X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fcore%2Fdbus-manager.c;h=c54abd3b4e820af1ba0bd085c365f6f798558a8d;hp=68a68a2d944506416fc3f341bc210c06de28adae;hb=adeba5008eac3105ae59256dedd087ebe006a9e6;hpb=5ae4d543cb9b45ad6c6b82b78da1d6abc2291cdb diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c index 68a68a2d9..c54abd3b4 100644 --- a/src/core/dbus-manager.c +++ b/src/core/dbus-manager.c @@ -34,6 +34,7 @@ #include "architecture.h" #include "env-util.h" #include "dbus.h" +#include "dbus-job.h" #include "dbus-manager.h" #include "dbus-unit.h" #include "dbus-snapshot.h" @@ -352,6 +353,8 @@ static int method_get_unit(sd_bus *bus, sd_bus_message *message, void *userdata, assert(message); assert(m); + /* Anyone can call this method */ + r = sd_bus_message_read(message, "s", &name); if (r < 0) return r; @@ -360,7 +363,7 @@ static int method_get_unit(sd_bus *bus, sd_bus_message *message, void *userdata, if (!u) return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_UNIT, "Unit %s not loaded.", name); - r = selinux_unit_access_check(u, message, "status", error); + r = mac_selinux_unit_access_check(u, message, "status", error); if (r < 0) return r; @@ -384,6 +387,8 @@ static int method_get_unit_by_pid(sd_bus *bus, sd_bus_message *message, void *us assert_cc(sizeof(pid_t) == sizeof(uint32_t)); + /* Anyone can call this method */ + r = sd_bus_message_read(message, "u", &pid); if (r < 0) return r; @@ -404,7 +409,7 @@ static int method_get_unit_by_pid(sd_bus *bus, sd_bus_message *message, void *us if (!u) return sd_bus_error_setf(error, BUS_ERROR_NO_UNIT_FOR_PID, "PID %u does not belong to any loaded unit.", pid); - r = selinux_unit_access_check(u, message, "status", error); + r = mac_selinux_unit_access_check(u, message, "status", error); if (r < 0) return r; @@ -426,6 +431,8 @@ static int method_load_unit(sd_bus *bus, sd_bus_message *message, void *userdata assert(message); assert(m); + /* Anyone can call this method */ + r = sd_bus_message_read(message, "s", &name); if (r < 0) return r; @@ -434,7 +441,7 @@ static int method_load_unit(sd_bus *bus, sd_bus_message *message, void *userdata if (r < 0) return r; - r = selinux_unit_access_check(u, message, "status", error); + r = mac_selinux_unit_access_check(u, message, "status", error); if (r < 0) return r; @@ -454,6 +461,12 @@ static int method_start_unit_generic(sd_bus *bus, sd_bus_message *message, Manag assert(message); assert(m); + r = bus_verify_manage_unit_async(m, message, error); + if (r < 0) + return r; + if (r == 0) + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + r = sd_bus_message_read(message, "s", &name); if (r < 0) return r; @@ -503,6 +516,12 @@ static int method_start_unit_replace(sd_bus *bus, sd_bus_message *message, void assert(message); assert(m); + r = bus_verify_manage_unit_async(m, message, error); + if (r < 0) + return r; + if (r == 0) + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + r = sd_bus_message_read(message, "s", &old_name); if (r < 0) return r; @@ -524,6 +543,13 @@ static int method_kill_unit(sd_bus *bus, sd_bus_message *message, void *userdata assert(message); assert(m); + /* Like bus_verify_manage_unit_async(), but uses CAP_SYS_KILL */ + r = bus_verify_manage_unit_async_for_kill(m, message, error); + if (r < 0) + return r; + if (r == 0) + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + r = sd_bus_message_read(message, "s", &name); if (r < 0) return r; @@ -545,6 +571,12 @@ static int method_reset_failed_unit(sd_bus *bus, sd_bus_message *message, void * assert(message); assert(m); + r = bus_verify_manage_unit_async(m, message, error); + if (r < 0) + return r; + if (r == 0) + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + r = sd_bus_message_read(message, "s", &name); if (r < 0) return r; @@ -566,6 +598,12 @@ static int method_set_unit_properties(sd_bus *bus, sd_bus_message *message, void assert(message); assert(m); + r = bus_verify_manage_unit_async(m, message, error); + if (r < 0) + return r; + if (r == 0) + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + r = sd_bus_message_read(message, "s", &name); if (r < 0) return r; @@ -589,6 +627,12 @@ static int method_start_transient_unit(sd_bus *bus, sd_bus_message *message, voi assert(message); assert(m); + r = bus_verify_manage_unit_async(m, message, error); + if (r < 0) + return r; + if (r == 0) + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + r = sd_bus_message_read(message, "ss", &name, &smode); if (r < 0) return r; @@ -604,7 +648,7 @@ static int method_start_transient_unit(sd_bus *bus, sd_bus_message *message, voi if (mode < 0) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Job mode %s is invalid.", smode); - r = selinux_access_check(message, "start", error); + r = mac_selinux_access_check(message, "start", error); if (r < 0) return r; @@ -648,6 +692,8 @@ static int method_get_job(sd_bus *bus, sd_bus_message *message, void *userdata, assert(message); assert(m); + /* Anyone can call this method */ + r = sd_bus_message_read(message, "u", &id); if (r < 0) return r; @@ -656,7 +702,7 @@ static int method_get_job(sd_bus *bus, sd_bus_message *message, void *userdata, if (!j) return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_JOB, "Job %u does not exist.", (unsigned) id); - r = selinux_unit_access_check(j->unit, message, "status", error); + r = mac_selinux_unit_access_check(j->unit, message, "status", error); if (r < 0) return r; @@ -685,13 +731,7 @@ static int method_cancel_job(sd_bus *bus, sd_bus_message *message, void *userdat if (!j) return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_JOB, "Job %u does not exist.", (unsigned) id); - r = selinux_unit_access_check(j->unit, message, "stop", error); - if (r < 0) - return r; - - job_finish_and_invalidate(j, JOB_CANCELED, true); - - return sd_bus_reply_method_return(message, NULL); + return bus_job_method_cancel(bus, message, j, error); } static int method_clear_jobs(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) { @@ -702,7 +742,7 @@ static int method_clear_jobs(sd_bus *bus, sd_bus_message *message, void *userdat assert(message); assert(m); - r = selinux_access_check(message, "reboot", error); + r = mac_selinux_access_check(message, "reboot", error); if (r < 0) return r; @@ -719,7 +759,7 @@ static int method_reset_failed(sd_bus *bus, sd_bus_message *message, void *userd assert(message); assert(m); - r = selinux_access_check(message, "reload", error); + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; @@ -740,7 +780,9 @@ static int list_units_filtered(sd_bus *bus, sd_bus_message *message, void *userd assert(message); assert(m); - r = selinux_access_check(message, "status", error); + /* Anyone can call this method */ + + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -826,7 +868,9 @@ static int method_list_jobs(sd_bus *bus, sd_bus_message *message, void *userdata assert(message); assert(m); - r = selinux_access_check(message, "status", error); + /* Anyone can call this method */ + + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -876,7 +920,9 @@ static int method_subscribe(sd_bus *bus, sd_bus_message *message, void *userdata assert(message); assert(m); - r = selinux_access_check(message, "status", error); + /* Anyone can call this method */ + + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -909,7 +955,9 @@ static int method_unsubscribe(sd_bus *bus, sd_bus_message *message, void *userda assert(message); assert(m); - r = selinux_access_check(message, "status", error); + /* Anyone can call this method */ + + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -935,7 +983,9 @@ static int method_dump(sd_bus *bus, sd_bus_message *message, void *userdata, sd_ assert(message); assert(m); - r = selinux_access_check(message, "status", error); + /* Anyone can call this method */ + + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -966,7 +1016,7 @@ static int method_create_snapshot(sd_bus *bus, sd_bus_message *message, void *us assert(message); assert(m); - r = selinux_access_check(message, "start", error); + r = mac_selinux_access_check(message, "start", error); if (r < 0) return r; @@ -998,7 +1048,7 @@ static int method_remove_snapshot(sd_bus *bus, sd_bus_message *message, void *us assert(message); assert(m); - r = selinux_access_check(message, "stop", error); + r = mac_selinux_access_check(message, "stop", error); if (r < 0) return r; @@ -1024,7 +1074,13 @@ static int method_reload(sd_bus *bus, sd_bus_message *message, void *userdata, s assert(message); assert(m); - r = selinux_access_check(message, "reload", error); + r = bus_verify_reload_daemon_async(m, message, error); + if (r < 0) + return r; + if (r == 0) + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; @@ -1052,7 +1108,13 @@ static int method_reexecute(sd_bus *bus, sd_bus_message *message, void *userdata assert(message); assert(m); - r = selinux_access_check(message, "reload", error); + r = bus_verify_reload_daemon_async(m, message, error); + if (r < 0) + return r; + if (r == 0) + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; @@ -1071,7 +1133,7 @@ static int method_exit(sd_bus *bus, sd_bus_message *message, void *userdata, sd_ assert(message); assert(m); - r = selinux_access_check(message, "halt", error); + r = mac_selinux_access_check(message, "halt", error); if (r < 0) return r; @@ -1091,7 +1153,7 @@ static int method_reboot(sd_bus *bus, sd_bus_message *message, void *userdata, s assert(message); assert(m); - r = selinux_access_check(message, "reboot", error); + r = mac_selinux_access_check(message, "reboot", error); if (r < 0) return r; @@ -1112,7 +1174,7 @@ static int method_poweroff(sd_bus *bus, sd_bus_message *message, void *userdata, assert(message); assert(m); - r = selinux_access_check(message, "halt", error); + r = mac_selinux_access_check(message, "halt", error); if (r < 0) return r; @@ -1132,7 +1194,7 @@ static int method_halt(sd_bus *bus, sd_bus_message *message, void *userdata, sd_ assert(message); assert(m); - r = selinux_access_check(message, "halt", error); + r = mac_selinux_access_check(message, "halt", error); if (r < 0) return r; @@ -1152,7 +1214,7 @@ static int method_kexec(sd_bus *bus, sd_bus_message *message, void *userdata, sd assert(message); assert(m); - r = selinux_access_check(message, "reboot", error); + r = mac_selinux_access_check(message, "reboot", error); if (r < 0) return r; @@ -1174,12 +1236,12 @@ static int method_switch_root(sd_bus *bus, sd_bus_message *message, void *userda assert(message); assert(m); - r = selinux_access_check(message, "reboot", error); + r = mac_selinux_access_check(message, "reboot", error); if (r < 0) return r; if (m->running_as != SYSTEMD_SYSTEM) - return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "KExec is only supported for system managers."); + return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Root switching is only supported by system manager."); r = sd_bus_message_read(message, "ss", &root, &init); if (r < 0) @@ -1190,7 +1252,7 @@ static int method_switch_root(sd_bus *bus, sd_bus_message *message, void *userda /* Safety check */ if (isempty(init)) { - if (! path_is_os_tree(root)) + if (!path_is_os_tree(root)) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Specified switch root path %s does not seem to be an OS tree. os-release file is missing.", root); } else { _cleanup_free_ char *p = NULL; @@ -1238,7 +1300,7 @@ static int method_set_environment(sd_bus *bus, sd_bus_message *message, void *us assert(message); assert(m); - r = selinux_access_check(message, "reload", error); + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; @@ -1264,7 +1326,7 @@ static int method_unset_environment(sd_bus *bus, sd_bus_message *message, void * assert(message); assert(m); - r = selinux_access_check(message, "reload", error); + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; @@ -1291,22 +1353,22 @@ static int method_unset_and_set_environment(sd_bus *bus, sd_bus_message *message assert(message); assert(m); - r = selinux_access_check(message, "reload", error); + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; - r = sd_bus_message_read_strv(message, &plus); + r = sd_bus_message_read_strv(message, &minus); if (r < 0) return r; - r = sd_bus_message_read_strv(message, &minus); + r = sd_bus_message_read_strv(message, &plus); if (r < 0) return r; - if (!strv_env_is_valid(plus)) - return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid environment assignments"); if (!strv_env_name_or_assignment_is_valid(minus)) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid environment variable names or assignments"); + if (!strv_env_is_valid(plus)) + return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid environment assignments"); r = manager_environment_add(m, minus, plus); if (r < 0) @@ -1327,7 +1389,9 @@ static int method_list_unit_files(sd_bus *bus, sd_bus_message *message, void *us assert(message); assert(m); - r = selinux_access_check(message, "status", error); + /* Anyone can call this method */ + + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -1335,7 +1399,7 @@ static int method_list_unit_files(sd_bus *bus, sd_bus_message *message, void *us if (r < 0) return r; - h = hashmap_new(string_hash_func, string_compare_func); + h = hashmap_new(&string_hash_ops); if (!h) return -ENOMEM; @@ -1378,7 +1442,9 @@ static int method_get_unit_file_state(sd_bus *bus, sd_bus_message *message, void assert(message); assert(m); - r = selinux_access_check(message, "status", error); + /* Anyone can call this method */ + + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -1405,7 +1471,9 @@ static int method_get_default_target(sd_bus *bus, sd_bus_message *message, void assert(message); assert(m); - r = selinux_access_check(message, "status", error); + /* Anyone can call this method */ + + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -1487,16 +1555,13 @@ fail: static int method_enable_unit_files_generic( sd_bus *bus, sd_bus_message *message, - Manager *m, const - char *verb, + Manager *m, + const char *verb, int (*call)(UnitFileScope scope, bool runtime, const char *root_dir, char *files[], bool force, UnitFileChange **changes, unsigned *n_changes), bool carries_install_info, sd_bus_error *error) { _cleanup_strv_free_ char **l = NULL; -#ifdef HAVE_SELINUX - char **i; -#endif UnitFileChange *changes = NULL; unsigned n_changes = 0; UnitFileScope scope; @@ -1506,27 +1571,24 @@ static int method_enable_unit_files_generic( assert(message); assert(m); - r = sd_bus_message_read_strv(message, &l); + r = bus_verify_manage_unit_files_async(m, message, error); if (r < 0) return r; + if (r == 0) + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ -#ifdef HAVE_SELINUX - STRV_FOREACH(i, l) { - Unit *u; - - u = manager_get_unit(m, *i); - if (u) { - r = selinux_unit_access_check(u, message, verb, error); - if (r < 0) - return r; - } - } -#endif + r = sd_bus_message_read_strv(message, &l); + if (r < 0) + return r; r = sd_bus_message_read(message, "bb", &runtime, &force); if (r < 0) return r; + r = mac_selinux_unit_access_check_strv(l, message, m, verb, error); + if (r < 0) + return r; + scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER; r = call(scope, runtime, NULL, l, force, &changes, &n_changes); @@ -1548,14 +1610,68 @@ static int method_link_unit_files(sd_bus *bus, sd_bus_message *message, void *us return method_enable_unit_files_generic(bus, message, userdata, "enable", unit_file_link, false, error); } +static int unit_file_preset_without_mode(UnitFileScope scope, bool runtime, const char *root_dir, char **files, bool force, UnitFileChange **changes, unsigned *n_changes) { + return unit_file_preset(scope, runtime, root_dir, files, UNIT_FILE_PRESET_FULL, force, changes, n_changes); +} + static int method_preset_unit_files(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) { - return method_enable_unit_files_generic(bus, message, userdata, "enable", unit_file_preset, true, error); + return method_enable_unit_files_generic(bus, message, userdata, "enable", unit_file_preset_without_mode, true, error); } static int method_mask_unit_files(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) { return method_enable_unit_files_generic(bus, message, userdata, "disable", unit_file_mask, false, error); } +static int method_preset_unit_files_with_mode(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) { + + _cleanup_strv_free_ char **l = NULL; + UnitFileChange *changes = NULL; + unsigned n_changes = 0; + Manager *m = userdata; + UnitFilePresetMode mm; + UnitFileScope scope; + int runtime, force, r; + const char *mode; + + assert(bus); + assert(message); + assert(m); + + r = bus_verify_manage_unit_files_async(m, message, error); + if (r < 0) + return r; + if (r == 0) + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + + r = sd_bus_message_read_strv(message, &l); + if (r < 0) + return r; + + r = sd_bus_message_read(message, "sbb", &mode, &runtime, &force); + if (r < 0) + return r; + + if (isempty(mode)) + mm = UNIT_FILE_PRESET_FULL; + else { + mm = unit_file_preset_mode_from_string(mode); + if (mm < 0) + return -EINVAL; + } + + r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error); + if (r < 0) + return r; + + scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER; + + r = unit_file_preset(scope, runtime, NULL, l, mm, force, &changes, &n_changes); + if (r < 0) + return r; + + return reply_unit_file_changes_and_free(m, bus, message, r, changes, n_changes); +} + static int method_disable_unit_files_generic( sd_bus *bus, sd_bus_message *message, @@ -1574,7 +1690,13 @@ static int method_disable_unit_files_generic( assert(message); assert(m); - r = selinux_access_check(message, verb, error); + r = bus_verify_manage_unit_files_async(m, message, error); + if (r < 0) + return r; + if (r == 0) + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + + r = mac_selinux_access_check(message, verb, error); if (r < 0) return r; @@ -1615,7 +1737,13 @@ static int method_set_default_target(sd_bus *bus, sd_bus_message *message, void assert(message); assert(m); - r = selinux_access_check(message, "enable", error); + r = bus_verify_manage_unit_files_async(m, message, error); + if (r < 0) + return r; + if (r == 0) + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + + r = mac_selinux_access_check(message, "enable", error); if (r < 0) return r; @@ -1632,6 +1760,96 @@ static int method_set_default_target(sd_bus *bus, sd_bus_message *message, void return reply_unit_file_changes_and_free(m, bus, message, -1, changes, n_changes); } +static int method_preset_all_unit_files(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) { + UnitFileChange *changes = NULL; + unsigned n_changes = 0; + Manager *m = userdata; + UnitFilePresetMode mm; + UnitFileScope scope; + const char *mode; + int force, runtime, r; + + assert(bus); + assert(message); + assert(m); + + r = bus_verify_manage_unit_files_async(m, message, error); + if (r < 0) + return r; + if (r == 0) + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + + r = mac_selinux_access_check(message, "enable", error); + if (r < 0) + return r; + + r = sd_bus_message_read(message, "sbb", &mode, &runtime, &force); + if (r < 0) + return r; + + if (isempty(mode)) + mm = UNIT_FILE_PRESET_FULL; + else { + mm = unit_file_preset_mode_from_string(mode); + if (mm < 0) + return -EINVAL; + } + + scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER; + + r = unit_file_preset_all(scope, runtime, NULL, mm, force, &changes, &n_changes); + if (r < 0) + return r; + + return reply_unit_file_changes_and_free(m, bus, message, -1, changes, n_changes); +} + +static int method_add_dependency_unit_files(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) { + _cleanup_strv_free_ char **l = NULL; + Manager *m = userdata; + UnitFileChange *changes = NULL; + unsigned n_changes = 0; + UnitFileScope scope; + int runtime, force, r; + char *target; + char *type; + UnitDependency dep; + + assert(bus); + assert(message); + assert(m); + + r = bus_verify_manage_unit_files_async(m, message, error); + if (r < 0) + return r; + if (r == 0) + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + + r = sd_bus_message_read_strv(message, &l); + if (r < 0) + return r; + + r = sd_bus_message_read(message, "ssbb", &target, &type, &runtime, &force); + if (r < 0) + return r; + + dep = unit_dependency_from_string(type); + if (dep < 0) + return -EINVAL; + + r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error); + if (r < 0) + return r; + + scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER; + + r = unit_file_add_dependency(scope, runtime, NULL, l, target, dep, force, &changes, &n_changes); + if (r < 0) + return r; + + return reply_unit_file_changes_and_free(m, bus, message, -1, changes, n_changes); +} + const sd_bus_vtable bus_manager_vtable[] = { SD_BUS_VTABLE_START(0), @@ -1674,20 +1892,20 @@ const sd_bus_vtable bus_manager_vtable[] = { SD_BUS_METHOD("GetUnit", "s", "o", method_get_unit, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD("GetUnitByPID", "u", "o", method_get_unit_by_pid, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD("LoadUnit", "s", "o", method_load_unit, SD_BUS_VTABLE_UNPRIVILEGED), - SD_BUS_METHOD("StartUnit", "ss", "o", method_start_unit, 0), - SD_BUS_METHOD("StartUnitReplace", "sss", "o", method_start_unit_replace, 0), - SD_BUS_METHOD("StopUnit", "ss", "o", method_stop_unit, 0), - SD_BUS_METHOD("ReloadUnit", "ss", "o", method_reload_unit, 0), - SD_BUS_METHOD("RestartUnit", "ss", "o", method_restart_unit, 0), - SD_BUS_METHOD("TryRestartUnit", "ss", "o", method_try_restart_unit, 0), - SD_BUS_METHOD("ReloadOrRestartUnit", "ss", "o", method_reload_or_restart_unit, 0), - SD_BUS_METHOD("ReloadOrTryRestartUnit", "ss", "o", method_reload_or_try_restart_unit, 0), - SD_BUS_METHOD("KillUnit", "ssi", NULL, method_kill_unit, SD_BUS_VTABLE_CAPABILITY(CAP_KILL)), - SD_BUS_METHOD("ResetFailedUnit", "s", NULL, method_reset_failed_unit, 0), - SD_BUS_METHOD("SetUnitProperties", "sba(sv)", NULL, method_set_unit_properties, 0), - SD_BUS_METHOD("StartTransientUnit", "ssa(sv)a(sa(sv))", "o", method_start_transient_unit, 0), + SD_BUS_METHOD("StartUnit", "ss", "o", method_start_unit, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("StartUnitReplace", "sss", "o", method_start_unit_replace, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("StopUnit", "ss", "o", method_stop_unit, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("ReloadUnit", "ss", "o", method_reload_unit, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("RestartUnit", "ss", "o", method_restart_unit, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("TryRestartUnit", "ss", "o", method_try_restart_unit, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("ReloadOrRestartUnit", "ss", "o", method_reload_or_restart_unit, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("ReloadOrTryRestartUnit", "ss", "o", method_reload_or_try_restart_unit, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("KillUnit", "ssi", NULL, method_kill_unit, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("ResetFailedUnit", "s", NULL, method_reset_failed_unit, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("SetUnitProperties", "sba(sv)", NULL, method_set_unit_properties, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("StartTransientUnit", "ssa(sv)a(sa(sv))", "o", method_start_transient_unit, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD("GetJob", "u", "o", method_get_job, SD_BUS_VTABLE_UNPRIVILEGED), - SD_BUS_METHOD("CancelJob", "u", NULL, method_cancel_job, 0), + SD_BUS_METHOD("CancelJob", "u", NULL, method_cancel_job, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD("ClearJobs", NULL, NULL, method_clear_jobs, 0), SD_BUS_METHOD("ResetFailed", NULL, NULL, method_reset_failed, 0), SD_BUS_METHOD("ListUnits", NULL, "a(ssssssouso)", method_list_units, SD_BUS_VTABLE_UNPRIVILEGED), @@ -1698,8 +1916,8 @@ const sd_bus_vtable bus_manager_vtable[] = { SD_BUS_METHOD("Dump", NULL, "s", method_dump, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD("CreateSnapshot", "sb", "o", method_create_snapshot, 0), SD_BUS_METHOD("RemoveSnapshot", "s", NULL, method_remove_snapshot, 0), - SD_BUS_METHOD("Reload", NULL, NULL, method_reload, 0), - SD_BUS_METHOD("Reexecute", NULL, NULL, method_reexecute, 0), + SD_BUS_METHOD("Reload", NULL, NULL, method_reload, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("Reexecute", NULL, NULL, method_reexecute, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD("Exit", NULL, NULL, method_exit, 0), SD_BUS_METHOD("Reboot", NULL, NULL, method_reboot, SD_BUS_VTABLE_CAPABILITY(CAP_SYS_BOOT)), SD_BUS_METHOD("PowerOff", NULL, NULL, method_poweroff, SD_BUS_VTABLE_CAPABILITY(CAP_SYS_BOOT)), @@ -1711,15 +1929,18 @@ const sd_bus_vtable bus_manager_vtable[] = { SD_BUS_METHOD("UnsetAndSetEnvironment", "asas", NULL, method_unset_and_set_environment, 0), SD_BUS_METHOD("ListUnitFiles", NULL, "a(ss)", method_list_unit_files, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD("GetUnitFileState", "s", "s", method_get_unit_file_state, SD_BUS_VTABLE_UNPRIVILEGED), - SD_BUS_METHOD("EnableUnitFiles", "asbb", "ba(sss)", method_enable_unit_files, 0), - SD_BUS_METHOD("DisableUnitFiles", "asb", "a(sss)", method_disable_unit_files, 0), - SD_BUS_METHOD("ReenableUnitFiles", "asbb", "ba(sss)", method_reenable_unit_files, 0), - SD_BUS_METHOD("LinkUnitFiles", "asbb", "a(sss)", method_link_unit_files, 0), - SD_BUS_METHOD("PresetUnitFiles", "asbb", "ba(sss)", method_preset_unit_files, 0), - SD_BUS_METHOD("MaskUnitFiles", "asbb", "a(sss)", method_mask_unit_files, 0), - SD_BUS_METHOD("UnmaskUnitFiles", "asb", "a(sss)", method_unmask_unit_files, 0), - SD_BUS_METHOD("SetDefaultTarget", "sb", "a(sss)", method_set_default_target, 0), + SD_BUS_METHOD("EnableUnitFiles", "asbb", "ba(sss)", method_enable_unit_files, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("DisableUnitFiles", "asb", "a(sss)", method_disable_unit_files, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("ReenableUnitFiles", "asbb", "ba(sss)", method_reenable_unit_files, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("LinkUnitFiles", "asbb", "a(sss)", method_link_unit_files, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("PresetUnitFiles", "asbb", "ba(sss)", method_preset_unit_files, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("PresetUnitFilesWithMode", "assbb", "ba(sss)", method_preset_unit_files_with_mode, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("MaskUnitFiles", "asbb", "a(sss)", method_mask_unit_files, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("UnmaskUnitFiles", "asb", "a(sss)", method_unmask_unit_files, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("SetDefaultTarget", "sb", "a(sss)", method_set_default_target, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD("GetDefaultTarget", NULL, "s", method_get_default_target, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("PresetAllUnitFiles", "sbb", "a(sss)", method_preset_all_unit_files, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("AddDependencyUnitFiles", "asssbb", "a(sss)", method_add_dependency_unit_files, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_SIGNAL("UnitNew", "so", 0), SD_BUS_SIGNAL("UnitRemoved", "so", 0),