diff options
author | Lennart Poettering <lennart@poettering.net> | 2015-04-06 20:25:56 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2015-04-07 15:42:25 +0200 |
commit | ceb242292630b4633aa707b565585a1e8bcbfeb8 (patch) | |
tree | b46791f8fb0f05668140c3a16bd3f8e450b9bb4c | |
parent | 527b7a421ff3927d4f3f170b1b143452e88ae1dc (diff) |
polkit: rename bus_verify_polkit() to bus_test_polkit() and make it strictly non-interactive
Interactive authorization should only happen asynchronously, hence
disallow it in synchronous bus_verify_polkit(), and rename it to
bus_test_polkit(). This way even if the bus message header asks for
interactive authorization, we'll ask for non-interactive authorization
which is actually the desired behaviour if CanSuspend, CanHibernate and
friends, which call this function.
-rw-r--r-- | src/libsystemd/sd-bus/bus-util.c | 15 | ||||
-rw-r--r-- | src/libsystemd/sd-bus/bus-util.h | 2 | ||||
-rw-r--r-- | src/login/logind-dbus.c | 6 |
3 files changed, 9 insertions, 14 deletions
diff --git a/src/libsystemd/sd-bus/bus-util.c b/src/libsystemd/sd-bus/bus-util.c index dcad701980..6498769260 100644 --- a/src/libsystemd/sd-bus/bus-util.c +++ b/src/libsystemd/sd-bus/bus-util.c @@ -211,11 +211,10 @@ static int check_good_user(sd_bus_message *m, uid_t good_user) { return sender_uid == good_user; } -int bus_verify_polkit( +int bus_test_polkit( sd_bus_message *call, int capability, const char *action, - bool interactive, uid_t good_user, bool *_challenge, sd_bus_error *e) { @@ -225,6 +224,8 @@ int bus_verify_polkit( assert(call); assert(action); + /* Tests non-interactively! */ + r = check_good_user(call, good_user); if (r != 0) return r; @@ -237,19 +238,13 @@ int bus_verify_polkit( #ifdef ENABLE_POLKIT else { _cleanup_bus_message_unref_ sd_bus_message *reply = NULL; - int authorized = false, challenge = false, c; + int authorized = false, challenge = false; const char *sender; sender = sd_bus_message_get_sender(call); if (!sender) return -EBADMSG; - c = sd_bus_message_get_allow_interactive_authorization(call); - if (c < 0) - return c; - if (c > 0) - interactive = true; - r = sd_bus_call_method( call->bus, "org.freedesktop.PolicyKit1", @@ -262,7 +257,7 @@ int bus_verify_polkit( "system-bus-name", 1, "name", "s", sender, action, 0, - !!interactive, + 0, ""); if (r < 0) { diff --git a/src/libsystemd/sd-bus/bus-util.h b/src/libsystemd/sd-bus/bus-util.h index 9f048711de..cc16a9d694 100644 --- a/src/libsystemd/sd-bus/bus-util.h +++ b/src/libsystemd/sd-bus/bus-util.h @@ -69,7 +69,7 @@ int bus_name_has_owner(sd_bus *c, const char *name, sd_bus_error *error); int bus_check_peercred(sd_bus *c); -int bus_verify_polkit(sd_bus_message *call, int capability, const char *action, bool interactive, uid_t good_user, bool *_challenge, sd_bus_error *e); +int bus_test_polkit(sd_bus_message *call, int capability, const char *action, uid_t good_user, bool *_challenge, sd_bus_error *e); int bus_verify_polkit_async(sd_bus_message *call, int capability, const char *action, bool interactive, uid_t good_user, Hashmap **registry, sd_bus_error *error); void bus_verify_polkit_async_registry_free(Hashmap *registry); diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c index a3d49efbdd..1571dd0a8a 100644 --- a/src/login/logind-dbus.c +++ b/src/login/logind-dbus.c @@ -1741,7 +1741,7 @@ static int method_can_shutdown_or_sleep( blocked = manager_is_inhibited(m, w, INHIBIT_BLOCK, NULL, false, true, uid, NULL); if (multiple_sessions) { - r = bus_verify_polkit(message, CAP_SYS_BOOT, action_multiple_sessions, false, UID_INVALID, &challenge, error); + r = bus_test_polkit(message, CAP_SYS_BOOT, action_multiple_sessions, UID_INVALID, &challenge, error); if (r < 0) return r; @@ -1754,7 +1754,7 @@ static int method_can_shutdown_or_sleep( } if (blocked) { - r = bus_verify_polkit(message, CAP_SYS_BOOT, action_ignore_inhibit, false, UID_INVALID, &challenge, error); + r = bus_test_polkit(message, CAP_SYS_BOOT, action_ignore_inhibit, UID_INVALID, &challenge, error); if (r < 0) return r; @@ -1770,7 +1770,7 @@ static int method_can_shutdown_or_sleep( /* If neither inhibit nor multiple sessions * apply then just check the normal policy */ - r = bus_verify_polkit(message, CAP_SYS_BOOT, action, false, UID_INVALID, &challenge, error); + r = bus_test_polkit(message, CAP_SYS_BOOT, action, UID_INVALID, &challenge, error); if (r < 0) return r; |