<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
</action>
+ <action id="org.freedesktop.resolve1.subscribe-query-results">
+ <description gettext-domain="systemd">Subscribe query results</description>
+ <message gettext-domain="systemd">Authentication is required to subscribe query results.</message>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
+ </action>
+
+ <action id="org.freedesktop.resolve1.dump-cache">
+ <description gettext-domain="systemd">Dump cache</description>
+ <message gettext-domain="systemd">Authentication is required to dump cache.</message>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
+ </action>
+
+ <action id="org.freedesktop.resolve1.dump-server-state">
+ <description gettext-domain="systemd">Dump server state</description>
+ <message gettext-domain="systemd">Authentication is required to dump server state.</message>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
+ </action>
+
+ <action id="org.freedesktop.resolve1.dump-statistics">
+ <description gettext-domain="systemd">Dump statistics</description>
+ <message gettext-domain="systemd">Authentication is required to dump statistics.</message>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
+ </action>
+
+ <action id="org.freedesktop.resolve1.reset-statistics">
+ <description gettext-domain="systemd">Reset statistics</description>
+ <message gettext-domain="systemd">Authentication is required to reset statistics.</message>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
+ </action>
+
</policyconfig>
_cleanup_(sd_varlink_unrefp) sd_varlink *vl = NULL;
int r;
+ (void) polkit_agent_open_if_enabled(BUS_TRANSPORT_LOCAL, arg_ask_password);
+
r = sd_varlink_connect_address(&vl, "/run/systemd/resolve/io.systemd.Resolve.Monitor");
if (r < 0)
return log_error_errno(r, "Failed to connect to query monitoring service /run/systemd/resolve/io.systemd.Resolve.Monitor: %m");
- r = varlink_call_and_log(vl, "io.systemd.Resolve.Monitor.DumpStatistics", /* parameters= */ NULL, &reply);
+ r = varlink_callbo_and_log(
+ vl,
+ "io.systemd.Resolve.Monitor.DumpStatistics",
+ &reply,
+ SD_JSON_BUILD_PAIR_BOOLEAN("allowInteractiveAuthentication", arg_ask_password));
if (r < 0)
return r;
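Review bot: The DumpStatistics call now always sends `allowInteractiveAuthentication`, while the server code removed by this same commit rejected any parameter (`sd_json_variant_elements(parameters) > 0` returned an invalid-parameter error). A new resolvectl talking to a systemd-resolved that has not been restarted yet would therefore fail, and the same holds for the ResetStatistics, SubscribeQueryResults, DumpCache and DumpServerState callers below. If that upgrade window matters, a comment at the call site would help, for example `/* Older systemd-resolved rejects all parameters on this method; restart the service after upgrading */`. The result of polkit_agent_open_if_enabled() is discarded with `(void)`; if running without an agent is intended, a short comment saying so would make that explicit. The enclosing function starts and ends outside the hunk.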
_cleanup_(sd_varlink_unrefp) sd_varlink *vl = NULL;
int r;
+ (void) polkit_agent_open_if_enabled(BUS_TRANSPORT_LOCAL, arg_ask_password);
+
r = sd_varlink_connect_address(&vl, "/run/systemd/resolve/io.systemd.Resolve.Monitor");
if (r < 0)
return log_error_errno(r, "Failed to connect to query monitoring service /run/systemd/resolve/io.systemd.Resolve.Monitor: %m");
- r = varlink_call_and_log(vl, "io.systemd.Resolve.Monitor.ResetStatistics", /* parameters= */ NULL, &reply);
+ r = varlink_callbo_and_log(
+ vl,
+ "io.systemd.Resolve.Monitor.ResetStatistics",
+ &reply,
+ SD_JSON_BUILD_PAIR_BOOLEAN("allowInteractiveAuthentication", arg_ask_password));
if (r < 0)
return r;
_cleanup_(sd_varlink_unrefp) sd_varlink *vl = NULL;
int r, c;
+ (void) polkit_agent_open_if_enabled(BUS_TRANSPORT_LOCAL, arg_ask_password);
+
r = sd_event_default(&event);
if (r < 0)
return log_error_errno(r, "Failed to get event loop: %m");
if (r < 0)
return log_error_errno(r, "Failed to bind reply callback to varlink connection: %m");
- r = sd_varlink_observe(vl, "io.systemd.Resolve.Monitor.SubscribeQueryResults", NULL);
+ r = sd_varlink_observebo(
+ vl,
+ "io.systemd.Resolve.Monitor.SubscribeQueryResults",
+ SD_JSON_BUILD_PAIR_BOOLEAN("allowInteractiveAuthentication", arg_ask_password));
if (r < 0)
return log_error_errno(r, "Failed to issue SubscribeQueryResults() varlink call: %m");
_cleanup_(sd_varlink_unrefp) sd_varlink *vl = NULL;
int r;
+ (void) polkit_agent_open_if_enabled(BUS_TRANSPORT_LOCAL, arg_ask_password);
+
r = sd_varlink_connect_address(&vl, "/run/systemd/resolve/io.systemd.Resolve.Monitor");
if (r < 0)
return log_error_errno(r, "Failed to connect to query monitoring service /run/systemd/resolve/io.systemd.Resolve.Monitor: %m");
- r = varlink_call_and_log(vl, "io.systemd.Resolve.Monitor.DumpCache", /* parameters= */ NULL, &reply);
+ r = varlink_callbo_and_log(
+ vl,
+ "io.systemd.Resolve.Monitor.DumpCache",
+ &reply,
+ SD_JSON_BUILD_PAIR_BOOLEAN("allowInteractiveAuthentication", arg_ask_password));
if (r < 0)
return r;
_cleanup_(sd_varlink_unrefp) sd_varlink *vl = NULL;
int r;
+ (void) polkit_agent_open_if_enabled(BUS_TRANSPORT_LOCAL, arg_ask_password);
+
r = sd_varlink_connect_address(&vl, "/run/systemd/resolve/io.systemd.Resolve.Monitor");
if (r < 0)
return log_error_errno(r, "Failed to connect to query monitoring service /run/systemd/resolve/io.systemd.Resolve.Monitor: %m");
- r = varlink_call_and_log(vl, "io.systemd.Resolve.Monitor.DumpServerState", /* parameters= */ NULL, &reply);
+ r = varlink_callbo_and_log(
+ vl,
+ "io.systemd.Resolve.Monitor.DumpServerState",
+ &reply,
+ SD_JSON_BUILD_PAIR_BOOLEAN("allowInteractiveAuthentication", arg_ask_password));
if (r < 0)
return r;
/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#include "bus-polkit.h"
#include "glyph-util.h"
#include "in-addr-util.h"
#include "json-util.h"
return 1;
}
+static int verify_polkit(sd_varlink *link, sd_json_variant *parameters, const char *action) {
+ static const sd_json_dispatch_field dispatch_table[] = {
+ VARLINK_DISPATCH_POLKIT_FIELD,
+ {}
+ };
+
+ int r;
+ Manager *m = ASSERT_PTR(sd_varlink_server_get_userdata(sd_varlink_get_server(ASSERT_PTR(link))));
+
+ assert(action);
+
+ r = sd_varlink_dispatch(link, parameters, dispatch_table, /* userdata = */ NULL);
+ if (r != 0)
+ return r;
+
+ return varlink_verify_polkit_async(
+ link,
+ m->bus,
+ action,
+ /* details= */ NULL,
+ &m->polkit_registry);
+}
+
static int vl_method_subscribe_query_results(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
Manager *m;
int r;
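Review bot: verify_polkit() has no comment stating its return contract, yet every caller depends on it: they stop on `r <= 0` and treat any positive value as authorized. The early exit `if (r != 0) return r;` after sd_varlink_dispatch() passes a positive dispatch result straight through, which a caller would read as authorization. Whether sd_varlink_dispatch() can return a positive value is not visible here, so that should be confirmed, and if it can, mapped with `if (r > 0) return 0;`. I would add above the function `/* Returns < 0 on error, 0 if the polkit decision is still pending, > 0 if the caller is authorized */`, with the wording checked against varlink_verify_polkit_async(). The dispatch table holds only VARLINK_DISPATCH_POLKIT_FIELD, so it presumably also takes over the parameter validation that the removed `sd_json_variant_elements(parameters) > 0` checks did in the handlers.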
if (!FLAGS_SET(flags, SD_VARLINK_METHOD_MORE))
return sd_varlink_error(link, SD_VARLINK_ERROR_EXPECTED_MORE, NULL);
- if (sd_json_variant_elements(parameters) > 0)
- return sd_varlink_error_invalid_parameter(link, parameters);
+ r = verify_polkit(link, parameters, "org.freedesktop.resolve1.subscribe-query-results");
+ if (r <= 0)
+ return r;
/* Send a ready message to the connecting client, to indicate that we are now listinening, and all
* queries issued after the point the client sees this will also be reported to the client. */
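Review bot: The polkit check in vl_method_subscribe_query_results() runs once, when the subscription is opened, and nothing in this hunk re-checks it for the replies that follow. The policy uses `auth_admin_keep`, so the cached grant can lapse while the stream stays open, and per the comment below the call the subscriber keeps receiving all queries issued from then on. That is presumably acceptable, but it should be written down next to the verify_polkit() call, for example `/* Authorization is checked once per subscription; the stream is not re-authorized afterwards */`. The function body continues outside the hunk.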
assert(link);
- if (sd_json_variant_elements(parameters) > 0)
- return sd_varlink_error_invalid_parameter(link, parameters);
+ r = verify_polkit(link, parameters, "org.freedesktop.resolve1.dump-cache");
+ if (r <= 0)
+ return r;
m = ASSERT_PTR(sd_varlink_server_get_userdata(sd_varlink_get_server(link)));
assert(link);
- if (sd_json_variant_elements(parameters) > 0)
- return sd_varlink_error_invalid_parameter(link, parameters);
+ r = verify_polkit(link, parameters, "org.freedesktop.resolve1.dump-server-state");
+ if (r <= 0)
+ return r;
m = ASSERT_PTR(sd_varlink_server_get_userdata(sd_varlink_get_server(link)));
assert(link);
- if (sd_json_variant_elements(parameters) > 0)
- return sd_varlink_error_invalid_parameter(link, parameters);
+ r = verify_polkit(link, parameters, "org.freedesktop.resolve1.dump-statistics");
+ if (r <= 0)
+ return r;
m = ASSERT_PTR(sd_varlink_server_get_userdata(sd_varlink_get_server(link)));
static int vl_method_reset_statistics(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
Manager *m;
+ int r;
assert(link);
- if (sd_json_variant_elements(parameters) > 0)
- return sd_varlink_error_invalid_parameter(link, parameters);
+ r = verify_polkit(link, parameters, "org.freedesktop.resolve1.reset-statistics");
+ if (r <= 0)
+ return r;
m = ASSERT_PTR(sd_varlink_server_get_userdata(sd_varlink_get_server(link)));
if (m->varlink_monitor_server)
return 0;
- r = sd_varlink_server_new(&server, SD_VARLINK_SERVER_ROOT_ONLY);
+ r = sd_varlink_server_new(&server, SD_VARLINK_SERVER_ACCOUNT_UID);
if (r < 0)
return log_error_errno(r, "Failed to allocate varlink server object: %m");
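Review bot: Dropping SD_VARLINK_SERVER_ROOT_ONLY here, together with the 0600 to 0666 change on the sd_varlink_server_listen_address() call further down, leaves polkit as the only access control on io.systemd.Resolve.Monitor, since any local user can now connect. The five handlers touched in this commit all call verify_polkit() first, but nothing at the server setup says this is mandatory, so a method added later without the call would be reachable unprivileged. I would add above sd_varlink_server_new() `/* World-accessible socket: every method bound to this server must call verify_polkit() before doing any work */`. It is also worth confirming that SD_VARLINK_SERVER_ACCOUNT_UID bounds how many connections one UID can hold open while a polkit query is pending. The enclosing function starts and ends outside the hunk.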
if (r < 0)
return log_error_errno(r, "Failed to register varlink disconnect handler: %m");
- r = sd_varlink_server_listen_address(server, "/run/systemd/resolve/io.systemd.Resolve.Monitor", 0600);
+ r = sd_varlink_server_listen_address(server, "/run/systemd/resolve/io.systemd.Resolve.Monitor", 0666);
if (r < 0)
return log_error_errno(r, "Failed to bind to varlink socket: %m");
static SD_VARLINK_DEFINE_METHOD(
SubscribeQueryResults,
+ SD_VARLINK_DEFINE_INPUT(allowInteractiveAuthentication, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
/* First reply */
SD_VARLINK_DEFINE_OUTPUT(ready, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
/* Subsequent replies */
static SD_VARLINK_DEFINE_METHOD(
DumpCache,
+ SD_VARLINK_DEFINE_INPUT(allowInteractiveAuthentication, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
SD_VARLINK_DEFINE_OUTPUT_BY_TYPE(dump, ScopeCache, SD_VARLINK_ARRAY));
static SD_VARLINK_DEFINE_STRUCT_TYPE(
static SD_VARLINK_DEFINE_METHOD(
DumpServerState,
+ SD_VARLINK_DEFINE_INPUT(allowInteractiveAuthentication, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
SD_VARLINK_DEFINE_OUTPUT_BY_TYPE(dump, ServerState, SD_VARLINK_ARRAY));
static SD_VARLINK_DEFINE_STRUCT_TYPE(
static SD_VARLINK_DEFINE_METHOD(
DumpStatistics,
+ SD_VARLINK_DEFINE_INPUT(allowInteractiveAuthentication, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
SD_VARLINK_DEFINE_OUTPUT_BY_TYPE(transactions, TransactionStatistics, 0),
SD_VARLINK_DEFINE_OUTPUT_BY_TYPE(cache, CacheStatistics, 0),
SD_VARLINK_DEFINE_OUTPUT_BY_TYPE(dnssec, DnssecStatistics, 0));
-static SD_VARLINK_DEFINE_METHOD(ResetStatistics);
+static SD_VARLINK_DEFINE_METHOD(
+ ResetStatistics,
+ SD_VARLINK_DEFINE_INPUT(allowInteractiveAuthentication, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE));
SD_VARLINK_DEFINE_INTERFACE(
io_systemd_Resolve_Monitor,