author | Lennart Poettering <lennart@poettering.net> | 2023-11-22 18:56:19 +0100 |
---|---|---|
committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2023-12-21 21:27:36 +0100 |
commit | 7b36fb9f96fd5c1f63b9f0f9e75194e3e4dd6a8d (patch) | |
tree | 44961376a5e0a1da8e3614bfb7531acbc6dd0912 | |
parent | Merge pull request #30567 from yuwata/hashmap_isempty (diff) | |
polkit: simplify bus_verify_polkit_async() + drop auth-by-cap dbus feature
This simplifies bus_verify_polkit_async() and related calls quite a bit:
1. This removes any support for authentication-by-Linux-capability. This
is ultimately a kdbus leftover: with classic AF_UNIX transports we
cannot authenticate by capabilities securely (because we cannot
acquire it from the peer without races), hence we never actually did.
Since the necessary kernel work didn't materialize in the last 10y,
and is unlikely to be added, let's just kill this context. We cannot
quite remove the caps stuff from sd-bus for API compat, but for our
polkit logic let's kill it.
2. The "good_uid" and "interactive" params are only necessary in very
few cases, hence let's move them to a new call
bus_verify_polkit_async_full() and make bus_verify_polkit_async() a
wrapper around it without those two parameters.
This also fixes a bunch of wrong uses of the "interactive" bool. The
bool makes no sense today as the ALLOW_INTERACTIVE_AUTHORIZATION field
in the D-Bus message header replaces it fully. We only need it to
implement method calls we introduced prior to that header field becoming
available in D-Bus. And it should only be used on such old method calls,
and otherwise always be set to false.
This does not change behaviour in any way. Just simplifies stuff.
Fixes: #21586
29 files changed, 365 insertions, 450 deletions
diff --git a/src/core/dbus-service.c b/src/core/dbus-service.c index 41f4ee399e..77cf6f003d 100644 --- a/src/core/dbus-service.c +++ b/src/core/dbus-service.c @@ -166,9 +166,7 @@ static int bus_service_method_mount(sd_bus_message *message, void *userdata, sd_ r = bus_verify_manage_units_async_full( u, is_image ? "mount-image" : "bind-mount", - CAP_SYS_ADMIN, N_("Authentication is required to mount on '$(unit)'."), - true, message, error); if (r < 0) diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c index 48b7e10ea5..8b4983dcb5 100644 --- a/src/core/dbus-unit.c +++ b/src/core/dbus-unit.c @@ -408,9 +408,7 @@ int bus_unit_method_start_generic( r = bus_verify_manage_units_async_full( u, verb, - CAP_SYS_ADMIN, polkit_message_for_job[job_type], - true, message, error); if (r < 0) @@ -491,9 +489,7 @@ int bus_unit_method_enqueue_job(sd_bus_message *message, void *userdata, sd_bus_ r = bus_verify_manage_units_async_full( u, jtype, - CAP_SYS_ADMIN, polkit_message_for_job[type], - true, message, error); if (r < 0) @@ -549,9 +545,7 @@ int bus_unit_method_kill(sd_bus_message *message, void *userdata, sd_bus_error * r = bus_verify_manage_units_async_full( u, "kill", - CAP_KILL, N_("Authentication is required to send a UNIX signal to the processes of '$(unit)'."), - true, message, error); if (r < 0) @@ -579,9 +573,7 @@ int bus_unit_method_reset_failed(sd_bus_message *message, void *userdata, sd_bus r = bus_verify_manage_units_async_full( u, "reset-failed", - CAP_SYS_ADMIN, N_("Authentication is required to reset the \"failed\" state of '$(unit)'."), - true, message, error); if (r < 0) @@ -611,9 +603,7 @@ int bus_unit_method_set_properties(sd_bus_message *message, void *userdata, sd_b r = bus_verify_manage_units_async_full( u, "set-property", - CAP_SYS_ADMIN, N_("Authentication is required to set properties on '$(unit)'."), - true, message, error); if (r < 0) 
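Review bot: Dropping the hard-coded `true` in the bus_service_method_mount hunk changes who decides on interactive authorization, which contradicts the description's "does not change behaviour in any way". Assuming the new bus_verify_polkit_async() wrapper passes interactive=false as the description says, the prompt now depends only on the caller setting ALLOW_INTERACTIVE_AUTHORIZATION in the message header. The same applies to the dbus-unit.c hunks for start_generic, enqueue_job, kill, reset_failed, set_properties, clean and freezer_generic, to the homed hunks that passed `true`, and to the three networkd-link-bus.c hunks. The change fails closed, so it does not weaken authorization, but a client that never set the flag would now be refused rather than prompted. I would record that at bus_verify_manage_units_async_full() with a comment such as `/* Interactive authorization is decided solely by the ALLOW_INTERACTIVE_AUTHORIZATION flag of the incoming message */` and reword the description sentence accordingly.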
@@ -641,9 +631,7 @@ int bus_unit_method_ref(sd_bus_message *message, void *userdata, sd_bus_error *e r = bus_verify_manage_units_async_full( u, "ref", - CAP_SYS_ADMIN, - NULL, - false, + /* polkit_message= */ NULL, message, error); if (r < 0) @@ -712,9 +700,7 @@ int bus_unit_method_clean(sd_bus_message *message, void *userdata, sd_bus_error r = bus_verify_manage_units_async_full( u, "clean", - CAP_DAC_OVERRIDE, N_("Authentication is required to delete files and directories associated with '$(unit)'."), - true, message, error); if (r < 0) @@ -760,9 +746,7 @@ static int bus_unit_method_freezer_generic(sd_bus_message *message, void *userda r = bus_verify_manage_units_async_full( u, perm, - CAP_SYS_ADMIN, N_("Authentication is required to freeze or thaw the processes of '$(unit)' unit."), - true, message, error); if (r < 0) diff --git a/src/core/dbus-util.c b/src/core/dbus-util.c index d680a64268..822a17e49f 100644 --- a/src/core/dbus-util.c +++ b/src/core/dbus-util.c @@ -151,9 +151,7 @@ int bus_set_transient_usec_internal( int bus_verify_manage_units_async_full( Unit *u, const char *verb, - int capability, const char *polkit_message, - bool interactive, sd_bus_message *call, sd_bus_error *error) { @@ -171,11 +169,8 @@ int bus_verify_manage_units_async_full( return bus_verify_polkit_async( call, - capability, "org.freedesktop.systemd1.manage-units", details, - interactive, - UID_INVALID, &u->manager->polkit_registry, error); } diff --git a/src/core/dbus-util.h b/src/core/dbus-util.h index 9464b25516..ee944c166c 100644 --- a/src/core/dbus-util.h +++ b/src/core/dbus-util.h 
@@ -249,7 +249,7 @@ static inline int bus_set_transient_usec(Unit *u, const char *name, usec_t *p, s static inline int bus_set_transient_usec_fix_0(Unit *u, const char *name, usec_t *p, sd_bus_message *message, UnitWriteFlags flags, sd_bus_error *error) { return bus_set_transient_usec_internal(u, name, p, true, message, flags, error); } -int bus_verify_manage_units_async_full(Unit *u, const char *verb, int capability, const char *polkit_message, bool interactive, sd_bus_message *call, sd_bus_error *error); +int bus_verify_manage_units_async_full(Unit *u, const char *verb, const char *polkit_message, sd_bus_message *call, sd_bus_error *error); int bus_read_mount_options(sd_bus_message *message, sd_bus_error *error, MountOptions **ret_options, char **ret_format_str, const char *separator); diff --git a/src/core/dbus.c b/src/core/dbus.c index ba2cec4d77..f7d4a97096 100644 --- a/src/core/dbus.c +++ b/src/core/dbus.c 
@@ -1189,22 +1189,46 @@ int bus_track_coldplug(Manager *m, sd_bus_track **t, bool recursive, char **l) { } int bus_verify_manage_units_async(Manager *m, sd_bus_message *call, sd_bus_error *error) { - return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.manage-units", NULL, false, UID_INVALID, &m->polkit_registry, error); + return bus_verify_polkit_async( + call, + "org.freedesktop.systemd1.manage-units", + /* details= */ NULL, + &m->polkit_registry, + error); } int bus_verify_manage_unit_files_async(Manager *m, sd_bus_message *call, sd_bus_error *error) { - return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.manage-unit-files", NULL, false, UID_INVALID, &m->polkit_registry, error); + return bus_verify_polkit_async( + call, + "org.freedesktop.systemd1.manage-unit-files", + /* details= */ NULL, + &m->polkit_registry, + error); } int bus_verify_reload_daemon_async(Manager *m, sd_bus_message *call, sd_bus_error *error) { - return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.reload-daemon", NULL, false, UID_INVALID, &m->polkit_registry, error); + return bus_verify_polkit_async( + call, + "org.freedesktop.systemd1.reload-daemon", + /* details= */ NULL, + &m->polkit_registry, error); } int bus_verify_set_environment_async(Manager *m, sd_bus_message *call, sd_bus_error *error) { - return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.set-environment", NULL, false, UID_INVALID, &m->polkit_registry, error); + return bus_verify_polkit_async( + call, + "org.freedesktop.systemd1.set-environment", + /* details= */ NULL, + &m->polkit_registry, + error); } int bus_verify_bypass_dump_ratelimit_async(Manager *m, sd_bus_message *call, sd_bus_error *error) { - return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.bypass-dump-ratelimit", NULL, false, UID_INVALID, &m->polkit_registry, error); + return bus_verify_polkit_async( + call, + 
"org.freedesktop.systemd1.bypass-dump-ratelimit", + /* details= */ NULL, + &m->polkit_registry, + error); } uint64_t manager_bus_n_queued_write(Manager *m) { diff --git a/src/home/homed-home-bus.c b/src/home/homed-home-bus.c index a47f4d8a84..413a706f4c 100644 --- a/src/home/homed-home-bus.c +++ b/src/home/homed-home-bus.c @@ -203,11 +203,8 @@ int bus_home_method_unregister( r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.home1.remove-home", - NULL, - true, - UID_INVALID, + /* details= */ NULL, &h->manager->polkit_registry, error); if (r < 0) @@ -243,11 +240,8 @@ int bus_home_method_realize( r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.home1.create-home", - NULL, - true, - UID_INVALID, + /* details= */ NULL, &h->manager->polkit_registry, error); if (r < 0) @@ -283,11 +277,8 @@ int bus_home_method_remove( r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.home1.remove-home", - NULL, - true, - UID_INVALID, + /* details= */ NULL, &h->manager->polkit_registry, error); if (r < 0) @@ -354,12 +345,11 @@ int bus_home_method_authenticate( if (r < 0) return r; - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( message, - CAP_SYS_ADMIN, "org.freedesktop.home1.authenticate-home", - NULL, - true, + /* details= */ NULL, + /* interactive= */ false, h->uid, &h->manager->polkit_registry, error); @@ -395,11 +385,8 @@ int bus_home_method_update_record(Home *h, sd_bus_message *message, UserRecord * r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.home1.update-home", - NULL, - true, - UID_INVALID, + /* details= */ NULL, &h->manager->polkit_registry, error); if (r < 0) @@ -461,11 +448,8 @@ int bus_home_method_resize( r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.home1.resize-home", - NULL, - true, - UID_INVALID, + /* details= */ NULL, &h->manager->polkit_registry, error); if (r < 0) 
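Review bot: In the src/core/dbus.c hunk, bus_verify_reload_daemon_async() ends its call with `&m->polkit_registry, error);` on a single line, while the four sibling wrappers rewritten in the same hunk put each argument on its own line. Splitting it into `&m->polkit_registry,` and `error);` keeps the five wrappers textually identical apart from the action string, which makes a mismatched action or registry easier to spot in later reviews.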
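Review bot: The move to bus_verify_polkit_async_full() in bus_home_method_authenticate (and in bus_home_method_change_password further down) exists only to pass `h->uid`, and nothing at the call says what that argument grants. If, as the name good_user used elsewhere in this commit suggests, a caller with that UID is accepted without a polkit query, a short comment such as `/* The home's own user may do this without polkit authorization */` would make the trust decision visible at the point where it is taken. Both functions continue outside their hunks, so an existing comment above the call may already cover this.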
@@ -506,12 +490,11 @@ int bus_home_method_change_password( if (r < 0) return r; - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( message, - CAP_SYS_ADMIN, "org.freedesktop.home1.passwd-home", - NULL, - true, + /* details= */ NULL, + /* interactive= */ false, h->uid, &h->manager->polkit_registry, error); diff --git a/src/home/homed-manager-bus.c b/src/home/homed-manager-bus.c index 7cf543922f..b5dffb2c69 100644 --- a/src/home/homed-manager-bus.c +++ b/src/home/homed-manager-bus.c @@ -396,11 +396,8 @@ static int method_register_home( r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.home1.create-home", - NULL, - true, - UID_INVALID, + /* details= */ NULL, &m->polkit_registry, error); if (r < 0) @@ -443,11 +440,8 @@ static int method_create_home( r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.home1.create-home", - NULL, - true, - UID_INVALID, + /* details= */ NULL, &m->polkit_registry, error); if (r < 0) diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c index fc7a97fb99..893eb4cc0f 100644 --- a/src/hostname/hostnamed.c +++ b/src/hostname/hostnamed.c @@ -1054,13 +1054,12 @@ static int method_set_hostname(sd_bus_message *m, void *userdata, sd_bus_error * context_read_etc_hostname(c); - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( m, - CAP_SYS_ADMIN, "org.freedesktop.hostname1.set-hostname", - NULL, + /* details= */ NULL, interactive, - UID_INVALID, + /* good_user= */ UID_INVALID, &c->polkit_registry, error); if (r < 0) 
@@ -1101,13 +1100,12 @@ static int method_set_static_hostname(sd_bus_message *m, void *userdata, sd_bus_ if (name && !hostname_is_valid(name, 0)) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid static hostname '%s'", name); - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( m, - CAP_SYS_ADMIN, "org.freedesktop.hostname1.set-static-hostname", - NULL, + /* details= */ NULL, interactive, - UID_INVALID, + /* good_user= */ UID_INVALID, &c->polkit_registry, error); if (r < 0) @@ -1177,17 +1175,15 @@ static int set_machine_info(Context *c, sd_bus_message *m, int prop, sd_bus_mess return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid location '%s'", name); } - /* Since the pretty hostname should always be changed at the - * same time as the static one, use the same policy action for - * both... */ + /* Since the pretty hostname should always be changed at the same time as the static one, use the + * same policy action for both... */ - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( m, - CAP_SYS_ADMIN, prop == PROP_PRETTY_HOSTNAME ? "org.freedesktop.hostname1.set-static-hostname" : "org.freedesktop.hostname1.set-machine-info", - NULL, + /* details= */ NULL, interactive, - UID_INVALID, + /* good_user= */ UID_INVALID, &c->polkit_registry, error); if (r < 0) @@ -1259,13 +1255,12 @@ static int method_get_product_uuid(sd_bus_message *m, void *userdata, sd_bus_err if (r < 0) return r; - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( m, - CAP_SYS_ADMIN, "org.freedesktop.hostname1.get-product-uuid", - NULL, + /* details= */ NULL, interactive, - UID_INVALID, + /* good_user= */ UID_INVALID, &c->polkit_registry, error); if (r < 0) 
@@ -1306,11 +1301,8 @@ static int method_get_hardware_serial(sd_bus_message *m, void *userdata, sd_bus_ r = bus_verify_polkit_async( m, - CAP_SYS_ADMIN, "org.freedesktop.hostname1.get-hardware-serial", - NULL, - false, - UID_INVALID, + /* details= */ NULL, &c->polkit_registry, error); if (r < 0) @@ -1350,11 +1342,8 @@ static int method_describe(sd_bus_message *m, void *userdata, sd_bus_error *erro r = bus_verify_polkit_async( m, - CAP_SYS_ADMIN, "org.freedesktop.hostname1.get-description", - NULL, - false, - UID_INVALID, + /* details= */ NULL, &c->polkit_registry, error); if (r == 0) diff --git a/src/import/importd.c b/src/import/importd.c index e1a1ddc2ee..e9bbbb628d 100644 --- a/src/import/importd.c +++ b/src/import/importd.c @@ -704,11 +704,8 @@ static int method_import_tar_or_raw(sd_bus_message *msg, void *userdata, sd_bus_ r = bus_verify_polkit_async( msg, - CAP_SYS_ADMIN, "org.freedesktop.import1.import", - NULL, - false, - UID_INVALID, + /* details= */ NULL, &m->polkit_registry, error); if (r < 0) @@ -775,11 +772,8 @@ static int method_import_fs(sd_bus_message *msg, void *userdata, sd_bus_error *e r = bus_verify_polkit_async( msg, - CAP_SYS_ADMIN, "org.freedesktop.import1.import", - NULL, - false, - UID_INVALID, + /* details= */ NULL, &m->polkit_registry, error); if (r < 0) @@ -843,11 +837,8 @@ static int method_export_tar_or_raw(sd_bus_message *msg, void *userdata, sd_bus_ r = bus_verify_polkit_async( msg, - CAP_SYS_ADMIN, "org.freedesktop.import1.export", - NULL, - false, - UID_INVALID, + /* details= */ NULL, &m->polkit_registry, error); if (r < 0) @@ -916,11 +907,8 @@ static int method_pull_tar_or_raw(sd_bus_message *msg, void *userdata, sd_bus_er r = bus_verify_polkit_async( msg, - CAP_SYS_ADMIN, "org.freedesktop.import1.pull", - NULL, - false, - UID_INVALID, + /* details= */ NULL, &m->polkit_registry, error); if (r < 0) 
@@ -1036,11 +1024,8 @@ static int method_cancel(sd_bus_message *msg, void *userdata, sd_bus_error *erro r = bus_verify_polkit_async( msg, - CAP_SYS_ADMIN, "org.freedesktop.import1.pull", - NULL, - false, - UID_INVALID, + /* details= */ NULL, &t->manager->polkit_registry, error); if (r < 0) @@ -1065,11 +1050,8 @@ static int method_cancel_transfer(sd_bus_message *msg, void *userdata, sd_bus_er r = bus_verify_polkit_async( msg, - CAP_SYS_ADMIN, "org.freedesktop.import1.pull", - NULL, - false, - UID_INVALID, + /* details= */ NULL, &m->polkit_registry, error); if (r < 0) diff --git a/src/locale/localed.c b/src/locale/localed.c index 5d96237fae..8ce8c0d08f 100644 --- a/src/locale/localed.c +++ b/src/locale/localed.c @@ -281,13 +281,12 @@ static int method_set_locale(sd_bus_message *m, void *userdata, sd_bus_error *er return sd_bus_reply_method_return(m, NULL); } - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( m, - CAP_SYS_ADMIN, "org.freedesktop.locale1.set-locale", - NULL, + /* details= */ NULL, interactive, - UID_INVALID, + /* good_user= */ UID_INVALID, &c->polkit_registry, error); if (r < 0) @@ -386,13 +385,12 @@ static int method_set_vc_keyboard(sd_bus_message *m, void *userdata, sd_bus_erro if (vc_context_equal(&c->vc, &in) && !x_needs_update) return sd_bus_reply_method_return(m, NULL); - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( m, - CAP_SYS_ADMIN, "org.freedesktop.locale1.set-keyboard", - NULL, + /* details= */ NULL, interactive, - UID_INVALID, + /* good_user= */ UID_INVALID, &c->polkit_registry, error); if (r < 0) 
@@ -506,13 +504,12 @@ static int method_set_x11_keyboard(sd_bus_message *m, void *userdata, sd_bus_err if (x11_context_equal(&c->x11_from_vc, &in) && x11_context_equal(&c->x11_from_xorg, &in) && !convert) return sd_bus_reply_method_return(m, NULL); - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( m, - CAP_SYS_ADMIN, "org.freedesktop.locale1.set-keyboard", - NULL, + /* details= */ NULL, interactive, - UID_INVALID, + /* good_user= */ UID_INVALID, &c->polkit_registry, error); if (r < 0) diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c index 34992b5681..898c6f752b 100644 --- a/src/login/logind-dbus.c +++ b/src/login/logind-dbus.c @@ -236,7 +236,6 @@ int manager_get_seat_from_creds( static int return_test_polkit( sd_bus_message *message, - int capability, const char *action, const char **details, uid_t good_user, @@ -246,7 +245,7 @@ static int return_test_polkit( bool challenge; int r; - r = bus_test_polkit(message, capability, action, details, good_user, &challenge, e); + r = bus_test_polkit(message, action, details, good_user, &challenge, e); if (r < 0) return r; @@ -1245,11 +1244,8 @@ static int method_lock_sessions(sd_bus_message *message, void *userdata, sd_bus_ r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.login1.lock-sessions", - NULL, - false, - UID_INVALID, + /* details= */ NULL, &m->polkit_registry, error); if (r < 0) @@ -1397,14 +1393,13 @@ static int method_set_user_linger(sd_bus_message *message, void *userdata, sd_bu if (!pw) return errno_or_else(ENOENT); - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( message, - CAP_SYS_ADMIN, uid == auth_uid ? "org.freedesktop.login1.set-self-linger" : "org.freedesktop.login1.set-user-linger", - NULL, + /* details= */ NULL, interactive, - UID_INVALID, + /* good_user= */ UID_INVALID, &m->polkit_registry, error); if (r < 0) 
@@ -1565,13 +1560,12 @@ static int method_attach_device(sd_bus_message *message, void *userdata, sd_bus_ } else if (!seat_name_is_valid(seat)) /* Note that a seat does not have to exist yet for this operation to succeed */ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Seat name %s is not valid", seat); - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( message, - CAP_SYS_ADMIN, "org.freedesktop.login1.attach-device", - NULL, + /* details= */ NULL, interactive, - UID_INVALID, + /* good_user= */ UID_INVALID, &m->polkit_registry, error); if (r < 0) @@ -1596,13 +1590,12 @@ static int method_flush_devices(sd_bus_message *message, void *userdata, sd_bus_ if (r < 0) return r; - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( message, - CAP_SYS_ADMIN, "org.freedesktop.login1.flush-devices", - NULL, + /* details= */ NULL, interactive, - UID_INVALID, + /* good_user= */ UID_INVALID, &m->polkit_registry, error); if (r < 0) @@ -1938,13 +1931,12 @@ static int verify_shutdown_creds( interactive = flags & SD_LOGIND_INTERACTIVE; if (multiple_sessions) { - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( message, - CAP_SYS_BOOT, a->polkit_action_multiple_sessions, - NULL, + /* details= */ NULL, interactive, - UID_INVALID, + /* good_user= */ UID_INVALID, &m->polkit_registry, error); if (r < 0) @@ -1959,12 +1951,12 @@ static int verify_shutdown_creds( return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Access denied to root due to active block inhibitor"); - r = bus_verify_polkit_async(message, - CAP_SYS_BOOT, + r = bus_verify_polkit_async_full( + message, a->polkit_action_ignore_inhibit, - NULL, + /* details= */ NULL, interactive, - UID_INVALID, + /* good_user= */ UID_INVALID, &m->polkit_registry, error); if (r < 0) 
@@ -1974,12 +1966,12 @@ static int verify_shutdown_creds( } if (!multiple_sessions && !blocked) { - r = bus_verify_polkit_async(message, - CAP_SYS_BOOT, + r = bus_verify_polkit_async_full( + message, a->polkit_action, - NULL, + /* details= */ NULL, interactive, - UID_INVALID, + /* good_user= */ UID_INVALID, &m->polkit_registry, error); if (r < 0) @@ -2529,11 +2521,8 @@ static int method_cancel_scheduled_shutdown(sd_bus_message *message, void *userd r = bus_verify_polkit_async( message, - CAP_SYS_BOOT, a->polkit_action, - NULL, - false, - UID_INVALID, + /* details= */ NULL, &m->polkit_registry, error); if (r < 0) @@ -2640,7 +2629,13 @@ static int method_can_shutdown_or_sleep( } if (multiple_sessions) { - r = bus_test_polkit(message, CAP_SYS_BOOT, a->polkit_action_multiple_sessions, NULL, UID_INVALID, &challenge, error); + r = bus_test_polkit( + message, + a->polkit_action_multiple_sessions, + /* details= */ NULL, + /* good_user= */ UID_INVALID, + &challenge, + error); if (r < 0) return r; @@ -2653,7 +2648,13 @@ static int method_can_shutdown_or_sleep( } if (blocked) { - r = bus_test_polkit(message, CAP_SYS_BOOT, a->polkit_action_ignore_inhibit, NULL, UID_INVALID, &challenge, error); + r = bus_test_polkit( + message, + a->polkit_action_ignore_inhibit, + /* details= */ NULL, + /* good_user= */ UID_INVALID, + &challenge, + error); if (r < 0) return r; @@ -2671,7 +2672,13 @@ static int method_can_shutdown_or_sleep( /* If neither inhibit nor multiple sessions * apply then just check the normal policy */ - r = bus_test_polkit(message, CAP_SYS_BOOT, a->polkit_action, NULL, UID_INVALID, &challenge, error); + r = bus_test_polkit( + message, + a->polkit_action, + /* details= */ NULL, + /* good_user= */ UID_INVALID, + &challenge, + error); if (r < 0) return r; 
@@ -2779,14 +2786,12 @@ static int method_set_reboot_parameter( return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Reboot parameter not supported in containers, refusing."); - r = bus_verify_polkit_async(message, - CAP_SYS_ADMIN, - "org.freedesktop.login1.set-reboot-parameter", - NULL, - false, - UID_INVALID, - &m->polkit_registry, - error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.login1.set-reboot-parameter", + /* details= */ NULL, + &m->polkit_registry, + error); if (r < 0) return r; if (r == 0) @@ -2817,10 +2822,9 @@ static int method_can_reboot_parameter( return return_test_polkit( message, - CAP_SYS_ADMIN, "org.freedesktop.login1.set-reboot-parameter", - NULL, - UID_INVALID, + /* details= */ NULL, + /* good_user= */ UID_INVALID, error); } @@ -2898,14 +2902,12 @@ static int method_set_reboot_to_firmware_setup( /* non-EFI case: $SYSTEMD_REBOOT_TO_FIRMWARE_SETUP is set to on */ use_efi = false; - r = bus_verify_polkit_async(message, - CAP_SYS_ADMIN, - "org.freedesktop.login1.set-reboot-to-firmware-setup", - NULL, - false, - UID_INVALID, - &m->polkit_registry, - error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.login1.set-reboot-to-firmware-setup", + /* details= */ NULL, + &m->polkit_registry, + error); if (r < 0) return r; if (r == 0) @@ -2962,10 +2964,9 @@ static int method_can_reboot_to_firmware_setup( return return_test_polkit( message, - CAP_SYS_ADMIN, "org.freedesktop.login1.set-reboot-to-firmware-setup", - NULL, - UID_INVALID, + /* details= */ NULL, + /* good_user= */ UID_INVALID, error); } 
@@ -3062,14 +3063,12 @@ static int method_set_reboot_to_boot_loader_menu( /* non-EFI case: $SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU is set to on */ use_efi = false; - r = bus_verify_polkit_async(message, - CAP_SYS_ADMIN, - "org.freedesktop.login1.set-reboot-to-boot-loader-menu", - NULL, - false, - UID_INVALID, - &m->polkit_registry, - error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.login1.set-reboot-to-boot-loader-menu", + /* details= */ NULL, + &m->polkit_registry, + error); if (r < 0) return r; if (r == 0) @@ -3137,10 +3136,9 @@ static int method_can_reboot_to_boot_loader_menu( return return_test_polkit( message, - CAP_SYS_ADMIN, "org.freedesktop.login1.set-reboot-to-boot-loader-menu", - NULL, - UID_INVALID, + /* details= */ NULL, + /* good_user= */ UID_INVALID, error); } @@ -3261,14 +3259,12 @@ static int method_set_reboot_to_boot_loader_entry( /* non-EFI case: $SYSTEMD_REBOOT_TO_BOOT_LOADER_ENTRY is set to on */ use_efi = false; - r = bus_verify_polkit_async(message, - CAP_SYS_ADMIN, - "org.freedesktop.login1.set-reboot-to-boot-loader-entry", - NULL, - false, - UID_INVALID, - &m->polkit_registry, - error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.login1.set-reboot-to-boot-loader-entry", + /* details= */ NULL, + &m->polkit_registry, + error); if (r < 0) return r; if (r == 0) @@ -3329,10 +3325,9 @@ static int method_can_reboot_to_boot_loader_entry( return return_test_polkit( message, - CAP_SYS_ADMIN, "org.freedesktop.login1.set-reboot-to-boot-loader-entry", - NULL, - UID_INVALID, + /* details= */ NULL, + /* good_user= */ UID_INVALID, error); } 
@@ -3403,14 +3398,12 @@ static int method_set_wall_message( m->enable_wall_messages == enable_wall_messages) goto done; - r = bus_verify_polkit_async(message, - CAP_SYS_ADMIN, - "org.freedesktop.login1.set-wall-message", - NULL, - false, - UID_INVALID, - &m->polkit_registry, - error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.login1.set-wall-message", + /* details= */ NULL, + &m->polkit_registry, + error); if (r < 0) return r; if (r == 0) @@ -3470,7 +3463,6 @@ static int method_inhibit(sd_bus_message *message, void *userdata, sd_bus_error r = bus_verify_polkit_async( message, - CAP_SYS_BOOT, w == INHIBIT_SHUTDOWN ? (mm == INHIBIT_BLOCK ? "org.freedesktop.login1.inhibit-block-shutdown" : "org.freedesktop.login1.inhibit-delay-shutdown") : w == INHIBIT_SLEEP ? (mm == INHIBIT_BLOCK ? "org.freedesktop.login1.inhibit-block-sleep" : "org.freedesktop.login1.inhibit-delay-sleep") : w == INHIBIT_IDLE ? "org.freedesktop.login1.inhibit-block-idle" : @@ -3479,9 +3471,7 @@ static int method_inhibit(sd_bus_message *message, void *userdata, sd_bus_error w == INHIBIT_HANDLE_REBOOT_KEY ? "org.freedesktop.login1.inhibit-handle-reboot-key" : w == INHIBIT_HANDLE_HIBERNATE_KEY ? "org.freedesktop.login1.inhibit-handle-hibernate-key" : "org.freedesktop.login1.inhibit-handle-lid-switch", - NULL, - false, - UID_INVALID, + /* details= */ NULL, &m->polkit_registry, error); if (r < 0) diff --git a/src/login/logind-polkit.c b/src/login/logind-polkit.c index e4efd64616..2f1523ae04 100644 --- a/src/login/logind-polkit.c +++ b/src/login/logind-polkit.c @@ -9,11 +9,8 @@ int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *e #if ENABLE_POLKIT return bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.login1.chvt", - NULL, - false, - UID_INVALID, + /* details= */ NULL, &manager->polkit_registry, error); #else diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c index 877b9c1af1..0a395c6509 100644 
--- a/src/login/logind-seat-dbus.c +++ b/src/login/logind-seat-dbus.c @@ -134,11 +134,8 @@ int bus_seat_method_terminate(sd_bus_message *message, void *userdata, sd_bus_er r = bus_verify_polkit_async( message, - CAP_KILL, "org.freedesktop.login1.manage", - NULL, - false, - UID_INVALID, + /* details= */ NULL, &s->manager->polkit_registry, error); if (r < 0) diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c index a136ae418c..9348ccc4dd 100644 --- a/src/login/logind-session-dbus.c +++ b/src/login/logind-session-dbus.c @@ -158,12 +158,11 @@ int bus_session_method_terminate(sd_bus_message *message, void *userdata, sd_bus assert(message); - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( message, - CAP_KILL, "org.freedesktop.login1.manage", - NULL, - false, + /* details= */ NULL, + /* interactive= */ false, s->user->user_record->uid, &s->manager->polkit_registry, error); @@ -204,12 +203,11 @@ int bus_session_method_lock(sd_bus_message *message, void *userdata, sd_bus_erro assert(message); - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( message, - CAP_SYS_ADMIN, "org.freedesktop.login1.lock-sessions", - NULL, - false, + /* details= */ NULL, + /* interactive= */ false, s->user->user_record->uid, &s->manager->polkit_registry, error); @@ -309,12 +307,11 @@ int bus_session_method_kill(sd_bus_message *message, void *userdata, sd_bus_erro if (!SIGNAL_VALID(signo)) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid signal %i", signo); - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( message, - CAP_KILL, "org.freedesktop.login1.manage", - NULL, - false, + /* details= */ NULL, + /* interactive= */ false, s->user->user_record->uid, &s->manager->polkit_registry, error); diff --git a/src/login/logind-user-dbus.c b/src/login/logind-user-dbus.c index 88649b2f4b..0763a5b03f 100644 --- a/src/login/logind-user-dbus.c +++ b/src/login/logind-user-dbus.c 
@@ -192,12 +192,11 @@ int bus_user_method_terminate(sd_bus_message *message, void *userdata, sd_bus_er assert(message); - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( message, - CAP_KILL, "org.freedesktop.login1.manage", - NULL, - false, + /* details= */ NULL, + /* interactive= */ false, u->user_record->uid, &u->manager->polkit_registry, error); @@ -220,12 +219,11 @@ int bus_user_method_kill(sd_bus_message *message, void *userdata, sd_bus_error * assert(message); - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( message, - CAP_KILL, "org.freedesktop.login1.manage", - NULL, - false, + /* details= */ NULL, + /* interactive= */ false, u->user_record->uid, &u->manager->polkit_registry, error); diff --git a/src/machine/image-dbus.c b/src/machine/image-dbus.c index aa4525ddbd..69039de2e6 100644 --- a/src/machine/image-dbus.c +++ b/src/machine/image-dbus.c @@ -50,11 +50,8 @@ int bus_image_method_remove( r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-images", details, - false, - UID_INVALID, &m->polkit_registry, error); if (r < 0) @@ -121,11 +118,8 @@ int bus_image_method_rename( r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-images", details, - false, - UID_INVALID, &m->polkit_registry, error); if (r < 0) @@ -173,11 +167,8 @@ int bus_image_method_clone( r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-images", details, - false, - UID_INVALID, &m->polkit_registry, error); if (r < 0) @@ -240,11 +231,8 @@ int bus_image_method_mark_read_only( r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-images", details, - false, - UID_INVALID, &m->polkit_registry, error); if (r < 0) 
@@ -285,11 +273,8 @@ int bus_image_method_set_limit( r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-images", details, - false, - UID_INVALID, &m->polkit_registry, error); if (r < 0) diff --git a/src/machine/machine-dbus.c b/src/machine/machine-dbus.c index 4620f32d62..6c2c2232fe 100644 --- a/src/machine/machine-dbus.c +++ b/src/machine/machine-dbus.c @@ -73,11 +73,8 @@ int bus_machine_method_unregister(sd_bus_message *message, void *userdata, sd_bu r = bus_verify_polkit_async( message, - CAP_KILL, "org.freedesktop.machine1.manage-machines", details, - false, - UID_INVALID, &m->manager->polkit_registry, error); if (r < 0) @@ -106,11 +103,8 @@ int bus_machine_method_terminate(sd_bus_message *message, void *userdata, sd_bus r = bus_verify_polkit_async( message, - CAP_KILL, "org.freedesktop.machine1.manage-machines", details, - false, - UID_INVALID, &m->manager->polkit_registry, error); if (r < 0) @@ -157,11 +151,8 @@ int bus_machine_method_kill(sd_bus_message *message, void *userdata, sd_bus_erro r = bus_verify_polkit_async( message, - CAP_KILL, "org.freedesktop.machine1.manage-machines", details, - false, - UID_INVALID, &m->manager->polkit_registry, error); if (r < 0) @@ -449,11 +440,8 @@ int bus_machine_method_open_pty(sd_bus_message *message, void *userdata, sd_bus_ r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-open-pty" : "org.freedesktop.machine1.open-pty", details, - false, - UID_INVALID, &m->manager->polkit_registry, error); if (r < 0) @@ -541,11 +529,8 @@ int bus_machine_method_open_login(sd_bus_message *message, void *userdata, sd_bu r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-login" : "org.freedesktop.machine1.login", details, - false, - UID_INVALID, &m->manager->polkit_registry, error); if (r < 0) 
@@ -656,11 +641,8 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-shell" : "org.freedesktop.machine1.shell", details, - false, - UID_INVALID, &m->manager->polkit_registry, error); if (r < 0) @@ -861,11 +843,8 @@ int bus_machine_method_bind_mount(sd_bus_message *message, void *userdata, sd_bu r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-machines", details, - false, - UID_INVALID, &m->manager->polkit_registry, error); if (r < 0) @@ -949,11 +928,8 @@ int bus_machine_method_copy(sd_bus_message *message, void *userdata, sd_bus_erro r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-machines", details, - false, - UID_INVALID, &m->manager->polkit_registry, error); if (r < 0) @@ -1070,11 +1046,8 @@ int bus_machine_method_open_root_directory(sd_bus_message *message, void *userda r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-machines", details, - false, - UID_INVALID, &m->manager->polkit_registry, error); if (r < 0) diff --git a/src/machine/machined-dbus.c b/src/machine/machined-dbus.c index 9fec047385..6b108dc009 100644 --- a/src/machine/machined-dbus.c +++ b/src/machine/machined-dbus.c @@ -720,11 +720,8 @@ static int method_clean_pool(sd_bus_message *message, void *userdata, sd_bus_err r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-machines", details, - false, - UID_INVALID, &m->polkit_registry, error); if (r < 0) @@ -855,11 +852,8 @@ static int method_set_pool_limit(sd_bus_message *message, void *userdata, sd_bus r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-machines", details, - false, - UID_INVALID, &m->polkit_registry, error); if (r < 0) 
diff --git a/src/network/networkd-link-bus.c b/src/network/networkd-link-bus.c index 58d487570a..743957d27c 100644 --- a/src/network/networkd-link-bus.c +++ b/src/network/networkd-link-bus.c @@ -100,10 +100,12 @@ int bus_link_method_set_ntp_servers(sd_bus_message *message, void *userdata, sd_ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid NTP server: %s", *i); } - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.network1.set-ntp-servers", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.network1.set-ntp-servers", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) @@ -134,10 +136,12 @@ static int bus_link_method_set_dns_servers_internal(sd_bus_message *message, voi if (r < 0) return r; - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.network1.set-dns-servers", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.network1.set-dns-servers", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) goto finalize; if (r == 0) { @@ -231,10 +235,12 @@ int bus_link_method_set_domains(sd_bus_message *message, void *userdata, sd_bus_ if (r < 0) return r; - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.network1.set-domains", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.network1.set-domains", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) 
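Review bot: The networkd call sites starting with bus_link_method_set_ntp_servers() used to pass `true` for `interactive` and now go through the bus_verify_polkit_async() wrapper, which passes `false`, so for them this is a visible behaviour change rather than a pure refactor. If the callee prompts only when this argument or the message's ALLOW_INTERACTIVE_AUTHORIZATION header flag is set (its body is not shown here), clients that never set the flag will now be refused instead of prompted. The same switch happens in the remaining networkd-link-bus.c hunks and in networkd-manager-bus.c, resolved-link-bus.c and timesyncd-bus.c. Honouring only the header flag is the safer default, but it deserves a changelog line and a comment on the wrapper such as `/* Never forces interactive authorization; callers must set ALLOW_INTERACTIVE_AUTHORIZATION on the message */`.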
@@ -266,10 +272,12 @@ int bus_link_method_set_default_route(sd_bus_message *message, void *userdata, s if (r < 0) return r; - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.network1.set-default-route", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.network1.set-default-route", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) @@ -310,10 +318,12 @@ int bus_link_method_set_llmnr(sd_bus_message *message, void *userdata, sd_bus_er return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid LLMNR setting: %s", llmnr); } - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.network1.set-llmnr", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.network1.set-llmnr", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) @@ -354,10 +364,12 @@ int bus_link_method_set_mdns(sd_bus_message *message, void *userdata, sd_bus_err return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid MulticastDNS setting: %s", mdns); } - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.network1.set-mdns", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.network1.set-mdns", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) 
@@ -398,10 +410,12 @@ int bus_link_method_set_dns_over_tls(sd_bus_message *message, void *userdata, sd return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid DNSOverTLS setting: %s", dns_over_tls); } - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.network1.set-dns-over-tls", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.network1.set-dns-over-tls", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) @@ -442,10 +456,12 @@ int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_e return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid DNSSEC setting: %s", dnssec); } - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.network1.set-dnssec", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.network1.set-dnssec", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) @@ -496,10 +512,12 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v return r; } - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.network1.set-dnssec-negative-trust-anchors", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.network1.set-dnssec-negative-trust-anchors", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) 
@@ -525,10 +543,11 @@ int bus_link_method_revert_ntp(sd_bus_message *message, void *userdata, sd_bus_e if (r < 0) return r; - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.network1.revert-ntp", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.network1.revert-ntp", + /* details= */ NULL, + &l->manager->polkit_registry, error); if (r < 0) return r; if (r == 0) @@ -553,10 +572,12 @@ int bus_link_method_revert_dns(sd_bus_message *message, void *userdata, sd_bus_e if (r < 0) return r; - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.network1.revert-dns", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.network1.revert-dns", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) @@ -580,10 +601,12 @@ int bus_link_method_force_renew(sd_bus_message *message, void *userdata, sd_bus_ "Interface %s is not managed by systemd-networkd", l->ifname); - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.network1.forcerenew", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.network1.forcerenew", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) @@ -607,10 +630,12 @@ int bus_link_method_renew(sd_bus_message *message, void *userdata, sd_bus_error "Interface %s is not managed by systemd-networkd", l->ifname); - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.network1.renew", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.network1.renew", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) 
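Review bot: In bus_link_method_revert_ntp() the rewritten call ends with `&l->manager->polkit_registry, error);` on a single line, while every other converted call in this file puts each argument on its own line. Split it into `&l->manager->polkit_registry,` followed by `error);` so the authorization calls stay uniform and easy to compare side by side. bus_link_method_set_dns_servers_internal() in resolved-link-bus.c has the same leftover. The function body continues outside the hunk.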
@@ -629,10 +654,12 @@ int bus_link_method_reconfigure(sd_bus_message *message, void *userdata, sd_bus_ assert(message); - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.network1.reconfigure", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.network1.reconfigure", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) diff --git a/src/network/networkd-manager-bus.c b/src/network/networkd-manager-bus.c index aecbc1d67c..a8906f81c1 100644 --- a/src/network/networkd-manager-bus.c +++ b/src/network/networkd-manager-bus.c @@ -201,10 +201,12 @@ static int bus_method_reload(sd_bus_message *message, void *userdata, sd_bus_err Manager *manager = userdata; int r; - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.network1.reload", - NULL, true, UID_INVALID, - &manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.network1.reload", + /* details= */ NULL, + &manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) diff --git a/src/portable/portabled-bus.c b/src/portable/portabled-bus.c index 0d5518060e..4f239e2b12 100644 --- a/src/portable/portabled-bus.c +++ b/src/portable/portabled-bus.c @@ -320,11 +320,8 @@ static int method_detach_image(sd_bus_message *message, void *userdata, sd_bus_e r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.portable1.attach-images", - NULL, - false, - UID_INVALID, + /* details= */ NULL, &m->polkit_registry, error); if (r < 0) @@ -377,11 +374,8 @@ static int method_set_pool_limit(sd_bus_message *message, void *userdata, sd_bus r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.portable1.manage-images", - NULL, - false, - UID_INVALID, + /* details= */ NULL, &m->polkit_registry, error); if (r < 0) 
diff --git a/src/portable/portabled-image-bus.c b/src/portable/portabled-image-bus.c index 1f61c3b8c4..63f177eb74 100644 --- a/src/portable/portabled-image-bus.c +++ b/src/portable/portabled-image-bus.c @@ -451,11 +451,8 @@ static int bus_image_method_detach( r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, "org.freedesktop.portable1.attach-images", - NULL, - false, - UID_INVALID, + /* details= */ NULL, &m->polkit_registry, error); if (r < 0) @@ -1010,11 +1007,8 @@ int bus_image_acquire( if (mode == BUS_IMAGE_AUTHENTICATE_ALL) { r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, polkit_action, - NULL, - false, - UID_INVALID, + /* details= */ NULL, &m->polkit_registry, error); if (r < 0) @@ -1064,11 +1058,8 @@ int bus_image_acquire( if (mode == BUS_IMAGE_AUTHENTICATE_BY_PATH) { r = bus_verify_polkit_async( message, - CAP_SYS_ADMIN, polkit_action, - NULL, - false, - UID_INVALID, + /* details= */ NULL, &m->polkit_registry, error); if (r < 0) diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c index d0304318c4..ef3f5237a9 100644 --- a/src/resolve/resolved-bus.c +++ b/src/resolve/resolved-bus.c @@ -1988,10 +1988,12 @@ static int bus_method_register_service(sd_bus_message *message, void *userdata, if (r < 0) return r; - r = bus_verify_polkit_async(message, CAP_SYS_ADMIN, - "org.freedesktop.resolve1.register-service", - NULL, false, UID_INVALID, - &m->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.resolve1.register-service", + /* details= */ NULL, + &m->polkit_registry, + error); if (r < 0) return r; if (r == 0) diff --git a/src/resolve/resolved-dnssd-bus.c b/src/resolve/resolved-dnssd-bus.c index 0f0d4786ef..0ae24fbf02 100644 --- a/src/resolve/resolved-dnssd-bus.c +++ b/src/resolve/resolved-dnssd-bus.c 
@@ -20,10 +20,14 @@ int bus_dnssd_method_unregister(sd_bus_message *message, void *userdata, sd_bus_ m = s->manager; - r = bus_verify_polkit_async(message, CAP_SYS_ADMIN, - "org.freedesktop.resolve1.unregister-service", - NULL, false, s->originator, - &m->polkit_registry, error); + r = bus_verify_polkit_async_full( + message, + "org.freedesktop.resolve1.unregister-service", + /* details= */ NULL, + /* interactive= */ false, + /* good_user= */ s->originator, + &m->polkit_registry, + error); if (r < 0) return r; if (r == 0) diff --git a/src/resolve/resolved-link-bus.c b/src/resolve/resolved-link-bus.c index 4f8f591306..7ca3214b06 100644 --- a/src/resolve/resolved-link-bus.c +++ b/src/resolve/resolved-link-bus.c @@ -236,10 +236,11 @@ static int bus_link_method_set_dns_servers_internal(sd_bus_message *message, voi if (r < 0) return r; - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.resolve1.set-dns-servers", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.resolve1.set-dns-servers", + /* details= */ NULL, + &l->manager->polkit_registry, error); if (r < 0) goto finalize; if (r == 0) { @@ -368,10 +369,12 @@ int bus_link_method_set_domains(sd_bus_message *message, void *userdata, sd_bus_ if (r < 0) return r; - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.resolve1.set-domains", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.resolve1.set-domains", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) 
@@ -446,10 +449,12 @@ int bus_link_method_set_default_route(sd_bus_message *message, void *userdata, s if (r < 0) return r; - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.resolve1.set-default-route", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.resolve1.set-default-route", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) @@ -493,10 +498,12 @@ int bus_link_method_set_llmnr(sd_bus_message *message, void *userdata, sd_bus_er return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid LLMNR setting: %s", llmnr); } - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.resolve1.set-llmnr", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.resolve1.set-llmnr", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) @@ -541,10 +548,12 @@ int bus_link_method_set_mdns(sd_bus_message *message, void *userdata, sd_bus_err return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid MulticastDNS setting: %s", mdns); } - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.resolve1.set-mdns", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.resolve1.set-mdns", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) 
@@ -589,10 +598,12 @@ int bus_link_method_set_dns_over_tls(sd_bus_message *message, void *userdata, sd return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid DNSOverTLS setting: %s", dns_over_tls); } - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.resolve1.set-dns-over-tls", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.resolve1.set-dns-over-tls", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) @@ -637,10 +648,12 @@ int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_e return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid DNSSEC setting: %s", dnssec); } - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.resolve1.set-dnssec", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.resolve1.set-dnssec", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) @@ -698,10 +711,12 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v return -ENOMEM; } - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.resolve1.set-dnssec-negative-trust-anchors", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.resolve1.set-dnssec-negative-trust-anchors", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) 
@@ -734,10 +749,12 @@ int bus_link_method_revert(sd_bus_message *message, void *userdata, sd_bus_error if (r < 0) return r; - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.resolve1.revert", - NULL, true, UID_INVALID, - &l->manager->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.resolve1.revert", + /* details= */ NULL, + &l->manager->polkit_registry, + error); if (r < 0) return r; if (r == 0) diff --git a/src/shared/bus-polkit.c b/src/shared/bus-polkit.c index 904b897984..9f923372a4 100644 --- a/src/shared/bus-polkit.c +++ b/src/shared/bus-polkit.c @@ -102,7 +102,6 @@ static int bus_message_new_polkit_auth_call( int bus_test_polkit( sd_bus_message *call, - int capability, const char *action, const char **details, uid_t good_user, @@ -120,7 +119,7 @@ int bus_test_polkit( if (r != 0) return r; - r = sd_bus_query_sender_privilege(call, capability); + r = sd_bus_query_sender_privilege(call, -1); if (r < 0) return r; if (r > 0) @@ -465,12 +464,11 @@ static int async_polkit_query_check_action( * <- async_polkit_defer(q) */ -int bus_verify_polkit_async( +int bus_verify_polkit_async_full( sd_bus_message *call, - int capability, const char *action, const char **details, - bool interactive, + bool interactive, /* Use only for legacy method calls that have a separate "allow_interactive_authentication" field */ uid_t good_user, Hashmap **registry, sd_bus_error *ret_error) { @@ -499,7 +497,7 @@ int bus_verify_polkit_async( } #endif - r = sd_bus_query_sender_privilege(call, capability); + r = sd_bus_query_sender_privilege(call, -1); if (r < 0) return r; if (r > 0) diff --git a/src/shared/bus-polkit.h b/src/shared/bus-polkit.h index e2a3b7eef6..d82ac4679c 100644 --- a/src/shared/bus-polkit.h +++ b/src/shared/bus-polkit.h 
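Review bot: The literal `-1` now passed to `sd_bus_query_sender_privilege()` in bus_test_polkit() and in bus_verify_polkit_async_full() (src/shared/bus-polkit.c) is an unlabelled magic value standing where the capability argument used to be. Write it as `r = sd_bus_query_sender_privilege(call, /* capability= */ -1);` to match the `/* details= */ NULL` style used throughout this commit. A one-line comment above it should say that no capability is consulted any more, so the shortcut presumably rests on the sender's UID alone. Both functions start and end outside these hunks, so what follows the `r > 0` branch cannot be checked from here.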
@@ -4,8 +4,13 @@ #include "sd-bus.h" #include "hashmap.h" +#include "user-util.h" -int bus_test_polkit(sd_bus_message *call, int capability, const char *action, const char **details, uid_t good_user, bool *_challenge, sd_bus_error *e); +int bus_test_polkit(sd_bus_message *call, const char *action, const char **details, uid_t good_user, bool *_challenge, sd_bus_error *e); + +int bus_verify_polkit_async_full(sd_bus_message *call, const char *action, const char **details, bool interactive, uid_t good_user, Hashmap **registry, sd_bus_error *error); +static inline int bus_verify_polkit_async(sd_bus_message *call, const char *action, const char **details, Hashmap **registry, sd_bus_error *ret_error) { + return bus_verify_polkit_async_full(call, action, details, false, UID_INVALID, registry, ret_error); +} -int bus_verify_polkit_async(sd_bus_message *call, int capability, const char *action, const char **details, bool interactive, uid_t good_user, Hashmap **registry, sd_bus_error *error); Hashmap *bus_verify_polkit_async_registry_free(Hashmap *registry); diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c index c7be30f563..53c2a6fb71 100644 --- a/src/timedate/timedated.c +++ b/src/timedate/timedated.c @@ -665,13 +665,12 @@ static int method_set_timezone(sd_bus_message *m, void *userdata, sd_bus_error * if (streq_ptr(z, c->zone)) return sd_bus_reply_method_return(m, NULL); - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( m, - CAP_SYS_TIME, "org.freedesktop.timedate1.set-timezone", - NULL, + /* details= */ NULL, interactive, - UID_INVALID, + /* good_user= */ UID_INVALID, &c->polkit_registry, error); if (r < 0) 
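Review bot: The inline bus_verify_polkit_async() wrapper in bus-polkit.h passes `false, UID_INVALID` unlabelled, although these are the two security-relevant defaults it exists to fix: no forced interactive prompt and, presumably, no UID exempt from the polkit check. Label them the way the call sites in this commit do: `return bus_verify_polkit_async_full(call, action, details, /* interactive= */ false, /* good_user= */ UID_INVALID, registry, ret_error);`. The prototype above it also names its last parameter `error`, while the definition in bus-polkit.c and the wrapper use `ret_error`. Declaring it as `sd_bus_error *ret_error` would keep the three aligned.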
@@ -740,13 +739,12 @@ static int method_set_local_rtc(sd_bus_message *m, void *userdata, sd_bus_error if (lrtc == c->local_rtc && !fix_system) return sd_bus_reply_method_return(m, NULL); - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( m, - CAP_SYS_TIME, "org.freedesktop.timedate1.set-local-rtc", - NULL, + /* details= */ NULL, interactive, - UID_INVALID, + /* good_user= */ UID_INVALID, &c->polkit_registry, error); if (r < 0) @@ -860,13 +858,12 @@ static int method_set_time(sd_bus_message *m, void *userdata, sd_bus_error *erro } else timespec_store(&ts, (usec_t) utc); - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( m, - CAP_SYS_TIME, "org.freedesktop.timedate1.set-time", - NULL, + /* details= */ NULL, interactive, - UID_INVALID, + /* good_user= */ UID_INVALID, &c->polkit_registry, error); if (r < 0) @@ -924,13 +921,12 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error if (context_ntp_service_exists(c) <= 0) return sd_bus_error_set(error, BUS_ERROR_NO_NTP_SUPPORT, "NTP not supported"); - r = bus_verify_polkit_async( + r = bus_verify_polkit_async_full( m, - CAP_SYS_TIME, "org.freedesktop.timedate1.set-ntp", - NULL, + /* details= */ NULL, interactive, - UID_INVALID, + /* good_user= */ UID_INVALID, &c->polkit_registry, error); if (r < 0) diff --git a/src/timesync/timesyncd-bus.c b/src/timesync/timesyncd-bus.c index 7237080f32..d1d2a14c0f 100644 --- a/src/timesync/timesyncd-bus.c +++ b/src/timesync/timesyncd-bus.c 
@@ -67,10 +67,12 @@ static int method_set_runtime_servers(sd_bus_message *message, void *userdata, s return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid NTP server name or address, refusing: %s", *name); } - r = bus_verify_polkit_async(message, CAP_NET_ADMIN, - "org.freedesktop.timesync1.set-runtime-servers", - NULL, true, UID_INVALID, - &m->polkit_registry, error); + r = bus_verify_polkit_async( + message, + "org.freedesktop.timesync1.set-runtime-servers", + /* details= */ NULL, + &m->polkit_registry, + error); if (r < 0) return r; if (r == 0) |