polkit: map POLKIT_ALWAYS_QUERY to new polkit flag

polkitd by default just waves through requests from a root process.
A new POLKIT_CHECK_AUTHORIZATION_FLAGS_ALWAYS_CHECK flag was added
to main (will be part of v125 when it ships) that forces it to go
through the policy checks for root too. Previous versions will just
ignore it.

Change the flags handling slightly so that we pass this or the
interactive flags through, as the values match what polkit expects.

diff --git a/src/shared/bus-polkit.c b/src/shared/bus-polkit.c
index ed884c3001851b0c9c16a1283a7f02a66718ab84..03870df2b4a994e481754648363d554d4dfbc026 100644 (file)
--- a/src/shared/bus-polkit.c
+++ b/src/shared/bus-polkit.c
@@ -56,7 +56,7 @@ static int bus_message_new_polkit_auth_call_for_bus(
                 sd_bus_message *m,
                 const char *action,
                 const char **details,
-                bool interactive,
+                PolkitFlags flags,
                 sd_bus_message **ret) {
 
         _cleanup_(sd_bus_message_unrefp) sd_bus_message *c = NULL;
@@ -89,7 +89,7 @@ static int bus_message_new_polkit_auth_call_for_bus(
         if (r < 0)
                 return r;
 
-        r = sd_bus_message_append(c, "us", interactive, NULL);
+        r = sd_bus_message_append(c, "us", (uint32_t) (flags & _POLKIT_MASK_PUBLIC), NULL);
         if (r < 0)
                 return r;
 
@@ -569,16 +569,14 @@ int bus_verify_polkit_async_full(
         }
 
 #if ENABLE_POLKIT
-        bool interactive = FLAGS_SET(flags, POLKIT_ALLOW_INTERACTIVE);
-
         int c = sd_bus_message_get_allow_interactive_authorization(call);
         if (c < 0)
                 return c;
         if (c > 0)
-                interactive = true;
+                flags |= POLKIT_ALLOW_INTERACTIVE;
 
         _cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL;
-        r = bus_message_new_polkit_auth_call_for_bus(call, action, details, interactive, &pk);
+        r = bus_message_new_polkit_auth_call_for_bus(call, action, details, flags, &pk);
         if (r < 0)
                 return r;
 
@@ -663,7 +661,7 @@ static int bus_message_new_polkit_auth_call_for_varlink(
                 sd_varlink *link,
                 const char *action,
                 const char **details,
-                bool interactive,
+                PolkitFlags flags,
                 sd_bus_message **ret) {
 
         _cleanup_(sd_bus_message_unrefp) sd_bus_message *c = NULL;
@@ -710,7 +708,7 @@ static int bus_message_new_polkit_auth_call_for_varlink(
         if (r < 0)
                 return r;
 
-        r = sd_bus_message_append(c, "us", interactive, NULL);
+        r = sd_bus_message_append(c, "us", (uint32_t) (flags & _POLKIT_MASK_PUBLIC), NULL);
         if (r < 0)
                 return r;
 
@@ -814,12 +812,11 @@ int varlink_verify_polkit_async_full(
                 bus = mybus;
         }
 
-        bool interactive =
-                FLAGS_SET(flags, POLKIT_ALLOW_INTERACTIVE) ||
-                varlink_allow_interactive_authentication(link);
+        if (varlink_allow_interactive_authentication(link))
+                flags |= POLKIT_ALLOW_INTERACTIVE;
 
         _cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL;
-        r = bus_message_new_polkit_auth_call_for_varlink(bus, link, action, details, interactive, &pk);
+        r = bus_message_new_polkit_auth_call_for_varlink(bus, link, action, details, flags, &pk);
         if (r < 0)
                 return r;
 

diff --git a/src/shared/bus-polkit.h b/src/shared/bus-polkit.h
index 3ee9a41d39882b1289b1c60c7aa4f4a3cf262eca..64340dc338fb352339fb762c47a085acf6012def 100644 (file)
--- a/src/shared/bus-polkit.h
+++ b/src/shared/bus-polkit.h
@@ -12,6 +12,7 @@ typedef enum PolkitFLags {
         POLKIT_ALWAYS_QUERY      = 1 << 1, /* Query polkit even if client is privileged */
         POLKIT_DEFAULT_ALLOW     = 1 << 2, /* If polkit is not around, assume "allow" rather than the usual "deny" */
         POLKIT_DONT_REPLY        = 1 << 3, /* Varlink: don't immediately propagate polkit error to the Varlink client */
+        _POLKIT_MASK_PUBLIC      = POLKIT_ALLOW_INTERACTIVE | POLKIT_ALWAYS_QUERY, /* polkit accepts these flags verbatim */
 } PolkitFlags;
 
 int bus_test_polkit(sd_bus_message *call, const char *action, const char **details, uid_t good_user, bool *_challenge, sd_bus_error *e);