shared/util: Fix glob_extend() argument
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4   This file is part of systemd.
5
6   Copyright 2011 Lennart Poettering
7
8   systemd is free software; you can redistribute it and/or modify it
9   under the terms of the GNU Lesser General Public License as published by
10   the Free Software Foundation; either version 2.1 of the License, or
11   (at your option) any later version.
12
13   systemd is distributed in the hope that it will be useful, but
14   WITHOUT ANY WARRANTY; without even the implied warranty of
15   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16   Lesser General Public License for more details.
17
18   You should have received a copy of the GNU Lesser General Public License
19   along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <sys/types.h>
23
24 #include <errno.h>
25
26 #include "util.h"
27 #include "dbus-common.h"
28 #include "polkit.h"
29
/*
 * Decide whether the peer that sent `request` may perform polkit action
 * `action`.
 *
 * c           bus connection used to look up the sender's UID and to call polkit
 * request     incoming message whose sender is being authorized
 * action      polkit action id, passed through unchanged to CheckAuthorization
 * interactive if true, bit 0 of the CheckAuthorization flags is set so polkit
 *             may prompt the user (AllowUserInteraction)
 * _challenge  optional out-parameter, written ONLY on the "return 0" path;
 *             callers should initialise it before the call
 * error       D-Bus error slot handed to the libdbus calls; it is freed here
 *             only in the "polkit service unknown" case, so other failure
 *             paths may leave it set for the caller to inspect and free
 *
 * Returns 1 when authorized (always for UID 0), 0 when not authorized and
 * `_challenge` was supplied, and a negative errno otherwise: -EINVAL if the
 * sender or its UID cannot be determined, -ENOMEM on message construction
 * failure, -EACCES if the polkit service does not exist, -EIO on any other
 * call failure or an unexpected reply layout, -EPERM when denied without a
 * `_challenge` pointer or when built without ENABLE_POLKIT.
 *
 * Every failure path denies access; nothing here falls back to "allow".
 *
 * NOTE(review): the sender name is taken from the message header; this
 * presumably relies on `request` having arrived through the bus daemon, which
 * stamps that field -- confirm no caller feeds in peer-to-peer messages.
 */
int verify_polkit(
                DBusConnection *c,
                DBusMessage *request,
                const char *action,
                bool interactive,
                bool *_challenge,
                DBusError *error) {

        const char *sender;
        unsigned long uid;
#ifdef ENABLE_POLKIT
        /* Literal values of the polkit subject: kind, detail key, and an
         * empty cancellation id. */
        const char *subject_kind = "system-bus-name";
        const char *detail_key = "name";
        const char *cancellation = "";
        uint32_t check_flags = interactive ? 1 : 0;
        DBusMessage *call = NULL;
        DBusMessage *answer = NULL;
        DBusMessageIter it_top, it_subject, it_subject_details, it_entry, it_value, it_details;
        dbus_bool_t marshalled;
        dbus_bool_t authorized = FALSE;
        dbus_bool_t challenge = FALSE;
        int ret;
#endif

        assert(c);
        assert(request);

        sender = dbus_message_get_sender(request);
        if (!sender)
                return -EINVAL;

        /* libdbus reports a failed UID lookup as (unsigned long) -1. */
        uid = dbus_bus_get_unix_user(c, sender, error);
        if (uid == (unsigned long) -1)
                return -EINVAL;

        /* Root is authorized unconditionally: no polkit round trip, and no
         * dependency on polkit being present at all. */
        if (uid == 0)
                return 1;

#ifdef ENABLE_POLKIT

        call = dbus_message_new_method_call(
                        "org.freedesktop.PolicyKit1",
                        "/org/freedesktop/PolicyKit1/Authority",
                        "org.freedesktop.PolicyKit1.Authority",
                        "CheckAuthorization");
        if (!call)
                return -ENOMEM;

        dbus_message_iter_init_append(call, &it_top);

        /*
         * Arguments, in order:
         *   subject       ("system-bus-name", { "name": <sender> })
         *   action_id     action
         *   details       empty a{ss}
         *   flags         check_flags
         *   cancellation  ""
         *
         * The subject is the sender's bus name, not a PID or UID supplied by
         * this process, so resolving it to credentials is left to polkit.
         * The && chain stops at the first append that fails, exactly like
         * the step-by-step checks it stands for.
         */
        marshalled =
                dbus_message_iter_open_container(&it_top, DBUS_TYPE_STRUCT, NULL, &it_subject) &&
                dbus_message_iter_append_basic(&it_subject, DBUS_TYPE_STRING, &subject_kind) &&
                dbus_message_iter_open_container(&it_subject, DBUS_TYPE_ARRAY, "{sv}", &it_subject_details) &&
                dbus_message_iter_open_container(&it_subject_details, DBUS_TYPE_DICT_ENTRY, NULL, &it_entry) &&
                dbus_message_iter_append_basic(&it_entry, DBUS_TYPE_STRING, &detail_key) &&
                dbus_message_iter_open_container(&it_entry, DBUS_TYPE_VARIANT, "s", &it_value) &&
                dbus_message_iter_append_basic(&it_value, DBUS_TYPE_STRING, &sender) &&
                dbus_message_iter_close_container(&it_entry, &it_value) &&
                dbus_message_iter_close_container(&it_subject_details, &it_entry) &&
                dbus_message_iter_close_container(&it_subject, &it_subject_details) &&
                dbus_message_iter_close_container(&it_top, &it_subject) &&
                dbus_message_iter_append_basic(&it_top, DBUS_TYPE_STRING, &action) &&
                dbus_message_iter_open_container(&it_top, DBUS_TYPE_ARRAY, "{ss}", &it_details) &&
                dbus_message_iter_close_container(&it_top, &it_details) &&
                dbus_message_iter_append_basic(&it_top, DBUS_TYPE_UINT32, &check_flags) &&
                dbus_message_iter_append_basic(&it_top, DBUS_TYPE_STRING, &cancellation);
        if (!marshalled) {
                ret = -ENOMEM;
                goto finish;
        }

        /* Synchronous call; -1 selects libdbus' default timeout.
         * NOTE(review): with `interactive` set the user may still be answering
         * the authentication prompt when that timeout expires, which would
         * surface here as -EIO -- confirm this is acceptable for callers. */
        answer = dbus_connection_send_with_reply_and_block(c, call, -1, error);
        if (!answer) {
                if (dbus_error_has_name(error, DBUS_ERROR_SERVICE_UNKNOWN)) {
                        /* No polkit service on the bus counts as "denied";
                         * the error is consumed here. */
                        dbus_error_free(error);
                        ret = -EACCES;
                } else
                        ret = -EIO;

                goto finish;
        }

        /* The reply must start with a struct whose first two members are
         * booleans: (is_authorized, is_challenge, ...). Any other layout is
         * rejected instead of being interpreted. */
        if (!(dbus_message_iter_init(answer, &it_top) &&
              dbus_message_iter_get_arg_type(&it_top) == DBUS_TYPE_STRUCT)) {
                ret = -EIO;
                goto finish;
        }

        dbus_message_iter_recurse(&it_top, &it_subject);

        if (dbus_message_iter_get_arg_type(&it_subject) != DBUS_TYPE_BOOLEAN) {
                ret = -EIO;
                goto finish;
        }

        dbus_message_iter_get_basic(&it_subject, &authorized);

        if (!(dbus_message_iter_next(&it_subject) &&
              dbus_message_iter_get_arg_type(&it_subject) == DBUS_TYPE_BOOLEAN)) {
                ret = -EIO;
                goto finish;
        }

        dbus_message_iter_get_basic(&it_subject, &challenge);

        if (authorized)
                ret = 1;
        else if (!_challenge)
                ret = -EPERM;
        else {
                /* Denied for now; report whether polkit flagged a challenge. */
                *_challenge = challenge ? true : false;
                ret = 0;
        }

finish:
        /* dbus_message_unref() must not be handed NULL, hence the guards. */
        if (call)
                dbus_message_unref(call);

        if (answer)
                dbus_message_unref(answer);

        return ret;
#else
        /* Built without polkit support: every non-root caller is denied. */
        return -EPERM;
#endif
}