From: Ludwig Nussel Date: Tue, 18 Jan 2022 13:47:41 +0000 (+0100) Subject: machined: provide more details to polkit auth X-Git-Tag: v251-rc1~506 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8dd3f6a3fdf1e3f45209d113052cca2efd1db5d5;p=thirdparty%2Fsystemd.git machined: provide more details to polkit auth --- diff --git a/src/machine/image-dbus.c b/src/machine/image-dbus.c index e6ffb52924c..6d145c76229 100644 --- a/src/machine/image-dbus.c +++ b/src/machine/image-dbus.c @@ -43,11 +43,17 @@ int bus_image_method_remove( if (m->n_operations >= OPERATIONS_MAX) return sd_bus_error_set(error, SD_BUS_ERROR_LIMITS_EXCEEDED, "Too many ongoing operations."); + const char *details[] = { + "image", image->name, + "verb", "remove", + NULL + }; + r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-images", - NULL, + details, false, UID_INVALID, &m->polkit_registry, @@ -108,11 +114,18 @@ int bus_image_method_rename( if (!image_name_is_valid(new_name)) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Image name '%s' is invalid.", new_name); + const char *details[] = { + "image", image->name, + "verb", "rename", + "new_name", new_name, + NULL + }; + r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-images", - NULL, + details, false, UID_INVALID, &m->polkit_registry, @@ -155,11 +168,18 @@ int bus_image_method_clone( if (!image_name_is_valid(new_name)) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Image name '%s' is invalid.", new_name); + const char *details[] = { + "image", image->name, + "verb", "clone", + "new_name", new_name, + NULL + }; + r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-images", - NULL, + details, false, UID_INVALID, &m->polkit_registry, @@ -207,7 +227,8 @@ int bus_image_method_mark_read_only( Image *image = userdata; Manager *m = image->userdata; - int r, read_only; + bool read_only; + int r; assert(message); @@ -215,11 +236,18 @@ int bus_image_method_mark_read_only( if (r < 0) return r; + const char *details[] = { + "image", image->name, + "verb", "mark_read_only", + "read_only", (read_only?"1":"0"), + NULL + }; + r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-images", - NULL, + details, false, UID_INVALID, &m->polkit_registry, @@ -254,11 +282,17 @@ int bus_image_method_set_limit( if (!FILE_SIZE_VALID_OR_INFINITY(limit)) return sd_bus_error_set(error, SD_BUS_ERROR_INVALID_ARGS, "New limit out of range"); + const char *details[] = { + "machine", image->name, + "verb", "set_limit", + NULL + }; + r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-images", - NULL, + details, false, UID_INVALID, &m->polkit_registry, diff --git a/src/machine/machine-dbus.c b/src/machine/machine-dbus.c index 8f11afd65bf..7baca67f1b4 100644 --- a/src/machine/machine-dbus.c +++ b/src/machine/machine-dbus.c @@ -73,11 +73,17 @@ int bus_machine_method_unregister(sd_bus_message *message, void *userdata, sd_bu assert(message); assert(m); + const char *details[] = { + "machine", m->name, + "verb", "unregister", + NULL + }; + r = bus_verify_polkit_async( message, CAP_KILL, "org.freedesktop.machine1.manage-machines", - NULL, + details, false, UID_INVALID, &m->manager->polkit_registry, @@ -101,11 +107,17 @@ int bus_machine_method_terminate(sd_bus_message *message, void *userdata, sd_bus assert(message); assert(m); + const char *details[] = { + "machine", m->name, + "verb", "terminate", + NULL + }; + r = bus_verify_polkit_async( message, CAP_KILL, "org.freedesktop.machine1.manage-machines", - NULL, + details, false, UID_INVALID, &m->manager->polkit_registry, @@ -147,11 +159,17 @@ int bus_machine_method_kill(sd_bus_message *message, void *userdata, sd_bus_erro if (!SIGNAL_VALID(signo)) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid signal %i", signo); + const char *details[] = { + "machine", m->name, + "verb", "kill", + NULL + }; + r = bus_verify_polkit_async( message, CAP_KILL, "org.freedesktop.machine1.manage-machines", - NULL, + details, false, UID_INVALID, &m->manager->polkit_registry, @@ -439,11 +457,16 @@ int bus_machine_method_open_pty(sd_bus_message *message, void *userdata, sd_bus_ assert(message); assert(m); + const char *details[] = { + "machine", m->name, + NULL + }; + r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-open-pty" : "org.freedesktop.machine1.open-pty", - NULL, + details, false, UID_INVALID, &m->manager->polkit_registry, @@ -526,11 +549,17 @@ int bus_machine_method_open_login(sd_bus_message *message, void *userdata, sd_bu assert(message); assert(m); + const char *details[] = { + "machine", m->name, + "verb", "login", + NULL + }; + r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-login" : "org.freedesktop.machine1.login", - NULL, + details, false, UID_INVALID, &m->manager->polkit_registry, @@ -835,11 +864,19 @@ int bus_machine_method_bind_mount(sd_bus_message *message, void *userdata, sd_bu else if (!path_is_absolute(dest) || !path_is_normalized(dest)) return sd_bus_error_set(error, SD_BUS_ERROR_INVALID_ARGS, "Destination path must be absolute and normalized."); + const char *details[] = { + "machine", m->name, + "verb", "bind", + "src", src, + "dest", dest, + NULL + }; + r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-machines", - NULL, + details, false, UID_INVALID, &m->manager->polkit_registry, @@ -899,11 +936,19 @@ int bus_machine_method_copy(sd_bus_message *message, void *userdata, sd_bus_erro else if (!path_is_absolute(dest)) return sd_bus_error_set(error, SD_BUS_ERROR_INVALID_ARGS, "Destination path must be absolute."); + const char *details[] = { + "machine", m->name, + "verb", "copy", + "src", src, + "dest", dest, + NULL + }; + r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-machines", - NULL, + details, false, UID_INVALID, &m->manager->polkit_registry, @@ -1013,11 +1058,17 @@ int bus_machine_method_open_root_directory(sd_bus_message *message, void *userda assert(message); assert(m); + const char *details[] = { + "machine", m->name, + "verb", "open_root_directory", + NULL + }; + r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-machines", - NULL, + details, false, UID_INVALID, &m->manager->polkit_registry, diff --git a/src/machine/machined-dbus.c b/src/machine/machined-dbus.c index 342b18a8df9..ee9ad992553 100644 --- a/src/machine/machined-dbus.c +++ b/src/machine/machined-dbus.c @@ -714,11 +714,17 @@ static int method_clean_pool(sd_bus_message *message, void *userdata, sd_bus_err else return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Unknown mode '%s'.", mm); + const char *details[] = { + "verb", "clean_pool", + "mode", mm, + NULL + }; + r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-machines", - NULL, + details, false, UID_INVALID, &m->polkit_registry, @@ -844,11 +850,16 @@ static int method_set_pool_limit(sd_bus_message *message, void *userdata, sd_bus if (!FILE_SIZE_VALID_OR_INFINITY(limit)) return sd_bus_error_set(error, SD_BUS_ERROR_INVALID_ARGS, "New limit out of range"); + const char *details[] = { + "verb", "set_pool_limit", + NULL + }; + r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, "org.freedesktop.machine1.manage-machines", - NULL, + details, false, UID_INVALID, &m->polkit_registry,