#include "sd-id128.h"
#include "sd-json.h"
+#include "bus-polkit.h"
#include "hostname-util.h"
#include "json-util.h"
#include "machine-varlink.h"
{ "vSockCid", SD_JSON_VARIANT_UNSIGNED, machine_cid, offsetof(Machine, vsock_cid), 0 },
{ "sshAddress", SD_JSON_VARIANT_STRING, sd_json_dispatch_string, offsetof(Machine, ssh_address), SD_JSON_STRICT },
{ "sshPrivateKeyPath", SD_JSON_VARIANT_STRING, json_dispatch_path, offsetof(Machine, ssh_private_key_path), 0 },
+ VARLINK_DISPATCH_POLKIT_FIELD,
{}
};
if (r != 0)
return r;
+ r = varlink_verify_polkit_async(
+ link,
+ manager->bus,
+ "org.freedesktop.machine1.create-machine",
+ (const char**) STRV_MAKE("name", machine->name,
+ "class", machine_class_to_string(machine->class)),
+ &manager->polkit_registry);
+ if (r <= 0)
+ return r;
+
if (!pidref_is_set(&machine->leader)) {
r = varlink_get_peer_pidref(link, &machine->leader);
if (r < 0)
if (m->varlink_machine_server)
return 0;
- r = varlink_server_new(&s, VARLINK_SERVER_ROOT_ONLY|VARLINK_SERVER_INHERIT_USERDATA);
+ r = varlink_server_new(&s, VARLINK_SERVER_ACCOUNT_UID|VARLINK_SERVER_INHERIT_USERDATA);
if (r < 0)
return log_error_errno(r, "Failed to allocate varlink server object: %m");
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.shell org.freedesktop.login1.login</annotate>
</action>
+ <action id="org.freedesktop.machine1.create-machine">
+ <description gettext-domain="systemd">Create a local virtual machine or container</description>
+ <message gettext-domain="systemd">Authentication is required to create a local virtual machine or container.</message>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.shell org.freedesktop.login1.login</annotate>
+ </action>
+
<action id="org.freedesktop.machine1.manage-images">
<description gettext-domain="systemd">Manage local virtual machine and container images</description>
<message gettext-domain="systemd">Authentication is required to manage local virtual machine and container images.</message>
VARLINK_DEFINE_INPUT(ifIndices, VARLINK_INT, VARLINK_ARRAY|VARLINK_NULLABLE),
VARLINK_DEFINE_INPUT(vSockCid, VARLINK_INT, VARLINK_NULLABLE),
VARLINK_DEFINE_INPUT(sshAddress, VARLINK_STRING, VARLINK_NULLABLE),
- VARLINK_DEFINE_INPUT(sshPrivateKeyPath, VARLINK_STRING, VARLINK_NULLABLE));
+ VARLINK_DEFINE_INPUT(sshPrivateKeyPath, VARLINK_STRING, VARLINK_NULLABLE),
+ VARLINK_FIELD_COMMENT("Whether to allow interactive authentication on this operation."),
+ VARLINK_DEFINE_INPUT(allowInteractiveAuthentication, VARLINK_BOOL, VARLINK_NULLABLE));
static VARLINK_DEFINE_ERROR(MachineExists);
SD_JSON_BUILD_PAIR_CONDITION(VSOCK_CID_IS_REGULAR(cid), "vSockCid", SD_JSON_BUILD_UNSIGNED(cid)),
SD_JSON_BUILD_PAIR_CONDITION(!!directory, "rootDirectory", SD_JSON_BUILD_STRING(directory)),
SD_JSON_BUILD_PAIR_CONDITION(!!address, "sshAddress", SD_JSON_BUILD_STRING(address)),
- SD_JSON_BUILD_PAIR_CONDITION(!!key_path, "sshPrivateKeyPath", SD_JSON_BUILD_STRING(key_path)));
+ SD_JSON_BUILD_PAIR_CONDITION(!!key_path, "sshPrivateKeyPath", SD_JSON_BUILD_STRING(key_path)),
+ SD_JSON_BUILD_PAIR_CONDITION(isatty(STDIN_FILENO), "allowInteractiveAuthentication", SD_JSON_BUILD_BOOLEAN(true)));
}
int unregister_machine(sd_bus *bus, const char *machine_name) {
if (!strv_isempty(arg_initrds) && !arg_linux)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Option --initrd= cannot be used without --linux=.");
- if (arg_register && !arg_privileged)
- return log_error_errno(SYNTHETIC_ERRNO(EPERM), "--register= requires root privileges, refusing.");
-
return 0;
}
projects / thirdparty / systemd.git / commitdiff
