resolved: add missing polkit checks on FlushCaches and ResetServerFeatures D-Bus...

author TristanInSec <tristan.mtn@gmail.com>

Mon, 18 May 2026 17:30:51 +0000 (13:30 -0400)

committer Lennart Poettering <lennart@poettering.net>

Tue, 19 May 2026 06:29:34 +0000 (08:29 +0200)
author TristanInSec <tristan.mtn@gmail.com>
Mon, 18 May 2026 17:30:51 +0000 (13:30 -0400)
committer Lennart Poettering <lennart@poettering.net>
Tue, 19 May 2026 06:29:34 +0000 (08:29 +0200)
diff --git a/src/resolve/org.freedesktop.resolve1.policy b/src/resolve/org.freedesktop.resolve1.policy

index 097e78e73ca7eee44c39c17392e3c548b7ab12c3..6fa243856c7a4b77e88625f0b1bf7525f34ca1c3 100644 (file)
--- a/src/resolve/org.freedesktop.resolve1.policy
+++ b/src/resolve/org.freedesktop.resolve1.policy
@@ -205,4 +205,26 @@
                  <annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
          </action>
  
+        <action id="org.freedesktop.resolve1.flush-caches">
+                <description gettext-domain="systemd">Flush DNS caches</description>
+                <message gettext-domain="systemd">Authentication is required to flush DNS caches.</message>
+                <defaults>
+                        <allow_any>auth_admin</allow_any>
+                        <allow_inactive>auth_admin</allow_inactive>
+                        <allow_active>auth_admin_keep</allow_active>
+                </defaults>
+                <annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
+        </action>
+
+        <action id="org.freedesktop.resolve1.reset-server-features">
+                <description gettext-domain="systemd">Reset server features</description>
+                <message gettext-domain="systemd">Authentication is required to reset server features.</message>
+                <defaults>
+                        <allow_any>auth_admin</allow_any>
+                        <allow_inactive>auth_admin</allow_inactive>
+                        <allow_active>auth_admin_keep</allow_active>
+                </defaults>
+                <annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
+        </action>
+
  </policyconfig>
diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c

index e20c975de8b38fd54ef4333f4ec756ce03b34e55..e04caa7898c0a792840bed236dbfb6ddeea7e262 100644 (file)
--- a/src/resolve/resolved-bus.c
+++ b/src/resolve/resolved-bus.c
@@ -1842,9 +1842,21 @@ static int bus_method_get_link(sd_bus_message *message, void *userdata, sd_bus_e
  
  static int bus_method_flush_caches(sd_bus_message *message, void *userdata, sd_bus_error *error) {
          Manager *m = ASSERT_PTR(userdata);
+        int r;
  
          assert(message);
  
+        r = bus_verify_polkit_async(
+                        message,
+                        "org.freedesktop.resolve1.flush-caches",
+                        /* details= */ NULL,
+                        &m->polkit_registry,
+                        error);
+        if (r < 0)
+                return r;
+        if (r == 0)
+                return 1; /* Polkit will call us back */
+
          bus_client_log(message, "cache flush");
  
          manager_flush_caches(m, LOG_INFO);
@@ -1854,9 +1866,21 @@ static int bus_method_flush_caches(sd_bus_message *message, void *userdata, sd_b
  
  static int bus_method_reset_server_features(sd_bus_message *message, void *userdata, sd_bus_error *error) {
          Manager *m = ASSERT_PTR(userdata);
+        int r;
  
          assert(message);
  
+        r = bus_verify_polkit_async(
+                        message,
+                        "org.freedesktop.resolve1.reset-server-features",
+                        /* details= */ NULL,
+                        &m->polkit_registry,
+                        error);
+        if (r < 0)
+                return r;
+        if (r == 0)
+                return 1; /* Polkit will call us back */
+
          bus_client_log(message, "server feature reset");
  
          (void) dns_stream_disconnect_all(m);
author	TristanInSec <tristan.mtn@gmail.com>
	Mon, 18 May 2026 17:30:51 +0000 (13:30 -0400)
committer	Lennart Poettering <lennart@poettering.net>
	Tue, 19 May 2026 06:29:34 +0000 (08:29 +0200)
src/resolve/org.freedesktop.resolve1.policy		patch \| blob \| blame \| history
src/resolve/resolved-bus.c		patch \| blob \| blame \| history