machined: beef up PolicyKit actions
authorLennart Poettering <lennart@poettering.net>
Mon, 24 Aug 2015 19:27:37 +0000 (21:27 +0200)
committerLennart Poettering <lennart@poettering.net>
Mon, 24 Aug 2015 20:46:45 +0000 (22:46 +0200)
Introduce separate actions for creating login or shell sessions for
the local host or a local container. By default allow local unprivileged
clients to create new login sessions (which is safe, since getty will
ask for username and authentication).

Also, imply login privs from shell privs, as well as shell and login
privs from manage privs.

src/machine/machine-dbus.c
src/machine/org.freedesktop.machine1.policy.in

index b89bb2cba17b49e25a13f86ee874c7fbe924bf30..af2b8eff063b79b04190c8a19d3be7121963304c 100644 (file)
@@ -486,7 +486,7 @@ int bus_machine_method_open_pty(sd_bus_message *message, void *userdata, sd_bus_
         r = bus_verify_polkit_async(
                         message,
                         CAP_SYS_ADMIN,
-                        "org.freedesktop.machine1.open-pty",
+                        m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-open-pty" : "org.freedesktop.machine1.open-pty",
                         false,
                         UID_INVALID,
                         &m->manager->polkit_registry,
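Review bot: The action id passed to bus_verify_polkit_async() is chosen by an inline `m->class == MACHINE_HOST ? … : …` here and again in the open_login and open_shell hunks, and nothing tells the reader why the host is singled out or that the strings must match the policy file. A mistyped id at any of the three sites would make the authorization check refer to an action other than the one the policy file defines, so I would add a short comment above each call, e.g. `/* The host is authorized under its own polkit action so its defaults can differ from containers; the id must match org.freedesktop.machine1.policy.in */`. Every class other than MACHINE_HOST falls through to the container action. Whether other classes can reach this call is decided outside the hunk, since the function body starts and ends outside it.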
@@ -575,7 +575,7 @@ int bus_machine_method_open_login(sd_bus_message *message, void *userdata, sd_bu
         r = bus_verify_polkit_async(
                         message,
                         CAP_SYS_ADMIN,
-                        "org.freedesktop.machine1.login",
+                        m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-login" : "org.freedesktop.machine1.login",
                         false,
                         UID_INVALID,
                         &m->manager->polkit_registry,
@@ -676,7 +676,7 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu
         r = bus_verify_polkit_async(
                         message,
                         CAP_SYS_ADMIN,
-                        "org.freedesktop.machine1.shell",
+                        m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-shell" : "org.freedesktop.machine1.shell",
                         false,
                         UID_INVALID,
                         &m->manager->polkit_registry,
index f1557806d18a29333670092a188ae2fd4cf19d04..6e35c5c04545e9459356b49571ed9a1440db317a 100644 (file)
                 </defaults>
         </action>
 
+        <action id="org.freedesktop.machine1.host-login">
+                <_description>Log into the local host</_description>
+                <_message>Authentication is required to log into the local host.</_message>
+                <defaults>
+                        <allow_any>auth_admin</allow_any>
+                        <allow_inactive>auth_admin</allow_inactive>
+                        <allow_active>yes</allow_active>
+                </defaults>
+        </action>
+
+        <action id="org.freedesktop.machine1.shell">
+                <_description>Acquire a shell in a local container</_description>
+                <_message>Authentication is required to acquire a shell in a local container.</_message>
+                <defaults>
+                        <allow_any>auth_admin</allow_any>
+                        <allow_inactive>auth_admin</allow_inactive>
+                        <allow_active>auth_admin_keep</allow_active>
+                </defaults>
+                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.login</annotate>
+        </action>
+
+        <action id="org.freedesktop.machine1.host-shell">
+                <_description>Acquire a shell on the local host</_description>
+                <_message>Authentication is required to acquire a shell on the local host.</_message>
+                <defaults>
+                        <allow_any>auth_admin</allow_any>
+                        <allow_inactive>auth_admin</allow_inactive>
+                        <allow_active>auth_admin_keep</allow_active>
+                </defaults>
+                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.host-login</annotate>
+        </action>
+
         <action id="org.freedesktop.machine1.open-pty">
                 <_description>Acquire a pseudo TTY in a local container</_description>
                 <_message>Authentication is acquire a pseudo TTY in a local container.</_message>
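Review bot: The `org.freedesktop.policykit.imply` annotations added to the `shell` and `host-shell` actions name `org.freedesktop.login1.login` and `org.freedesktop.login1.host-login`, but every action defined in this file lives under `org.freedesktop.machine1.`; the annotation added in the last hunk of this file (`org.freedesktop.login1.shell org.freedesktop.login1.login`) has the same prefix. Unless actions with those ids are defined elsewhere, the implication never applies, so holding the shell privilege would not grant login as the commit message intends. That fails on the restrictive side, but the policy then does not do what it appears to say. The targets should presumably read `org.freedesktop.machine1.login` and `org.freedesktop.machine1.host-login` here, and `org.freedesktop.machine1.shell org.freedesktop.machine1.login` in the last hunk. The `@@` header of this hunk is not shown on the page.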
@@ -36,9 +68,9 @@
                 </defaults>
         </action>
 
-        <action id="org.freedesktop.machine1.shell">
-                <_description>Acquire a shell in a local container</_description>
-                <_message>Authentication is required to acquire a shell in a local container.</_message>
+        <action id="org.freedesktop.machine1.host-open-pty">
+                <_description>Acquire a pseudo TTY on the local host</_description>
+                <_message>Authentication is acquire a pseudo TTY on the local host.</_message>
                 <defaults>
                         <allow_any>auth_admin</allow_any>
                         <allow_inactive>auth_admin</allow_inactive>
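Review bot: The `_message` of the added `host-open-pty` action reads "Authentication is acquire a pseudo TTY on the local host.", which drops the words "required to". This is the text shown to the user when polkit asks for authentication, so it should read `<_message>Authentication is required to acquire a pseudo TTY on the local host.</_message>`. The existing `open-pty` message, visible as a context line at the end of the previous hunk, has the same slip and could be fixed in the same change. The `<defaults>` element of this action continues past the end of the hunk, so its `allow_active` value is not visible here.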
@@ -54,6 +86,7 @@
                         <allow_inactive>auth_admin</allow_inactive>
                         <allow_active>auth_admin_keep</allow_active>
                 </defaults>
+                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.shell org.freedesktop.login1.login</annotate>
         </action>
 
         <action id="org.freedesktop.machine1.manage-images">