From 536c18e5c33fd682fcd38d228b46a339adbe150b Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Fri, 7 Mar 2025 16:22:00 +0100
Subject: [PATCH] bus-polkit: shortcut auth. after first denial

A D-Bus/Varlink method can issue PolicyKit auth. requests for multiple
actions; in this case the method is expected to fail on the first one
that is not allowed. This is enforced by asserts in
async_polkit_read_reply(), but that's a wrong place for the check for
two reasons:

1. it doesn't allow to get a meaningful stack trace;
2. sending the query to polkit is already a pointless exercise.

Let's do the check in *_verify_polkit_async_full() and don't send
anything to PolicyKit in that case.

Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=2349594 .
---
 src/shared/bus-polkit.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/shared/bus-polkit.c b/src/shared/bus-polkit.c
index 03870df2b4a..df3f28c2925 100644
--- a/src/shared/bus-polkit.c
+++ b/src/shared/bus-polkit.c
@@ -438,6 +438,10 @@ static int async_polkit_query_check_action(
         if (q->absent_action)
                 return FLAGS_SET(flags, POLKIT_DEFAULT_ALLOW) ? 1 /* Allow! */ : -EACCES /* Deny! */;
 
+        /* Also deny if we've got an auth. failure for a previous action */
+        if (q->denied_action || q->error_action)
+                return -EALREADY;
+
         return 0; /* no reply yet */
 }
 #endif
-- 
2.47.3