machined: use different polkit actions for registering and creating a machine
authorLennart Poettering <lennart@poettering.net>
Fri, 23 May 2025 20:10:36 +0000 (22:10 +0200)
committerLennart Poettering <lennart@poettering.net>
Fri, 11 Jul 2025 16:15:12 +0000 (18:15 +0200)
The difference between these two operations is large. "Registration" is
relatively superficial: all resources remain associated with the invoking
user, and only the cgroup is reported to machined, which then keeps track
of the machine, too. For "creation", OTOH, a scope is allocated in system
context, hence the invoked code will be owned by the system and its
resource usage charged against the system.

Hence, use two distinct polkit actions for this, so that we can relax
access to registration, but keep access to creation tough.

src/machine/machine-varlink.c
src/machine/machined-dbus.c
src/machine/org.freedesktop.machine1.policy

index 8c437efc1759cdf82c3d54acdaad8e006f83841b..a773094cfe7d4d181e3d9c16b80fbe7ccafd9525 100644 (file)
@@ -155,7 +155,7 @@ int vl_method_register(sd_varlink *link, sd_json_variant *parameters, sd_varlink
         r = varlink_verify_polkit_async(
                         link,
                         manager->bus,
-                        "org.freedesktop.machine1.create-machine",
+                        machine->allocate_unit ? "org.freedesktop.machine1.create-machine" : "org.freedesktop.machine1.register-machine",
                         (const char**) STRV_MAKE("name", machine->name,
                                                  "class", machine_class_to_string(machine->class)),
                         &manager->polkit_registry);
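Review bot: The action id is now selected by a client-controlled field on L27, which is the right direction (allocate_unit=true picks the stricter action), but both literals are repeated verbatim in machined-dbus.c, so the D-Bus and Varlink front ends can silently drift if one is ever renamed. Consider defining them once in a shared header, e.g. `#define MACHINE_POLKIT_ACTION_CREATE "org.freedesktop.machine1.create-machine"` and `#define MACHINE_POLKIT_ACTION_REGISTER "org.freedesktop.machine1.register-machine"`, and hoisting the ternary into a named local, `const char *polkit_action = machine->allocate_unit ? MACHINE_POLKIT_ACTION_CREATE : MACHINE_POLKIT_ACTION_REGISTER;`, so the argument line stays readable. vl_method_register starts and ends outside the hunk.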
index 30f722a4497d16e9e76605d5ae25ad4cb8a87e56..82c0addefbe7f9b575d4263d4d8e905076261224 100644 (file)
@@ -228,6 +228,7 @@ static int method_list_machines(sd_bus_message *message, void *userdata, sd_bus_
 static int method_create_or_register_machine(
                 Manager *manager,
                 sd_bus_message *message,
+                const char *polkit_action,
                 bool read_network,
                 Machine **ret,
                 sd_bus_error *error) {
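Review bot: The new `polkit_action` parameter on L36 is not validated alongside the function's other arguments; if the body opens with the usual `assert(manager); assert(message);` checks (not visible in this hunk), add `assert(polkit_action);` beside them so a NULL action id fails loudly at the call site rather than inside bus_verify_polkit_async(). Both callers introduced by this commit pass string literals, so this is defensive only. method_create_or_register_machine's body continues outside the hunk.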
@@ -318,7 +319,7 @@ static int method_create_or_register_machine(
 
         r = bus_verify_polkit_async(
                         message,
-                        "org.freedesktop.machine1.create-machine",
+                        polkit_action,
                         details,
                         &manager->polkit_registry,
                         error);
@@ -378,7 +379,7 @@ static int method_create_machine_internal(sd_bus_message *message, bool read_net
 
         assert(message);
 
-        r = method_create_or_register_machine(manager, message, read_network, &m, error);
+        r = method_create_or_register_machine(manager, message, "org.freedesktop.machine1.create-machine", read_network, &m, error);
         if (r < 0)
                 return r;
         if (r == 0)
@@ -416,7 +417,7 @@ static int method_register_machine_internal(sd_bus_message *message, bool read_n
 
         assert(message);
 
-        r = method_create_or_register_machine(manager, message, read_network, &m, error);
+        r = method_create_or_register_machine(manager, message, "org.freedesktop.machine1.register-machine", read_network, &m, error);
         if (r < 0)
                 return r;
         if (r == 0)
index fe125ed0db344b9cc93eaaaef6c046416ec0308d..d5b8d83d2aade22c1450b6b4aacda9453d520030 100644 (file)
                         <allow_inactive>auth_admin</allow_inactive>
                         <allow_active>auth_admin_keep</allow_active>
                 </defaults>
-                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.shell org.freedesktop.login1.login</annotate>
+                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.shell org.freedesktop.login1.login org.freedesktop.machine1.register-machine</annotate>
+        </action>
+
+        <action id="org.freedesktop.machine1.register-machine">
+                <description gettext-domain="systemd">Register a local virtual machine or container</description>
+                <message gettext-domain="systemd">Authentication is required to register a local virtual machine or container.</message>
+                <defaults>
+                        <allow_any>auth_admin</allow_any>
+                        <allow_inactive>auth_admin</allow_inactive>
+                        <allow_active>yes</allow_active>
+                </defaults>
         </action>
 
         <action id="org.freedesktop.machine1.manage-images">
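Review bot: `<allow_active>yes</allow_active>` on L81 lets any active local session register a machine without authentication, yet registration still places the entry in machined's single, system-wide machine namespace, so an unprivileged user can claim a name that a later privileged CreateMachine/RegisterMachine call would have used, or make arbitrary entries show up in `machinectl list` for everyone. The commit message justifies the relaxation by resource accounting alone; the naming aspect should at least be recorded in the policy, e.g. `<!-- Registration only records a caller-owned cgroup, but machine names are a system-wide namespace shared with create-machine. -->` above the new `<action>`. Whether the leader PID or cgroup supplied by a registering client is verified to belong to the caller is not visible in this diff; if it is not, `yes` here would also let an active user register another user's process as a machine leader, so that check is worth confirming before this default ships. No change needed if both are already handled elsewhere.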