From: Lennart Poettering
Date: Thu, 12 Jun 2025 09:48:37 +0000 (+0200)
Subject: vmspawn: spawn polkit during registration phase
X-Git-Tag: v258-rc1~79^2~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3cfa7826d281d27a7aba3fe4c08bdcf54ddfb89b;p=thirdparty%2Fsystemd.git

vmspawn: spawn polkit during registration phase

Just like in nspawn, there's a chance we need to PK authenticate the registration, hence let's spawn off the agent for that during that phase, and terminate it once we don't need it anymore.
---
diff --git a/src/vmspawn/vmspawn.c b/src/vmspawn/vmspawn.c
index bf16056b15f..94453356b66 100644
--- a/src/vmspawn/vmspawn.c
+++ b/src/vmspawn/vmspawn.c
@@ -52,6 +52,7 @@
 #include "path-lookup.h"
 #include "path-util.h"
 #include "pidref.h"
+#include "polkit-agent.h"
 #include "pretty-print.h"
 #include "process-util.h"
 #include "ptyfwd.h"
@@ -1546,6 +1547,8 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
 const char *accel, *shm;
 int r;

+ polkit_agent_open();
+
 if (arg_privileged)
 r = sd_bus_default_system(&bus);
 else
@@ -2378,6 +2381,11 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
 return r;
 }

+ /* All operations that might need Polkit authorizations (i.e. machine registration, netif
+ * acquisition, …) are complete now, get rid of the agent again, so that we retain exclusive control
+ * of the TTY from now on. */
+ polkit_agent_close();
+
 _cleanup_(sd_event_source_unrefp) sd_event_source *notify_event_source = NULL;
 _cleanup_(sd_event_unrefp) sd_event *event = NULL;
 r = sd_event_new(&event);
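Review bot: The result of `polkit_agent_open()` at the top of `run_virtual_machine()` is dropped with no marker, so a failure to start the agent would only show up later as an authorization error from whichever call needed Polkit. If ignoring it is deliberate, write `(void) polkit_agent_open();` with a short comment that the agent is best-effort; otherwise log the failure at debug level. The call is also unconditional, while the commit message says only that there is "a chance" authentication is needed, so consider gating it on the conditions that actually lead to registration or netif acquisition (those are not visible in this hunk). The function body continues outside the hunk.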
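Review bot: `polkit_agent_close()` is reached only on the fall-through path; the `return r;` directly above it, and any other early return between the open near line 1550 and this point, leave the agent running and attached to the TTY unless a caller cleans up. That cleanup is not visible on this page, so either confirm it exists or make the close unconditional for the phase, for example through a single exit label that every error path in the registration phase passes through. The open/close pair also brackets roughly 800 lines of the function, so a comment at the open such as `/* Agent stays up until registration and netif acquisition are done, see polkit_agent_close() below */` would help readers keep the pairing intact. The function starts and ends outside the hunk.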