1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 #include "bus-internal.h"
4 #include "bus-message.h"
5 #include "bus-polkit.h"
10 static int check_good_user(sd_bus_message
*m
, uid_t good_user
) {
11 _cleanup_(sd_bus_creds_unrefp
) sd_bus_creds
*creds
= NULL
;
17 if (good_user
== UID_INVALID
)
20 r
= sd_bus_query_sender_creds(m
, SD_BUS_CREDS_EUID
, &creds
);
24 /* Don't trust augmented credentials for authorization */
25 assert_return((sd_bus_creds_get_augmented_mask(creds
) & SD_BUS_CREDS_EUID
) == 0, -EPERM
);
27 r
= sd_bus_creds_get_euid(creds
, &sender_uid
);
31 return sender_uid
== good_user
;
35 static int bus_message_append_strv_key_value(sd_bus_message
*m
, const char **l
) {
40 r
= sd_bus_message_open_container(m
, 'a', "{ss}");
44 STRV_FOREACH_PAIR(k
, v
, l
) {
45 r
= sd_bus_message_append(m
, "{ss}", *k
, *v
);
50 r
= sd_bus_message_close_container(m
);
57 static int bus_message_new_polkit_auth_call(
62 sd_bus_message
**ret
) {
64 _cleanup_(sd_bus_message_unrefp
) sd_bus_message
*c
= NULL
;
72 sender
= sd_bus_message_get_sender(m
);
76 r
= sd_bus_message_new_method_call(
79 "org.freedesktop.PolicyKit1",
80 "/org/freedesktop/PolicyKit1/Authority",
81 "org.freedesktop.PolicyKit1.Authority",
82 "CheckAuthorization");
86 r
= sd_bus_message_append(c
, "(sa{sv})s", "system-bus-name", 1, "name", "s", sender
, action
);
90 r
= bus_message_append_strv_key_value(c
, details
);
94 r
= sd_bus_message_append(c
, "us", interactive
, NULL
);
104 sd_bus_message
*call
,
107 const char **details
,
110 sd_bus_error
*ret_error
) {
117 /* Tests non-interactively! */
119 r
= check_good_user(call
, good_user
);
123 r
= sd_bus_query_sender_privilege(call
, capability
);
130 _cleanup_(sd_bus_message_unrefp
) sd_bus_message
*request
= NULL
, *reply
= NULL
;
131 int authorized
= false, challenge
= false;
133 r
= bus_message_new_polkit_auth_call(call
, action
, details
, /* interactive = */ false, &request
);
137 r
= sd_bus_call(call
->bus
, request
, 0, ret_error
, &reply
);
139 /* Treat no PK available as access denied */
140 if (bus_error_is_unknown_service(ret_error
)) {
141 sd_bus_error_free(ret_error
);
148 r
= sd_bus_message_enter_container(reply
, 'r', "bba{ss}");
152 r
= sd_bus_message_read(reply
, "bb", &authorized
, &challenge
);
160 *_challenge
= challenge
;
170 typedef struct AsyncPolkitQueryAction
{
174 LIST_FIELDS(struct AsyncPolkitQueryAction
, authorized
);
175 } AsyncPolkitQueryAction
;
177 static AsyncPolkitQueryAction
*async_polkit_query_action_free(AsyncPolkitQueryAction
*a
) {
182 strv_free(a
->details
);
187 DEFINE_TRIVIAL_CLEANUP_FUNC(AsyncPolkitQueryAction
*, async_polkit_query_action_free
);
189 typedef struct AsyncPolkitQuery
{
192 AsyncPolkitQueryAction
*action
;
194 sd_bus_message
*request
;
198 sd_event_source
*defer_event_source
;
200 LIST_HEAD(AsyncPolkitQueryAction
, authorized_actions
);
201 AsyncPolkitQueryAction
*denied_action
;
202 AsyncPolkitQueryAction
*error_action
;
206 static AsyncPolkitQuery
*async_polkit_query_free(AsyncPolkitQuery
*q
) {
207 AsyncPolkitQueryAction
*a
;
212 sd_bus_slot_unref(q
->slot
);
214 if (q
->registry
&& q
->request
)
215 hashmap_remove(q
->registry
, q
->request
);
217 sd_bus_message_unref(q
->request
);
219 async_polkit_query_action_free(q
->action
);
221 sd_event_source_disable_unref(q
->defer_event_source
);
223 while ((a
= q
->authorized_actions
)) {
224 LIST_REMOVE(authorized
, q
->authorized_actions
, a
);
225 async_polkit_query_action_free(a
);
228 async_polkit_query_action_free(q
->denied_action
);
229 async_polkit_query_action_free(q
->error_action
);
231 sd_bus_error_free(&q
->error
);
236 DEFINE_PRIVATE_TRIVIAL_REF_UNREF_FUNC(AsyncPolkitQuery
, async_polkit_query
, async_polkit_query_free
);
237 DEFINE_TRIVIAL_CLEANUP_FUNC(AsyncPolkitQuery
*, async_polkit_query_unref
);
239 static int async_polkit_defer(sd_event_source
*s
, void *userdata
) {
240 AsyncPolkitQuery
*q
= ASSERT_PTR(userdata
);
244 /* This is called as idle event source after we processed the async polkit reply, hopefully after the
245 * method call we re-enqueued has been properly processed. */
247 async_polkit_query_unref(q
);
251 static int async_polkit_read_reply(sd_bus_message
*reply
, AsyncPolkitQuery
*q
) {
252 _cleanup_(async_polkit_query_action_freep
) AsyncPolkitQueryAction
*a
= NULL
;
253 int authorized
, challenge
, r
;
259 a
= TAKE_PTR(q
->action
);
261 if (sd_bus_message_is_method_error(reply
, NULL
)) {
262 const sd_bus_error
*e
;
264 e
= sd_bus_message_get_error(reply
);
266 /* Save error from polkit reply, so it can be returned when the same authorization is
267 * attempted for second time */
268 if (!bus_error_is_unknown_service(e
)) {
269 q
->error_action
= TAKE_PTR(a
);
270 return sd_bus_error_copy(&q
->error
, e
);
273 /* Treat no PK available as access denied */
274 q
->denied_action
= TAKE_PTR(a
);
279 r
= sd_bus_message_enter_container(reply
, 'r', "bba{ss}");
281 r
= sd_bus_message_read(reply
, "bb", &authorized
, &challenge
);
285 /* It's currently expected that processing of a DBus message shall be interrupted on the first
287 assert(!q
->denied_action
);
288 assert(!q
->error_action
);
289 assert(!sd_bus_error_is_set(&q
->error
));
292 LIST_PREPEND(authorized
, q
->authorized_actions
, TAKE_PTR(a
));
293 else if (challenge
) {
294 q
->error_action
= TAKE_PTR(a
);
295 return sd_bus_error_set(&q
->error
, SD_BUS_ERROR_INTERACTIVE_AUTHORIZATION_REQUIRED
, "Interactive authentication required.");
297 q
->denied_action
= TAKE_PTR(a
);
302 static int async_polkit_process_reply(sd_bus_message
*reply
, AsyncPolkitQuery
*q
) {
309 q
->slot
= sd_bus_slot_unref(q
->slot
);
311 r
= async_polkit_read_reply(reply
, q
);
315 /* Now, let's dispatch the original message a second time be re-enqueing. This will then traverse the
316 * whole message processing again, and thus re-validating and re-retrieving the "userdata" field
319 * We install an idle event loop event to clean-up the PolicyKit request data when we are idle again,
320 * i.e. after the second time the message is processed is complete. */
322 if (!q
->defer_event_source
) {
323 r
= sd_event_add_defer(
324 sd_bus_get_event(sd_bus_message_get_bus(reply
)),
325 &q
->defer_event_source
,
331 r
= sd_event_source_set_priority(q
->defer_event_source
, SD_EVENT_PRIORITY_IDLE
);
336 r
= sd_event_source_set_enabled(q
->defer_event_source
, SD_EVENT_ONESHOT
);
340 r
= sd_bus_message_rewind(q
->request
, true);
344 r
= sd_bus_enqueue_for_read(sd_bus_message_get_bus(q
->request
), q
->request
);
351 static int async_polkit_callback(sd_bus_message
*reply
, void *userdata
, sd_bus_error
*error
) {
352 AsyncPolkitQuery
*q
= ASSERT_PTR(userdata
);
357 r
= async_polkit_process_reply(reply
, q
);
359 log_debug_errno(r
, "Processing asynchronous PolicyKit reply failed, ignoring: %m");
360 (void) sd_bus_reply_method_errno(q
->request
, r
, NULL
);
361 async_polkit_query_unref(q
);
366 _pure_
static int async_polkit_query_check_action(
369 const char **details
,
370 sd_bus_error
*ret_error
) {
376 LIST_FOREACH(authorized
, a
, q
->authorized_actions
)
377 if (streq(a
->action
, action
) && strv_equal(a
->details
, (char**) details
))
380 if (q
->error_action
&& streq(q
->error_action
->action
, action
))
381 return sd_bus_error_copy(ret_error
, &q
->error
);
383 if (q
->denied_action
&& streq(q
->denied_action
->action
, action
))
391 /* bus_verify_polkit_async() handles verification of D-Bus calls with polkit. Because the polkit API
392 * is asynchronous, the whole thing is a bit complex and requires some support in the code that uses
393 * it. It relies on sd-bus's support for interrupting the processing of a message.
397 * * bus_verify_polkit_async() must be called before any changes to internal state.
398 * * If bus_verify_polkit_async() has made a new polkit query (signaled by return value 0),
399 * processing of the message should be interrupted. This is done by returning 1--which sd-bus
400 * handles specially--and is usually accompanied by a comment. (The message will be queued for
401 * processing again later when a reply from polkit is received.)
402 * * The code needs to keep a hashmap, here called registry, in which bus_verify_polkit_async()
403 * stores active queries. This hashmap's lifetime must be larger than the method handler's;
404 * e.g., it can be a member of some "manager" object or a global variable.
408 * * 0 - a new polkit call has been made, which means the processing of the message should be
410 * * 1 - the action has been allowed;
411 * * -EACCES - the action has been denied;
412 * * < 0 - an unspecified error.
414 * A step-by-step description of how it works:
416 * 1. A D-Bus method handler calls bus_verify_polkit_async(), passing it the D-Bus message being
417 * processed and the polkit action to verify.
418 * 2. bus_verify_polkit_async() checks the registry for an existing query object associated with the
419 * message. Let's assume this is the first call, so it finds nothing.
420 * 3. A new AsyncPolkitQuery object is created and an async. D-Bus call to polkit is made. The
421 * function then returns 0. The method handler returns 1 to tell sd-bus that the processing of
422 * the message has been interrupted.
423 * 4. (Later) A reply from polkit is received and async_polkit_callback() is called.
424 * 5. async_polkit_callback() reads the reply and stores its result in the passed query.
425 * 6. async_polkit_callback() enqueues the original message again.
426 * 7. (Later) The same D-Bus method handler is called for the same message. It calls
427 * bus_verify_polkit_async() again.
428 * 8. bus_verify_polkit_async() checks the registry for an existing query object associated with the
429 * message. It finds one and returns the result for the action.
430 * 9. The method handler continues processing of the message. If there's another action that needs
432 * 10. bus_verify_polkit_async() is called again for the new action. The registry already contains a
433 * query for the message, but the new action hasn't been seen yet, hence steps 4-8 are repeated.
434 * 11. (In the method handler again.) bus_verify_polkit_async() returns query results for both
435 * actions and the processing continues as in step 9.
439 * async_polkit_callback() registers a deferred call of async_polkit_defer() for the query, which
440 * causes the query to be removed from the registry and freed. Deferred events are run with idle
441 * priority, so this will happen after processing of the D-Bus message, when the query is no longer
446 * (m - D-Bus message, a - polkit action, q - polkit query)
449 * -> bus_verify_polkit_async(m, a)
450 * -> async_polkit_query_ref(q)
451 * -> bus_call_method_async(q)
452 * <- bus_verify_polkit_async(m, a) = 0
453 * <- foo_method(m) = 1
455 * -> async_polkit_callback(q)
456 * -> sd_event_add_defer(async_polkit_defer, q)
457 * -> sd_bus_enqueue_for_read(m)
458 * <- async_polkit_callback(q)
461 * -> bus_verify_polkit_async(m, a)
462 * <- bus_verify_polkit_async(m, a) = 1/-EACCES/error
464 * // possibly another call to bus_verify_polkit_async with action a2
467 * -> async_polkit_defer(q)
468 * -> async_polkit_query_unref(q)
469 * <- async_polkit_defer(q)
472 int bus_verify_polkit_async(
473 sd_bus_message
*call
,
476 const char **details
,
480 sd_bus_error
*ret_error
) {
488 r
= check_good_user(call
, good_user
);
493 _cleanup_(async_polkit_query_unrefp
) AsyncPolkitQuery
*q
= NULL
;
495 q
= async_polkit_query_ref(hashmap_get(*registry
, call
));
496 /* This is a repeated invocation of this function, hence let's check if we've already got
497 * a response from polkit for this action */
499 r
= async_polkit_query_check_action(q
, action
, details
, ret_error
);
505 r
= sd_bus_query_sender_privilege(call
, capability
);
512 _cleanup_(sd_bus_message_unrefp
) sd_bus_message
*pk
= NULL
;
514 int c
= sd_bus_message_get_allow_interactive_authorization(call
);
520 r
= hashmap_ensure_allocated(registry
, NULL
);
524 r
= bus_message_new_polkit_auth_call(call
, action
, details
, interactive
, &pk
);
529 q
= new(AsyncPolkitQuery
, 1);
533 *q
= (AsyncPolkitQuery
) {
535 .request
= sd_bus_message_ref(call
),
540 q
->action
= new(AsyncPolkitQueryAction
, 1);
544 *q
->action
= (AsyncPolkitQueryAction
) {
545 .action
= strdup(action
),
546 .details
= strv_copy((char**) details
),
548 if (!q
->action
->action
|| !q
->action
->details
)
552 r
= hashmap_put(*registry
, call
, q
);
556 q
->registry
= *registry
;
559 r
= sd_bus_call_async(call
->bus
, &q
->slot
, pk
, async_polkit_callback
, q
, 0);
571 Hashmap
*bus_verify_polkit_async_registry_free(Hashmap
*registry
) {
573 return hashmap_free_with_destructor(registry
, async_polkit_query_unref
);
575 assert(hashmap_isempty(registry
));
576 return hashmap_free(registry
);