int bus_job_method_cancel(sd_bus_message *message, void *userdata, sd_bus_error *error) {
Job *j = userdata;
int r;
assert(message);
assert(j);
r = mac_selinux_unit_access_check(j->unit, message, "stop", error);
if (r < 0)
return r;
/* Access is granted to the job owner */
if (!sd_bus_track_contains(j->clients, sd_bus_message_get_sender(message))) {
/* And for everybody else consult PolicyKit */
r = bus_verify_manage_units_async(j->unit->manager, message, error);
if (r < 0)
return r;
if (r == 0)
return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
}
job_finish_and_invalidate(j, JOB_CANCELED, true);
return sd_bus_reply_method_return(message, NULL);
}
int bus_scope_method_abandon(sd_bus_message *message, void *userdata, sd_bus_error *error) {
Scope *s = userdata;
int r;
assert(message);
assert(s);
r = mac_selinux_unit_access_check(UNIT(s), message, "stop", error);
if (r < 0)
return r;
r = bus_verify_manage_units_async(UNIT(s)->manager, message, error);
if (r < 0)
return r;
if (r == 0)
return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
r = scope_abandon(s);
if (r == -ESTALE)
return sd_bus_error_setf(error, BUS_ERROR_SCOPE_NOT_RUNNING, "Scope %s is not running, cannot abandon.", UNIT(s)->id);
if (r < 0)
return r;
return sd_bus_reply_method_return(message, NULL);
}
int mac_selinux_unit_access_check_strv(char **units,
sd_bus_message *message,
Manager *m,
const char *permission,
sd_bus_error *error) {
#ifdef HAVE_SELINUX
char **i;
Unit *u;
int r;
STRV_FOREACH(i, units) {
u = manager_get_unit(m, *i);
if (u) {
r = mac_selinux_unit_access_check(u, message, permission, error);
if (r < 0)
return r;
}
}
int bus_job_method_cancel(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) {
Job *j = userdata;
int r;
assert(bus);
assert(message);
assert(j);
r = verify_sys_admin_or_owner_sync(message, j, error);
if (r < 0)
return r;
r = mac_selinux_unit_access_check(j->unit, message, "stop", error);
if (r < 0)
return r;
job_finish_and_invalidate(j, JOB_CANCELED, true);
return sd_bus_reply_method_return(message, NULL);
}
int bus_snapshot_method_remove(sd_bus_message *message, void *userdata, sd_bus_error *error) {
Snapshot *s = userdata;
int r;
assert(message);
assert(s);
r = mac_selinux_unit_access_check(UNIT(s), message, "stop", error);
if (r < 0)
return r;
r = bus_verify_manage_units_async(UNIT(s)->manager, message, error);
if (r < 0)
return r;
if (r == 0)
return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
snapshot_remove(s);
return sd_bus_reply_method_return(message, NULL);
}
int mac_selinux_unit_access_check_strv(char **units,
sd_bus_message *message,
Manager *m,
const char *permission,
sd_bus_error *error) {
#ifdef HAVE_SELINUX
char **i;
Unit *u;
int r;
STRV_FOREACH(i, units) {
if (is_path(*i))
r = manager_load_unit(m, NULL, *i, error, &u);
else
r = manager_load_unit(m, *i, NULL, error, &u);
if (r < 0)
return r;
r = mac_selinux_unit_access_check(u, message, permission, error);
if (r < 0)
return r;
}
#endif
return 0;
}
