From: Lennart Poettering
Date: Fri, 23 May 2025 20:10:36 +0000 (+0200)
Subject: machined: use different polkit actions for registering and creating a machine
X-Git-Tag: v258-rc1~79^2~17
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=adaff8eb35d9c471af81fddaa4403bc5843a256f;p=thirdparty%2Fsystemd.git
machined: use different polkit actions for registering and creating a machine
The difference between these two operations are large: one is relatively superficial: for "registration" all resources remain associated with the invoking user, only the cgroup is reported to machined which then keeps track of the machine, too. OTOH "creation" a scope is allocated in system context, hence the invoked code will be owned by the system, and its resource usage charged against the system. Hence, use two distinct polkit actions for this, so that we can relax access to registration, but keep access to creation tough.
---
diff --git a/src/machine/machine-varlink.c b/src/machine/machine-varlink.c
index 8c437efc175..a773094cfe7 100644
--- a/src/machine/machine-varlink.c
+++ b/src/machine/machine-varlink.c
@@ -155,7 +155,7 @@ int vl_method_register(sd_varlink *link, sd_json_variant *parameters, sd_varlink
 r = varlink_verify_polkit_async(
 link,
 manager->bus,
- "org.freedesktop.machine1.create-machine",
+ machine->allocate_unit ? "org.freedesktop.machine1.create-machine" : "org.freedesktop.machine1.register-machine",
 (const char**) STRV_MAKE("name", machine->name,
 "class", machine_class_to_string(machine->class)),
 &manager->polkit_registry);
diff --git a/src/machine/machined-dbus.c b/src/machine/machined-dbus.c
index 30f722a4497..82c0addefbe 100644
--- a/src/machine/machined-dbus.c
+++ b/src/machine/machined-dbus.c
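Review bot: In vl_method_register() (src/machine/machine-varlink.c) the polkit action is now selected by `machine->allocate_unit`, so the weaker `register-machine` check guards every request where that flag is false, and nothing at the call site records why that is safe. If `allocate_unit` is filled from the caller's Varlink parameters (not visible in this hunk), the code that later allocates the scope must branch on the same field, otherwise a caller authorized only for registration could end up on the creation path. I would document the invariant next to the call, e.g. `/* Registration leaves all resources with the caller; only unit allocation charges the system, hence the stricter action. */`. The enclosing function starts and ends outside the hunk.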
@@ -228,6 +228,7 @@ static int method_list_machines(sd_bus_message *message, void *userdata, sd_bus_ static int method_create_or_register_machine( Manager *manager, sd_bus_message *message, + const char *polkit_action, bool read_network, Machine **ret, sd_bus_error *error) { @@ -318,7 +319,7 @@ static int method_create_or_register_machine( r = bus_verify_polkit_async( message, - "org.freedesktop.machine1.create-machine", + polkit_action, details, &manager->polkit_registry, error); @@ -378,7 +379,7 @@ static int method_create_machine_internal(sd_bus_message *message, bool read_net assert(message); - r = method_create_or_register_machine(manager, message, read_network, &m, error); + r = method_create_or_register_machine(manager, message, "org.freedesktop.machine1.create-machine", read_network, &m, error); if (r < 0) return r; if (r == 0) @@ -416,7 +417,7 @@ static int method_register_machine_internal(sd_bus_message *message, bool read_n assert(message); - r = method_create_or_register_machine(manager, message, read_network, &m, error); + r = method_create_or_register_machine(manager, message, "org.freedesktop.machine1.register-machine", read_network, &m, error); if (r < 0) return r; if (r == 0) diff --git a/src/machine/org.freedesktop.machine1.policy b/src/machine/org.freedesktop.machine1.policy index fe125ed0db3..d5b8d83d2aa 100644 --- a/src/machine/org.freedesktop.machine1.policy +++ b/src/machine/org.freedesktop.machine1.policy @@ -99,7 +99,17 @@ auth_admin auth_admin_keep - org.freedesktop.login1.shell org.freedesktop.login1.login + org.freedesktop.login1.shell org.freedesktop.login1.login org.freedesktop.machine1.register-machine + + + + Register a local virtual machine or container + Authentication is required to register a local virtual machine or container. + + auth_admin + auth_admin + yes +
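Review bot: The new `polkit_action` parameter of method_create_or_register_machine() is handed straight to bus_verify_polkit_async() in the hunk at -318 with no check visible in the diff; adding `assert(polkit_action);` beside the function's other parameter asserts (which, if present, lie outside the hunks) would catch a caller that passes NULL. The action IDs are also spelled out as string literals at both call sites (hunks at -378 and -416) and again in machine-varlink.c, so a typo in any one of them would make that path check a different or unregistered action. A pair of shared constants for the two IDs (for instance `#define POLKIT_ACTION_REGISTER_MACHINE "org.freedesktop.machine1.register-machine"`, name illustrative) would keep the three sites in step.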
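Review bot: The new register-machine action ends its defaults with `yes`, which, if the three values follow the usual allow_any / allow_inactive / allow_active order (the element names are not legible in this view), lets any active local session register a machine with no authentication prompt. That is only sound if the registration path itself verifies that the leader process and cgroup being registered belong to the caller; no such check is visible in this diff, so it should be confirmed in the code this commit builds on. I would add a comment above the action recording that dependency, e.g. `<!-- No authentication for active sessions: registration only tracks resources the caller already owns; machined must verify that ownership. -->`.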