From: networkException Date: Mon, 29 Jan 2024 21:31:59 +0000 (+0100) Subject: resolve: include interface name in org.freedesktop.resolve1 polkit checks X-Git-Tag: v256-rc1~999 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=de39202426e2d3d4d6fb509635d2462b5ded6e9c;p=thirdparty%2Fsystemd.git resolve: include interface name in org.freedesktop.resolve1 polkit checks this patch adds the interface name of the interface to be modified to *details* when verifying dbus calls to the `org.freedesktop.resolve1` D-Bus interface for all `Set*` and the `Revert` method. when defining a polkit rule, this allows limiting the access to a specific interface: ```js // This rule prevents the user "vpn" to disable DNSoverTLS for any // other interface than "vpn0". The vpn service should be allowed // to disable DNSoverTLS on its own as it provides a local DNS // server with search domains on the interface and this server does // not support DNSoverTLS. polkit.addRule(function(action, subject) { if (action.id == "org.freedesktop.resolve1.set-dns-over-tls" && action.lookup("interface") == "vpn0" && subject.user == "vpn") { return polkit.Result.YES; } }); ``` --- diff --git a/src/resolve/resolved-link-bus.c b/src/resolve/resolved-link-bus.c index 7ca3214b064..65562dc9339 100644 --- a/src/resolve/resolved-link-bus.c +++ b/src/resolve/resolved-link-bus.c @@ -239,7 +239,7 @@ static int bus_link_method_set_dns_servers_internal(sd_bus_message *message, voi r = bus_verify_polkit_async( message, "org.freedesktop.resolve1.set-dns-servers", - /* details= */ NULL, + (const char**) STRV_MAKE("interface", l->ifname), &l->manager->polkit_registry, error); if (r < 0) goto finalize; @@ -372,7 +372,7 @@ int bus_link_method_set_domains(sd_bus_message *message, void *userdata, sd_bus_ r = bus_verify_polkit_async( message, "org.freedesktop.resolve1.set-domains", - /* details= */ NULL, + (const char**) STRV_MAKE("interface", l->ifname), &l->manager->polkit_registry, error); if (r < 0) @@ -452,7 +452,7 @@ int bus_link_method_set_default_route(sd_bus_message *message, void *userdata, s r = bus_verify_polkit_async( message, "org.freedesktop.resolve1.set-default-route", - /* details= */ NULL, + (const char**) STRV_MAKE("interface", l->ifname), &l->manager->polkit_registry, error); if (r < 0) @@ -501,7 +501,7 @@ int bus_link_method_set_llmnr(sd_bus_message *message, void *userdata, sd_bus_er r = bus_verify_polkit_async( message, "org.freedesktop.resolve1.set-llmnr", - /* details= */ NULL, + (const char**) STRV_MAKE("interface", l->ifname), &l->manager->polkit_registry, error); if (r < 0) @@ -551,7 +551,7 @@ int bus_link_method_set_mdns(sd_bus_message *message, void *userdata, sd_bus_err r = bus_verify_polkit_async( message, "org.freedesktop.resolve1.set-mdns", - /* details= */ NULL, + (const char**) STRV_MAKE("interface", l->ifname), &l->manager->polkit_registry, error); if (r < 0) @@ -601,7 +601,7 @@ int bus_link_method_set_dns_over_tls(sd_bus_message *message, void *userdata, sd r = bus_verify_polkit_async( message, "org.freedesktop.resolve1.set-dns-over-tls", - /* details= */ NULL, + (const char**) STRV_MAKE("interface", l->ifname), &l->manager->polkit_registry, error); if (r < 0) @@ -651,7 +651,7 @@ int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_e r = bus_verify_polkit_async( message, "org.freedesktop.resolve1.set-dnssec", - /* details= */ NULL, + (const char**) STRV_MAKE("interface", l->ifname), &l->manager->polkit_registry, error); if (r < 0) @@ -714,7 +714,7 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v r = bus_verify_polkit_async( message, "org.freedesktop.resolve1.set-dnssec-negative-trust-anchors", - /* details= */ NULL, + (const char**) STRV_MAKE("interface", l->ifname), &l->manager->polkit_registry, error); if (r < 0) @@ -752,7 +752,7 @@ int bus_link_method_revert(sd_bus_message *message, void *userdata, sd_bus_error r = bus_verify_polkit_async( message, "org.freedesktop.resolve1.revert", - /* details= */ NULL, + (const char**) STRV_MAKE("interface", l->ifname), &l->manager->polkit_registry, error); if (r < 0)