summaryrefslogtreecommitdiff
path: root/src/machine/image-dbus.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2015-02-18 11:41:28 +0100
committerLennart Poettering <lennart@poettering.net>2015-02-18 11:43:18 +0100
commit70244d1d25eb80b57e160ea004d0e6bf793d4caf (patch)
tree426754a172acd4d9fadf46e120afc9e26e653e08 /src/machine/image-dbus.c
parentc0765ddb74f20046c406a3ac99f34719d767f151 (diff)
machined: open up most of machined's commands to unprivileged clients via PolicyKit
Diffstat (limited to 'src/machine/image-dbus.c')
-rw-r--r--src/machine/image-dbus.c62
1 files changed, 58 insertions, 4 deletions
diff --git a/src/machine/image-dbus.c b/src/machine/image-dbus.c
index f5c7d4d880..0d4ebde92b 100644
--- a/src/machine/image-dbus.c
+++ b/src/machine/image-dbus.c
@@ -35,12 +35,25 @@ int bus_image_method_remove(
sd_bus_error *error) {
Image *image = userdata;
+ Manager *m = image->userdata;
int r;
assert(bus);
assert(message);
assert(image);
+ r = bus_verify_polkit_async(
+ message,
+ CAP_SYS_ADMIN,
+ "org.freedesktop.machine1.manage-images",
+ false,
+ &m->polkit_registry,
+ error);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ return 1; /* Will call us back */
+
r = image_remove(image);
if (r < 0)
return r;
@@ -55,6 +68,7 @@ int bus_image_method_rename(
sd_bus_error *error) {
Image *image = userdata;
+ Manager *m = image->userdata;
const char *new_name;
int r;
@@ -69,6 +83,18 @@ int bus_image_method_rename(
if (!image_name_is_valid(new_name))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Image name '%s' is invalid.", new_name);
+ r = bus_verify_polkit_async(
+ message,
+ CAP_SYS_ADMIN,
+ "org.freedesktop.machine1.manage-images",
+ false,
+ &m->polkit_registry,
+ error);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ return 1; /* Will call us back */
+
r = image_rename(image, new_name);
if (r < 0)
return r;
@@ -83,6 +109,7 @@ int bus_image_method_clone(
sd_bus_error *error) {
Image *image = userdata;
+ Manager *m = image->userdata;
const char *new_name;
int r, read_only;
@@ -97,6 +124,18 @@ int bus_image_method_clone(
if (!image_name_is_valid(new_name))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Image name '%s' is invalid.", new_name);
+ r = bus_verify_polkit_async(
+ message,
+ CAP_SYS_ADMIN,
+ "org.freedesktop.machine1.manage-images",
+ false,
+ &m->polkit_registry,
+ error);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ return 1; /* Will call us back */
+
r = image_clone(image, new_name, read_only);
if (r < 0)
return r;
@@ -111,6 +150,7 @@ int bus_image_method_mark_read_only(
sd_bus_error *error) {
Image *image = userdata;
+ Manager *m = image->userdata;
int r, read_only;
assert(bus);
@@ -120,6 +160,18 @@ int bus_image_method_mark_read_only(
if (r < 0)
return r;
+ r = bus_verify_polkit_async(
+ message,
+ CAP_SYS_ADMIN,
+ "org.freedesktop.machine1.manage-images",
+ false,
+ &m->polkit_registry,
+ error);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ return 1; /* Will call us back */
+
r = image_read_only(image, read_only);
if (r < 0)
return r;
@@ -139,10 +191,10 @@ const sd_bus_vtable image_vtable[] = {
SD_BUS_PROPERTY("Limit", "t", NULL, offsetof(Image, limit), 0),
SD_BUS_PROPERTY("UsageExclusive", "t", NULL, offsetof(Image, usage_exclusive), 0),
SD_BUS_PROPERTY("LimitExclusive", "t", NULL, offsetof(Image, limit_exclusive), 0),
- SD_BUS_METHOD("Remove", NULL, NULL, bus_image_method_remove, 0),
- SD_BUS_METHOD("Rename", "s", NULL, bus_image_method_rename, 0),
- SD_BUS_METHOD("Clone", "sb", NULL, bus_image_method_clone, 0),
- SD_BUS_METHOD("MarkReadOnly", "b", NULL, bus_image_method_mark_read_only, 0),
+ SD_BUS_METHOD("Remove", NULL, NULL, bus_image_method_remove, SD_BUS_VTABLE_UNPRIVILEGED),
+ SD_BUS_METHOD("Rename", "s", NULL, bus_image_method_rename, SD_BUS_VTABLE_UNPRIVILEGED),
+ SD_BUS_METHOD("Clone", "sb", NULL, bus_image_method_clone, SD_BUS_VTABLE_UNPRIVILEGED),
+ SD_BUS_METHOD("MarkReadOnly", "b", NULL, bus_image_method_mark_read_only, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_VTABLE_END
};
@@ -207,6 +259,8 @@ int image_object_find(sd_bus *bus, const char *path, const char *interface, void
if (r <= 0)
return r;
+ image->userdata = m;
+
r = hashmap_put(m->image_cache, image->name, image);
if (r < 0) {
image_unref(image);