK available as access denied. Also treat some of the well-known PK errors as such. */
if (bus_error_is_unknown_service(e)) {
/* If PK is absent, then store this away, as it depends on the callers flags whether
* this means deny or allow */
log_debug("Polkit found to be unavailable while trying to authorize action '%s'.", a->action);
q->absent_action = TAKE_PTR(a);
} else if (sd_bus_error_has_names(
e,
"org.freedesktop.PolicyKit1.Error.Failed",
"org.freedesktop.PolicyKit1.Error.Cancelled",
"org.freedesktop.PolicyKit1.Error.NotAuthorized")) {
/* Treat some of the well-known PK errors as denial. */
log_debug("Polkit authorization for action '%s' failed with an polkit error: %s", a->action, e->name);
q->denied_action = TAKE_PTR(a);
else {
} else {
/* Save error from polkit reply, so it can be returned when the same authorization
* is attempted for second time */
log_debug("Polkit authorization for action '%s' failed with an unexpected error: %s", a->action, e->name);
q->error_action = TAKE_PTR(a);
r = sd_bus_error_copy(&q->error, e);
if (r == -ENOMEM)
@ -302,13 +310,17 @@ static int async_polkit_read_reply(sd_bus_message *reply, AsyncPolkitQuery *q) {
if (r < 0)
return r;
if (authorized)
if (authorized) {
log_debug("Polkit authorization for action '%s' succeeded.", a->action);
LIST_PREPEND(authorized, q->authorized_actions, TAKE_PTR(a));
else if (challenge) {
} else if (challenge) {
log_debug("Polkit authorization for action requires '%s' interactive authentication, which we didn't allow.", a->action);
q->error_action = TAKE_PTR(a);
sd_bus_error_set_const(&q->error, SD_BUS_ERROR_INTERACTIVE_AUTHORIZATION_REQUIRED, "Interactive authentication required.");
} else
} else {
log_debug("Polkit authorization for action '%s' denied.", a->action);
q->denied_action = TAKE_PTR(a);
}
return 0;
}
@ -388,28 +400,45 @@ static int async_polkit_callback(sd_bus_message *reply, void *userdata, sd_bus_e
return r;
}
static int async_polkit_query_check_action(
static bool async_polkit_query_have_action(
AsyncPolkitQuery *q,
const char *action,
const char **details,
sd_bus_error *ret_error) {
const char **details) {
assert(q);
assert(action);
LIST_FOREACH(authorized, a, q->authorized_actions)
if (streq(a->action, action) && strv_equal(a->details, (char**) details))
return 1; /* Allow! */
return true;
return false;
}
static int async_polkit_query_check_action(
AsyncPolkitQuery *q,
const char *action,
const char **details,
PolkitFlags flags,
sd_bus_error *ret_error) {
assert(q);
assert(action);
if (async_polkit_query_have_action(q, action, details))
return 1; /* Allow! */
if (q->error_action && streq(q->error_action->action, action))
return sd_bus_error_copy(ret_error, &q->error);
if (q->denied_action && streq(q->denied_action->action, action))
return -EACCES;
return -EACCES; /* Deny! */
return 0;
if (q->absent_action)
return FLAGS_SET(flags, POLKIT_DEFAULT_ALLOW) ? 1 /* Allow! */ : -EACCES /* Deny! */;
return 0; /* no reply yet */
}
#endif
/* bus_verify_polkit_async() handles verification of D-Bus calls with polkit. Because the polkit API
@ -509,6 +538,8 @@ int bus_verify_polkit_async_full(
assert(registry);
assert(ret_error);
log_debug("Trying to acquire polkit authentication for '%s'.", action);
r = bus_message_check_good_user(call, good_user);
if (r != 0)
return r;
@ -520,17 +551,22 @@ int bus_verify_polkit_async_full(
/* This is a repeated invocation of this function, hence let's check if we've already got
* a response from polkit for this action */
if (q) {
r = async_polkit_query_check_action(q, action, details, ret_error);
if (r != 0)
r = async_polkit_query_check_action(q, action, details, flags, ret_error);
if (r != 0) {
log_debug("Found matching previous polkit authentication for '%s'.", action);
return r;
}
}
#endif
r = sd_bus_query_sender_privilege(call, -1);
if (r < 0)
return r;
if (r > 0)
return 1;
if (!FLAGS_SET(flags, POLKIT_ALWAYS_QUERY)) {
/* Don't query PK if client is privileged */
r = sd_bus_query_sender_privilege(call, /* capability= */ -1);
if (r < 0)
return r;
if (r > 0)
return 1;
}
#if ENABLE_POLKIT
bool interactive = FLAGS_SET(flags, POLKIT_ALLOW_INTERACTIVE);
@ -585,9 +621,9 @@ int bus_verify_polkit_async_full(
TAKE_PTR(q);
return 0;
#else
return FLAGS_SET(flags, POLKIT_DEFAULT_ALLOW) ? 1 : -EACCES;
#endif
return -EACCES;
}
static int varlink_check_good_user(Varlink *link, uid_t good_user) {
@ -722,6 +758,8 @@ int varlink_verify_polkit_async_full(
assert(link);
assert(registry);
log_debug("Trying to acquire polkit authentication for '%s'.", action);
/* This is the same as bus_verify_polkit_async_full(), but authenticates the peer of a varlink
* connection rather than the sender of a bus message. */
@ -729,9 +767,11 @@ int varlink_verify_polkit_async_full(
if (r != 0)
return r;
r = varlink_check_peer_privilege(link);
if (r != 0)
return r;
if (!FLAGS_SET(flags, POLKIT_ALWAYS_QUERY)) {
r = varlink_check_peer_privilege(link);
if (r != 0)
return r;
}
#if ENABLE_POLKIT
_cleanup_(async_polkit_query_unrefp) AsyncPolkitQuery *q = NULL;
@ -741,7 +781,9 @@ int varlink_verify_polkit_async_full(
* a response from polkit for this action */
if (q) {
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
r = async_polkit_query_check_action(q, action, details, &error);
r = async_polkit_query_check_action(q, action, details, flags, &error);
if (r != 0)
log_debug("Found matching previous polkit authentication for '%s'.", action);
if (r < 0) {
/* Reply with a nice error */
if (sd_bus_error_has_name(&error, SD_BUS_ERROR_INTERACTIVE_AUTHORIZATION_REQUIRED))
@ -816,7 +858,25 @@ int varlink_verify_polkit_async_full(
TAKE_PTR(q);
return 0;
#else
return FLAGS_SET(flags, POLKIT_DEFAULT_ALLOW) ? 1 : -EACCES;
#endif
}
bool varlink_has_polkit_action(Varlink *link, const char *action, const char **details, Hashmap **registry) {
assert(link);
assert(action);
assert(registry);
/* Checks if we already have acquired some action previously */
#if ENABLE_POLKIT
AsyncPolkitQuery *q = hashmap_get(*registry, link);
if (!q)
return false;
return async_polkit_query_have_action(q, action, details);
#else
return false;
#endif
return -EACCES;
}

4
src/shared/bus-polkit.h
View File

@ -9,6 +9,8 @@
typedef enum PolkitFLags {
POLKIT_ALLOW_INTERACTIVE = 1 << 0, /* Allow interactive auth (typically not required, because can be derived from bus message/link automatically) */
POLKIT_ALWAYS_QUERY = 1 << 1, /* Query polkit even if client is privileged */
POLKIT_DEFAULT_ALLOW = 1 << 2, /* If polkit is not around, assume "allow" rather than the usual "deny" */
} PolkitFlags;
int bus_test_polkit(sd_bus_message *call, const char *action, const char **details, uid_t good_user, bool *_challenge, sd_bus_error *e);
@ -30,3 +32,5 @@ static inline int varlink_verify_polkit_async(Varlink *link, sd_bus *bus, const
.name = "allowInteractiveAuthentication", \
.type = JSON_VARIANT_BOOLEAN, \
}
bool varlink_has_polkit_action(Varlink *link, const char *action, const char **details, Hashmap **registry);