src/shared/bus-polkit.c

   1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
   2
   3 #include "bus-internal.h"
   4 #include "bus-message.h"
   5 #include "bus-polkit.h"
   6 #include "bus-util.h"
   7 #include "strv.h"
   8 #include "user-util.h"
   9
  10 static int check_good_user(sd_bus_message *m, uid_t good_user) {
  11         _cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
  12         uid_t sender_uid;
  13         int r;
  14
  15         assert(m);
  16
  17         if (good_user == UID_INVALID)
  18                 return 0;
  19
  20         r = sd_bus_query_sender_creds(m, SD_BUS_CREDS_EUID, &creds);
  21         if (r < 0)
  22                 return r;
  23
  24         /* Don't trust augmented credentials for authorization */
  25         assert_return((sd_bus_creds_get_augmented_mask(creds) & SD_BUS_CREDS_EUID) == 0, -EPERM);
  26
  27         r = sd_bus_creds_get_euid(creds, &sender_uid);
  28         if (r < 0)
  29                 return r;
  30
  31         return sender_uid == good_user;
  32 }
  33
  34 #if ENABLE_POLKIT
  35 static int bus_message_append_strv_key_value(sd_bus_message *m, const char **l) {
  36         int r;
  37
  38         assert(m);
  39
  40         r = sd_bus_message_open_container(m, 'a', "{ss}");
  41         if (r < 0)
  42                 return r;
  43
  44         STRV_FOREACH_PAIR(k, v, l) {
  45                 r = sd_bus_message_append(m, "{ss}", *k, *v);
  46                 if (r < 0)
  47                         return r;
  48         }
  49
  50         r = sd_bus_message_close_container(m);
  51         if (r < 0)
  52                 return r;
  53
  54         return r;
  55 }
  56
  57 static int bus_message_new_polkit_auth_call(
  58                 sd_bus_message *m,
  59                 const char *action,
  60                 const char **details,
  61                 bool interactive,
  62                 sd_bus_message **ret) {
  63
  64         _cleanup_(sd_bus_message_unrefp) sd_bus_message *c = NULL;
  65         const char *sender;
  66         int r;
  67
  68         assert(m);
  69         assert(action);
  70         assert(ret);
  71
  72         sender = sd_bus_message_get_sender(m);
  73         if (!sender)
  74                 return -EBADMSG;
  75
  76         r = sd_bus_message_new_method_call(
  77                         ASSERT_PTR(m->bus),
  78                         &c,
  79                         "org.freedesktop.PolicyKit1",
  80                         "/org/freedesktop/PolicyKit1/Authority",
  81                         "org.freedesktop.PolicyKit1.Authority",
  82                         "CheckAuthorization");
  83         if (r < 0)
  84                 return r;
  85
  86         r = sd_bus_message_append(c, "(sa{sv})s", "system-bus-name", 1, "name", "s", sender, action);
  87         if (r < 0)
  88                 return r;
  89
  90         r = bus_message_append_strv_key_value(c, details);
  91         if (r < 0)
  92                 return r;
  93
  94         r = sd_bus_message_append(c, "us", interactive, NULL);
  95         if (r < 0)
  96                 return r;
  97
  98         *ret = TAKE_PTR(c);
  99         return 0;
 100 }
 101 #endif
 102
 103 int bus_test_polkit(
 104                 sd_bus_message *call,
 105                 int capability,
 106                 const char *action,
 107                 const char **details,
 108                 uid_t good_user,
 109                 bool *_challenge,
 110                 sd_bus_error *ret_error) {
 111
 112         int r;
 113
 114         assert(call);
 115         assert(action);
 116
 117         /* Tests non-interactively! */
 118
 119         r = check_good_user(call, good_user);
 120         if (r != 0)
 121                 return r;
 122
 123         r = sd_bus_query_sender_privilege(call, capability);
 124         if (r < 0)
 125                 return r;
 126         if (r > 0)
 127                 return 1;
 128
 129 #if ENABLE_POLKIT
 130         _cleanup_(sd_bus_message_unrefp) sd_bus_message *request = NULL, *reply = NULL;
 131         int authorized = false, challenge = false;
 132
 133         r = bus_message_new_polkit_auth_call(call, action, details, /* interactive = */ false, &request);
 134         if (r < 0)
 135                 return r;
 136
 137         r = sd_bus_call(call->bus, request, 0, ret_error, &reply);
 138         if (r < 0) {
 139                 /* Treat no PK available as access denied */
 140                 if (bus_error_is_unknown_service(ret_error)) {
 141                         sd_bus_error_free(ret_error);
 142                         return -EACCES;
 143                 }
 144
 145                 return r;
 146         }
 147
 148         r = sd_bus_message_enter_container(reply, 'r', "bba{ss}");
 149         if (r < 0)
 150                 return r;
 151
 152         r = sd_bus_message_read(reply, "bb", &authorized, &challenge);
 153         if (r < 0)
 154                 return r;
 155
 156         if (authorized)
 157                 return 1;
 158
 159         if (_challenge) {
 160                 *_challenge = challenge;
 161                 return 0;
 162         }
 163 #endif
 164
 165         return -EACCES;
 166 }
 167
 168 #if ENABLE_POLKIT
 169
 170 typedef struct AsyncPolkitQuery {
 171         char *action;
 172         char **details;
 173
 174         sd_bus_message *request, *reply;
 175         sd_bus_slot *slot;
 176
 177         Hashmap *registry;
 178         sd_event_source *defer_event_source;
 179 } AsyncPolkitQuery;
 180
 181 static AsyncPolkitQuery *async_polkit_query_free(AsyncPolkitQuery *q) {
 182         if (!q)
 183                 return NULL;
 184
 185         sd_bus_slot_unref(q->slot);
 186
 187         if (q->registry && q->request)
 188                 hashmap_remove(q->registry, q->request);
 189
 190         sd_bus_message_unref(q->request);
 191         sd_bus_message_unref(q->reply);
 192
 193         free(q->action);
 194         strv_free(q->details);
 195
 196         sd_event_source_disable_unref(q->defer_event_source);
 197
 198         return mfree(q);
 199 }
 200
 201 DEFINE_TRIVIAL_CLEANUP_FUNC(AsyncPolkitQuery*, async_polkit_query_free);
 202
 203 static int async_polkit_defer(sd_event_source *s, void *userdata) {
 204         AsyncPolkitQuery *q = ASSERT_PTR(userdata);
 205
 206         assert(s);
 207
 208         /* This is called as idle event source after we processed the async polkit reply, hopefully after the
 209          * method call we re-enqueued has been properly processed. */
 210
 211         async_polkit_query_free(q);
 212         return 0;
 213 }
 214
 215 static int async_polkit_process_reply(sd_bus_message *reply, AsyncPolkitQuery *q) {
 216         int r;
 217
 218         assert(reply);
 219         assert(q);
 220
 221         assert(q->slot);
 222         q->slot = sd_bus_slot_unref(q->slot);
 223
 224         assert(!q->reply);
 225         q->reply = sd_bus_message_ref(reply);
 226
 227         /* Now, let's dispatch the original message a second time be re-enqueing. This will then traverse the
 228          * whole message processing again, and thus re-validating and re-retrieving the "userdata" field
 229          * again.
 230          *
 231          * We install an idle event loop event to clean-up the PolicyKit request data when we are idle again,
 232          * i.e. after the second time the message is processed is complete. */
 233
 234         assert(!q->defer_event_source);
 235         r = sd_event_add_defer(sd_bus_get_event(sd_bus_message_get_bus(reply)), &q->defer_event_source, async_polkit_defer, q);
 236         if (r < 0)
 237                 return r;
 238
 239         r = sd_event_source_set_priority(q->defer_event_source, SD_EVENT_PRIORITY_IDLE);
 240         if (r < 0)
 241                 return r;
 242
 243         r = sd_event_source_set_enabled(q->defer_event_source, SD_EVENT_ONESHOT);
 244         if (r < 0)
 245                 return r;
 246
 247         r = sd_bus_message_rewind(q->request, true);
 248         if (r < 0)
 249                 return r;
 250
 251         r = sd_bus_enqueue_for_read(sd_bus_message_get_bus(q->request), q->request);
 252         if (r < 0)
 253                 return r;
 254
 255         return 1;
 256 }
 257
 258 static int async_polkit_callback(sd_bus_message *reply, void *userdata, sd_bus_error *error) {
 259         AsyncPolkitQuery *q = ASSERT_PTR(userdata);
 260         int r;
 261
 262         assert(reply);
 263
 264         r = async_polkit_process_reply(reply, q);
 265         if (r < 0) {
 266                 log_debug_errno(r, "Processing asynchronous PolicyKit reply failed, ignoring: %m");
 267                 (void) sd_bus_reply_method_errno(q->request, r, NULL);
 268                 async_polkit_query_free(q);
 269         }
 270         return r;
 271 }
 272
 273 static int process_polkit_response(
 274                 AsyncPolkitQuery *q,
 275                 sd_bus_message *call,
 276                 const char *action,
 277                 const char **details,
 278                 sd_bus_error *ret_error) {
 279
 280         int authorized, challenge, r;
 281
 282         assert(q);
 283         assert(call);
 284         assert(action);
 285         assert(ret_error);
 286
 287         assert(q->action);
 288         assert(q->reply);
 289
 290         /* If the operation we want to authenticate changed between the first and the second time,
 291          * let's not use this authentication, it might be out of date as the object and context we
 292          * operate on might have changed. */
 293         if (!streq(q->action, action) || !strv_equal(q->details, (char**) details))
 294                 return -ESTALE;
 295
 296         if (sd_bus_message_is_method_error(q->reply, NULL)) {
 297                 const sd_bus_error *e;
 298
 299                 e = sd_bus_message_get_error(q->reply);
 300
 301                 /* Treat no PK available as access denied */
 302                 if (bus_error_is_unknown_service(e))
 303                         return -EACCES;
 304
 305                 /* Copy error from polkit reply */
 306                 sd_bus_error_copy(ret_error, e);
 307                 return -sd_bus_error_get_errno(e);
 308         }
 309
 310         r = sd_bus_message_enter_container(q->reply, 'r', "bba{ss}");
 311         if (r >= 0)
 312                 r = sd_bus_message_read(q->reply, "bb", &authorized, &challenge);
 313         if (r < 0)
 314                 return r;
 315
 316         if (authorized)
 317                 return 1;
 318
 319         if (challenge)
 320                 return sd_bus_error_set(ret_error, SD_BUS_ERROR_INTERACTIVE_AUTHORIZATION_REQUIRED, "Interactive authentication required.");
 321
 322         return -EACCES;
 323 }
 324
 325 #endif
 326
 327 int bus_verify_polkit_async(
 328                 sd_bus_message *call,
 329                 int capability,
 330                 const char *action,
 331                 const char **details,
 332                 bool interactive,
 333                 uid_t good_user,
 334                 Hashmap **registry,
 335                 sd_bus_error *ret_error) {
 336
 337         int r;
 338
 339         assert(call);
 340         assert(action);
 341         assert(registry);
 342
 343         r = check_good_user(call, good_user);
 344         if (r != 0)
 345                 return r;
 346
 347 #if ENABLE_POLKIT
 348         AsyncPolkitQuery *q = hashmap_get(*registry, call);
 349         /* This is the second invocation of this function, and there's already a response from
 350          * polkit, let's process it */
 351         if (q)
 352                 return process_polkit_response(q, call, action, details, ret_error);
 353 #endif
 354
 355         r = sd_bus_query_sender_privilege(call, capability);
 356         if (r < 0)
 357                 return r;
 358         if (r > 0)
 359                 return 1;
 360
 361 #if ENABLE_POLKIT
 362         _cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL;
 363         _cleanup_(async_polkit_query_freep) AsyncPolkitQuery *q_new = NULL;
 364
 365         int c = sd_bus_message_get_allow_interactive_authorization(call);
 366         if (c < 0)
 367                 return c;
 368         if (c > 0)
 369                 interactive = true;
 370
 371         r = hashmap_ensure_allocated(registry, NULL);
 372         if (r < 0)
 373                 return r;
 374
 375         r = bus_message_new_polkit_auth_call(call, action, details, interactive, &pk);
 376         if (r < 0)
 377                 return r;
 378
 379         q = q_new = new(AsyncPolkitQuery, 1);
 380         if (!q)
 381                 return -ENOMEM;
 382
 383         *q = (AsyncPolkitQuery) {
 384                 .request = sd_bus_message_ref(call),
 385         };
 386
 387         q->action = strdup(action);
 388         if (!q->action)
 389                 return -ENOMEM;
 390
 391         q->details = strv_copy((char**) details);
 392         if (!q->details)
 393                 return -ENOMEM;
 394
 395         r = hashmap_put(*registry, call, q);
 396         if (r < 0)
 397                 return r;
 398
 399         q->registry = *registry;
 400
 401         r = sd_bus_call_async(call->bus, &q->slot, pk, async_polkit_callback, q, 0);
 402         if (r < 0)
 403                 return r;
 404
 405         TAKE_PTR(q_new);
 406
 407         return 0;
 408 #endif
 409
 410         return -EACCES;
 411 }
 412
 413 Hashmap *bus_verify_polkit_async_registry_free(Hashmap *registry) {
 414 #if ENABLE_POLKIT
 415         return hashmap_free_with_destructor(registry, async_polkit_query_free);
 416 #else
 417         assert(hashmap_isempty(registry));
 418         return hashmap_free(registry);
 419 #endif
 420 }