]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/shared/bus-polkit.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #28355 from yuwata/unit-skip-battery-check-by-kernel-command-line
[thirdparty/systemd.git] / src / shared / bus-polkit.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include "bus-internal.h"
4 #include "bus-message.h"
5 #include "bus-polkit.h"
6 #include "bus-util.h"
7 #include "strv.h"
8 #include "user-util.h"
9
10 static int check_good_user(sd_bus_message *m, uid_t good_user) {
11 _cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
12 uid_t sender_uid;
13 int r;
14
15 assert(m);
16
17 if (good_user == UID_INVALID)
18 return 0;
19
20 r = sd_bus_query_sender_creds(m, SD_BUS_CREDS_EUID, &creds);
21 if (r < 0)
22 return r;
23
24 /* Don't trust augmented credentials for authorization */
25 assert_return((sd_bus_creds_get_augmented_mask(creds) & SD_BUS_CREDS_EUID) == 0, -EPERM);
26
27 r = sd_bus_creds_get_euid(creds, &sender_uid);
28 if (r < 0)
29 return r;
30
31 return sender_uid == good_user;
32 }
33
34 #if ENABLE_POLKIT
35 static int bus_message_append_strv_key_value(sd_bus_message *m, const char **l) {
36 int r;
37
38 assert(m);
39
40 r = sd_bus_message_open_container(m, 'a', "{ss}");
41 if (r < 0)
42 return r;
43
44 STRV_FOREACH_PAIR(k, v, l) {
45 r = sd_bus_message_append(m, "{ss}", *k, *v);
46 if (r < 0)
47 return r;
48 }
49
50 r = sd_bus_message_close_container(m);
51 if (r < 0)
52 return r;
53
54 return r;
55 }
56
57 static int bus_message_new_polkit_auth_call(
58 sd_bus_message *m,
59 const char *action,
60 const char **details,
61 bool interactive,
62 sd_bus_message **ret) {
63
64 _cleanup_(sd_bus_message_unrefp) sd_bus_message *c = NULL;
65 const char *sender;
66 int r;
67
68 assert(m);
69 assert(action);
70 assert(ret);
71
72 sender = sd_bus_message_get_sender(m);
73 if (!sender)
74 return -EBADMSG;
75
76 r = sd_bus_message_new_method_call(
77 ASSERT_PTR(m->bus),
78 &c,
79 "org.freedesktop.PolicyKit1",
80 "/org/freedesktop/PolicyKit1/Authority",
81 "org.freedesktop.PolicyKit1.Authority",
82 "CheckAuthorization");
83 if (r < 0)
84 return r;
85
86 r = sd_bus_message_append(c, "(sa{sv})s", "system-bus-name", 1, "name", "s", sender, action);
87 if (r < 0)
88 return r;
89
90 r = bus_message_append_strv_key_value(c, details);
91 if (r < 0)
92 return r;
93
94 r = sd_bus_message_append(c, "us", interactive, NULL);
95 if (r < 0)
96 return r;
97
98 *ret = TAKE_PTR(c);
99 return 0;
100 }
101 #endif
102
103 int bus_test_polkit(
104 sd_bus_message *call,
105 int capability,
106 const char *action,
107 const char **details,
108 uid_t good_user,
109 bool *_challenge,
110 sd_bus_error *ret_error) {
111
112 int r;
113
114 assert(call);
115 assert(action);
116
117 /* Tests non-interactively! */
118
119 r = check_good_user(call, good_user);
120 if (r != 0)
121 return r;
122
123 r = sd_bus_query_sender_privilege(call, capability);
124 if (r < 0)
125 return r;
126 if (r > 0)
127 return 1;
128
129 #if ENABLE_POLKIT
130 _cleanup_(sd_bus_message_unrefp) sd_bus_message *request = NULL, *reply = NULL;
131 int authorized = false, challenge = false;
132
133 r = bus_message_new_polkit_auth_call(call, action, details, /* interactive = */ false, &request);
134 if (r < 0)
135 return r;
136
137 r = sd_bus_call(call->bus, request, 0, ret_error, &reply);
138 if (r < 0) {
139 /* Treat no PK available as access denied */
140 if (bus_error_is_unknown_service(ret_error)) {
141 sd_bus_error_free(ret_error);
142 return -EACCES;
143 }
144
145 return r;
146 }
147
148 r = sd_bus_message_enter_container(reply, 'r', "bba{ss}");
149 if (r < 0)
150 return r;
151
152 r = sd_bus_message_read(reply, "bb", &authorized, &challenge);
153 if (r < 0)
154 return r;
155
156 if (authorized)
157 return 1;
158
159 if (_challenge) {
160 *_challenge = challenge;
161 return 0;
162 }
163 #endif
164
165 return -EACCES;
166 }
167
168 #if ENABLE_POLKIT
169
170 typedef struct AsyncPolkitQueryAction {
171 char *action;
172 char **details;
173
174 LIST_FIELDS(struct AsyncPolkitQueryAction, authorized);
175 } AsyncPolkitQueryAction;
176
177 static AsyncPolkitQueryAction *async_polkit_query_action_free(AsyncPolkitQueryAction *a) {
178 if (!a)
179 return NULL;
180
181 free(a->action);
182 strv_free(a->details);
183
184 return mfree(a);
185 }
186
187 DEFINE_TRIVIAL_CLEANUP_FUNC(AsyncPolkitQueryAction*, async_polkit_query_action_free);
188
189 typedef struct AsyncPolkitQuery {
190 unsigned n_ref;
191
192 AsyncPolkitQueryAction *action;
193
194 sd_bus_message *request;
195 sd_bus_slot *slot;
196
197 Hashmap *registry;
198 sd_event_source *defer_event_source;
199
200 LIST_HEAD(AsyncPolkitQueryAction, authorized_actions);
201 AsyncPolkitQueryAction *denied_action;
202 AsyncPolkitQueryAction *error_action;
203 sd_bus_error error;
204 } AsyncPolkitQuery;
205
206 static AsyncPolkitQuery *async_polkit_query_free(AsyncPolkitQuery *q) {
207 AsyncPolkitQueryAction *a;
208
209 if (!q)
210 return NULL;
211
212 sd_bus_slot_unref(q->slot);
213
214 if (q->registry && q->request)
215 hashmap_remove(q->registry, q->request);
216
217 sd_bus_message_unref(q->request);
218
219 async_polkit_query_action_free(q->action);
220
221 sd_event_source_disable_unref(q->defer_event_source);
222
223 while ((a = q->authorized_actions)) {
224 LIST_REMOVE(authorized, q->authorized_actions, a);
225 async_polkit_query_action_free(a);
226 }
227
228 async_polkit_query_action_free(q->denied_action);
229 async_polkit_query_action_free(q->error_action);
230
231 sd_bus_error_free(&q->error);
232
233 return mfree(q);
234 }
235
236 DEFINE_PRIVATE_TRIVIAL_REF_UNREF_FUNC(AsyncPolkitQuery, async_polkit_query, async_polkit_query_free);
237 DEFINE_TRIVIAL_CLEANUP_FUNC(AsyncPolkitQuery*, async_polkit_query_unref);
238
239 static int async_polkit_defer(sd_event_source *s, void *userdata) {
240 AsyncPolkitQuery *q = ASSERT_PTR(userdata);
241
242 assert(s);
243
244 /* This is called as idle event source after we processed the async polkit reply, hopefully after the
245 * method call we re-enqueued has been properly processed. */
246
247 async_polkit_query_unref(q);
248 return 0;
249 }
250
251 static int async_polkit_read_reply(sd_bus_message *reply, AsyncPolkitQuery *q) {
252 _cleanup_(async_polkit_query_action_freep) AsyncPolkitQueryAction *a = NULL;
253 int authorized, challenge, r;
254
255 assert(reply);
256 assert(q);
257
258 assert(q->action);
259 a = TAKE_PTR(q->action);
260
261 if (sd_bus_message_is_method_error(reply, NULL)) {
262 const sd_bus_error *e;
263
264 e = sd_bus_message_get_error(reply);
265
266 /* Save error from polkit reply, so it can be returned when the same authorization is
267 * attempted for second time */
268 if (!bus_error_is_unknown_service(e)) {
269 q->error_action = TAKE_PTR(a);
270 return sd_bus_error_copy(&q->error, e);
271 }
272
273 /* Treat no PK available as access denied */
274 q->denied_action = TAKE_PTR(a);
275
276 return 0;
277 }
278
279 r = sd_bus_message_enter_container(reply, 'r', "bba{ss}");
280 if (r >= 0)
281 r = sd_bus_message_read(reply, "bb", &authorized, &challenge);
282 if (r < 0)
283 return r;
284
285 /* It's currently expected that processing of a DBus message shall be interrupted on the first
286 * auth. error */
287 assert(!q->denied_action);
288 assert(!q->error_action);
289 assert(!sd_bus_error_is_set(&q->error));
290
291 if (authorized)
292 LIST_PREPEND(authorized, q->authorized_actions, TAKE_PTR(a));
293 else if (challenge) {
294 q->error_action = TAKE_PTR(a);
295 return sd_bus_error_set(&q->error, SD_BUS_ERROR_INTERACTIVE_AUTHORIZATION_REQUIRED, "Interactive authentication required.");
296 } else
297 q->denied_action = TAKE_PTR(a);
298
299 return 0;
300 }
301
302 static int async_polkit_process_reply(sd_bus_message *reply, AsyncPolkitQuery *q) {
303 int r;
304
305 assert(reply);
306 assert(q);
307
308 assert(q->slot);
309 q->slot = sd_bus_slot_unref(q->slot);
310
311 r = async_polkit_read_reply(reply, q);
312 if (r < 0)
313 return r;
314
315 /* Now, let's dispatch the original message a second time be re-enqueing. This will then traverse the
316 * whole message processing again, and thus re-validating and re-retrieving the "userdata" field
317 * again.
318 *
319 * We install an idle event loop event to clean-up the PolicyKit request data when we are idle again,
320 * i.e. after the second time the message is processed is complete. */
321
322 if (!q->defer_event_source) {
323 r = sd_event_add_defer(
324 sd_bus_get_event(sd_bus_message_get_bus(reply)),
325 &q->defer_event_source,
326 async_polkit_defer,
327 q);
328 if (r < 0)
329 return r;
330
331 r = sd_event_source_set_priority(q->defer_event_source, SD_EVENT_PRIORITY_IDLE);
332 if (r < 0)
333 return r;
334 }
335
336 r = sd_event_source_set_enabled(q->defer_event_source, SD_EVENT_ONESHOT);
337 if (r < 0)
338 return r;
339
340 r = sd_bus_message_rewind(q->request, true);
341 if (r < 0)
342 return r;
343
344 r = sd_bus_enqueue_for_read(sd_bus_message_get_bus(q->request), q->request);
345 if (r < 0)
346 return r;
347
348 return 1;
349 }
350
351 static int async_polkit_callback(sd_bus_message *reply, void *userdata, sd_bus_error *error) {
352 AsyncPolkitQuery *q = ASSERT_PTR(userdata);
353 int r;
354
355 assert(reply);
356
357 r = async_polkit_process_reply(reply, q);
358 if (r < 0) {
359 log_debug_errno(r, "Processing asynchronous PolicyKit reply failed, ignoring: %m");
360 (void) sd_bus_reply_method_errno(q->request, r, NULL);
361 async_polkit_query_unref(q);
362 }
363 return r;
364 }
365
366 _pure_ static int async_polkit_query_check_action(
367 AsyncPolkitQuery *q,
368 const char *action,
369 const char **details,
370 sd_bus_error *ret_error) {
371
372 assert(q);
373 assert(action);
374 assert(ret_error);
375
376 LIST_FOREACH(authorized, a, q->authorized_actions)
377 if (streq(a->action, action) && strv_equal(a->details, (char**) details))
378 return 1;
379
380 if (q->error_action && streq(q->error_action->action, action))
381 return sd_bus_error_copy(ret_error, &q->error);
382
383 if (q->denied_action && streq(q->denied_action->action, action))
384 return -EACCES;
385
386 return 0;
387 }
388
389 #endif
390
391 /* bus_verify_polkit_async() handles verification of D-Bus calls with polkit. Because the polkit API
392 * is asynchronous, the whole thing is a bit complex and requires some support in the code that uses
393 * it. It relies on sd-bus's support for interrupting the processing of a message.
394 *
395 * Requirements:
396 *
397 * * bus_verify_polkit_async() must be called before any changes to internal state.
398 * * If bus_verify_polkit_async() has made a new polkit query (signaled by return value 0),
399 * processing of the message should be interrupted. This is done by returning 1--which sd-bus
400 * handles specially--and is usually accompanied by a comment. (The message will be queued for
401 * processing again later when a reply from polkit is received.)
402 * * The code needs to keep a hashmap, here called registry, in which bus_verify_polkit_async()
403 * stores active queries. This hashmap's lifetime must be larger than the method handler's;
404 * e.g., it can be a member of some "manager" object or a global variable.
405 *
406 * Return value:
407 *
408 * * 0 - a new polkit call has been made, which means the processing of the message should be
409 * interrupted;
410 * * 1 - the action has been allowed;
411 * * -EACCES - the action has been denied;
412 * * < 0 - an unspecified error.
413 *
414 * A step-by-step description of how it works:
415 *
416 * 1. A D-Bus method handler calls bus_verify_polkit_async(), passing it the D-Bus message being
417 * processed and the polkit action to verify.
418 * 2. bus_verify_polkit_async() checks the registry for an existing query object associated with the
419 * message. Let's assume this is the first call, so it finds nothing.
420 * 3. A new AsyncPolkitQuery object is created and an async. D-Bus call to polkit is made. The
421 * function then returns 0. The method handler returns 1 to tell sd-bus that the processing of
422 * the message has been interrupted.
423 * 4. (Later) A reply from polkit is received and async_polkit_callback() is called.
424 * 5. async_polkit_callback() reads the reply and stores its result in the passed query.
425 * 6. async_polkit_callback() enqueues the original message again.
426 * 7. (Later) The same D-Bus method handler is called for the same message. It calls
427 * bus_verify_polkit_async() again.
428 * 8. bus_verify_polkit_async() checks the registry for an existing query object associated with the
429 * message. It finds one and returns the result for the action.
430 * 9. The method handler continues processing of the message. If there's another action that needs
431 * to be verified:
432 * 10. bus_verify_polkit_async() is called again for the new action. The registry already contains a
433 * query for the message, but the new action hasn't been seen yet, hence steps 4-8 are repeated.
434 * 11. (In the method handler again.) bus_verify_polkit_async() returns query results for both
435 * actions and the processing continues as in step 9.
436 *
437 * Memory handling:
438 *
439 * async_polkit_callback() registers a deferred call of async_polkit_defer() for the query, which
440 * causes the query to be removed from the registry and freed. Deferred events are run with idle
441 * priority, so this will happen after processing of the D-Bus message, when the query is no longer
442 * needed.
443 *
444 * Schematically:
445 *
446 * (m - D-Bus message, a - polkit action, q - polkit query)
447 *
448 * -> foo_method(m)
449 * -> bus_verify_polkit_async(m, a)
450 * -> async_polkit_query_ref(q)
451 * -> bus_call_method_async(q)
452 * <- bus_verify_polkit_async(m, a) = 0
453 * <- foo_method(m) = 1
454 * ...
455 * -> async_polkit_callback(q)
456 * -> sd_event_add_defer(async_polkit_defer, q)
457 * -> sd_bus_enqueue_for_read(m)
458 * <- async_polkit_callback(q)
459 * ...
460 * -> foo_method(m)
461 * -> bus_verify_polkit_async(m, a)
462 * <- bus_verify_polkit_async(m, a) = 1/-EACCES/error
463 * ...
464 * // possibly another call to bus_verify_polkit_async with action a2
465 * <- foo_method(m)
466 * ...
467 * -> async_polkit_defer(q)
468 * -> async_polkit_query_unref(q)
469 * <- async_polkit_defer(q)
470 */
471
472 int bus_verify_polkit_async(
473 sd_bus_message *call,
474 int capability,
475 const char *action,
476 const char **details,
477 bool interactive,
478 uid_t good_user,
479 Hashmap **registry,
480 sd_bus_error *ret_error) {
481
482 int r;
483
484 assert(call);
485 assert(action);
486 assert(registry);
487
488 r = check_good_user(call, good_user);
489 if (r != 0)
490 return r;
491
492 #if ENABLE_POLKIT
493 _cleanup_(async_polkit_query_unrefp) AsyncPolkitQuery *q = NULL;
494
495 q = async_polkit_query_ref(hashmap_get(*registry, call));
496 /* This is a repeated invocation of this function, hence let's check if we've already got
497 * a response from polkit for this action */
498 if (q) {
499 r = async_polkit_query_check_action(q, action, details, ret_error);
500 if (r != 0)
501 return r;
502 }
503 #endif
504
505 r = sd_bus_query_sender_privilege(call, capability);
506 if (r < 0)
507 return r;
508 if (r > 0)
509 return 1;
510
511 #if ENABLE_POLKIT
512 _cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL;
513
514 int c = sd_bus_message_get_allow_interactive_authorization(call);
515 if (c < 0)
516 return c;
517 if (c > 0)
518 interactive = true;
519
520 r = hashmap_ensure_allocated(registry, NULL);
521 if (r < 0)
522 return r;
523
524 r = bus_message_new_polkit_auth_call(call, action, details, interactive, &pk);
525 if (r < 0)
526 return r;
527
528 if (!q) {
529 q = new(AsyncPolkitQuery, 1);
530 if (!q)
531 return -ENOMEM;
532
533 *q = (AsyncPolkitQuery) {
534 .n_ref = 1,
535 .request = sd_bus_message_ref(call),
536 };
537 }
538
539 assert(!q->action);
540 q->action = new(AsyncPolkitQueryAction, 1);
541 if (!q->action)
542 return -ENOMEM;
543
544 *q->action = (AsyncPolkitQueryAction) {
545 .action = strdup(action),
546 .details = strv_copy((char**) details),
547 };
548 if (!q->action->action || !q->action->details)
549 return -ENOMEM;
550
551 if (!q->registry) {
552 r = hashmap_put(*registry, call, q);
553 if (r < 0)
554 return r;
555
556 q->registry = *registry;
557 }
558
559 r = sd_bus_call_async(call->bus, &q->slot, pk, async_polkit_callback, q, 0);
560 if (r < 0)
561 return r;
562
563 TAKE_PTR(q);
564
565 return 0;
566 #endif
567
568 return -EACCES;
569 }
570
571 Hashmap *bus_verify_polkit_async_registry_free(Hashmap *registry) {
572 #if ENABLE_POLKIT
573 return hashmap_free_with_destructor(registry, async_polkit_query_unref);
574 #else
575 assert(hashmap_isempty(registry));
576 return hashmap_free(registry);
577 #endif
578 }
Unnamed repository; edit this file 'description' to name the repository.