src/shared/bus-polkit.c

   1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
   2
   3 #include "bus-internal.h"
   4 #include "bus-message.h"
   5 #include "bus-polkit.h"
   6 #include "bus-util.h"
   7 #include "strv.h"
   8 #include "user-util.h"
   9
  10 static int check_good_user(sd_bus_message *m, uid_t good_user) {
  11         _cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
  12         uid_t sender_uid;
  13         int r;
  14
  15         assert(m);
  16
  17         if (good_user == UID_INVALID)
  18                 return 0;
  19
  20         r = sd_bus_query_sender_creds(m, SD_BUS_CREDS_EUID, &creds);
  21         if (r < 0)
  22                 return r;
  23
  24         /* Don't trust augmented credentials for authorization */
  25         assert_return((sd_bus_creds_get_augmented_mask(creds) & SD_BUS_CREDS_EUID) == 0, -EPERM);
  26
  27         r = sd_bus_creds_get_euid(creds, &sender_uid);
  28         if (r < 0)
  29                 return r;
  30
  31         return sender_uid == good_user;
  32 }
  33
  34 #if ENABLE_POLKIT
  35 static int bus_message_append_strv_key_value(sd_bus_message *m, const char **l) {
  36         int r;
  37
  38         assert(m);
  39
  40         r = sd_bus_message_open_container(m, 'a', "{ss}");
  41         if (r < 0)
  42                 return r;
  43
  44         STRV_FOREACH_PAIR(k, v, l) {
  45                 r = sd_bus_message_append(m, "{ss}", *k, *v);
  46                 if (r < 0)
  47                         return r;
  48         }
  49
  50         r = sd_bus_message_close_container(m);
  51         if (r < 0)
  52                 return r;
  53
  54         return r;
  55 }
  56
  57 static int bus_message_new_polkit_auth_call(
  58                 sd_bus_message *m,
  59                 const char *action,
  60                 const char **details,
  61                 bool interactive,
  62                 sd_bus_message **ret) {
  63
  64         _cleanup_(sd_bus_message_unrefp) sd_bus_message *c = NULL;
  65         const char *sender;
  66         int r;
  67
  68         assert(m);
  69         assert(action);
  70         assert(ret);
  71
  72         sender = sd_bus_message_get_sender(m);
  73         if (!sender)
  74                 return -EBADMSG;
  75
  76         r = sd_bus_message_new_method_call(
  77                         ASSERT_PTR(m->bus),
  78                         &c,
  79                         "org.freedesktop.PolicyKit1",
  80                         "/org/freedesktop/PolicyKit1/Authority",
  81                         "org.freedesktop.PolicyKit1.Authority",
  82                         "CheckAuthorization");
  83         if (r < 0)
  84                 return r;
  85
  86         r = sd_bus_message_append(c, "(sa{sv})s", "system-bus-name", 1, "name", "s", sender, action);
  87         if (r < 0)
  88                 return r;
  89
  90         r = bus_message_append_strv_key_value(c, details);
  91         if (r < 0)
  92                 return r;
  93
  94         r = sd_bus_message_append(c, "us", interactive, NULL);
  95         if (r < 0)
  96                 return r;
  97
  98         *ret = TAKE_PTR(c);
  99         return 0;
 100 }
 101 #endif
 102
 103 int bus_test_polkit(
 104                 sd_bus_message *call,
 105                 int capability,
 106                 const char *action,
 107                 const char **details,
 108                 uid_t good_user,
 109                 bool *_challenge,
 110                 sd_bus_error *ret_error) {
 111
 112         int r;
 113
 114         assert(call);
 115         assert(action);
 116
 117         /* Tests non-interactively! */
 118
 119         r = check_good_user(call, good_user);
 120         if (r != 0)
 121                 return r;
 122
 123         r = sd_bus_query_sender_privilege(call, capability);
 124         if (r < 0)
 125                 return r;
 126         if (r > 0)
 127                 return 1;
 128
 129 #if ENABLE_POLKIT
 130         _cleanup_(sd_bus_message_unrefp) sd_bus_message *request = NULL, *reply = NULL;
 131         int authorized = false, challenge = false;
 132
 133         r = bus_message_new_polkit_auth_call(call, action, details, /* interactive = */ false, &request);
 134         if (r < 0)
 135                 return r;
 136
 137         r = sd_bus_call(call->bus, request, 0, ret_error, &reply);
 138         if (r < 0) {
 139                 /* Treat no PK available as access denied */
 140                 if (bus_error_is_unknown_service(ret_error)) {
 141                         sd_bus_error_free(ret_error);
 142                         return -EACCES;
 143                 }
 144
 145                 return r;
 146         }
 147
 148         r = sd_bus_message_enter_container(reply, 'r', "bba{ss}");
 149         if (r < 0)
 150                 return r;
 151
 152         r = sd_bus_message_read(reply, "bb", &authorized, &challenge);
 153         if (r < 0)
 154                 return r;
 155
 156         if (authorized)
 157                 return 1;
 158
 159         if (_challenge) {
 160                 *_challenge = challenge;
 161                 return 0;
 162         }
 163 #endif
 164
 165         return -EACCES;
 166 }
 167
 168 #if ENABLE_POLKIT
 169
 170 typedef struct AsyncPolkitQuery {
 171         char *action;
 172         char **details;
 173
 174         sd_bus_message *request, *reply;
 175         sd_bus_slot *slot;
 176
 177         Hashmap *registry;
 178         sd_event_source *defer_event_source;
 179 } AsyncPolkitQuery;
 180
 181 static AsyncPolkitQuery *async_polkit_query_free(AsyncPolkitQuery *q) {
 182         if (!q)
 183                 return NULL;
 184
 185         sd_bus_slot_unref(q->slot);
 186
 187         if (q->registry && q->request)
 188                 hashmap_remove(q->registry, q->request);
 189
 190         sd_bus_message_unref(q->request);
 191         sd_bus_message_unref(q->reply);
 192
 193         free(q->action);
 194         strv_free(q->details);
 195
 196         sd_event_source_disable_unref(q->defer_event_source);
 197
 198         return mfree(q);
 199 }
 200
 201 DEFINE_TRIVIAL_CLEANUP_FUNC(AsyncPolkitQuery*, async_polkit_query_free);
 202
 203 static int async_polkit_defer(sd_event_source *s, void *userdata) {
 204         AsyncPolkitQuery *q = ASSERT_PTR(userdata);
 205
 206         assert(s);
 207
 208         /* This is called as idle event source after we processed the async polkit reply, hopefully after the
 209          * method call we re-enqueued has been properly processed. */
 210
 211         async_polkit_query_free(q);
 212         return 0;
 213 }
 214
 215 static int async_polkit_callback(sd_bus_message *reply, void *userdata, sd_bus_error *error) {
 216         AsyncPolkitQuery *q = ASSERT_PTR(userdata);
 217         int r;
 218
 219         assert(reply);
 220
 221         assert(q->slot);
 222         q->slot = sd_bus_slot_unref(q->slot);
 223
 224         assert(!q->reply);
 225         q->reply = sd_bus_message_ref(reply);
 226
 227         /* Now, let's dispatch the original message a second time be re-enqueing. This will then traverse the
 228          * whole message processing again, and thus re-validating and re-retrieving the "userdata" field
 229          * again.
 230          *
 231          * We install an idle event loop event to clean-up the PolicyKit request data when we are idle again,
 232          * i.e. after the second time the message is processed is complete. */
 233
 234         assert(!q->defer_event_source);
 235         r = sd_event_add_defer(sd_bus_get_event(sd_bus_message_get_bus(reply)), &q->defer_event_source, async_polkit_defer, q);
 236         if (r < 0)
 237                 goto fail;
 238
 239         r = sd_event_source_set_priority(q->defer_event_source, SD_EVENT_PRIORITY_IDLE);
 240         if (r < 0)
 241                 goto fail;
 242
 243         r = sd_event_source_set_enabled(q->defer_event_source, SD_EVENT_ONESHOT);
 244         if (r < 0)
 245                 goto fail;
 246
 247         r = sd_bus_message_rewind(q->request, true);
 248         if (r < 0)
 249                 goto fail;
 250
 251         r = sd_bus_enqueue_for_read(sd_bus_message_get_bus(q->request), q->request);
 252         if (r < 0)
 253                 goto fail;
 254
 255         return 1;
 256
 257 fail:
 258         log_debug_errno(r, "Processing asynchronous PolicyKit reply failed, ignoring: %m");
 259         (void) sd_bus_reply_method_errno(q->request, r, NULL);
 260         async_polkit_query_free(q);
 261         return r;
 262 }
 263
 264 static int process_polkit_response(
 265                 AsyncPolkitQuery *q,
 266                 sd_bus_message *call,
 267                 const char *action,
 268                 const char **details,
 269                 sd_bus_error *ret_error) {
 270
 271         int authorized, challenge, r;
 272
 273         assert(q);
 274         assert(call);
 275         assert(action);
 276         assert(ret_error);
 277
 278         assert(q->action);
 279         assert(q->reply);
 280
 281         /* If the operation we want to authenticate changed between the first and the second time,
 282          * let's not use this authentication, it might be out of date as the object and context we
 283          * operate on might have changed. */
 284         if (!streq(q->action, action) || !strv_equal(q->details, (char**) details))
 285                 return -ESTALE;
 286
 287         if (sd_bus_message_is_method_error(q->reply, NULL)) {
 288                 const sd_bus_error *e;
 289
 290                 e = sd_bus_message_get_error(q->reply);
 291
 292                 /* Treat no PK available as access denied */
 293                 if (bus_error_is_unknown_service(e))
 294                         return -EACCES;
 295
 296                 /* Copy error from polkit reply */
 297                 sd_bus_error_copy(ret_error, e);
 298                 return -sd_bus_error_get_errno(e);
 299         }
 300
 301         r = sd_bus_message_enter_container(q->reply, 'r', "bba{ss}");
 302         if (r >= 0)
 303                 r = sd_bus_message_read(q->reply, "bb", &authorized, &challenge);
 304         if (r < 0)
 305                 return r;
 306
 307         if (authorized)
 308                 return 1;
 309
 310         if (challenge)
 311                 return sd_bus_error_set(ret_error, SD_BUS_ERROR_INTERACTIVE_AUTHORIZATION_REQUIRED, "Interactive authentication required.");
 312
 313         return -EACCES;
 314 }
 315
 316 #endif
 317
 318 int bus_verify_polkit_async(
 319                 sd_bus_message *call,
 320                 int capability,
 321                 const char *action,
 322                 const char **details,
 323                 bool interactive,
 324                 uid_t good_user,
 325                 Hashmap **registry,
 326                 sd_bus_error *ret_error) {
 327
 328         int r;
 329
 330         assert(call);
 331         assert(action);
 332         assert(registry);
 333
 334         r = check_good_user(call, good_user);
 335         if (r != 0)
 336                 return r;
 337
 338 #if ENABLE_POLKIT
 339         AsyncPolkitQuery *q = hashmap_get(*registry, call);
 340         /* This is the second invocation of this function, and there's already a response from
 341          * polkit, let's process it */
 342         if (q)
 343                 return process_polkit_response(q, call, action, details, ret_error);
 344 #endif
 345
 346         r = sd_bus_query_sender_privilege(call, capability);
 347         if (r < 0)
 348                 return r;
 349         if (r > 0)
 350                 return 1;
 351
 352 #if ENABLE_POLKIT
 353         _cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL;
 354         _cleanup_(async_polkit_query_freep) AsyncPolkitQuery *q_new = NULL;
 355
 356         int c = sd_bus_message_get_allow_interactive_authorization(call);
 357         if (c < 0)
 358                 return c;
 359         if (c > 0)
 360                 interactive = true;
 361
 362         r = hashmap_ensure_allocated(registry, NULL);
 363         if (r < 0)
 364                 return r;
 365
 366         r = bus_message_new_polkit_auth_call(call, action, details, interactive, &pk);
 367         if (r < 0)
 368                 return r;
 369
 370         q = q_new = new(AsyncPolkitQuery, 1);
 371         if (!q)
 372                 return -ENOMEM;
 373
 374         *q = (AsyncPolkitQuery) {
 375                 .request = sd_bus_message_ref(call),
 376         };
 377
 378         q->action = strdup(action);
 379         if (!q->action)
 380                 return -ENOMEM;
 381
 382         q->details = strv_copy((char**) details);
 383         if (!q->details)
 384                 return -ENOMEM;
 385
 386         r = hashmap_put(*registry, call, q);
 387         if (r < 0)
 388                 return r;
 389
 390         q->registry = *registry;
 391
 392         r = sd_bus_call_async(call->bus, &q->slot, pk, async_polkit_callback, q, 0);
 393         if (r < 0)
 394                 return r;
 395
 396         TAKE_PTR(q_new);
 397
 398         return 0;
 399 #endif
 400
 401         return -EACCES;
 402 }
 403
 404 Hashmap *bus_verify_polkit_async_registry_free(Hashmap *registry) {
 405 #if ENABLE_POLKIT
 406         return hashmap_free_with_destructor(registry, async_polkit_query_free);
 407 #else
 408         assert(hashmap_isempty(registry));
 409         return hashmap_free(registry);
 410 #endif
 411 }