diff options
| author | Stef Walter <stef@thewalter.net> | 2014-08-06 11:45:36 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2014-08-18 18:08:28 +0200 |
| commit | 283868e1dcd8ea7475850d9c6e7d4722c473dd50 (patch) | |
| tree | 6334ed9b79e0c3c6242acfc050c00da4284ed7d1 /src/core/dbus-job.c | |
| parent | f38857914ab5c9cc55aac05795e1886963a5fd04 (diff) | |
core: Verify systemd1 DBus method callers via polkit
DBus methods that retrieve information can be called by anyone.
DBus methods that modify state of units are verified via polkit
action: org.freedesktop.systemd1.manage-units
DBus methods that modify state of unit files are verified via polkit
action: org.freedesktop.systemd1.manage-unit-files
DBus methods that reload the entire daemon state are verified via polkit
action: org.freedesktop.systemd1.reload-daemon
DBus methods that modify job state are callable from the clients
that started the job.
root (ie: CAP_SYS_ADMIN) can continue to perform all calls, property
access etc. There are several DBus methods that can only be
called by root.
Open up the dbus1 policy for the above methods.
(Heavily modified by Lennart, making use of the new
bus_verify_polkit_async() version that doesn't force us to always
pass the original callback around. Also, interactive auhentication must
be opt-in, not unconditional, hence I turned this off.)
Diffstat (limited to 'src/core/dbus-job.c')
| -rw-r--r-- | src/core/dbus-job.c | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/src/core/dbus-job.c b/src/core/dbus-job.c index 747f633f85..eb7257d681 100644 --- a/src/core/dbus-job.c +++ b/src/core/dbus-job.c @@ -29,6 +29,23 @@ static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_type, job_type, JobType); static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_state, job_state, JobState); +static int verify_sys_admin_or_owner_sync(sd_bus_message *message, Job *j, sd_bus_error *error) { + _cleanup_bus_creds_unref_ sd_bus_creds *creds = NULL; + int r; + + if (sd_bus_track_contains(j->clients, sd_bus_message_get_sender(message))) + return 0; /* One of the job owners is calling us */ + + r = sd_bus_query_sender_privilege(message, CAP_SYS_ADMIN); + if (r < 0) + return r; + if (r == 0) + return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Access denied to perform action"); + + /* Root has called us */ + return 0; +} + static int property_get_unit( sd_bus *bus, const char *path, @@ -60,6 +77,10 @@ int bus_job_method_cancel(sd_bus *bus, sd_bus_message *message, void *userdata, assert(message); assert(j); + r = verify_sys_admin_or_owner_sync(message, j, error); + if (r < 0) + return r; + r = selinux_unit_access_check(j->unit, message, "stop", error); if (r < 0) return r; @@ -71,7 +92,7 @@ int bus_job_method_cancel(sd_bus *bus, sd_bus_message *message, void *userdata, const sd_bus_vtable bus_job_vtable[] = { SD_BUS_VTABLE_START(0), - SD_BUS_METHOD("Cancel", NULL, NULL, bus_job_method_cancel, 0), + SD_BUS_METHOD("Cancel", NULL, NULL, bus_job_method_cancel, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_PROPERTY("Id", "u", NULL, offsetof(Job, id), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("Unit", "(so)", property_get_unit, 0, SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("JobType", "s", property_get_type, offsetof(Job, type), SD_BUS_VTABLE_PROPERTY_CONST), |