From: Zbigniew Jędrzejewski-Szmek Date: Mon, 7 Mar 2022 18:22:26 +0000 (+0100) Subject: core: manage SetShowStatus through polkit X-Git-Tag: v251-rc1~187 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4db62561c2a7c762f83e38f57ccc0a8ab6a662a8;p=thirdparty%2Fsystemd.git core: manage SetShowStatus through polkit When writing docs for SD_BUS_VTABLE_CAPABILITY, I noticed that we have one use of SD_BUS_VTABLE_CAPABILITY(CAP_SYS_ADMIN) in the tree. This is the default, so it's not very useful to specify it. But if we're touching that, I think it's better to use mac + polkit for this like for everything else. We don't have a very good category for this, but I don't think it makes sense to add a new one. I just reused the same as other similar calls. --- diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml index f6d6cf13848..5f1f586222c 100644 --- a/man/org.freedesktop.systemd1.xml +++ b/man/org.freedesktop.systemd1.xml @@ -149,7 +149,6 @@ node /org/freedesktop/systemd1 { CancelJob(in u id); ClearJobs(); ResetFailed(); - @org.freedesktop.systemd1.Privileged("true") SetShowStatus(in s mode); ListUnits(out a(ssssssouso) units); ListUnitsFiltered(in as states, diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c index 91ff68fb5c8..49982d00301 100644 --- a/src/core/dbus-manager.c +++ b/src/core/dbus-manager.c @@ -2710,6 +2710,16 @@ static int method_set_show_status(sd_bus_message *message, void *userdata, sd_bu assert(m); assert(message); + r = mac_selinux_access_check(message, "reload", error); + if (r < 0) + return r; + + r = bus_verify_set_environment_async(m, message, error); + if (r < 0) + return r; + if (r == 0) + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + r = sd_bus_message_read(message, "s", &t); if (r < 0) return r; 
@@ -3100,7 +3110,7 @@ const sd_bus_vtable bus_manager_vtable[] = { SD_BUS_PARAM(mode), NULL,, method_set_show_status, - SD_BUS_VTABLE_CAPABILITY(CAP_SYS_ADMIN)), + SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD_WITH_NAMES("ListUnits", NULL,, "a(ssssssouso)",
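Review bot: In man/org.freedesktop.systemd1.xml, removing the @org.freedesktop.systemd1.Privileged("true") annotation above SetShowStatus(in s mode) leaves the interface listing with no hint that the call is still access-controlled. The handler now goes through polkit, so the descriptive text of this man page should say that for SetShowStatus; otherwise a reader of the listing could take it for a method that any caller may invoke freely.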
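Review bot: In method_set_show_status() in src/core/dbus-manager.c, the new checks borrow the SELinux permission "reload" and bus_verify_set_environment_async(), neither of which names show-status, and no comment says the reuse is deliberate. The commit message explains it, but the code does not; a one-line comment above the two calls would keep a later reader from treating this as a copy-paste error, and would make it explicit that whoever passes the set-environment check can also change the show-status mode. The polkit check also runs before sd_bus_message_read(message, "s", &t), so a caller can be asked to authenticate for a message whose argument then fails to parse; consider reading the argument first.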
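Review bot: In bus_manager_vtable[], switching the SetShowStatus entry from SD_BUS_VTABLE_CAPABILITY(CAP_SYS_ADMIN) to SD_BUS_VTABLE_UNPRIVILEGED makes the checks added inside method_set_show_status() the only gate on this method, and that coupling is not visible at the vtable entry. A short comment here pointing at the in-handler checks would help, since a later change that returns early before them, or drops them, would leave the method open to every bus client. Because the effective requirement moves from holding CAP_SYS_ADMIN to whatever the polkit policy grants, the change also deserves a line in the release notes.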