shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-05 13:18:06 +03:00
Code

resolve: support polkit authentication for io.systemd.Resolve.Monitor

Browse Source 
Then, non-privilege user can call e.g. 'resolvectl monitor' with
authentication.
This commit is contained in:
Yu Watanabe 2024-08-16 09:27:46 +09:00
parent 302cc03cc8
commit cf01bbb7a4
4 changed files with 138 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
src/resolve/org.freedesktop.resolve1.policy
View File

@ -139,4 +139,59 @@
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
</action>
<action id="org.freedesktop.resolve1.subscribe-query-results">
<description gettext-domain="systemd">Subscribe query results</description>
<message gettext-domain="systemd">Authentication is required to subscribe query results.</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
</action>
<action id="org.freedesktop.resolve1.dump-cache">
<description gettext-domain="systemd">Dump cache</description>
<message gettext-domain="systemd">Authentication is required to dump cache.</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
</action>
<action id="org.freedesktop.resolve1.dump-server-state">
<description gettext-domain="systemd">Dump server state</description>
<message gettext-domain="systemd">Authentication is required to dump server state.</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
</action>
<action id="org.freedesktop.resolve1.dump-statistics">
<description gettext-domain="systemd">Dump statistics</description>
<message gettext-domain="systemd">Authentication is required to dump statistics.</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
</action>
<action id="org.freedesktop.resolve1.reset-statistics">
<description gettext-domain="systemd">Reset statistics</description>
<message gettext-domain="systemd">Authentication is required to reset statistics.</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
</action>
</policyconfig>

39
src/resolve/resolvectl.c
View File

@ -1137,11 +1137,17 @@ static int show_statistics(int argc, char **argv, void *userdata) {
_cleanup_(sd_varlink_unrefp) sd_varlink *vl = NULL;
int r;
(void) polkit_agent_open_if_enabled(BUS_TRANSPORT_LOCAL, arg_ask_password);
r = sd_varlink_connect_address(&vl, "/run/systemd/resolve/io.systemd.Resolve.Monitor");
if (r < 0)
return log_error_errno(r, "Failed to connect to query monitoring service /run/systemd/resolve/io.systemd.Resolve.Monitor: %m");
r = varlink_call_and_log(vl, "io.systemd.Resolve.Monitor.DumpStatistics", /* parameters= */ NULL, &reply);
r = varlink_callbo_and_log(
vl,
"io.systemd.Resolve.Monitor.DumpStatistics",
&reply,
SD_JSON_BUILD_PAIR_BOOLEAN("allowInteractiveAuthentication", arg_ask_password));
if (r < 0)
return r;
@ -1295,11 +1301,17 @@ static int reset_statistics(int argc, char **argv, void *userdata) {
_cleanup_(sd_varlink_unrefp) sd_varlink *vl = NULL;
int r;
(void) polkit_agent_open_if_enabled(BUS_TRANSPORT_LOCAL, arg_ask_password);
r = sd_varlink_connect_address(&vl, "/run/systemd/resolve/io.systemd.Resolve.Monitor");
if (r < 0)
return log_error_errno(r, "Failed to connect to query monitoring service /run/systemd/resolve/io.systemd.Resolve.Monitor: %m");
r = varlink_call_and_log(vl, "io.systemd.Resolve.Monitor.ResetStatistics", /* parameters= */ NULL, &reply);
r = varlink_callbo_and_log(
vl,
"io.systemd.Resolve.Monitor.ResetStatistics",
&reply,
SD_JSON_BUILD_PAIR_BOOLEAN("allowInteractiveAuthentication", arg_ask_password));
if (r < 0)
return r;
@ -2941,6 +2953,8 @@ static int verb_monitor(int argc, char *argv[], void *userdata) {
_cleanup_(sd_varlink_unrefp) sd_varlink *vl = NULL;
int r, c;
(void) polkit_agent_open_if_enabled(BUS_TRANSPORT_LOCAL, arg_ask_password);
r = sd_event_default(&event);
if (r < 0)
return log_error_errno(r, "Failed to get event loop: %m");
@ -2965,7 +2979,10 @@ static int verb_monitor(int argc, char *argv[], void *userdata) {
if (r < 0)
return log_error_errno(r, "Failed to bind reply callback to varlink connection: %m");
r = sd_varlink_observe(vl, "io.systemd.Resolve.Monitor.SubscribeQueryResults", NULL);
r = sd_varlink_observebo(
vl,
"io.systemd.Resolve.Monitor.SubscribeQueryResults",
SD_JSON_BUILD_PAIR_BOOLEAN("allowInteractiveAuthentication", arg_ask_password));
if (r < 0)
return log_error_errno(r, "Failed to issue SubscribeQueryResults() varlink call: %m");
@ -3099,11 +3116,17 @@ static int verb_show_cache(int argc, char *argv[], void *userdata) {
_cleanup_(sd_varlink_unrefp) sd_varlink *vl = NULL;
int r;
(void) polkit_agent_open_if_enabled(BUS_TRANSPORT_LOCAL, arg_ask_password);
r = sd_varlink_connect_address(&vl, "/run/systemd/resolve/io.systemd.Resolve.Monitor");
if (r < 0)
return log_error_errno(r, "Failed to connect to query monitoring service /run/systemd/resolve/io.systemd.Resolve.Monitor: %m");
r = varlink_call_and_log(vl, "io.systemd.Resolve.Monitor.DumpCache", /* parameters= */ NULL, &reply);
r = varlink_callbo_and_log(
vl,
"io.systemd.Resolve.Monitor.DumpCache",
&reply,
SD_JSON_BUILD_PAIR_BOOLEAN("allowInteractiveAuthentication", arg_ask_password));
if (r < 0)
return r;
@ -3273,11 +3296,17 @@ static int verb_show_server_state(int argc, char *argv[], void *userdata) {
_cleanup_(sd_varlink_unrefp) sd_varlink *vl = NULL;
int r;
(void) polkit_agent_open_if_enabled(BUS_TRANSPORT_LOCAL, arg_ask_password);
r = sd_varlink_connect_address(&vl, "/run/systemd/resolve/io.systemd.Resolve.Monitor");
if (r < 0)
return log_error_errno(r, "Failed to connect to query monitoring service /run/systemd/resolve/io.systemd.Resolve.Monitor: %m");
r = varlink_call_and_log(vl, "io.systemd.Resolve.Monitor.DumpServerState", /* parameters= */ NULL, &reply);
r = varlink_callbo_and_log(
vl,
"io.systemd.Resolve.Monitor.DumpServerState",
&reply,
SD_JSON_BUILD_PAIR_BOOLEAN("allowInteractiveAuthentication", arg_ask_password));
if (r < 0)
return r;

54
src/resolve/resolved-varlink.c
View File

@ -1,5 +1,6 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include "bus-polkit.h"
#include "glyph-util.h"
#include "in-addr-util.h"
#include "json-util.h"
@ -1233,6 +1234,29 @@ static int vl_method_resolve_record(sd_varlink *link, sd_json_variant *parameter
return 1;
}
static int verify_polkit(sd_varlink *link, sd_json_variant *parameters, const char *action) {
static const sd_json_dispatch_field dispatch_table[] = {
VARLINK_DISPATCH_POLKIT_FIELD,
{}
};
int r;
Manager *m = ASSERT_PTR(sd_varlink_server_get_userdata(sd_varlink_get_server(ASSERT_PTR(link))));
assert(action);
r = sd_varlink_dispatch(link, parameters, dispatch_table, /* userdata = */ NULL);
if (r != 0)
return r;
return varlink_verify_polkit_async(
link,
m->bus,
action,
/* details= */ NULL,
&m->polkit_registry);
}
static int vl_method_subscribe_query_results(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
Manager *m;
int r;
@ -1245,8 +1269,9 @@ static int vl_method_subscribe_query_results(sd_varlink *link, sd_json_variant *
if (!FLAGS_SET(flags, SD_VARLINK_METHOD_MORE))
return sd_varlink_error(link, SD_VARLINK_ERROR_EXPECTED_MORE, NULL);
if (sd_json_variant_elements(parameters) > 0)
return sd_varlink_error_invalid_parameter(link, parameters);
r = verify_polkit(link, parameters, "org.freedesktop.resolve1.subscribe-query-results");
if (r <= 0)
return r;
/* Send a ready message to the connecting client, to indicate that we are now listinening, and all
* queries issued after the point the client sees this will also be reported to the client. */
@ -1271,8 +1296,9 @@ static int vl_method_dump_cache(sd_varlink *link, sd_json_variant *parameters, s
assert(link);
if (sd_json_variant_elements(parameters) > 0)
return sd_varlink_error_invalid_parameter(link, parameters);
r = verify_polkit(link, parameters, "org.freedesktop.resolve1.dump-cache");
if (r <= 0)
return r;
m = ASSERT_PTR(sd_varlink_server_get_userdata(sd_varlink_get_server(link)));
@ -1319,8 +1345,9 @@ static int vl_method_dump_server_state(sd_varlink *link, sd_json_variant *parame
assert(link);
if (sd_json_variant_elements(parameters) > 0)
return sd_varlink_error_invalid_parameter(link, parameters);
r = verify_polkit(link, parameters, "org.freedesktop.resolve1.dump-server-state");
if (r <= 0)
return r;
m = ASSERT_PTR(sd_varlink_server_get_userdata(sd_varlink_get_server(link)));
@ -1359,8 +1386,9 @@ static int vl_method_dump_statistics(sd_varlink *link, sd_json_variant *paramete
assert(link);
if (sd_json_variant_elements(parameters) > 0)
return sd_varlink_error_invalid_parameter(link, parameters);
r = verify_polkit(link, parameters, "org.freedesktop.resolve1.dump-statistics");
if (r <= 0)
return r;
m = ASSERT_PTR(sd_varlink_server_get_userdata(sd_varlink_get_server(link)));
@ -1373,11 +1401,13 @@ static int vl_method_dump_statistics(sd_varlink *link, sd_json_variant *paramete
static int vl_method_reset_statistics(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
Manager *m;
int r;
assert(link);
if (sd_json_variant_elements(parameters) > 0)
return sd_varlink_error_invalid_parameter(link, parameters);
r = verify_polkit(link, parameters, "org.freedesktop.resolve1.reset-statistics");
if (r <= 0)
return r;
m = ASSERT_PTR(sd_varlink_server_get_userdata(sd_varlink_get_server(link)));
@ -1395,7 +1425,7 @@ static int varlink_monitor_server_init(Manager *m) {
if (m->varlink_monitor_server)
return 0;
r = sd_varlink_server_new(&server, SD_VARLINK_SERVER_ROOT_ONLY);
r = sd_varlink_server_new(&server, SD_VARLINK_SERVER_ACCOUNT_UID);
if (r < 0)
return log_error_errno(r, "Failed to allocate varlink server object: %m");
@ -1419,7 +1449,7 @@ static int varlink_monitor_server_init(Manager *m) {
if (r < 0)
return log_error_errno(r, "Failed to register varlink disconnect handler: %m");
r = sd_varlink_server_listen_address(server, "/run/systemd/resolve/io.systemd.Resolve.Monitor", 0600);
r = sd_varlink_server_listen_address(server, "/run/systemd/resolve/io.systemd.Resolve.Monitor", 0666);
if (r < 0)
return log_error_errno(r, "Failed to bind to varlink socket: %m");

8
src/shared/varlink-io.systemd.Resolve.Monitor.c
View File

@ -19,6 +19,7 @@ static SD_VARLINK_DEFINE_STRUCT_TYPE(
static SD_VARLINK_DEFINE_METHOD(
SubscribeQueryResults,
SD_VARLINK_DEFINE_INPUT(allowInteractiveAuthentication, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
/* First reply */
SD_VARLINK_DEFINE_OUTPUT(ready, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
/* Subsequent replies */
@ -49,6 +50,7 @@ static SD_VARLINK_DEFINE_STRUCT_TYPE(
static SD_VARLINK_DEFINE_METHOD(
DumpCache,
SD_VARLINK_DEFINE_INPUT(allowInteractiveAuthentication, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
SD_VARLINK_DEFINE_OUTPUT_BY_TYPE(dump, ScopeCache, SD_VARLINK_ARRAY));
static SD_VARLINK_DEFINE_STRUCT_TYPE(
@ -72,6 +74,7 @@ static SD_VARLINK_DEFINE_STRUCT_TYPE(
static SD_VARLINK_DEFINE_METHOD(
DumpServerState,
SD_VARLINK_DEFINE_INPUT(allowInteractiveAuthentication, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
SD_VARLINK_DEFINE_OUTPUT_BY_TYPE(dump, ServerState, SD_VARLINK_ARRAY));
static SD_VARLINK_DEFINE_STRUCT_TYPE(
@ -98,11 +101,14 @@ static SD_VARLINK_DEFINE_STRUCT_TYPE(
static SD_VARLINK_DEFINE_METHOD(
DumpStatistics,
SD_VARLINK_DEFINE_INPUT(allowInteractiveAuthentication, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
SD_VARLINK_DEFINE_OUTPUT_BY_TYPE(transactions, TransactionStatistics, 0),
SD_VARLINK_DEFINE_OUTPUT_BY_TYPE(cache, CacheStatistics, 0),
SD_VARLINK_DEFINE_OUTPUT_BY_TYPE(dnssec, DnssecStatistics, 0));
static SD_VARLINK_DEFINE_METHOD(ResetStatistics);
static SD_VARLINK_DEFINE_METHOD(
ResetStatistics,
SD_VARLINK_DEFINE_INPUT(allowInteractiveAuthentication, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE));
SD_VARLINK_DEFINE_INTERFACE(
io_systemd_Resolve_Monitor,