varlink: add common helper that refuse method calls from unpriv clients
authorLennart Poettering <lennart@poettering.net>
Wed, 26 Mar 2025 16:34:34 +0000 (12:34 -0400)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Wed, 2 Apr 2025 19:07:08 +0000 (04:07 +0900)
src/libsystemd/sd-varlink/varlink-util.c
src/libsystemd/sd-varlink/varlink-util.h
src/login/logind-varlink.c
src/nsresourced/nsresourcework.c

index 899b8ea929fa09a61fd59b22f90cfc29cbddd60c..18adf93a59f4b06dfd395f2306e08f96ed45d5cb 100644 (file)
@@ -181,3 +181,19 @@ int varlink_server_new(
         *ret = TAKE_PTR(s);
         return 0;
 }
+
+int varlink_check_privileged_peer(sd_varlink *vl) {
+        int r;
+
+        assert(vl);
+
+        uid_t uid;
+        r = sd_varlink_get_peer_uid(vl, &uid);
+        if (r < 0)
+                return log_debug_errno(r, "Failed to get peer UID: %m");
+
+        if (uid != 0)
+                return sd_varlink_error(vl, SD_VARLINK_ERROR_PERMISSION_DENIED, /* parameters= */ NULL);
+
+        return 0;
+}
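Review bot: varlink_check_privileged_peer() has no comment stating its return contract, yet both converted call sites (vl_method_create_session() in logind-varlink.c and vl_method_add_mount_to_user_namespace() in nsresourcework.c) treat only `r < 0` as "denied". That is fail-closed only if sd_varlink_error() returns a negative errno after queuing the reply, which is not visible in this hunk. A non-negative return would let an unprivileged caller fall through to the privileged path. I would add above the function: `/* Returns 0 if the peer's UID is 0. Otherwise sends PermissionDenied to the peer and returns a negative errno; callers must stop on r < 0. */`. The comment could also say that "privileged" here means strictly peer UID 0, with no capability or polkit check, so later callers do not assume more.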
index 124b16263e8f20109a46732d0b86a768266692a0..449b96276703ef694ea253eab6cfeb3725f2667c 100644 (file)
@@ -26,3 +26,5 @@ int varlink_server_new(
                 sd_varlink_server **ret,
                 sd_varlink_server_flags_t flags,
                 void *userdata);
+
+int varlink_check_privileged_peer(sd_varlink *vl);
index 23262fb9a5b3c282a82d7508c446aac64e36ae77..83f0c55531cc6c98944a9937eb63e091babedb53 100644 (file)
@@ -241,12 +241,9 @@ static int vl_method_create_session(sd_varlink *link, sd_json_variant *parameter
                 p.remote = p.remote_user || p.remote_host;
 
         /* Before we continue processing this, let's ensure the peer is privileged */
-        uid_t peer_uid;
-        r = sd_varlink_get_peer_uid(link, &peer_uid);
+        r = varlink_check_privileged_peer(link);
         if (r < 0)
-                return log_debug_errno(r, "Failed to get peer UID: %m");
-        if (peer_uid != 0)
-                return sd_varlink_error(link, SD_VARLINK_ERROR_PERMISSION_DENIED, /* parameters= */ NULL);
+                return r;
 
         if (!pidref_is_set(&p.pid)) {
                 r = varlink_get_peer_pidref(link, &p.pid);
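Review bot: The privilege check in vl_method_create_session() still runs after `p.remote` has been derived from the request, so an unprivileged caller's parameters appear to be parsed before the caller is rejected. In nsresourcework.c the same helper is called before `sd_varlink_dispatch()`. Since `varlink_check_privileged_peer(link)` needs nothing from the parsed parameters, it could move to the top of the method, right after the asserts, so no client-supplied data is processed for a peer that will be refused. The function begins and ends outside this hunk, so confirm that nothing above the check is required by it.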
index 671afc69977a8eb7907f6ea2030d4b2bdd4b48a8..0e23ebeec7f2f6ab4e62e3695c88a183caf0e8ee 100644 (file)
@@ -1197,7 +1197,6 @@ static int vl_method_add_mount_to_user_namespace(sd_varlink *link, sd_json_varia
         };
         int r, mnt_id = 0;
         struct stat userns_st;
-        uid_t peer_uid;
 
         assert(link);
         assert(parameters);
@@ -1207,11 +1206,9 @@ static int vl_method_add_mount_to_user_namespace(sd_varlink *link, sd_json_varia
                 return r;
 
         /* Allowlisting arbitrary mounts is a privileged operation */
-        r = sd_varlink_get_peer_uid(link, &peer_uid);
+        r = varlink_check_privileged_peer(link);
         if (r < 0)
                 return r;
-        if (peer_uid != 0)
-                return sd_varlink_error(link, SD_VARLINK_ERROR_PERMISSION_DENIED, NULL);
 
         r = sd_varlink_dispatch(link, parameters, parameter_dispatch_table, &p);
         if (r != 0)