diff options
author | Luca Boccassi <bluca@debian.org> | 2024-06-27 21:55:34 +0200 |
---|---|---|
committer | Luca Boccassi <bluca@debian.org> | 2024-07-18 17:11:26 +0200 |
commit | 5c48335ef4cc1c930c86c6e893f3ab3e5472f7f6 (patch) | |
tree | 8cdb5d2da5c470ba268d9bdd1b8f7f814e6c36f5 /src/shared | |
parent | Merge pull request #33763 from DaanDeMeyer/mkosi (diff) | |
download | systemd-5c48335ef4cc1c930c86c6e893f3ab3e5472f7f6.tar.xz systemd-5c48335ef4cc1c930c86c6e893f3ab3e5472f7f6.zip |
polkit: map POLKIT_ALWAYS_QUERY to new polkit flag
polkitd by default just waves through requests from a root process.
A new POLKIT_CHECK_AUTHORIZATION_FLAGS_ALWAYS_CHECK flag was added
to main (will be part of v125 when it ships) that forces it to go
through the policy checks for root too. Previous versions will just
ignore it.
Change the flags handling slightly so that we pass this or the
interactive flags through, as the values match what polkit expects.
Diffstat (limited to 'src/shared')
-rw-r--r-- | src/shared/bus-polkit.c | 21 | ||||
-rw-r--r-- | src/shared/bus-polkit.h | 1 |
2 files changed, 10 insertions, 12 deletions
diff --git a/src/shared/bus-polkit.c b/src/shared/bus-polkit.c index ed884c3001..03870df2b4 100644 --- a/src/shared/bus-polkit.c +++ b/src/shared/bus-polkit.c @@ -56,7 +56,7 @@ static int bus_message_new_polkit_auth_call_for_bus( sd_bus_message *m, const char *action, const char **details, - bool interactive, + PolkitFlags flags, sd_bus_message **ret) { _cleanup_(sd_bus_message_unrefp) sd_bus_message *c = NULL; @@ -89,7 +89,7 @@ static int bus_message_new_polkit_auth_call_for_bus( if (r < 0) return r; - r = sd_bus_message_append(c, "us", interactive, NULL); + r = sd_bus_message_append(c, "us", (uint32_t) (flags & _POLKIT_MASK_PUBLIC), NULL); if (r < 0) return r; @@ -569,16 +569,14 @@ int bus_verify_polkit_async_full( } #if ENABLE_POLKIT - bool interactive = FLAGS_SET(flags, POLKIT_ALLOW_INTERACTIVE); - int c = sd_bus_message_get_allow_interactive_authorization(call); if (c < 0) return c; if (c > 0) - interactive = true; + flags |= POLKIT_ALLOW_INTERACTIVE; _cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL; - r = bus_message_new_polkit_auth_call_for_bus(call, action, details, interactive, &pk); + r = bus_message_new_polkit_auth_call_for_bus(call, action, details, flags, &pk); if (r < 0) return r; @@ -663,7 +661,7 @@ static int bus_message_new_polkit_auth_call_for_varlink( sd_varlink *link, const char *action, const char **details, - bool interactive, + PolkitFlags flags, sd_bus_message **ret) { _cleanup_(sd_bus_message_unrefp) sd_bus_message *c = NULL; @@ -710,7 +708,7 @@ static int bus_message_new_polkit_auth_call_for_varlink( if (r < 0) return r; - r = sd_bus_message_append(c, "us", interactive, NULL); + r = sd_bus_message_append(c, "us", (uint32_t) (flags & _POLKIT_MASK_PUBLIC), NULL); if (r < 0) return r; @@ -814,12 +812,11 @@ int varlink_verify_polkit_async_full( bus = mybus; } - bool interactive = - FLAGS_SET(flags, POLKIT_ALLOW_INTERACTIVE) || - varlink_allow_interactive_authentication(link); + if (varlink_allow_interactive_authentication(link)) + flags |= POLKIT_ALLOW_INTERACTIVE; _cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL; - r = bus_message_new_polkit_auth_call_for_varlink(bus, link, action, details, interactive, &pk); + r = bus_message_new_polkit_auth_call_for_varlink(bus, link, action, details, flags, &pk); if (r < 0) return r; diff --git a/src/shared/bus-polkit.h b/src/shared/bus-polkit.h index 3ee9a41d39..64340dc338 100644 --- a/src/shared/bus-polkit.h +++ b/src/shared/bus-polkit.h @@ -12,6 +12,7 @@ typedef enum PolkitFLags { POLKIT_ALWAYS_QUERY = 1 << 1, /* Query polkit even if client is privileged */ POLKIT_DEFAULT_ALLOW = 1 << 2, /* If polkit is not around, assume "allow" rather than the usual "deny" */ POLKIT_DONT_REPLY = 1 << 3, /* Varlink: don't immediately propagate polkit error to the Varlink client */ + _POLKIT_MASK_PUBLIC = POLKIT_ALLOW_INTERACTIVE | POLKIT_ALWAYS_QUERY, /* polkit accepts these flags verbatim */ } PolkitFlags; int bus_test_polkit(sd_bus_message *call, const char *action, const char **details, uid_t good_user, bool *_challenge, sd_bus_error *e); |