summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2015-04-06 20:25:56 +0200
committerLennart Poettering <lennart@poettering.net>2015-04-07 15:42:25 +0200
commitceb242292630b4633aa707b565585a1e8bcbfeb8 (patch)
treeb46791f8fb0f05668140c3a16bd3f8e450b9bb4c
parent527b7a421ff3927d4f3f170b1b143452e88ae1dc (diff)
polkit: rename bus_verify_polkit() to bus_test_polkit() and make it strictly non-interactive
Interactive authorization should only happen asynchronously, hence disallow it in synchronous bus_verify_polkit(), and rename it to bus_test_polkit(). This way even if the bus message header asks for interactive authorization, we'll ask for non-interactive authorization which is actually the desired behaviour if CanSuspend, CanHibernate and friends, which call this function.
-rw-r--r--src/libsystemd/sd-bus/bus-util.c15
-rw-r--r--src/libsystemd/sd-bus/bus-util.h2
-rw-r--r--src/login/logind-dbus.c6
3 files changed, 9 insertions, 14 deletions
diff --git a/src/libsystemd/sd-bus/bus-util.c b/src/libsystemd/sd-bus/bus-util.c
index dcad701980..6498769260 100644
--- a/src/libsystemd/sd-bus/bus-util.c
+++ b/src/libsystemd/sd-bus/bus-util.c
@@ -211,11 +211,10 @@ static int check_good_user(sd_bus_message *m, uid_t good_user) {
return sender_uid == good_user;
}
-int bus_verify_polkit(
+int bus_test_polkit(
sd_bus_message *call,
int capability,
const char *action,
- bool interactive,
uid_t good_user,
bool *_challenge,
sd_bus_error *e) {
@@ -225,6 +224,8 @@ int bus_verify_polkit(
assert(call);
assert(action);
+ /* Tests non-interactively! */
+
r = check_good_user(call, good_user);
if (r != 0)
return r;
@@ -237,19 +238,13 @@ int bus_verify_polkit(
#ifdef ENABLE_POLKIT
else {
_cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
- int authorized = false, challenge = false, c;
+ int authorized = false, challenge = false;
const char *sender;
sender = sd_bus_message_get_sender(call);
if (!sender)
return -EBADMSG;
- c = sd_bus_message_get_allow_interactive_authorization(call);
- if (c < 0)
- return c;
- if (c > 0)
- interactive = true;
-
r = sd_bus_call_method(
call->bus,
"org.freedesktop.PolicyKit1",
@@ -262,7 +257,7 @@ int bus_verify_polkit(
"system-bus-name", 1, "name", "s", sender,
action,
0,
- !!interactive,
+ 0,
"");
if (r < 0) {
diff --git a/src/libsystemd/sd-bus/bus-util.h b/src/libsystemd/sd-bus/bus-util.h
index 9f048711de..cc16a9d694 100644
--- a/src/libsystemd/sd-bus/bus-util.h
+++ b/src/libsystemd/sd-bus/bus-util.h
@@ -69,7 +69,7 @@ int bus_name_has_owner(sd_bus *c, const char *name, sd_bus_error *error);
int bus_check_peercred(sd_bus *c);
-int bus_verify_polkit(sd_bus_message *call, int capability, const char *action, bool interactive, uid_t good_user, bool *_challenge, sd_bus_error *e);
+int bus_test_polkit(sd_bus_message *call, int capability, const char *action, uid_t good_user, bool *_challenge, sd_bus_error *e);
int bus_verify_polkit_async(sd_bus_message *call, int capability, const char *action, bool interactive, uid_t good_user, Hashmap **registry, sd_bus_error *error);
void bus_verify_polkit_async_registry_free(Hashmap *registry);
diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
index a3d49efbdd..1571dd0a8a 100644
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@@ -1741,7 +1741,7 @@ static int method_can_shutdown_or_sleep(
blocked = manager_is_inhibited(m, w, INHIBIT_BLOCK, NULL, false, true, uid, NULL);
if (multiple_sessions) {
- r = bus_verify_polkit(message, CAP_SYS_BOOT, action_multiple_sessions, false, UID_INVALID, &challenge, error);
+ r = bus_test_polkit(message, CAP_SYS_BOOT, action_multiple_sessions, UID_INVALID, &challenge, error);
if (r < 0)
return r;
@@ -1754,7 +1754,7 @@ static int method_can_shutdown_or_sleep(
}
if (blocked) {
- r = bus_verify_polkit(message, CAP_SYS_BOOT, action_ignore_inhibit, false, UID_INVALID, &challenge, error);
+ r = bus_test_polkit(message, CAP_SYS_BOOT, action_ignore_inhibit, UID_INVALID, &challenge, error);
if (r < 0)
return r;
@@ -1770,7 +1770,7 @@ static int method_can_shutdown_or_sleep(
/* If neither inhibit nor multiple sessions
* apply then just check the normal policy */
- r = bus_verify_polkit(message, CAP_SYS_BOOT, action, false, UID_INVALID, &challenge, error);
+ r = bus_test_polkit(message, CAP_SYS_BOOT, action, UID_INVALID, &challenge, error);
if (r < 0)
return r;