bus-polkit: shortcut auth. after first denial

A D-Bus/Varlink method can issue PolicyKit auth. requests for multiple
actions; in this case the method is expected to fail on the first one
that is not allowed. This is enforced by asserts in
async_polkit_read_reply(), but that's a wrong place for the check for
two reasons:

1. it doesn't allow to get a meaningful stack trace;
2. sending the query to polkit is already a pointless exercise.

Let's do the check in *_verify_polkit_async_full() and don't send
anything to PolicyKit in that case.

Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=2349594 .

diff --git a/src/shared/bus-polkit.c b/src/shared/bus-polkit.c
index 03870df2b4a994e481754648363d554d4dfbc026..df3f28c29258884109ded5f7b4fa55340e6ddc84 100644 (file)
--- a/src/shared/bus-polkit.c
+++ b/src/shared/bus-polkit.c
@@ -438,6 +438,10 @@ static int async_polkit_query_check_action(
         if (q->absent_action)
                 return FLAGS_SET(flags, POLKIT_DEFAULT_ALLOW) ? 1 /* Allow! */ : -EACCES /* Deny! */;
 
+        /* Also deny if we've got an auth. failure for a previous action */
+        if (q->denied_action || q->error_action)
+                return -EALREADY;
+
         return 0; /* no reply yet */
 }
 #endif