static gboolean check_polkit_for_action (GConfDefaults *mechanism, DBusGMethodInvocation *context, const char *action) { const char *sender; GError *error; DBusError dbus_error; PolKitCaller *pk_caller; PolKitAction *pk_action; PolKitResult pk_result; error = NULL; /* Check that caller is privileged */ sender = dbus_g_method_get_sender (context); dbus_error_init (&dbus_error); pk_caller = polkit_caller_new_from_dbus_name ( dbus_g_connection_get_connection (mechanism->priv->system_bus_connection), sender, &dbus_error); if (pk_caller == NULL) { error = g_error_new (GCONF_DEFAULTS_ERROR, GCONF_DEFAULTS_ERROR_GENERAL, "Error getting information about caller: %s: %s", dbus_error.name, dbus_error.message); dbus_error_free (&dbus_error); dbus_g_method_return_error (context, error); g_error_free (error); return FALSE; } pk_action = polkit_action_new (); polkit_action_set_action_id (pk_action, action); pk_result = polkit_context_is_caller_authorized (mechanism->priv->pol_ctx, pk_action, pk_caller, TRUE, NULL); polkit_caller_unref (pk_caller); if (pk_result != POLKIT_RESULT_YES) { dbus_error_init (&dbus_error); polkit_dbus_error_generate (pk_action, pk_result, &dbus_error); dbus_set_g_error (&error, &dbus_error); dbus_g_method_return_error (context, error); dbus_error_free (&dbus_error); g_error_free (error); polkit_action_unref (pk_action); return FALSE; } polkit_action_unref (pk_action); return TRUE; }
static gboolean _check_polkit_for_action (GnomeClockAppletMechanism *mechanism, DBusGMethodInvocation *context, const char *action) { const char *sender; GError *error; DBusError dbus_error; PolKitCaller *pk_caller; PolKitAction *pk_action; PolKitResult pk_result; error = NULL; /* Check that caller is privileged */ sender = dbus_g_method_get_sender (context); dbus_error_init (&dbus_error); pk_caller = polkit_caller_new_from_dbus_name ( dbus_g_connection_get_connection (mechanism->priv->system_bus_connection), sender, &dbus_error); if (pk_caller == NULL) { error = g_error_new (GNOME_CLOCK_APPLET_MECHANISM_ERROR, GNOME_CLOCK_APPLET_MECHANISM_ERROR_GENERAL, "Error getting information about caller: %s: %s", dbus_error.name, dbus_error.message); dbus_error_free (&dbus_error); dbus_g_method_return_error (context, error); g_error_free (error); return FALSE; } pk_action = polkit_action_new (); polkit_action_set_action_id (pk_action, action); pk_result = polkit_context_can_caller_do_action (mechanism->priv->pol_ctx, pk_action, pk_caller); polkit_caller_unref (pk_caller); polkit_action_unref (pk_action); if (pk_result != POLKIT_RESULT_YES) { error = g_error_new (GNOME_CLOCK_APPLET_MECHANISM_ERROR, GNOME_CLOCK_APPLET_MECHANISM_ERROR_NOT_PRIVILEGED, "%s %s <-- (action, result)", action, polkit_result_to_string_representation (pk_result)); dbus_error_free (&dbus_error); dbus_g_method_return_error (context, error); g_error_free (error); return FALSE; } return TRUE; }
int virPolkitCheckAuth(const char *actionid, pid_t pid, unsigned long long startTime ATTRIBUTE_UNUSED, uid_t uid, const char **details, bool allowInteraction ATTRIBUTE_UNUSED) { PolKitCaller *pkcaller = NULL; PolKitAction *pkaction = NULL; PolKitContext *pkcontext = NULL; PolKitError *pkerr = NULL; PolKitResult pkresult; DBusError err; DBusConnection *sysbus; int ret = -1; if (details) { virReportError(VIR_ERR_AUTH_FAILED, "%s", _("Details not supported with polkit v0")); return -1; } if (!(sysbus = virDBusGetSystemBus())) goto cleanup; VIR_INFO("Checking PID %lld running as %d", (long long) pid, uid); dbus_error_init(&err); if (!(pkcaller = polkit_caller_new_from_pid(sysbus, pid, &err))) { VIR_DEBUG("Failed to lookup policy kit caller: %s", err.message); dbus_error_free(&err); goto cleanup; } if (!(pkaction = polkit_action_new())) { char ebuf[1024]; VIR_DEBUG("Failed to create polkit action %s", virStrerror(errno, ebuf, sizeof(ebuf))); goto cleanup; } polkit_action_set_action_id(pkaction, actionid); if (!(pkcontext = polkit_context_new()) || !polkit_context_init(pkcontext, &pkerr)) { char ebuf[1024]; VIR_DEBUG("Failed to create polkit context %s", (pkerr ? polkit_error_get_error_message(pkerr) : virStrerror(errno, ebuf, sizeof(ebuf)))); if (pkerr) polkit_error_free(pkerr); dbus_error_free(&err); goto cleanup; } # if HAVE_POLKIT_CONTEXT_IS_CALLER_AUTHORIZED pkresult = polkit_context_is_caller_authorized(pkcontext, pkaction, pkcaller, 0, &pkerr); if (pkerr && polkit_error_is_set(pkerr)) { VIR_DEBUG("Policy kit failed to check authorization %d %s", polkit_error_get_error_code(pkerr), polkit_error_get_error_message(pkerr)); goto cleanup; } # else pkresult = polkit_context_can_caller_do_action(pkcontext, pkaction, pkcaller); # endif if (pkresult != POLKIT_RESULT_YES) { VIR_DEBUG("Policy kit denied action %s from pid %lld, uid %d, result: %s", actionid, (long long) pid, uid, polkit_result_to_string_representation(pkresult)); ret = -2; goto cleanup; } VIR_DEBUG("Policy allowed action %s from pid %lld, uid %d", actionid, (long long)pid, (int)uid); ret = 0; cleanup: if (ret < 0) { virResetLastError(); virReportError(VIR_ERR_AUTH_FAILED, "%s", _("authentication failed")); } if (pkcontext) polkit_context_unref(pkcontext); if (pkcaller) polkit_caller_unref(pkcaller); if (pkaction) polkit_action_unref(pkaction); return ret; }