src/shared/polkit.c

   1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
   2
   3 /***
   4   This file is part of systemd.
   5
   6   Copyright 2011 Lennart Poettering
   7
   8   systemd is free software; you can redistribute it and/or modify it
   9   under the terms of the GNU Lesser General Public License as published by
  10   the Free Software Foundation; either version 2.1 of the License, or
  11   (at your option) any later version.
  12
  13   systemd is distributed in the hope that it will be useful, but
  14   WITHOUT ANY WARRANTY; without even the implied warranty of
  15   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  16   Lesser General Public License for more details.
  17
  18   You should have received a copy of the GNU Lesser General Public License
  19   along with systemd; If not, see <http://www.gnu.org/licenses/>.
  20 ***/
  21
  22 #include <sys/types.h>
  23
  24 #include <errno.h>
  25
  26 #include "util.h"
  27 #include "dbus-common.h"
  28 #include "polkit.h"
  29
  30 int verify_polkit(
  31                 DBusConnection *c,
  32                 DBusMessage *request,
  33                 const char *action,
  34                 bool interactive,
  35                 bool *_challenge,
  36                 DBusError *error) {
  37
  38         DBusMessage *m = NULL, *reply = NULL;
  39         const char *unix_process = "unix-process", *pid = "pid", *starttime = "start-time", *cancel_id = "";
  40         const char *sender;
  41         uint32_t flags = interactive ? 1 : 0;
  42         pid_t pid_raw;
  43         uint32_t pid_u32;
  44         unsigned long long starttime_raw;
  45         uint64_t starttime_u64;
  46         DBusMessageIter iter_msg, iter_struct, iter_array, iter_dict, iter_variant;
  47         int r;
  48         dbus_bool_t authorized = FALSE, challenge = FALSE;
  49         unsigned long ul;
  50
  51         assert(c);
  52         assert(request);
  53
  54         sender = dbus_message_get_sender(request);
  55         if (!sender)
  56                 return -EINVAL;
  57
  58         ul = dbus_bus_get_unix_user(c, sender, error);
  59         if (ul == (unsigned long) -1)
  60                 return -EINVAL;
  61
  62         /* Shortcut things for root, to avoid the PK roundtrip and dependency */
  63         if (ul == 0)
  64                 return 1;
  65
  66         pid_raw = bus_get_unix_process_id(c, sender, error);
  67         if (pid_raw == 0)
  68                 return -EINVAL;
  69
  70         r = get_starttime_of_pid(pid_raw, &starttime_raw);
  71         if (r < 0)
  72                 return r;
  73
  74         m = dbus_message_new_method_call(
  75                         "org.freedesktop.PolicyKit1",
  76                         "/org/freedesktop/PolicyKit1/Authority",
  77                         "org.freedesktop.PolicyKit1.Authority",
  78                         "CheckAuthorization");
  79         if (!m)
  80                 return -ENOMEM;
  81
  82         dbus_message_iter_init_append(m, &iter_msg);
  83
  84         pid_u32 = (uint32_t) pid_raw;
  85         starttime_u64 = (uint64_t) starttime_raw;
  86
  87         if (!dbus_message_iter_open_container(&iter_msg, DBUS_TYPE_STRUCT, NULL, &iter_struct) ||
  88             !dbus_message_iter_append_basic(&iter_struct, DBUS_TYPE_STRING, &unix_process) ||
  89             !dbus_message_iter_open_container(&iter_struct, DBUS_TYPE_ARRAY, "{sv}", &iter_array) ||
  90             !dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict) ||
  91             !dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &pid) ||
  92             !dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "u", &iter_variant) ||
  93             !dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT32, &pid_u32) ||
  94             !dbus_message_iter_close_container(&iter_dict, &iter_variant) ||
  95             !dbus_message_iter_close_container(&iter_array, &iter_dict) ||
  96             !dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict) ||
  97             !dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &starttime) ||
  98             !dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "t", &iter_variant) ||
  99             !dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT64, &starttime_u64) ||
 100             !dbus_message_iter_close_container(&iter_dict, &iter_variant) ||
 101             !dbus_message_iter_close_container(&iter_array, &iter_dict) ||
 102             !dbus_message_iter_close_container(&iter_struct, &iter_array) ||
 103             !dbus_message_iter_close_container(&iter_msg, &iter_struct) ||
 104             !dbus_message_iter_append_basic(&iter_msg, DBUS_TYPE_STRING, &action) ||
 105             !dbus_message_iter_open_container(&iter_msg, DBUS_TYPE_ARRAY, "{ss}", &iter_array) ||
 106             !dbus_message_iter_close_container(&iter_msg, &iter_array) ||
 107             !dbus_message_iter_append_basic(&iter_msg, DBUS_TYPE_UINT32, &flags) ||
 108             !dbus_message_iter_append_basic(&iter_msg, DBUS_TYPE_STRING, &cancel_id)) {
 109                 r = -ENOMEM;
 110                 goto finish;
 111         }
 112
 113         reply = dbus_connection_send_with_reply_and_block(c, m, -1, error);
 114         if (!reply) {
 115
 116                 /* Treat no PK available as access denied */
 117                 if (dbus_error_has_name(error, DBUS_ERROR_SERVICE_UNKNOWN)) {
 118                         r = -EACCES;
 119                         dbus_error_free(error);
 120                         goto finish;
 121                 }
 122
 123                 r = -EIO;
 124                 goto finish;
 125         }
 126
 127         if (!dbus_message_iter_init(reply, &iter_msg) ||
 128             dbus_message_iter_get_arg_type(&iter_msg) != DBUS_TYPE_STRUCT) {
 129                 r = -EIO;
 130                 goto finish;
 131         }
 132
 133         dbus_message_iter_recurse(&iter_msg, &iter_struct);
 134
 135         if (dbus_message_iter_get_arg_type(&iter_struct) != DBUS_TYPE_BOOLEAN) {
 136                 r = -EIO;
 137                 goto finish;
 138         }
 139
 140         dbus_message_iter_get_basic(&iter_struct, &authorized);
 141
 142         if (!dbus_message_iter_next(&iter_struct) ||
 143             dbus_message_iter_get_arg_type(&iter_struct) != DBUS_TYPE_BOOLEAN) {
 144                 r = -EIO;
 145                 goto finish;
 146         }
 147
 148         dbus_message_iter_get_basic(&iter_struct, &challenge);
 149
 150         if (authorized)
 151                 r = 1;
 152         else if (_challenge) {
 153                 *_challenge = !!challenge;
 154                 r = 0;
 155         } else
 156                 r = -EPERM;
 157
 158 finish:
 159         if (m)
 160                 dbus_message_unref(m);
 161
 162         if (reply)
 163                 dbus_message_unref(reply);
 164
 165         return r;
 166 }