shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-09-07 09:44:44 +03:00
Code Activity

Merge pull request #31733 from poettering/polkit-more-flags

Browse Source 
add two more flags to polkit client wrapper
This commit is contained in:
Lennart Poettering
2024-03-13 12:11:27 +01:00
committed by GitHub
parent 54b0e05ed0 91180a1eec
commit b7ab1fe5ba
2 changed files with 106 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

144
src/shared/bus-polkit.c
View File

@@ -185,20 +185,21 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(AsyncPolkitQueryAction*, async_polkit_query_action_f
typedef struct AsyncPolkitQuery { typedef struct AsyncPolkitQuery {
unsigned n_ref; unsigned n_ref;
AsyncPolkitQueryAction *action; AsyncPolkitQueryAction *action; /* action currently being processed */
sd_bus *bus; sd_bus *bus;
sd_bus_message *request; /* the original bus method call that triggered the polkit auth, NULL in case of varlink */ sd_bus_message *request; /* the original bus method call that triggered the polkit auth, NULL in case of varlink */
sd_bus_slot *slot; sd_bus_slot *slot;
Varlink *link; /* the original varlink method call that triggered the polkit auth, NULL in case of bus */ Varlink *link; /* the original varlink method call that triggered the polkit auth, NULL in case of bus */
Hashmap *registry; Hashmap *registry;
sd_event_source *defer_event_source; sd_event_source *defer_event_source;
LIST_HEAD(AsyncPolkitQueryAction, authorized_actions); LIST_HEAD(AsyncPolkitQueryAction, authorized_actions); /* actions we successfully were authorized for */
AsyncPolkitQueryAction *denied_action; AsyncPolkitQueryAction *denied_action; /* if we received denial for an action, it's this one */
AsyncPolkitQueryAction *error_action; AsyncPolkitQueryAction *absent_action; /* If polkit was absent for some action, it's this one */
sd_bus_error error; AsyncPolkitQueryAction *error_action; /* if we encountered any other error, it's this one */
sd_bus_error error; /* the precise error, in case error_action is set */
} AsyncPolkitQuery; } AsyncPolkitQuery;
static AsyncPolkitQuery *async_polkit_query_free(AsyncPolkitQuery *q) { static AsyncPolkitQuery *async_polkit_query_free(AsyncPolkitQuery *q) {
@@ -226,6 +227,7 @@ static AsyncPolkitQuery *async_polkit_query_free(AsyncPolkitQuery *q) {
LIST_CLEAR(authorized, q->authorized_actions, async_polkit_query_action_free); LIST_CLEAR(authorized, q->authorized_actions, async_polkit_query_action_free);
async_polkit_query_action_free(q->denied_action); async_polkit_query_action_free(q->denied_action);
async_polkit_query_action_free(q->absent_action);
async_polkit_query_action_free(q->error_action); async_polkit_query_action_free(q->error_action);
sd_bus_error_free(&q->error); sd_bus_error_free(&q->error);
@@ -265,28 +267,34 @@ static int async_polkit_read_reply(sd_bus_message *reply, AsyncPolkitQuery *q) {
/* Processing of a PolicyKit checks is canceled on the first auth. error. */ /* Processing of a PolicyKit checks is canceled on the first auth. error. */
assert(!q->denied_action); assert(!q->denied_action);
assert(!q->absent_action);
assert(!q->error_action); assert(!q->error_action);
assert(!sd_bus_error_is_set(&q->error)); assert(!sd_bus_error_is_set(&q->error));
assert(q->action); a = ASSERT_PTR(TAKE_PTR(q->action));
a = TAKE_PTR(q->action);
if (sd_bus_message_is_method_error(reply, NULL)) { if (sd_bus_message_is_method_error(reply, NULL)) {
const sd_bus_error *e; const sd_bus_error *e;
e = sd_bus_message_get_error(reply); e = sd_bus_message_get_error(reply);
if (bus_error_is_unknown_service(e) || if (bus_error_is_unknown_service(e)) {
sd_bus_error_has_names( /* If PK is absent, then store this away, as it depends on the callers flags whether
e, * this means deny or allow */
"org.freedesktop.PolicyKit1.Error.Failed", log_debug("Polkit found to be unavailable while trying to authorize action '%s'.", a->action);
"org.freedesktop.PolicyKit1.Error.Cancelled", q->absent_action = TAKE_PTR(a);
"org.freedesktop.PolicyKit1.Error.NotAuthorized")) } else if (sd_bus_error_has_names(
/* Treat no PK available as access denied. Also treat some of the well-known PK errors as such. */ e,
"org.freedesktop.PolicyKit1.Error.Failed",
"org.freedesktop.PolicyKit1.Error.Cancelled",
"org.freedesktop.PolicyKit1.Error.NotAuthorized")) {
/* Treat some of the well-known PK errors as denial. */
log_debug("Polkit authorization for action '%s' failed with an polkit error: %s", a->action, e->name);
q->denied_action = TAKE_PTR(a); q->denied_action = TAKE_PTR(a);
else { } else {
/* Save error from polkit reply, so it can be returned when the same authorization /* Save error from polkit reply, so it can be returned when the same authorization
* is attempted for second time */ * is attempted for second time */
log_debug("Polkit authorization for action '%s' failed with an unexpected error: %s", a->action, e->name);
q->error_action = TAKE_PTR(a); q->error_action = TAKE_PTR(a);
r = sd_bus_error_copy(&q->error, e); r = sd_bus_error_copy(&q->error, e);
if (r == -ENOMEM) if (r == -ENOMEM)
@@ -302,13 +310,17 @@ static int async_polkit_read_reply(sd_bus_message *reply, AsyncPolkitQuery *q) {
if (r < 0) if (r < 0)
return r; return r;
if (authorized) if (authorized) {
log_debug("Polkit authorization for action '%s' succeeded.", a->action);
LIST_PREPEND(authorized, q->authorized_actions, TAKE_PTR(a)); LIST_PREPEND(authorized, q->authorized_actions, TAKE_PTR(a));
else if (challenge) { } else if (challenge) {
log_debug("Polkit authorization for action requires '%s' interactive authentication, which we didn't allow.", a->action);
q->error_action = TAKE_PTR(a); q->error_action = TAKE_PTR(a);
sd_bus_error_set_const(&q->error, SD_BUS_ERROR_INTERACTIVE_AUTHORIZATION_REQUIRED, "Interactive authentication required."); sd_bus_error_set_const(&q->error, SD_BUS_ERROR_INTERACTIVE_AUTHORIZATION_REQUIRED, "Interactive authentication required.");
} else } else {
log_debug("Polkit authorization for action '%s' denied.", a->action);
q->denied_action = TAKE_PTR(a); q->denied_action = TAKE_PTR(a);
}
return 0; return 0;
} }
@@ -388,28 +400,45 @@ static int async_polkit_callback(sd_bus_message *reply, void *userdata, sd_bus_e
return r; return r;
} }
static int async_polkit_query_check_action( static bool async_polkit_query_have_action(
AsyncPolkitQuery *q, AsyncPolkitQuery *q,
const char *action, const char *action,
const char **details, const char **details) {
sd_bus_error *ret_error) {
assert(q); assert(q);
assert(action); assert(action);
LIST_FOREACH(authorized, a, q->authorized_actions) LIST_FOREACH(authorized, a, q->authorized_actions)
if (streq(a->action, action) && strv_equal(a->details, (char**) details)) if (streq(a->action, action) && strv_equal(a->details, (char**) details))
return 1; /* Allow! */ return true;
return false;
}
static int async_polkit_query_check_action(
AsyncPolkitQuery *q,
const char *action,
const char **details,
PolkitFlags flags,
sd_bus_error *ret_error) {
assert(q);
assert(action);
if (async_polkit_query_have_action(q, action, details))
return 1; /* Allow! */
if (q->error_action && streq(q->error_action->action, action)) if (q->error_action && streq(q->error_action->action, action))
return sd_bus_error_copy(ret_error, &q->error); return sd_bus_error_copy(ret_error, &q->error);
if (q->denied_action && streq(q->denied_action->action, action)) if (q->denied_action && streq(q->denied_action->action, action))
return -EACCES; return -EACCES; /* Deny! */
return 0; if (q->absent_action)
return FLAGS_SET(flags, POLKIT_DEFAULT_ALLOW) ? 1 /* Allow! */ : -EACCES /* Deny! */;
return 0; /* no reply yet */
} }
#endif #endif
/* bus_verify_polkit_async() handles verification of D-Bus calls with polkit. Because the polkit API /* bus_verify_polkit_async() handles verification of D-Bus calls with polkit. Because the polkit API
@@ -509,6 +538,8 @@ int bus_verify_polkit_async_full(
assert(registry); assert(registry);
assert(ret_error); assert(ret_error);
log_debug("Trying to acquire polkit authentication for '%s'.", action);
r = bus_message_check_good_user(call, good_user); r = bus_message_check_good_user(call, good_user);
if (r != 0) if (r != 0)
return r; return r;
@@ -520,17 +551,22 @@ int bus_verify_polkit_async_full(
/* This is a repeated invocation of this function, hence let's check if we've already got /* This is a repeated invocation of this function, hence let's check if we've already got
* a response from polkit for this action */ * a response from polkit for this action */
if (q) { if (q) {
r = async_polkit_query_check_action(q, action, details, ret_error); r = async_polkit_query_check_action(q, action, details, flags, ret_error);
if (r != 0) if (r != 0) {
log_debug("Found matching previous polkit authentication for '%s'.", action);
return r; return r;
}
} }
#endif #endif
r = sd_bus_query_sender_privilege(call, -1); if (!FLAGS_SET(flags, POLKIT_ALWAYS_QUERY)) {
if (r < 0) /* Don't query PK if client is privileged */
return r; r = sd_bus_query_sender_privilege(call, /* capability= */ -1);
if (r > 0) if (r < 0)
return 1; return r;
if (r > 0)
return 1;
}
#if ENABLE_POLKIT #if ENABLE_POLKIT
bool interactive = FLAGS_SET(flags, POLKIT_ALLOW_INTERACTIVE); bool interactive = FLAGS_SET(flags, POLKIT_ALLOW_INTERACTIVE);
@@ -585,9 +621,9 @@ int bus_verify_polkit_async_full(
TAKE_PTR(q); TAKE_PTR(q);
return 0; return 0;
#else
return FLAGS_SET(flags, POLKIT_DEFAULT_ALLOW) ? 1 : -EACCES;
#endif #endif
return -EACCES;
} }
static int varlink_check_good_user(Varlink *link, uid_t good_user) { static int varlink_check_good_user(Varlink *link, uid_t good_user) {
@@ -722,6 +758,8 @@ int varlink_verify_polkit_async_full(
assert(link); assert(link);
assert(registry); assert(registry);
log_debug("Trying to acquire polkit authentication for '%s'.", action);
/* This is the same as bus_verify_polkit_async_full(), but authenticates the peer of a varlink /* This is the same as bus_verify_polkit_async_full(), but authenticates the peer of a varlink
* connection rather than the sender of a bus message. */ * connection rather than the sender of a bus message. */
@@ -729,9 +767,11 @@ int varlink_verify_polkit_async_full(
if (r != 0) if (r != 0)
return r; return r;
r = varlink_check_peer_privilege(link); if (!FLAGS_SET(flags, POLKIT_ALWAYS_QUERY)) {
if (r != 0) r = varlink_check_peer_privilege(link);
return r; if (r != 0)
return r;
}
#if ENABLE_POLKIT #if ENABLE_POLKIT
_cleanup_(async_polkit_query_unrefp) AsyncPolkitQuery *q = NULL; _cleanup_(async_polkit_query_unrefp) AsyncPolkitQuery *q = NULL;
@@ -741,7 +781,9 @@ int varlink_verify_polkit_async_full(
* a response from polkit for this action */ * a response from polkit for this action */
if (q) { if (q) {
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
r = async_polkit_query_check_action(q, action, details, &error); r = async_polkit_query_check_action(q, action, details, flags, &error);
if (r != 0)
log_debug("Found matching previous polkit authentication for '%s'.", action);
if (r < 0) { if (r < 0) {
/* Reply with a nice error */ /* Reply with a nice error */
if (sd_bus_error_has_name(&error, SD_BUS_ERROR_INTERACTIVE_AUTHORIZATION_REQUIRED)) if (sd_bus_error_has_name(&error, SD_BUS_ERROR_INTERACTIVE_AUTHORIZATION_REQUIRED))
@@ -816,7 +858,25 @@ int varlink_verify_polkit_async_full(
TAKE_PTR(q); TAKE_PTR(q);
return 0; return 0;
#else
return FLAGS_SET(flags, POLKIT_DEFAULT_ALLOW) ? 1 : -EACCES;
#endif
}
bool varlink_has_polkit_action(Varlink *link, const char *action, const char **details, Hashmap **registry) {
assert(link);
assert(action);
assert(registry);
/* Checks if we already have acquired some action previously */
#if ENABLE_POLKIT
AsyncPolkitQuery *q = hashmap_get(*registry, link);
if (!q)
return false;
return async_polkit_query_have_action(q, action, details);
#else
return false;
#endif #endif
return -EACCES;
} }

4
src/shared/bus-polkit.h
View File

@@ -9,6 +9,8 @@
typedef enum PolkitFLags { typedef enum PolkitFLags {
POLKIT_ALLOW_INTERACTIVE = 1 << 0, /* Allow interactive auth (typically not required, because can be derived from bus message/link automatically) */ POLKIT_ALLOW_INTERACTIVE = 1 << 0, /* Allow interactive auth (typically not required, because can be derived from bus message/link automatically) */
POLKIT_ALWAYS_QUERY = 1 << 1, /* Query polkit even if client is privileged */
POLKIT_DEFAULT_ALLOW = 1 << 2, /* If polkit is not around, assume "allow" rather than the usual "deny" */
} PolkitFlags; } PolkitFlags;
int bus_test_polkit(sd_bus_message *call, const char *action, const char **details, uid_t good_user, bool *_challenge, sd_bus_error *e); int bus_test_polkit(sd_bus_message *call, const char *action, const char **details, uid_t good_user, bool *_challenge, sd_bus_error *e);
@@ -30,3 +32,5 @@ static inline int varlink_verify_polkit_async(Varlink *link, sd_bus *bus, const
.name = "allowInteractiveAuthentication", \ .name = "allowInteractiveAuthentication", \
.type = JSON_VARIANT_BOOLEAN, \ .type = JSON_VARIANT_BOOLEAN, \
} }
bool varlink_has_polkit_action(Varlink *link, const char *action, const char **details, Hashmap **registry);