From: Adrian Vovk Date: Mon, 19 Jan 2026 23:15:53 +0000 (-0500) Subject: login1: Add "inhibited" state to Can* methods X-Git-Tag: v260-rc1~34^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=46075fc92b5e53168e7e5de79f5192fecb012e0a;p=thirdparty%2Fsystemd.git login1: Add "inhibited" state to Can* methods Desktops cannot currently tell the difference between a power action being set to challenge permanently (i.e. because the sysadmin wanted to restrict the given user) and a power action being set to challenge because it's temporarily inhibited. Thus, a desktop might take an action that is valid in the first case but not the second case. For instance: GNOME hides all of its automatic suspend settings from the UI whenever a sleep inhibitor is active. This now returns a new state: "inhibited". It communicates to the desktop that the action is available normally, but at the moment the desktop isn't allowed to perform the action due to an inhibitor. Related: https://github.com/systemd/systemd/issues/37311 --- diff --git a/man/org.freedesktop.login1.xml b/man/org.freedesktop.login1.xml index 464fdab108d..bc952538593 100644 --- a/man/org.freedesktop.login1.xml +++ b/man/org.freedesktop.login1.xml @@ -711,12 +711,19 @@ node /org/freedesktop/login1 { CanRebootParameter(), CanRebootToFirmwareSetup(), CanRebootToBootLoaderMenu(), and CanRebootToBootLoaderEntry() test whether the system supports the respective operation and whether the calling user is allowed to - execute it. Returns one of na, yes, no, and - challenge. If na is returned, the operation is not available because - hardware, kernel, or drivers do not support it. If yes is returned, the operation is - supported and the user may execute the operation without further authentication. If no - is returned, the operation is available but the user is not allowed to execute the operation. If - challenge is returned, the operation is available but only after authorization. + execute it. Returns one of na, yes, no, + challenge, and inhibited. If na is returned, + the operation is not available because hardware, kernel, or drivers do not support it. If yes + is returned, the operation is supported and the user may execute the operation without further authentication. + If no is returned, the operation is available but the user is not allowed to execute + the operation. If challenge is returned, the operation is available but only after + authorization. If inhibited is returned, the operation is normally available without + authorization but is currently inhibited. The operation is available only if inhibitors are ignored and + after authorization. If inhibitor-blocked is returned, the operation is normally + available without authorization but is currently inhibited. While the inhibitor remains active, the user + is not allowed to execute the operation. challenge-inhibitor-blocked is similar: + the operation is normally available after authorization but a held inhibitor disallows the user from + executing the operation. ScheduleShutdown() schedules a shutdown operation type at time usec in microseconds since the UNIX epoch. Alternatively, if diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c index 87cc4f14bc8..7f7d9e70d2b 100644 --- a/src/login/logind-dbus.c +++ b/src/login/logind-dbus.c @@ -2927,7 +2927,6 @@ static int method_can_shutdown_or_sleep( _cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL; bool multiple_sessions, challenge, blocked, check_unit_state = true; const HandleActionData *a; - const char *result = NULL; uid_t uid; int r; @@ -2984,12 +2983,27 @@ static int method_can_shutdown_or_sleep( if (r < 0) return r; - if (!streq(load_state, "loaded")) { - result = "no"; - goto finish; - } + if (!streq(load_state, "loaded")) + return sd_bus_reply_method_return(message, "s", "no"); } + const char *result; + r = bus_test_polkit( + message, + a->polkit_action, + /* details= */ NULL, + /* good_user= */ UID_INVALID, + &challenge, + error); + if (r < 0) + return r; + if (r > 0) + result = "yes"; + else if (challenge) + result = "challenge"; + else + result = "no"; + if (multiple_sessions) { r = bus_test_polkit( message, @@ -3001,12 +3015,13 @@ static int method_can_shutdown_or_sleep( if (r < 0) return r; - if (r > 0) - result = "yes"; - else if (challenge) - result = "challenge"; - else - result = "no"; + if (r == 0) { + if (challenge) { + if (streq(result, "yes")) /* Avoid upgrading no -> challenge */ + result = "challenge"; + } else + result = "no"; + } } if (blocked) { @@ -3020,39 +3035,21 @@ static int method_can_shutdown_or_sleep( if (r < 0) return r; - if (r > 0) { - if (!result) - result = "yes"; - } else if (challenge) { - if (!result || streq(result, "yes")) - result = "challenge"; - } else - result = "no"; - } - - if (!multiple_sessions && !blocked) { - /* If neither inhibit nor multiple sessions - * apply then just check the normal policy */ - - r = bus_test_polkit( - message, - a->polkit_action, - /* details= */ NULL, - /* good_user= */ UID_INVALID, - &challenge, - error); - if (r < 0) - return r; - - if (r > 0) - result = "yes"; - else if (challenge) - result = "challenge"; - else - result = "no"; + if (r == 0) { + if (challenge) { + if (streq(result, "yes")) + result = "inhibited"; + /* If result is already "challenge" or "no", the held inhibitor has no effect */ + } else { + if (streq(result, "yes")) + result = "inhibitor-blocked"; + else if (streq(result, "challenge")) + result = "challenge-inhibitor-blocked"; + /* If the result is already "no", the held inhibitor has no effect */ + } + } } - finish: return sd_bus_reply_method_return(message, "s", result); }