From: Lennart Poettering Date: Fri, 23 May 2025 12:09:55 +0000 (+0200) Subject: machined: open up machine registration for unpriv clients also via D-Bus X-Git-Tag: v258-rc1~359 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=790f5162174cc9813f67a01f5b8a0f960f5386f8;p=thirdparty%2Fsystemd.git machined: open up machine registration for unpriv clients also via D-Bus This is already opened up via Varlink. Let's also open it up via D-Bus with the same polkit operation. --- diff --git a/man/org.freedesktop.machine1.xml b/man/org.freedesktop.machine1.xml index e2ec4a11475..35b2d64cc85 100644 --- a/man/org.freedesktop.machine1.xml +++ b/man/org.freedesktop.machine1.xml @@ -46,7 +46,6 @@ node /org/freedesktop/machine1 { out o machine); ListMachines(out a(ssso) machines); ListImages(out a(ssbttto) images); - @org.freedesktop.systemd1.Privileged("true") CreateMachine(in s name, in ay id, in s service, @@ -55,7 +54,6 @@ node /org/freedesktop/machine1 { in s root_directory, in a(sv) scope_properties, out o path); - @org.freedesktop.systemd1.Privileged("true") CreateMachineWithNetwork(in s name, in ay id, in s service, @@ -65,7 +63,6 @@ node /org/freedesktop/machine1 { in ai ifindices, in a(sv) scope_properties, out o path); - @org.freedesktop.systemd1.Privileged("true") RegisterMachine(in s name, in ay id, in s service, @@ -73,7 +70,6 @@ node /org/freedesktop/machine1 { in u leader, in s root_directory, out o path); - @org.freedesktop.systemd1.Privileged("true") RegisterMachineWithNetwork(in s name, in ay id, in s service, diff --git a/src/machine/machined-dbus.c b/src/machine/machined-dbus.c index d64959dab71..b13546df095 100644 --- a/src/machine/machined-dbus.c +++ b/src/machine/machined-dbus.c 
@@ -300,6 +300,23 @@ static int method_create_or_register_machine( if (hashmap_get(manager->machines, name)) return sd_bus_error_setf(error, BUS_ERROR_MACHINE_EXISTS, "Machine '%s' already exists", name); + const char *details[] = { + "name", name, + "class", machine_class_to_string(c), + NULL + }; + + r = bus_verify_polkit_async( + message, + "org.freedesktop.machine1.create-machine", + details, + &manager->polkit_registry, + error); + if (r < 0) + return r; + if (r == 0) + return 0; /* Will call us back */ + r = manager_add_machine(manager, name, &m); if (r < 0) return r; @@ -353,6 +370,8 @@ static int method_create_machine_internal(sd_bus_message *message, bool read_net r = method_create_or_register_machine(manager, message, read_network, &m, error); if (r < 0) return r; + if (r == 0) + return 1; /* Will call us back */ r = sd_bus_message_enter_container(message, 'a', "(sv)"); if (r < 0) @@ -389,6 +408,8 @@ static int method_register_machine_internal(sd_bus_message *message, bool read_n r = method_create_or_register_machine(manager, message, read_network, &m, error); if (r < 0) return r; + if (r == 0) + return 1; /* Will call us back */ r = cg_pidref_get_unit(&m->leader, &m->unit); if (r < 0) { 
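Review bot: The new `bus_verify_polkit_async()` call authorizes on `name` and `class` only, so once these methods are reachable by unprivileged callers nothing in this hunk ties the sender to the process it names as leader — `m->leader` is handed on to `cg_pidref_get_unit()` in `method_register_machine_internal` regardless of who owns that process. If the leader is taken from the caller-supplied `u leader` argument earlier in `method_create_or_register_machine()` (the function starts outside the hunk), consider rejecting a non-zero leader whose owning UID differs from the sender's unless the sender is privileged, and adding the leader PID to `details` so a polkit rule can be written against it. The `hashmap_get()` existence check still runs before authorization; that only exposes information the man page hunk shows is already reachable through `ListMachines` (no Privileged annotation), but a one-line comment such as `/* Name collision is reported before the polkit check: names are already enumerable via ListMachines() */` would make that deliberate. The `r == 0` → `return 1` handling is mirrored consistently in both `method_create_machine_internal` and `method_register_machine_internal`.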
@@ -901,19 +922,23 @@ const sd_bus_vtable manager_vtable[] = { SD_BUS_METHOD_WITH_ARGS("CreateMachine", SD_BUS_ARGS("s", name, "ay", id, "s", service, "s", class, "u", leader, "s", root_directory, "a(sv)", scope_properties), SD_BUS_RESULT("o", path), - method_create_machine, 0), + method_create_machine, + SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD_WITH_ARGS("CreateMachineWithNetwork", SD_BUS_ARGS("s", name, "ay", id, "s", service, "s", class, "u", leader, "s", root_directory, "ai", ifindices, "a(sv)", scope_properties), SD_BUS_RESULT("o", path), - method_create_machine_with_network, 0), + method_create_machine_with_network, + SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD_WITH_ARGS("RegisterMachine", SD_BUS_ARGS("s", name, "ay", id, "s", service, "s", class, "u", leader, "s", root_directory), SD_BUS_RESULT("o", path), - method_register_machine, 0), + method_register_machine, + SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD_WITH_ARGS("RegisterMachineWithNetwork", SD_BUS_ARGS("s", name, "ay", id, "s", service, "s", class, "u", leader, "s", root_directory, "ai", ifindices), SD_BUS_RESULT("o", path), - method_register_machine_with_network, 0), + method_register_machine_with_network, + SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD_WITH_ARGS("UnregisterMachine", SD_BUS_ARGS("s", name), SD_BUS_NO_RESULT, diff --git a/src/machine/org.freedesktop.machine1.conf b/src/machine/org.freedesktop.machine1.conf index c0b329fcc3b..50772946929 100644 --- a/src/machine/org.freedesktop.machine1.conf +++ b/src/machine/org.freedesktop.machine1.conf @@ -36,6 +36,8 @@ send_interface="org.freedesktop.DBus.Properties" send_member="GetAll"/> + + @@ -180,6 +182,24 @@ send_interface="org.freedesktop.machine1.Manager" send_member="MapToMachineGroup"/> + + + + + + + + + +
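Review bot: The four vtable entries switched to `SD_BUS_VTABLE_UNPRIVILEGED` carry no hint that authorization now happens elsewhere, so a reader of this table alone sees methods that accept a `leader` PID and `scope_properties` opened to any bus client. A comment above the `CreateMachine` entry would close that gap: `/* Unprivileged on the bus: all four create/register methods funnel through method_create_or_register_machine(), which gates them on the org.freedesktop.machine1.create-machine polkit action. */`. Whether the D-Bus policy in org.freedesktop.machine1.conf also permits these members for non-root senders cannot be read from this rendering, since the added XML elements were stripped; it is worth confirming that `send_member` allows for all four methods are present there, as the vtable flag alone is not sufficient.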