From: David Tardon <dtardon@redhat.com>
Date: Fri, 7 Mar 2025 15:22:00 +0000 (+0100)
Subject: bus-polkit: shortcut auth. after first denial
X-Git-Tag: v258-rc1~1115
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=536c18e5c3;p=thirdparty%2Fsystemd.git

bus-polkit: shortcut auth. after first denial

A D-Bus/Varlink method can issue PolicyKit auth. requests for multiple
actions; in this case the method is expected to fail on the first one
that is not allowed. This is enforced by asserts in
async_polkit_read_reply(), but that's a wrong place for the check for
two reasons:

1. it doesn't allow to get a meaningful stack trace;
2. sending the query to polkit is already a pointless exercise.

Let's do the check in *_verify_polkit_async_full() and don't send
anything to PolicyKit in that case.

Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=2349594 .
---

diff --git a/src/shared/bus-polkit.c b/src/shared/bus-polkit.c
index 03870df2b4a..df3f28c2925 100644
--- a/src/shared/bus-polkit.c
+++ b/src/shared/bus-polkit.c
@@ -438,6 +438,10 @@ static int async_polkit_query_check_action(
         if (q->absent_action)
                 return FLAGS_SET(flags, POLKIT_DEFAULT_ALLOW) ? 1 /* Allow! */ : -EACCES /* Deny! */;
 
+        /* Also deny if we've got an auth. failure for a previous action */
+        if (q->denied_action || q->error_action)
+                return -EALREADY;
+
         return 0; /* no reply yet */
 }
 #endif