From: TristanInSec Date: Mon, 18 May 2026 17:30:51 +0000 (-0400) Subject: resolved: add missing polkit checks on FlushCaches and ResetServerFeatures D-Bus... X-Git-Tag: v261-rc1~107 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa76d81122a1db488c7116cf44d949f07b8fb198;p=thirdparty%2Fsystemd.git resolved: add missing polkit checks on FlushCaches and ResetServerFeatures D-Bus methods The FlushCaches and ResetServerFeatures D-Bus methods perform destructive operations (flushing all DNS caches and resetting server feature negotiation including DNS-over-TLS state) without any authorization check. The corresponding Varlink methods already enforce polkit via verify_polkit(), but the D-Bus handlers were not updated. Add bus_verify_polkit_async() calls to both methods, matching the pattern used by ResetStatistics. Add the corresponding policy actions to the polkit policy file. --- diff --git a/src/resolve/org.freedesktop.resolve1.policy b/src/resolve/org.freedesktop.resolve1.policy index 097e78e73ca..6fa243856c7 100644 --- a/src/resolve/org.freedesktop.resolve1.policy +++ b/src/resolve/org.freedesktop.resolve1.policy @@ -205,4 +205,26 @@ unix-user:systemd-resolve + + Flush DNS caches + Authentication is required to flush DNS caches. + + auth_admin + auth_admin + auth_admin_keep + + unix-user:systemd-resolve + + + + Reset server features + Authentication is required to reset server features. + + auth_admin + auth_admin + auth_admin_keep + + unix-user:systemd-resolve + + diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c index e20c975de8b..e04caa7898c 100644 --- a/src/resolve/resolved-bus.c +++ b/src/resolve/resolved-bus.c @@ -1842,9 +1842,21 @@ static int bus_method_get_link(sd_bus_message *message, void *userdata, sd_bus_e static int bus_method_flush_caches(sd_bus_message *message, void *userdata, sd_bus_error *error) { Manager *m = ASSERT_PTR(userdata); + int r; assert(message); + r = bus_verify_polkit_async( + message, + "org.freedesktop.resolve1.flush-caches", + /* details= */ NULL, + &m->polkit_registry, + error); + if (r < 0) + return r; + if (r == 0) + return 1; /* Polkit will call us back */ + bus_client_log(message, "cache flush"); manager_flush_caches(m, LOG_INFO); @@ -1854,9 +1866,21 @@ static int bus_method_flush_caches(sd_bus_message *message, void *userdata, sd_b static int bus_method_reset_server_features(sd_bus_message *message, void *userdata, sd_bus_error *error) { Manager *m = ASSERT_PTR(userdata); + int r; assert(message); + r = bus_verify_polkit_async( + message, + "org.freedesktop.resolve1.reset-server-features", + /* details= */ NULL, + &m->polkit_registry, + error); + if (r < 0) + return r; + if (r == 0) + return 1; /* Polkit will call us back */ + bus_client_log(message, "server feature reset"); (void) dns_stream_disconnect_all(m);