diff options
| -rw-r--r-- | CODING_STYLE | 28 | ||||
| -rw-r--r-- | NEWS | 241 | ||||
| -rw-r--r-- | README | 4 | ||||
| -rw-r--r-- | configure.ac | 1 | ||||
| -rw-r--r-- | po/POTFILES.in | 1 | ||||
| -rw-r--r-- | po/pl.po | 38 | ||||
| -rw-r--r-- | src/analyze/analyze.c | 49 | ||||
| -rw-r--r-- | src/basic/util.h | 1 | ||||
| -rw-r--r-- | src/core/dbus-unit.c | 70 | ||||
| -rw-r--r-- | src/core/dbus.c | 13 | ||||
| -rw-r--r-- | src/core/dbus.h | 1 | ||||
| -rw-r--r-- | src/hostname/hostnamed.c | 3 | ||||
| -rw-r--r-- | src/import/importd.c | 6 | ||||
| -rw-r--r-- | src/libsystemd/sd-bus/bus-objects.c | 22 | ||||
| -rw-r--r-- | src/libsystemd/sd-bus/sd-bus.c | 10 | ||||
| -rw-r--r-- | src/libsystemd/sd-event/sd-event.c | 2 | ||||
| -rw-r--r-- | src/locale/localed.c | 3 | ||||
| -rw-r--r-- | src/login/logind-dbus.c | 20 | ||||
| -rw-r--r-- | src/login/logind-seat-dbus.c | 1 | ||||
| -rw-r--r-- | src/login/logind-session-dbus.c | 3 | ||||
| -rw-r--r-- | src/login/logind-user-dbus.c | 2 | ||||
| -rw-r--r-- | src/machine/image-dbus.c | 5 | ||||
| -rw-r--r-- | src/machine/machine-dbus.c | 7 | ||||
| -rw-r--r-- | src/machine/machined-dbus.c | 1 | ||||
| -rw-r--r-- | src/shared/bus-util.c | 72 | ||||
| -rw-r--r-- | src/shared/bus-util.h | 4 | ||||
| -rw-r--r-- | src/timedate/timedated.c | 4 |
27 files changed, 468 insertions, 144 deletions
diff --git a/CODING_STYLE b/CODING_STYLE index a96ddd3598..f13f9becbc 100644 --- a/CODING_STYLE +++ b/CODING_STYLE @@ -295,25 +295,15 @@ EXIT_FAILURE and EXIT_SUCCESS as defined by libc. - The order in which header files are included doesn't matter too - much. However, please try to include the headers of external - libraries first (these are all headers enclosed in <>), followed by - the headers of our own public headers (these are all headers - starting with "sd-"), internal utility libraries from src/shared/, - followed by the headers of the specific component. Or in other - words: - - #include <stdio.h> - #include "sd-daemon.h" - #include "util.h" - #include "frobnicator.h" - - Where stdio.h is a public glibc API, sd-daemon.h is a public API of - our own, util.h is a utility library header from src/shared, and - frobnicator.h is an placeholder name for any systemd component. The - benefit of following this ordering is that more local definitions - are always defined after more global ones. Thus, our local - definitions will never "leak" into the global header files, possibly - altering their effect due to #ifdeffery. + much. systemd-internal headers must not rely on an include order, so + it is safe to include them in any order possible. + However, to not clutter global includes, and to make sure internal + definitions will not affect global headers, please always include the + headers of external components first (these are all headers enclosed + in <>), followed by our own exported headers (usually everything + that's prefixed by "sd-"), and then followed by internal headers. + Furthermore, in all three groups, order all includes alphabetically + so duplicate includes can easily be detected. - To implement an endless loop, use "for (;;)" rather than "while (1)". The latter is a bit ugly anyway, since you probably really @@ -2,55 +2,106 @@ systemd System and Service Manager CHANGES WITH 226: - * The DHCP implementation of systemd-networkd gained a set of new - features: - - - Server and client now support transmission and reception of - timezone information. It can be configured via the newly introduced - network options 'DHCP.UseTimezone=', 'DHCPServer.EmitTimezone=', - and 'DHCPServer.Timezone='. - Transmission of timezone information is enabled for containers by - default now. Furthermore, if systemd-timesyncd is running, it will - be updated with the received information. - - - The DHCP server now supports emitting DNS and NTP information. It - can be enabled and configured via 'EmitDNS=', 'DNS=', 'EmitNTP=', - and 'NTP='. - If transmission of DNS and NTP information is enabled, but no - specific data-set is configured, the uplink information is used. - - - Lease timeouts can now be configured via 'MaxLeaseTimeSec=' and - 'DefaultLeaseTimeSec='. - - - The DHCP server now supports improved predictability of leases. - Clients are more likely to get the same lease information back, - even if the server loses state. - - - The DHCP server supports two new configuration options to specify - the lease pool, 'PoolOffset=' and 'PoolSize='. - - * The encapsulation limit of tunnels in systemd-networkd can now be - configured via 'EncapsulationLimit='. It allows modifying the maximum - additional levels of encapsulation that are permitted to be prepended - to a packet. - - * systemd now supports the concept of user-buses over session-buses, if - used with dbus-1.10 (and enabled via dbus --enable-user-session). - - * systemd-networkd now supports predictable interface names for virtio - devices. - - * systemd now optionally supports the unified cgroup hierarchy. If - enabled via the kernel command-line option - 'systemd.unified_cgroup_hierarchy=1', systemd will try to mount the - unified cgroup hierarchy directly on /sys/fs/cgroup. If not enabled, - or not available, systemd will fall back to legacy cgroups. - Host system and containers can mix and match legacy and unified - hierarchies as they wish. By default, nspawn will use the same - hierarchy as the host. - Please note that the unified hierarchy is an experimental kernel - feature and is likely to change in one of the next kernel releases. - Therefore, it should not be enabled by default. + * The DHCP implementation of systemd-networkd gained a set of + new features: + + - The DHCP server now supports emitting DNS and NTP + information. It may be enabled and configured via + EmitDNS=, DNS=, EmitNTP=, and NTP=. If transmission of DNS + and NTP information is enabled, but no servers are + configured, the corresponding uplink information (if there + is any) is propagated. + + - Server and client now support transmission and reception + of timezone information. It can be configured via the + newly introduced network options UseTimezone=, + EmitTimezone=, and Timezone=. Transmission of timezone + information is enabled between host and containers by + default now: the container will change its local timezone + to what the host has set. + + - Lease timeouts can now be configured via + MaxLeaseTimeSec= and DefaultLeaseTimeSec=. + + - The DHCP server improved on the stability of + leases. Clients are more likely to get the same lease + information back, even if the server loses state. + + - The DHCP server supports two new configuration options to + control the lease address pool metrics, PoolOffset= and + PoolSize=. + + * The encapsulation limit of tunnels in systemd-networkd may + now be configured via 'EncapsulationLimit='. It allows + modifying the maximum additional levels of encapsulation + that are permitted to be prepended to a packet. + + * systemd now supports the concept of user buses replacing + session buses, if used with dbus-1.10 (and enabled via dbus + --enable-user-session). It previously only supported this on + kdbus-enabled systems, and this release expands this to + 'dbus-daemon' systems. + + * systemd-networkd now supports predictable interface names + for virtio devices. + + * systemd now optionally supports the new Linux kernel + "unified" control group hierarchy. If enabled via the kernel + command-line option 'systemd.unified_cgroup_hierarchy=1', + systemd will try to mount the unified cgroup hierarchy + directly on /sys/fs/cgroup. If not enabled, or not + available, systemd will fall back to the legacy cgroup + hierarchy setup, as before. Host system and containers can + mix and match legacy and unified hierarchies as they + wish. nspawn understands the $UNIFIED_CROUP_HIERARCHY + environment variable to individually select the hierarchy to + use for executed containers. By default, nspawn will use the + unified hierarchy for the containers if the host uses the + unified hierarchy, and the legacy hierarchy otherwise. + Please note that at this point the unified hierarchy is an + experimental kernel feature and is likely to change in one + of the next kernel releases. Therefore, it should not be + enabled by default in downstream distributions yet. The + minimum required kernel version for the unified hierarchy to + work is 4.2. Note that when the unified hierarchy is used + for the first time delegated access to controllers is + safe. Because of this systemd-nspawn containers will get + access to controllers now, as will systemd user + sessions. This means containers and user sessions may now + manage their own resources, partitioning up what the system + grants them. + + * A new special scope unit "init.scope" has been introduced + that encapsulates PID 1 of the system. It may be used to + determine resource usage and enforce resource limits on PID + 1 itself. PID 1 hence moved out of the root of the control + group tree. + + * The cgtop tool gained support for filtering out kernel + threads when counting tasks in a control group. Also, the + count of processes is now recursively summed up by + default. Two options -k and --recursive= have been added to + revert to old behaviour. The tool has also been updated to + work correctly in containers now. + + * systemd-nspawn's --bind= and --bind-ro= options have been + extended to allow creation of non-recursive bind mounts. + + * libsystemd gained two new calls sd_pid_get_cgroup() an + sd_peer_get_cgroup() which returns the control group path of + a process or peer of a connected AF_UNIX socket. This + function call is particularly useful when implementing + delegated subtrees support in the control group hierarchy. + + * The "sd-event" event loop API of libsystemd now supports + correct dequeuing of real-time signals, without losing + signal events. + + * When systemd requests a PolicyKit decision when managing + units it will now add additional fields to the request, + including unit name and desired operation. This enables more + powerful PolicyKit policies, that make decisions depending + on these parameters. Contributions from: Cristian Rodríguez, Daniel Mack, David Herrmann, Eugene Yakubovich, Evgeny Vereshchagin, Filipe Brandenburger, Jan @@ -63,26 +114,74 @@ CHANGES WITH 226: CHANGES WITH 225: - * machinectl gained a new verb 'shell' which opens a fresh shell on the - target machine. It is similar to 'login', but spawns the shell - directly. The pseudo machine '.host' now refers to the local host and - is used by default. Hence, 'machinectl shell' can be used as - replacement for 'su' which spawns the session as a fresh systemd - unit. - - * systemd-networkd learned to cope with private-zone DHCP options and - allows other programs to query the values. + * machinectl gained a new verb 'shell' which opens a fresh + shell on the target container or the host. It is similar to + the existing 'login' command of machinectl, but spawns the + shell directly without prompting for username or + password. The pseudo machine '.host' now refers to the local + host and is used by default. Hence, 'machinectl shell' can + be used as replacement for 'su -' which spawns a session as + a fresh systemd unit in a way that is fully isolated from + the originating session. + + * systemd-networkd learned to cope with private-zone DHCP + options and allows other programs to query the values. + + * SELinux access control when enabling/disabling units is no + longer enforced with this release. The previous + implementation was incorrect, and a new corrected + implementation is not yet available. As unit file operations + are still protected via PolicyKit and D-Bus policy this is + not a security problem. Yet, distributions which care about + optimal SELinux support should probably not stabilize on + this release. + + * sd-bus gained support for matches of type "arg0has=", that + test for membership of strings in string arrays sent in bus + messages. - Contributions from: Alastair Hughes, Alex Crawford, Daniel Mack, David - Herrmann, Dimitri John Ledkov, Eric Kostrowski, Evgeny Vereshchagin, - Felipe Sateler, HATAYAMA Daisuke, Jan Pokorný, Jan Synacek, Johnny - Robeson, Karel Zak, Kay Sievers, Kefeng Wang, Lennart Poettering, Major - Hayden, Marcel Holtmann, Markus Elfring, Martin Mikkelsen, Martin Pitt, - Matt Turner, Maxim Mikityanskiy, Michael Biebl, Namhyung Kim, Nicolas - Cornu, Owen W. Taylor, Patrik Flykt, Peter Hutterer, reverendhomer, - Richard Maw, Ronny Chevalier, Seth Jennings, Stef Walter, Susant Sahani, - Thomas Blume, Thomas Hindoe Paaboel Andersen, Thomas Meyer, Tom - Gundersen, Vincent Batts, WaLyong Cho, Zbigniew Jędrzejewski-Szmek + * systemd-resolved now dumps the contents of its DNS and LLMNR + caches to the logs on reception of the SIGUSR1 signal. This + is useful to debug DNS behaviour. + + * The coredumpctl tool gained a new --directory= option to + operate on journal files in a specific directory. + + * "systemctl reboot" and related commands gained a new + "--message=" option which may be used to set a free-text + wall message when shutting down or rebooting the + system. This message is also logged, which is useful for + figuring out the reason for a reboot or shutdown a + posteriori. + + * The "systemd-resolve-host" tool's -i switch now takes + network interface numbers as alternative to interface names. + + * A new unit file setting for services has been introduced: + UtmpMode= allows configuration of how precisely systemd + handles utmp and wtmp entries for the service if this is + enabled. This allows writing services that appear similar to + user sessions in the output of the "w", "who", "last" and + "lastlog" tools. + + * systemd-resolved will now locally synthesize DNS resource + records for the "localhost" and "gateway" domains as well as + the local hostname. This should ensure that clients querying + RRs via resolved will get similar results as those going via + NSS, if nss-myhostname is enabled. + + Contributions from: Alastair Hughes, Alex Crawford, Daniel + Mack, David Herrmann, Dimitri John Ledkov, Eric Kostrowski, + Evgeny Vereshchagin, Felipe Sateler, HATAYAMA Daisuke, Jan + Pokorný, Jan Synacek, Johnny Robeson, Karel Zak, Kay Sievers, + Kefeng Wang, Lennart Poettering, Major Hayden, Marcel + Holtmann, Markus Elfring, Martin Mikkelsen, Martin Pitt, Matt + Turner, Maxim Mikityanskiy, Michael Biebl, Namhyung Kim, + Nicolas Cornu, Owen W. Taylor, Patrik Flykt, Peter Hutterer, + reverendhomer, Richard Maw, Ronny Chevalier, Seth Jennings, + Stef Walter, Susant Sahani, Thomas Blume, Thomas Hindoe + Paaboel Andersen, Thomas Meyer, Tom Gundersen, Vincent Batts, + WaLyong Cho, Zbigniew Jędrzejewski-Szmek -- Berlin, 2015-08-27 @@ -91,9 +190,9 @@ CHANGES WITH 224: * The systemd-efi-boot-generator functionality was merged into systemd-gpt-auto-generator. - * systemd-networkd now supports Group Policy for vxlan devices. It can - be enabled via the new boolean configuration option called - 'GroupPolicyExtension='. + * systemd-networkd now supports Group Policy for vxlan + devices. It can be enabled via the new boolean configuration + option called 'GroupPolicyExtension='. Contributions from: Andreas Kempf, Christian Hesse, Daniel Mack, David Herrmann, Herman Fries, Johannes Nixdorf, Kay Sievers, Lennart @@ -36,8 +36,8 @@ LICENSE: - except src/udev/* which is (currently still) GPLv2, GPLv2+ REQUIREMENTS: - Linux kernel >= 3.7 - Linux kernel >= 3.8 for Smack support + Linux kernel >= 3.11 + Linux kernel >= 4.2 for unified cgroup hierarchy support Kernel Config Options: CONFIG_DEVTMPFS diff --git a/configure.ac b/configure.ac index 10e42c07be..a7070916fe 100644 --- a/configure.ac +++ b/configure.ac @@ -1555,7 +1555,6 @@ AC_MSG_RESULT([ SysV init scripts: ${SYSTEM_SYSVINIT_PATH} SysV rc?.d directories: ${SYSTEM_SYSVRCND_PATH} Build Python: ${PYTHON} - sphinx binary: ${SPHINX_BUILD} PAM modules dir: ${with_pamlibdir} PAM configuration dir: ${with_pamconfdir} D-Bus policy dir: ${with_dbuspolicydir} diff --git a/po/POTFILES.in b/po/POTFILES.in index b4c1121d1c..f33c53fb4a 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -5,3 +5,4 @@ src/locale/org.freedesktop.locale1.policy.in src/login/org.freedesktop.login1.policy.in src/machine/org.freedesktop.machine1.policy.in src/timedate/org.freedesktop.timedate1.policy.in +src/core/dbus-unit.c @@ -6,8 +6,8 @@ msgid "" msgstr "" "Project-Id-Version: systemd\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2015-08-29 20:29+0200\n" -"PO-Revision-Date: 2015-08-29 20:30+0200\n" +"POT-Creation-Date: 2015-09-06 20:39+0200\n" +"PO-Revision-Date: 2015-09-06 20:40+0200\n" "Last-Translator: Piotr Drąg <piotrdrag@gmail.com>\n" "Language-Team: Polish <trans-pl@lists.fedoraproject.org>\n" "Language: pl\n" @@ -557,6 +557,40 @@ msgstr "" "Wymagane jest uwierzytelnienie, aby kontrolować, czy włączyć synchronizację " "czasu przez sieć." +#: ../src/core/dbus-unit.c:428 +msgid "Authentication is required to start '$(unit)'." +msgstr "Wymagane jest uwierzytelnienie, aby uruchomić jednostkę „$(unit)”." + +#: ../src/core/dbus-unit.c:429 +msgid "Authentication is required to stop '$(unit)'." +msgstr "Wymagane jest uwierzytelnienie, aby zatrzymać jednostkę „$(unit)”." + +#: ../src/core/dbus-unit.c:430 +msgid "Authentication is required to reload '$(unit)'." +msgstr "" +"Wymagane jest uwierzytelnienie, aby ponownie wczytać jednostkę „$(unit)”." + +#: ../src/core/dbus-unit.c:431 ../src/core/dbus-unit.c:432 +msgid "Authentication is required to restart '$(unit)'." +msgstr "" +"Wymagane jest uwierzytelnienie, aby ponownie uruchomić jednostkę „$(unit)”." + +#: ../src/core/dbus-unit.c:535 +msgid "Authentication is required to kill '$(unit)'." +msgstr "" +"Wymagane jest uwierzytelnienie, aby wymusić wyłączenie jednostki „$(unit)”." + +#: ../src/core/dbus-unit.c:565 +msgid "Authentication is required to reset the \"failed\" state of '$(unit)'." +msgstr "" +"Wymagane jest uwierzytelnienie, aby przywrócić stan „failed” (niepowodzenia) " +"jednostki „$(unit)”." + +#: ../src/core/dbus-unit.c:597 +msgid "Authentication is required to set properties on '$(unit)'." +msgstr "" +"Wymagane jest uwierzytelnienie, aby ustawić właściwości jednostki „$(unit)”." + #~ msgid "Press Ctrl+C to cancel all filesystem checks in progress" #~ msgstr "" #~ "Naciśnięcie klawiszy Ctrl+C anuluje wszystkie trwające procesy " diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c index db1e7f3f37..ab7fb53269 100644 --- a/src/analyze/analyze.c +++ b/src/analyze/analyze.c @@ -1092,12 +1092,59 @@ static int graph_one(sd_bus *bus, const UnitInfo *u, char *patterns[]) { return 0; } +static int expand_patterns(sd_bus *bus, char **patterns, char ***ret) { + _cleanup_strv_free_ char **expanded_patterns = NULL; + char **pattern; + int r; + + STRV_FOREACH(pattern, patterns) { + _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL; + _cleanup_free_ char *unit = NULL, *unit_id = NULL; + + if (strv_extend(&expanded_patterns, *pattern) < 0) + return log_oom(); + + if (string_is_glob(*pattern)) + continue; + + unit = unit_dbus_path_from_name(*pattern); + if (!unit) + return log_oom(); + + r = sd_bus_get_property_string( + bus, + "org.freedesktop.systemd1", + unit, + "org.freedesktop.systemd1.Unit", + "Id", + &error, + &unit_id); + if (r < 0) + return log_error_errno(r, "Failed to get ID: %s", bus_error_message(&error, r)); + + if (!streq(*pattern, unit_id)) { + if (strv_extend(&expanded_patterns, unit_id) < 0) + return log_oom(); + } + } + + *ret = expanded_patterns; + expanded_patterns = NULL; /* do not free */ + + return 0; +} + static int dot(sd_bus *bus, char* patterns[]) { _cleanup_bus_message_unref_ sd_bus_message *reply = NULL; _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL; + _cleanup_strv_free_ char **expanded_patterns = NULL; int r; UnitInfo u; + r = expand_patterns(bus, patterns, &expanded_patterns); + if (r < 0) + return r; + r = sd_bus_call_method( bus, "org.freedesktop.systemd1", @@ -1120,7 +1167,7 @@ static int dot(sd_bus *bus, char* patterns[]) { while ((r = bus_parse_unit_info(reply, &u)) > 0) { - r = graph_one(bus, &u, patterns); + r = graph_one(bus, &u, expanded_patterns); if (r < 0) return r; } diff --git a/src/basic/util.h b/src/basic/util.h index f8e32360f0..0fafebd52d 100644 --- a/src/basic/util.h +++ b/src/basic/util.h @@ -567,6 +567,7 @@ void *xbsearch_r(const void *key, const void *base, size_t nmemb, size_t size, void *arg); #define _(String) gettext (String) +#define N_(String) String void init_gettext(void); bool is_locale_utf8(void); diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c index 31016b6c4a..f9275ed935 100644 --- a/src/core/dbus-unit.c +++ b/src/core/dbus-unit.c @@ -391,6 +391,29 @@ static int property_get_load_error( return sd_bus_message_append(reply, "(ss)", e.name, e.message); } +static int bus_verify_manage_units_async_full( + Unit *u, + const char *verb, + int capability, + const char *polkit_message, + sd_bus_message *call, + sd_bus_error *error) { + + const char *details[9] = { + "unit", u->id, + "verb", verb, + }; + + if (polkit_message) { + details[4] = "polkit.message"; + details[5] = polkit_message; + details[6] = "polkit.gettext_domain"; + details[7] = GETTEXT_PACKAGE; + } + + return bus_verify_polkit_async(call, capability, "org.freedesktop.systemd1.manage-units", details, false, UID_INVALID, &u->manager->polkit_registry, error); +} + int bus_unit_method_start_generic( sd_bus_message *message, Unit *u, @@ -400,6 +423,14 @@ int bus_unit_method_start_generic( const char *smode; JobMode mode; + _cleanup_free_ char *verb = NULL; + static const char *const polkit_message_for_job[_JOB_TYPE_MAX] = { + [JOB_START] = N_("Authentication is required to start '$(unit)'."), + [JOB_STOP] = N_("Authentication is required to stop '$(unit)'."), + [JOB_RELOAD] = N_("Authentication is required to reload '$(unit)'."), + [JOB_RESTART] = N_("Authentication is required to restart '$(unit)'."), + [JOB_TRY_RESTART] = N_("Authentication is required to restart '$(unit)'."), + }; int r; assert(message); @@ -418,7 +449,20 @@ int bus_unit_method_start_generic( if (mode < 0) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Job mode %s invalid", smode); - r = bus_verify_manage_units_async(u->manager, message, error); + if (reload_if_possible) + verb = strjoin("reload-or-", job_type_to_string(job_type), NULL); + else + verb = strdup(job_type_to_string(job_type)); + if (!verb) + return -ENOMEM; + + r = bus_verify_manage_units_async_full( + u, + verb, + CAP_SYS_ADMIN, + job_type < _JOB_TYPE_MAX ? polkit_message_for_job[job_type] : NULL, + message, + error); if (r < 0) return r; if (r == 0) @@ -484,7 +528,13 @@ int bus_unit_method_kill(sd_bus_message *message, void *userdata, sd_bus_error * if (signo <= 0 || signo >= _NSIG) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Signal number out of range."); - r = bus_verify_manage_units_async_for_kill(u->manager, message, error); + r = bus_verify_manage_units_async_full( + u, + "kill", + CAP_KILL, + N_("Authentication is required to kill '$(unit)'."), + message, + error); if (r < 0) return r; if (r == 0) @@ -508,7 +558,13 @@ int bus_unit_method_reset_failed(sd_bus_message *message, void *userdata, sd_bus if (r < 0) return r; - r = bus_verify_manage_units_async(u->manager, message, error); + r = bus_verify_manage_units_async_full( + u, + "reset-failed", + CAP_SYS_ADMIN, + N_("Authentication is required to reset the \"failed\" state of '$(unit)'."), + message, + error); if (r < 0) return r; if (r == 0) @@ -534,7 +590,13 @@ int bus_unit_method_set_properties(sd_bus_message *message, void *userdata, sd_b if (r < 0) return r; - r = bus_verify_manage_units_async(u->manager, message, error); + r = bus_verify_manage_units_async_full( + u, + "set-property", + CAP_SYS_ADMIN, + N_("Authentication is required to set properties on '$(unit)'."), + message, + error); if (r < 0) return r; if (r == 0) diff --git a/src/core/dbus.c b/src/core/dbus.c index 7ad16aa42b..0a2180c6a7 100644 --- a/src/core/dbus.c +++ b/src/core/dbus.c @@ -1198,22 +1198,17 @@ int bus_track_coldplug(Manager *m, sd_bus_track **t, char ***l) { } int bus_verify_manage_units_async(Manager *m, sd_bus_message *call, sd_bus_error *error) { - return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.manage-units", false, UID_INVALID, &m->polkit_registry, error); -} - -/* Same as bus_verify_manage_unit_async(), but checks for CAP_KILL instead of CAP_SYS_ADMIN */ -int bus_verify_manage_units_async_for_kill(Manager *m, sd_bus_message *call, sd_bus_error *error) { - return bus_verify_polkit_async(call, CAP_KILL, "org.freedesktop.systemd1.manage-units", false, UID_INVALID, &m->polkit_registry, error); + return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.manage-units", NULL, false, UID_INVALID, &m->polkit_registry, error); } int bus_verify_manage_unit_files_async(Manager *m, sd_bus_message *call, sd_bus_error *error) { - return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.manage-unit-files", false, UID_INVALID, &m->polkit_registry, error); + return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.manage-unit-files", NULL, false, UID_INVALID, &m->polkit_registry, error); } int bus_verify_reload_daemon_async(Manager *m, sd_bus_message *call, sd_bus_error *error) { - return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.reload-daemon", false, UID_INVALID, &m->polkit_registry, error); + return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.reload-daemon", NULL, false, UID_INVALID, &m->polkit_registry, error); } int bus_verify_set_environment_async(Manager *m, sd_bus_message *call, sd_bus_error *error) { - return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.set-environment", false, UID_INVALID, &m->polkit_registry, error); + return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.set-environment", NULL, false, UID_INVALID, &m->polkit_registry, error); } diff --git a/src/core/dbus.h b/src/core/dbus.h index 4832722069..4f06ad11c4 100644 --- a/src/core/dbus.h +++ b/src/core/dbus.h @@ -37,7 +37,6 @@ int bus_track_coldplug(Manager *m, sd_bus_track **t, char ***l); int bus_foreach_bus(Manager *m, sd_bus_track *subscribed2, int (*send_message)(sd_bus *bus, void *userdata), void *userdata); int bus_verify_manage_units_async(Manager *m, sd_bus_message *call, sd_bus_error *error); -int bus_verify_manage_units_async_for_kill(Manager *m, sd_bus_message *call, sd_bus_error *error); int bus_verify_manage_unit_files_async(Manager *m, sd_bus_message *call, sd_bus_error *error); int bus_verify_reload_daemon_async(Manager *m, sd_bus_message *call, sd_bus_error *error); int bus_verify_set_environment_async(Manager *m, sd_bus_message *call, sd_bus_error *error); diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c index a78516c8b5..c423be3767 100644 --- a/src/hostname/hostnamed.c +++ b/src/hostname/hostnamed.c @@ -434,6 +434,7 @@ static int method_set_hostname(sd_bus_message *m, void *userdata, sd_bus_error * m, CAP_SYS_ADMIN, "org.freedesktop.hostname1.set-hostname", + NULL, interactive, UID_INVALID, &c->polkit_registry, @@ -486,6 +487,7 @@ static int method_set_static_hostname(sd_bus_message *m, void *userdata, sd_bus_ m, CAP_SYS_ADMIN, "org.freedesktop.hostname1.set-static-hostname", + NULL, interactive, UID_INVALID, &c->polkit_registry, @@ -557,6 +559,7 @@ static int set_machine_info(Context *c, sd_bus_message *m, int prop, sd_bus_mess m, CAP_SYS_ADMIN, prop == PROP_PRETTY_HOSTNAME ? "org.freedesktop.hostname1.set-static-hostname" : "org.freedesktop.hostname1.set-machine-info", + NULL, interactive, UID_INVALID, &c->polkit_registry, diff --git a/src/import/importd.c b/src/import/importd.c index 8b508eaeec..ffff94ee72 100644 --- a/src/import/importd.c +++ b/src/import/importd.c @@ -735,6 +735,7 @@ static int method_import_tar_or_raw(sd_bus_message *msg, void *userdata, sd_bus_ msg, CAP_SYS_ADMIN, "org.freedesktop.import1.import", + NULL, false, UID_INVALID, &m->polkit_registry, @@ -799,6 +800,7 @@ static int method_export_tar_or_raw(sd_bus_message *msg, void *userdata, sd_bus_ msg, CAP_SYS_ADMIN, "org.freedesktop.import1.export", + NULL, false, UID_INVALID, &m->polkit_registry, @@ -864,6 +866,7 @@ static int method_pull_tar_or_raw(sd_bus_message *msg, void *userdata, sd_bus_er msg, CAP_SYS_ADMIN, "org.freedesktop.import1.pull", + NULL, false, UID_INVALID, &m->polkit_registry, @@ -945,6 +948,7 @@ static int method_pull_dkr(sd_bus_message *msg, void *userdata, sd_bus_error *er msg, CAP_SYS_ADMIN, "org.freedesktop.import1.pull", + NULL, false, UID_INVALID, &m->polkit_registry, @@ -1079,6 +1083,7 @@ static int method_cancel(sd_bus_message *msg, void *userdata, sd_bus_error *erro msg, CAP_SYS_ADMIN, "org.freedesktop.import1.pull", + NULL, false, UID_INVALID, &t->manager->polkit_registry, @@ -1108,6 +1113,7 @@ static int method_cancel_transfer(sd_bus_message *msg, void *userdata, sd_bus_er msg, CAP_SYS_ADMIN, "org.freedesktop.import1.pull", + NULL, false, UID_INVALID, &m->polkit_registry, diff --git a/src/libsystemd/sd-bus/bus-objects.c b/src/libsystemd/sd-bus/bus-objects.c index 0593aa658a..1d061cb9cf 100644 --- a/src/libsystemd/sd-bus/bus-objects.c +++ b/src/libsystemd/sd-bus/bus-objects.c @@ -169,11 +169,18 @@ static int add_enumerated_to_set( return 0; } +enum { + /* if set, add_subtree() works recursively */ + CHILDREN_RECURSIVE = (1U << 1), + /* if set, add_subtree() scans object-manager hierarchies recursively */ + CHILDREN_SUBHIERARCHIES = (1U << 0), +}; + static int add_subtree_to_set( sd_bus *bus, const char *prefix, struct node *n, - bool skip_subhierarchies, + unsigned int flags, Set *s, sd_bus_error *error) { @@ -205,8 +212,9 @@ static int add_subtree_to_set( if (r < 0 && r != -EEXIST) return r; - if (!skip_subhierarchies || !i->object_managers) { - r = add_subtree_to_set(bus, prefix, i, skip_subhierarchies, s, error); + if ((flags & CHILDREN_RECURSIVE) && + ((flags & CHILDREN_SUBHIERARCHIES) || !i->object_managers)) { + r = add_subtree_to_set(bus, prefix, i, flags, s, error); if (r < 0) return r; if (bus->nodes_modified) @@ -221,7 +229,7 @@ static int get_child_nodes( sd_bus *bus, const char *prefix, struct node *n, - bool skip_subhierarchies, + unsigned int flags, Set **_s, sd_bus_error *error) { @@ -237,7 +245,7 @@ static int get_child_nodes( if (!s) return -ENOMEM; - r = add_subtree_to_set(bus, prefix, n, skip_subhierarchies, s, error); + r = add_subtree_to_set(bus, prefix, n, flags, s, error); if (r < 0) { set_free_free(s); return r; @@ -907,7 +915,7 @@ static int process_introspect( assert(n); assert(found_object); - r = get_child_nodes(bus, m->path, n, false, &s, &error); + r = get_child_nodes(bus, m->path, n, 0, &s, &error); if (r < 0) return bus_maybe_reply_error(m, r, &error); if (bus->nodes_modified) @@ -1173,7 +1181,7 @@ static int process_get_managed_objects( if (require_fallback || !n->object_managers) return 0; - r = get_child_nodes(bus, m->path, n, true, &s, &error); + r = get_child_nodes(bus, m->path, n, CHILDREN_RECURSIVE, &s, &error); if (r < 0) return r; if (bus->nodes_modified) diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c index 4ed508427e..4a9181613a 100644 --- a/src/libsystemd/sd-bus/sd-bus.c +++ b/src/libsystemd/sd-bus/sd-bus.c @@ -1241,6 +1241,8 @@ fail: int bus_set_address_user(sd_bus *b) { const char *e; + uid_t uid; + int r; assert(b); @@ -1248,6 +1250,10 @@ int bus_set_address_user(sd_bus *b) { if (e) return sd_bus_set_address(b, e); + r = cg_pid_get_owner_uid(0, &uid); + if (r < 0) + uid = getuid(); + e = secure_getenv("XDG_RUNTIME_DIR"); if (e) { _cleanup_free_ char *ee = NULL; @@ -1256,9 +1262,9 @@ int bus_set_address_user(sd_bus *b) { if (!ee) return -ENOMEM; - (void) asprintf(&b->address, KERNEL_USER_BUS_ADDRESS_FMT ";" UNIX_USER_BUS_ADDRESS_FMT, getuid(), ee); + (void) asprintf(&b->address, KERNEL_USER_BUS_ADDRESS_FMT ";" UNIX_USER_BUS_ADDRESS_FMT, uid, ee); } else - (void) asprintf(&b->address, KERNEL_USER_BUS_ADDRESS_FMT, getuid()); + (void) asprintf(&b->address, KERNEL_USER_BUS_ADDRESS_FMT, uid); if (!b->address) return -ENOMEM; diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c index 838ee4d454..62b63ec3d9 100644 --- a/src/libsystemd/sd-event/sd-event.c +++ b/src/libsystemd/sd-event/sd-event.c @@ -1708,7 +1708,7 @@ _public_ int sd_event_source_set_enabled(sd_event_source *s, int m) { s->enabled = m; - r = event_make_signal_data(s->event, s->signal.sig, SIGCHLD); + r = event_make_signal_data(s->event, s->signal.sig, NULL); if (r < 0) { s->enabled = SD_EVENT_OFF; s->event->n_enabled_child_sources--; diff --git a/src/locale/localed.c b/src/locale/localed.c index 4fa84df8c0..e304588c58 100644 --- a/src/locale/localed.c +++ b/src/locale/localed.c @@ -960,6 +960,7 @@ static int method_set_locale(sd_bus_message *m, void *userdata, sd_bus_error *er m, CAP_SYS_ADMIN, "org.freedesktop.locale1.set-locale", + NULL, interactive, UID_INVALID, &c->polkit_registry, @@ -1049,6 +1050,7 @@ static int method_set_vc_keyboard(sd_bus_message *m, void *userdata, sd_bus_erro m, CAP_SYS_ADMIN, "org.freedesktop.locale1.set-keyboard", + NULL, interactive, UID_INVALID, &c->polkit_registry, @@ -1180,6 +1182,7 @@ static int method_set_x11_keyboard(sd_bus_message *m, void *userdata, sd_bus_err m, CAP_SYS_ADMIN, "org.freedesktop.locale1.set-keyboard", + NULL, interactive, UID_INVALID, &c->polkit_registry, diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c index d2296f5311..b6fa50aa52 100644 --- a/src/login/logind-dbus.c +++ b/src/login/logind-dbus.c @@ -942,6 +942,7 @@ static int method_lock_sessions(sd_bus_message *message, void *userdata, sd_bus_ message, CAP_SYS_ADMIN, "org.freedesktop.login1.lock-sessions", + NULL, false, UID_INVALID, &m->polkit_registry, @@ -1096,6 +1097,7 @@ static int method_set_user_linger(sd_bus_message *message, void *userdata, sd_bu message, CAP_SYS_ADMIN, "org.freedesktop.login1.set-user-linger", + NULL, interactive, UID_INVALID, &m->polkit_registry, @@ -1268,6 +1270,7 @@ static int method_attach_device(sd_bus_message *message, void *userdata, sd_bus_ message, CAP_SYS_ADMIN, "org.freedesktop.login1.attach-device", + NULL, interactive, UID_INVALID, &m->polkit_registry, @@ -1299,6 +1302,7 @@ static int method_flush_devices(sd_bus_message *message, void *userdata, sd_bus_ message, CAP_SYS_ADMIN, "org.freedesktop.login1.flush-devices", + NULL, interactive, UID_INVALID, &m->polkit_registry, @@ -1649,7 +1653,7 @@ static int verify_shutdown_creds( blocked = manager_is_inhibited(m, w, INHIBIT_BLOCK, NULL, false, true, uid, NULL); if (multiple_sessions && action_multiple_sessions) { - r = bus_verify_polkit_async(message, CAP_SYS_BOOT, action_multiple_sessions, interactive, UID_INVALID, &m->polkit_registry, error); + r = bus_verify_polkit_async(message, CAP_SYS_BOOT, action_multiple_sessions, NULL, interactive, UID_INVALID, &m->polkit_registry, error); if (r < 0) return r; if (r == 0) @@ -1657,7 +1661,7 @@ static int verify_shutdown_creds( } if (blocked && action_ignore_inhibit) { - r = bus_verify_polkit_async(message, CAP_SYS_BOOT, action_ignore_inhibit, interactive, UID_INVALID, &m->polkit_registry, error); + r = bus_verify_polkit_async(message, CAP_SYS_BOOT, action_ignore_inhibit, NULL, interactive, UID_INVALID, &m->polkit_registry, error); if (r < 0) return r; if (r == 0) @@ -1665,7 +1669,7 @@ static int verify_shutdown_creds( } if (!multiple_sessions && !blocked && action) { - r = bus_verify_polkit_async(message, CAP_SYS_BOOT, action, interactive, UID_INVALID, &m->polkit_registry, error); + r = bus_verify_polkit_async(message, CAP_SYS_BOOT, action, NULL, interactive, UID_INVALID, &m->polkit_registry, error); if (r < 0) return r; if (r == 0) @@ -2087,7 +2091,7 @@ static int method_can_shutdown_or_sleep( blocked = manager_is_inhibited(m, w, INHIBIT_BLOCK, NULL, false, true, uid, NULL); if (multiple_sessions) { - r = bus_test_polkit(message, CAP_SYS_BOOT, action_multiple_sessions, UID_INVALID, &challenge, error); + r = bus_test_polkit(message, CAP_SYS_BOOT, action_multiple_sessions, NULL, UID_INVALID, &challenge, error); if (r < 0) return r; @@ -2100,7 +2104,7 @@ static int method_can_shutdown_or_sleep( } if (blocked) { - r = bus_test_polkit(message, CAP_SYS_BOOT, action_ignore_inhibit, UID_INVALID, &challenge, error); + r = bus_test_polkit(message, CAP_SYS_BOOT, action_ignore_inhibit, NULL, UID_INVALID, &challenge, error); if (r < 0) return r; @@ -2116,7 +2120,7 @@ static int method_can_shutdown_or_sleep( /* If neither inhibit nor multiple sessions * apply then just check the normal policy */ - r = bus_test_polkit(message, CAP_SYS_BOOT, action, UID_INVALID, &challenge, error); + r = bus_test_polkit(message, CAP_SYS_BOOT, action, NULL, UID_INVALID, &challenge, error); if (r < 0) return r; @@ -2235,6 +2239,7 @@ static int method_set_reboot_to_firmware_setup( r = bus_verify_polkit_async(message, CAP_SYS_ADMIN, "org.freedesktop.login1.set-reboot-to-firmware-setup", + NULL, false, UID_INVALID, &m->polkit_registry, @@ -2273,6 +2278,7 @@ static int method_can_reboot_to_firmware_setup( r = bus_test_polkit(message, CAP_SYS_ADMIN, "org.freedesktop.login1.set-reboot-to-firmware-setup", + NULL, UID_INVALID, &challenge, error); @@ -2309,6 +2315,7 @@ static int method_set_wall_message( r = bus_verify_polkit_async(message, CAP_SYS_ADMIN, "org.freedesktop.login1.set-wall-message", + NULL, false, UID_INVALID, &m->polkit_registry, @@ -2380,6 +2387,7 @@ static int method_inhibit(sd_bus_message *message, void *userdata, sd_bus_error w == INHIBIT_HANDLE_SUSPEND_KEY ? "org.freedesktop.login1.inhibit-handle-suspend-key" : w == INHIBIT_HANDLE_HIBERNATE_KEY ? "org.freedesktop.login1.inhibit-handle-hibernate-key" : "org.freedesktop.login1.inhibit-handle-lid-switch", + NULL, false, UID_INVALID, &m->polkit_registry, diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c index ce67ffde37..346e1d2cec 100644 --- a/src/login/logind-seat-dbus.c +++ b/src/login/logind-seat-dbus.c @@ -204,6 +204,7 @@ int bus_seat_method_terminate(sd_bus_message *message, void *userdata, sd_bus_er message, CAP_KILL, "org.freedesktop.login1.manage", + NULL, false, UID_INVALID, &s->manager->polkit_registry, diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c index 563153e2d9..e6b4ccd7c6 100644 --- a/src/login/logind-session-dbus.c +++ b/src/login/logind-session-dbus.c @@ -191,6 +191,7 @@ int bus_session_method_terminate(sd_bus_message *message, void *userdata, sd_bus message, CAP_KILL, "org.freedesktop.login1.manage", + NULL, false, s->user->uid, &s->manager->polkit_registry, @@ -232,6 +233,7 @@ int bus_session_method_lock(sd_bus_message *message, void *userdata, sd_bus_erro message, CAP_SYS_ADMIN, "org.freedesktop.login1.lock-sessions", + NULL, false, s->user->uid, &s->manager->polkit_registry, @@ -306,6 +308,7 @@ int bus_session_method_kill(sd_bus_message *message, void *userdata, sd_bus_erro message, CAP_KILL, "org.freedesktop.login1.manage", + NULL, false, s->user->uid, &s->manager->polkit_registry, diff --git a/src/login/logind-user-dbus.c b/src/login/logind-user-dbus.c index 36c0e8626d..20ea2fbdc4 100644 --- a/src/login/logind-user-dbus.c +++ b/src/login/logind-user-dbus.c @@ -179,6 +179,7 @@ int bus_user_method_terminate(sd_bus_message *message, void *userdata, sd_bus_er message, CAP_KILL, "org.freedesktop.login1.manage", + NULL, false, u->uid, &u->manager->polkit_registry, @@ -207,6 +208,7 @@ int bus_user_method_kill(sd_bus_message *message, void *userdata, sd_bus_error * message, CAP_KILL, "org.freedesktop.login1.manage", + NULL, false, u->uid, &u->manager->polkit_registry, diff --git a/src/machine/image-dbus.c b/src/machine/image-dbus.c index 95d7bca4bf..2453a9ff04 100644 --- a/src/machine/image-dbus.c +++ b/src/machine/image-dbus.c @@ -43,6 +43,7 @@ int bus_image_method_remove( message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-images", + NULL, false, UID_INVALID, &m->polkit_registry, @@ -83,6 +84,7 @@ int bus_image_method_rename( message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-images", + NULL, false, UID_INVALID, &m->polkit_registry, @@ -123,6 +125,7 @@ int bus_image_method_clone( message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-images", + NULL, false, UID_INVALID, &m->polkit_registry, @@ -158,6 +161,7 @@ int bus_image_method_mark_read_only( message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-images", + NULL, false, UID_INVALID, &m->polkit_registry, @@ -194,6 +198,7 @@ int bus_image_method_set_limit( message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-images", + NULL, false, UID_INVALID, &m->polkit_registry, diff --git a/src/machine/machine-dbus.c b/src/machine/machine-dbus.c index a63b9785af..fbeace0ed6 100644 --- a/src/machine/machine-dbus.c +++ b/src/machine/machine-dbus.c @@ -124,6 +124,7 @@ int bus_machine_method_terminate(sd_bus_message *message, void *userdata, sd_bus message, CAP_KILL, "org.freedesktop.machine1.manage-machines", + NULL, false, UID_INVALID, &m->manager->polkit_registry, @@ -169,6 +170,7 @@ int bus_machine_method_kill(sd_bus_message *message, void *userdata, sd_bus_erro message, CAP_KILL, "org.freedesktop.machine1.manage-machines", + NULL, false, UID_INVALID, &m->manager->polkit_registry, @@ -488,6 +490,7 @@ int bus_machine_method_open_pty(sd_bus_message *message, void *userdata, sd_bus_ message, CAP_SYS_ADMIN, m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-open-pty" : "org.freedesktop.machine1.open-pty", + NULL, false, UID_INVALID, &m->manager->polkit_registry, @@ -577,6 +580,7 @@ int bus_machine_method_open_login(sd_bus_message *message, void *userdata, sd_bu message, CAP_SYS_ADMIN, m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-login" : "org.freedesktop.machine1.login", + NULL, false, UID_INVALID, &m->manager->polkit_registry, @@ -675,6 +679,7 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu message, CAP_SYS_ADMIN, m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-shell" : "org.freedesktop.machine1.shell", + NULL, false, UID_INVALID, &m->manager->polkit_registry, @@ -883,6 +888,7 @@ int bus_machine_method_bind_mount(sd_bus_message *message, void *userdata, sd_bu message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-machines", + NULL, false, UID_INVALID, &m->manager->polkit_registry, @@ -1145,6 +1151,7 @@ int bus_machine_method_copy(sd_bus_message *message, void *userdata, sd_bus_erro message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-machines", + NULL, false, UID_INVALID, &m->manager->polkit_registry, diff --git a/src/machine/machined-dbus.c b/src/machine/machined-dbus.c index 0d52c693e4..eef9c5fa5f 100644 --- a/src/machine/machined-dbus.c +++ b/src/machine/machined-dbus.c @@ -810,6 +810,7 @@ static int method_set_pool_limit(sd_bus_message *message, void *userdata, sd_bus message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-machines", + NULL, false, UID_INVALID, &m->polkit_registry, diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c index 1369a61458..d9cc19700e 100644 --- a/src/shared/bus-util.c +++ b/src/shared/bus-util.c @@ -220,6 +220,7 @@ int bus_test_polkit( sd_bus_message *call, int capability, const char *action, + const char **details, uid_t good_user, bool *_challenge, sd_bus_error *e) { @@ -242,29 +243,52 @@ int bus_test_polkit( return 1; #ifdef ENABLE_POLKIT else { + _cleanup_bus_message_unref_ sd_bus_message *request = NULL; _cleanup_bus_message_unref_ sd_bus_message *reply = NULL; int authorized = false, challenge = false; - const char *sender; + const char *sender, **k, **v; sender = sd_bus_message_get_sender(call); if (!sender) return -EBADMSG; - r = sd_bus_call_method( + r = sd_bus_message_new_method_call( call->bus, + &request, "org.freedesktop.PolicyKit1", "/org/freedesktop/PolicyKit1/Authority", "org.freedesktop.PolicyKit1.Authority", - "CheckAuthorization", - e, - &reply, - "(sa{sv})sa{ss}us", + "CheckAuthorization"); + if (r < 0) + return r; + + r = sd_bus_message_append( + request, + "(sa{sv})s", "system-bus-name", 1, "name", "s", sender, - action, - 0, - 0, - ""); + action); + if (r < 0) + return r; + + r = sd_bus_message_open_container(request, 'a', "{ss}"); + if (r < 0) + return r; + STRV_FOREACH_PAIR(k, v, details) { + r = sd_bus_message_append(request, "{ss}", *k, *v); + if (r < 0) + return r; + } + + r = sd_bus_message_close_container(request); + if (r < 0) + return r; + + r = sd_bus_message_append(request, "us", 0, NULL); + if (r < 0) + return r; + + r = sd_bus_call(call->bus, request, 0, e, &reply); if (r < 0) { /* Treat no PK available as access denied */ if (sd_bus_error_has_name(e, SD_BUS_ERROR_SERVICE_UNKNOWN)) { @@ -354,6 +378,7 @@ int bus_verify_polkit_async( sd_bus_message *call, int capability, const char *action, + const char **details, bool interactive, uid_t good_user, Hashmap **registry, @@ -362,7 +387,7 @@ int bus_verify_polkit_async( #ifdef ENABLE_POLKIT _cleanup_bus_message_unref_ sd_bus_message *pk = NULL; AsyncPolkitQuery *q; - const char *sender; + const char *sender, **k, **v; sd_bus_message_handler_t callback; void *userdata; int c; @@ -460,12 +485,27 @@ int bus_verify_polkit_async( r = sd_bus_message_append( pk, - "(sa{sv})sa{ss}us", + "(sa{sv})s", "system-bus-name", 1, "name", "s", sender, - action, - 0, - !!interactive, - NULL); + action); + if (r < 0) + return r; + + r = sd_bus_message_open_container(pk, 'a', "{ss}"); + if (r < 0) + return r; + + STRV_FOREACH_PAIR(k, v, details) { + r = sd_bus_message_append(pk, "{ss}", *k, *v); + if (r < 0) + return r; + } + + r = sd_bus_message_close_container(pk); + if (r < 0) + return r; + + r = sd_bus_message_append(pk, "us", !!interactive, NULL); if (r < 0) return r; diff --git a/src/shared/bus-util.h b/src/shared/bus-util.h index 4ae216b7d9..d2b2d701ce 100644 --- a/src/shared/bus-util.h +++ b/src/shared/bus-util.h @@ -60,9 +60,9 @@ int bus_name_has_owner(sd_bus *c, const char *name, sd_bus_error *error); int bus_check_peercred(sd_bus *c); -int bus_test_polkit(sd_bus_message *call, int capability, const char *action, uid_t good_user, bool *_challenge, sd_bus_error *e); +int bus_test_polkit(sd_bus_message *call, int capability, const char *action, const char **details, uid_t good_user, bool *_challenge, sd_bus_error *e); -int bus_verify_polkit_async(sd_bus_message *call, int capability, const char *action, bool interactive, uid_t good_user, Hashmap **registry, sd_bus_error *error); +int bus_verify_polkit_async(sd_bus_message *call, int capability, const char *action, const char **details, bool interactive, uid_t good_user, Hashmap **registry, sd_bus_error *error); void bus_verify_polkit_async_registry_free(Hashmap *registry); int bus_open_system_systemd(sd_bus **_bus); diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c index 42ae70fd1d..6de9e246f6 100644 --- a/src/timedate/timedated.c +++ b/src/timedate/timedated.c @@ -361,6 +361,7 @@ static int method_set_timezone(sd_bus_message *m, void *userdata, sd_bus_error * m, CAP_SYS_TIME, "org.freedesktop.timedate1.set-timezone", + NULL, interactive, UID_INVALID, &c->polkit_registry, @@ -428,6 +429,7 @@ static int method_set_local_rtc(sd_bus_message *m, void *userdata, sd_bus_error m, CAP_SYS_TIME, "org.freedesktop.timedate1.set-local-rtc", + NULL, interactive, UID_INVALID, &c->polkit_registry, @@ -543,6 +545,7 @@ static int method_set_time(sd_bus_message *m, void *userdata, sd_bus_error *erro m, CAP_SYS_TIME, "org.freedesktop.timedate1.set-time", + NULL, interactive, UID_INVALID, &c->polkit_registry, @@ -601,6 +604,7 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error m, CAP_SYS_TIME, "org.freedesktop.timedate1.set-ntp", + NULL, interactive, UID_INVALID, &c->polkit_registry, |