From 1d22e9068c52c1cf935bcdff70b9b9654e3c939e Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 18 Feb 2015 17:40:57 +0100 Subject: core: rework policykit hookup - Always issue selinux access check as early as possible, and PK check as late as possible. - Introduce a new policykit action for altering environment - Open most remaining bus calls to unprivileged clients via PK --- src/core/dbus.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'src/core/dbus.c')
diff --git a/src/core/dbus.c b/src/core/dbus.c
index 2f313adec7..e7cf93dc6c 100644
--- a/src/core/dbus.c
+++ b/src/core/dbus.c
@@ -1192,12 +1192,12 @@ int bus_track_coldplug(Manager *m, sd_bus_track **t, char ***l) {
 return r;
 }
 
-int bus_verify_manage_unit_async(Manager *m, sd_bus_message *call, sd_bus_error *error) {
+int bus_verify_manage_units_async(Manager *m, sd_bus_message *call, sd_bus_error *error) {
 return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.manage-units", false, UID_INVALID, &m->polkit_registry, error);
 }
 
 /* Same as bus_verify_manage_unit_async(), but checks for CAP_KILL instead of CAP_SYS_ADMIN */
-int bus_verify_manage_unit_async_for_kill(Manager *m, sd_bus_message *call, sd_bus_error *error) {
+int bus_verify_manage_units_async_for_kill(Manager *m, sd_bus_message *call, sd_bus_error *error) {
 return bus_verify_polkit_async(call, CAP_KILL, "org.freedesktop.systemd1.manage-units", false, UID_INVALID, &m->polkit_registry, error);
 }
 
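Review bot: The context comment above bus_verify_manage_units_async_for_kill() still reads `Same as bus_verify_manage_unit_async()`, a name this hunk removes, so it points at a function that no longer exists. It should become `/* Same as bus_verify_manage_units_async(), but checks for CAP_KILL instead of CAP_SYS_ADMIN */`. It would also help to say in that comment that both helpers authorize against the same action id, `org.freedesktop.systemd1.manage-units`, and differ only in the capability that bypasses the polkit query.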
@@ -1208,3 +1208,7 @@ int bus_verify_manage_unit_files_async(Manager *m, sd_bus_message *call, sd_bus_
 int bus_verify_reload_daemon_async(Manager *m, sd_bus_message *call, sd_bus_error *error) {
 return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.reload-daemon", false, UID_INVALID, &m->polkit_registry, error);
 }
+
+int bus_verify_set_environment_async(Manager *m, sd_bus_message *call, sd_bus_error *error) {
+ return bus_verify_polkit_async(call, CAP_SYS_ADMIN, "org.freedesktop.systemd1.set-environment", false, UID_INVALID, &m->polkit_registry, error);
+}
-- cgit v1.2.3-54-g00ecf
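Review bot: bus_verify_set_environment_async() is added with no comment, although a grant of `org.freedesktop.systemd1.set-environment` probably reaches further than its name suggests. Going by the commit message it gates changes to the manager's environment, which is presumably inherited by services started afterwards, so an authorized client could influence what privileged services load and run. I would add a comment above it such as `/* Authorizes changes to the manager environment, which spawned services inherit; keep the policy default at admin authentication */`. The policy declaration for the new action id is outside this file view, so confirm it is declared there with a default no weaker than the one for `manage-units`.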