]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/shared/bus-polkit.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
bus-polkit: describe async. polkit verification
[thirdparty/systemd.git] / src / shared / bus-polkit.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include "bus-internal.h"
4 #include "bus-message.h"
5 #include "bus-polkit.h"
6 #include "bus-util.h"
7 #include "strv.h"
8 #include "user-util.h"
9
10 static int check_good_user(sd_bus_message *m, uid_t good_user) {
11 _cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
12 uid_t sender_uid;
13 int r;
14
15 assert(m);
16
17 if (good_user == UID_INVALID)
18 return 0;
19
20 r = sd_bus_query_sender_creds(m, SD_BUS_CREDS_EUID, &creds);
21 if (r < 0)
22 return r;
23
24 /* Don't trust augmented credentials for authorization */
25 assert_return((sd_bus_creds_get_augmented_mask(creds) & SD_BUS_CREDS_EUID) == 0, -EPERM);
26
27 r = sd_bus_creds_get_euid(creds, &sender_uid);
28 if (r < 0)
29 return r;
30
31 return sender_uid == good_user;
32 }
33
34 #if ENABLE_POLKIT
35 static int bus_message_append_strv_key_value(sd_bus_message *m, const char **l) {
36 int r;
37
38 assert(m);
39
40 r = sd_bus_message_open_container(m, 'a', "{ss}");
41 if (r < 0)
42 return r;
43
44 STRV_FOREACH_PAIR(k, v, l) {
45 r = sd_bus_message_append(m, "{ss}", *k, *v);
46 if (r < 0)
47 return r;
48 }
49
50 r = sd_bus_message_close_container(m);
51 if (r < 0)
52 return r;
53
54 return r;
55 }
56
57 static int bus_message_new_polkit_auth_call(
58 sd_bus_message *m,
59 const char *action,
60 const char **details,
61 bool interactive,
62 sd_bus_message **ret) {
63
64 _cleanup_(sd_bus_message_unrefp) sd_bus_message *c = NULL;
65 const char *sender;
66 int r;
67
68 assert(m);
69 assert(action);
70 assert(ret);
71
72 sender = sd_bus_message_get_sender(m);
73 if (!sender)
74 return -EBADMSG;
75
76 r = sd_bus_message_new_method_call(
77 ASSERT_PTR(m->bus),
78 &c,
79 "org.freedesktop.PolicyKit1",
80 "/org/freedesktop/PolicyKit1/Authority",
81 "org.freedesktop.PolicyKit1.Authority",
82 "CheckAuthorization");
83 if (r < 0)
84 return r;
85
86 r = sd_bus_message_append(c, "(sa{sv})s", "system-bus-name", 1, "name", "s", sender, action);
87 if (r < 0)
88 return r;
89
90 r = bus_message_append_strv_key_value(c, details);
91 if (r < 0)
92 return r;
93
94 r = sd_bus_message_append(c, "us", interactive, NULL);
95 if (r < 0)
96 return r;
97
98 *ret = TAKE_PTR(c);
99 return 0;
100 }
101 #endif
102
103 int bus_test_polkit(
104 sd_bus_message *call,
105 int capability,
106 const char *action,
107 const char **details,
108 uid_t good_user,
109 bool *_challenge,
110 sd_bus_error *ret_error) {
111
112 int r;
113
114 assert(call);
115 assert(action);
116
117 /* Tests non-interactively! */
118
119 r = check_good_user(call, good_user);
120 if (r != 0)
121 return r;
122
123 r = sd_bus_query_sender_privilege(call, capability);
124 if (r < 0)
125 return r;
126 if (r > 0)
127 return 1;
128
129 #if ENABLE_POLKIT
130 _cleanup_(sd_bus_message_unrefp) sd_bus_message *request = NULL, *reply = NULL;
131 int authorized = false, challenge = false;
132
133 r = bus_message_new_polkit_auth_call(call, action, details, /* interactive = */ false, &request);
134 if (r < 0)
135 return r;
136
137 r = sd_bus_call(call->bus, request, 0, ret_error, &reply);
138 if (r < 0) {
139 /* Treat no PK available as access denied */
140 if (bus_error_is_unknown_service(ret_error)) {
141 sd_bus_error_free(ret_error);
142 return -EACCES;
143 }
144
145 return r;
146 }
147
148 r = sd_bus_message_enter_container(reply, 'r', "bba{ss}");
149 if (r < 0)
150 return r;
151
152 r = sd_bus_message_read(reply, "bb", &authorized, &challenge);
153 if (r < 0)
154 return r;
155
156 if (authorized)
157 return 1;
158
159 if (_challenge) {
160 *_challenge = challenge;
161 return 0;
162 }
163 #endif
164
165 return -EACCES;
166 }
167
168 #if ENABLE_POLKIT
169
170 typedef struct AsyncPolkitQuery {
171 char *action;
172 char **details;
173
174 sd_bus_message *request, *reply;
175 sd_bus_slot *slot;
176
177 Hashmap *registry;
178 sd_event_source *defer_event_source;
179 } AsyncPolkitQuery;
180
181 static AsyncPolkitQuery *async_polkit_query_free(AsyncPolkitQuery *q) {
182 if (!q)
183 return NULL;
184
185 sd_bus_slot_unref(q->slot);
186
187 if (q->registry && q->request)
188 hashmap_remove(q->registry, q->request);
189
190 sd_bus_message_unref(q->request);
191 sd_bus_message_unref(q->reply);
192
193 free(q->action);
194 strv_free(q->details);
195
196 sd_event_source_disable_unref(q->defer_event_source);
197
198 return mfree(q);
199 }
200
201 DEFINE_TRIVIAL_CLEANUP_FUNC(AsyncPolkitQuery*, async_polkit_query_free);
202
203 static int async_polkit_defer(sd_event_source *s, void *userdata) {
204 AsyncPolkitQuery *q = ASSERT_PTR(userdata);
205
206 assert(s);
207
208 /* This is called as idle event source after we processed the async polkit reply, hopefully after the
209 * method call we re-enqueued has been properly processed. */
210
211 async_polkit_query_free(q);
212 return 0;
213 }
214
215 static int async_polkit_process_reply(sd_bus_message *reply, AsyncPolkitQuery *q) {
216 int r;
217
218 assert(reply);
219 assert(q);
220
221 assert(q->slot);
222 q->slot = sd_bus_slot_unref(q->slot);
223
224 assert(!q->reply);
225 q->reply = sd_bus_message_ref(reply);
226
227 /* Now, let's dispatch the original message a second time be re-enqueing. This will then traverse the
228 * whole message processing again, and thus re-validating and re-retrieving the "userdata" field
229 * again.
230 *
231 * We install an idle event loop event to clean-up the PolicyKit request data when we are idle again,
232 * i.e. after the second time the message is processed is complete. */
233
234 assert(!q->defer_event_source);
235 r = sd_event_add_defer(sd_bus_get_event(sd_bus_message_get_bus(reply)), &q->defer_event_source, async_polkit_defer, q);
236 if (r < 0)
237 return r;
238
239 r = sd_event_source_set_priority(q->defer_event_source, SD_EVENT_PRIORITY_IDLE);
240 if (r < 0)
241 return r;
242
243 r = sd_event_source_set_enabled(q->defer_event_source, SD_EVENT_ONESHOT);
244 if (r < 0)
245 return r;
246
247 r = sd_bus_message_rewind(q->request, true);
248 if (r < 0)
249 return r;
250
251 r = sd_bus_enqueue_for_read(sd_bus_message_get_bus(q->request), q->request);
252 if (r < 0)
253 return r;
254
255 return 1;
256 }
257
258 static int async_polkit_callback(sd_bus_message *reply, void *userdata, sd_bus_error *error) {
259 AsyncPolkitQuery *q = ASSERT_PTR(userdata);
260 int r;
261
262 assert(reply);
263
264 r = async_polkit_process_reply(reply, q);
265 if (r < 0) {
266 log_debug_errno(r, "Processing asynchronous PolicyKit reply failed, ignoring: %m");
267 (void) sd_bus_reply_method_errno(q->request, r, NULL);
268 async_polkit_query_free(q);
269 }
270 return r;
271 }
272
273 static int process_polkit_response(
274 AsyncPolkitQuery *q,
275 sd_bus_message *call,
276 const char *action,
277 const char **details,
278 sd_bus_error *ret_error) {
279
280 int authorized, challenge, r;
281
282 assert(q);
283 assert(call);
284 assert(action);
285 assert(ret_error);
286
287 assert(q->action);
288 assert(q->reply);
289
290 /* If the operation we want to authenticate changed between the first and the second time,
291 * let's not use this authentication, it might be out of date as the object and context we
292 * operate on might have changed. */
293 if (!streq(q->action, action) || !strv_equal(q->details, (char**) details))
294 return -ESTALE;
295
296 if (sd_bus_message_is_method_error(q->reply, NULL)) {
297 const sd_bus_error *e;
298
299 e = sd_bus_message_get_error(q->reply);
300
301 /* Treat no PK available as access denied */
302 if (bus_error_is_unknown_service(e))
303 return -EACCES;
304
305 /* Copy error from polkit reply */
306 sd_bus_error_copy(ret_error, e);
307 return -sd_bus_error_get_errno(e);
308 }
309
310 r = sd_bus_message_enter_container(q->reply, 'r', "bba{ss}");
311 if (r >= 0)
312 r = sd_bus_message_read(q->reply, "bb", &authorized, &challenge);
313 if (r < 0)
314 return r;
315
316 if (authorized)
317 return 1;
318
319 if (challenge)
320 return sd_bus_error_set(ret_error, SD_BUS_ERROR_INTERACTIVE_AUTHORIZATION_REQUIRED, "Interactive authentication required.");
321
322 return -EACCES;
323 }
324
325 #endif
326
327 /* bus_verify_polkit_async() handles verification of D-Bus calls with polkit. Because the polkit API
328 * is asynchronous, the whole thing is a bit complex and requires some support in the code that uses
329 * it. It relies on sd-bus's support for interrupting the processing of a message.
330 *
331 * Requirements:
332 *
333 * * bus_verify_polkit_async() must be called before any changes to internal state.
334 * * If bus_verify_polkit_async() has made a new polkit query (signaled by return value 0),
335 * processing of the message should be interrupted. This is done by returning 1--which sd-bus
336 * handles specially--and is usually accompanied by a comment. (The message will be queued for
337 * processing again later when a reply from polkit is received.)
338 * * The code needs to keep a hashmap, here called registry, in which bus_verify_polkit_async()
339 * stores active queries. This hashmap's lifetime must be larger than the method handler's;
340 * e.g., it can be a member of some "manager" object or a global variable.
341 *
342 * Return value:
343 *
344 * * 0 - a new polkit call has been made, which means the processing of the message should be
345 * interrupted;
346 * * 1 - the action has been allowed;
347 * * -EACCES - the action has been denied;
348 * * < 0 - an unspecified error.
349 *
350 * A step-by-step description of how it works:
351 *
352 * 1. A D-Bus method handler calls bus_verify_polkit_async(), passing it the D-Bus message being
353 * processed and the polkit action to verify.
354 * 2. bus_verify_polkit_async() checks the registry for the message and action combination. Let's
355 * assume this is the first call, so it finds nothing.
356 * 3. A new AsyncPolkitQuery object is created and an async. D-Bus call to polkit is made. The
357 * function then returns 0. The method handler returns 1 to tell sd-bus that the processing of
358 * the message has been interrupted.
359 * 4. (Later) A reply from polkit is received and async_polkit_callback() is called.
360 * 5. async_polkit_callback() reads the reply and stores result into the passed query.
361 * 6. async_polkit_callback() enqueues the original message again.
362 * 7. (Later) The same D-Bus method handler is called for the same message. It calls
363 * bus_verify_polkit_async() again.
364 * 8. bus_verify_polkit_async() checks the registry for the message and action combination. It finds
365 * an existing query and returns its result.
366 * 9. The method handler continues processing of the message.
367 *
368 * Memory handling:
369 *
370 * async_polkit_callback() registers a deferred call of async_polkit_defer() for the query, which
371 * causes the query to be removed from the registry and freed. Deferred events are run with idle
372 * priority, so this will happen after processing of the D-Bus message, when the query is no longer
373 * needed.
374 *
375 * Schematically:
376 *
377 * (m - D-Bus message, a - polkit action, q - polkit query)
378 *
379 * -> foo_method(m)
380 * -> bus_verify_polkit_async(m, a)
381 * -> bus_call_method_async(q)
382 * <- bus_verify_polkit_async(m, a) = 0
383 * <- foo_method(m) = 1
384 * ...
385 * -> async_polkit_callback(q)
386 * -> sd_event_add_defer(async_polkit_defer, q)
387 * -> sd_bus_enqueue_for_read(m)
388 * <- async_polkit_callback(q)
389 * ...
390 * -> foo_method(m)
391 * -> bus_verify_polkit_async(m, a)
392 * <- bus_verify_polkit_async(m, a) = 1/-EACCES/error
393 * ...
394 * <- foo_method(m)
395 * ...
396 * -> async_polkit_defer(q)
397 * -> async_polkit_query_free(q)
398 * <- async_polkit_defer(q)
399 */
400
401 int bus_verify_polkit_async(
402 sd_bus_message *call,
403 int capability,
404 const char *action,
405 const char **details,
406 bool interactive,
407 uid_t good_user,
408 Hashmap **registry,
409 sd_bus_error *ret_error) {
410
411 int r;
412
413 assert(call);
414 assert(action);
415 assert(registry);
416
417 r = check_good_user(call, good_user);
418 if (r != 0)
419 return r;
420
421 #if ENABLE_POLKIT
422 AsyncPolkitQuery *q = hashmap_get(*registry, call);
423 /* This is the second invocation of this function, and there's already a response from
424 * polkit, let's process it */
425 if (q)
426 return process_polkit_response(q, call, action, details, ret_error);
427 #endif
428
429 r = sd_bus_query_sender_privilege(call, capability);
430 if (r < 0)
431 return r;
432 if (r > 0)
433 return 1;
434
435 #if ENABLE_POLKIT
436 _cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL;
437 _cleanup_(async_polkit_query_freep) AsyncPolkitQuery *q_new = NULL;
438
439 int c = sd_bus_message_get_allow_interactive_authorization(call);
440 if (c < 0)
441 return c;
442 if (c > 0)
443 interactive = true;
444
445 r = hashmap_ensure_allocated(registry, NULL);
446 if (r < 0)
447 return r;
448
449 r = bus_message_new_polkit_auth_call(call, action, details, interactive, &pk);
450 if (r < 0)
451 return r;
452
453 q = q_new = new(AsyncPolkitQuery, 1);
454 if (!q)
455 return -ENOMEM;
456
457 *q = (AsyncPolkitQuery) {
458 .request = sd_bus_message_ref(call),
459 };
460
461 q->action = strdup(action);
462 if (!q->action)
463 return -ENOMEM;
464
465 q->details = strv_copy((char**) details);
466 if (!q->details)
467 return -ENOMEM;
468
469 r = hashmap_put(*registry, call, q);
470 if (r < 0)
471 return r;
472
473 q->registry = *registry;
474
475 r = sd_bus_call_async(call->bus, &q->slot, pk, async_polkit_callback, q, 0);
476 if (r < 0)
477 return r;
478
479 TAKE_PTR(q_new);
480
481 return 0;
482 #endif
483
484 return -EACCES;
485 }
486
487 Hashmap *bus_verify_polkit_async_registry_free(Hashmap *registry) {
488 #if ENABLE_POLKIT
489 return hashmap_free_with_destructor(registry, async_polkit_query_free);
490 #else
491 assert(hashmap_isempty(registry));
492 return hashmap_free(registry);
493 #endif
494 }
Unnamed repository; edit this file 'description' to name the repository.