mirror of
https://github.com/systemd/systemd.git
synced 2025-01-05 16:13:41 +08:00
resolved: consult Polkit for privileges when manipulating DNS-SD
This commit is contained in:
parent
e7c1b0e456
commit
84b0f133e4
@ -165,6 +165,15 @@ if conf.get('ENABLE_RESOLVE') == 1
|
||||
|
||||
install_data('resolv.conf',
|
||||
install_dir : rootlibexecdir)
|
||||
|
||||
i18n.merge_file(
|
||||
'org.freedesktop.resolve1.policy',
|
||||
input : 'org.freedesktop.resolve1.policy.in',
|
||||
output : 'org.freedesktop.resolve1.policy',
|
||||
po_dir : po_dir,
|
||||
data_dirs : po_dir,
|
||||
install : install_polkit,
|
||||
install_dir : polkitpolicydir)
|
||||
endif
|
||||
|
||||
tests += [
|
||||
|
43
src/resolve/org.freedesktop.resolve1.policy.in
Normal file
43
src/resolve/org.freedesktop.resolve1.policy.in
Normal file
@ -0,0 +1,43 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?> <!--*-nxml-*-->
|
||||
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
|
||||
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
|
||||
|
||||
<!--
|
||||
SPDX-License-Identifier: LGPL-2.1+
|
||||
|
||||
This file is part of systemd.
|
||||
|
||||
systemd is free software; you can redistribute it and/or modify it
|
||||
under the terms of the GNU Lesser General Public License as published by
|
||||
the Free Software Foundation; either version 2.1 of the License, or
|
||||
(at your option) any later version.
|
||||
-->
|
||||
|
||||
<policyconfig>
|
||||
|
||||
<vendor>The systemd Project</vendor>
|
||||
<vendor_url>http://www.freedesktop.org/wiki/Software/systemd</vendor_url>
|
||||
|
||||
<action id="org.freedesktop.resolve1.register-service">
|
||||
<description>Register a DNS-SD service</description>
|
||||
<message>Authentication is required to register a DNS-SD service</message>
|
||||
<defaults>
|
||||
<allow_any>auth_admin</allow_any>
|
||||
<allow_inactive>auth_admin</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
</defaults>
|
||||
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
|
||||
</action>
|
||||
|
||||
<action id="org.freedesktop.resolve1.unregister-service">
|
||||
<description>Unregister a DNS-SD service</description>
|
||||
<message>Authentication is required to unregister a DNS-SD service</message>
|
||||
<defaults>
|
||||
<allow_any>auth_admin</allow_any>
|
||||
<allow_inactive>auth_admin</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
</defaults>
|
||||
<annotate key="org.freedesktop.policykit.owner">unix-user:systemd-resolve</annotate>
|
||||
</action>
|
||||
|
||||
</policyconfig>
|
@ -28,6 +28,7 @@
|
||||
#include "resolved-dnssd.h"
|
||||
#include "resolved-dnssd-bus.h"
|
||||
#include "resolved-link-bus.h"
|
||||
#include "user-util.h"
|
||||
#include "utf8.h"
|
||||
|
||||
static int reply_query_state(DnsQuery *q) {
|
||||
@ -1597,6 +1598,7 @@ static int on_bus_track(sd_bus_track *t, void *userdata) {
|
||||
}
|
||||
|
||||
static int bus_method_register_service(sd_bus_message *message, void *userdata, sd_bus_error *error) {
|
||||
_cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
|
||||
_cleanup_(dnssd_service_freep) DnssdService *service = NULL;
|
||||
_cleanup_(sd_bus_track_unrefp) sd_bus_track *bus_track = NULL;
|
||||
_cleanup_free_ char *path = NULL;
|
||||
@ -1607,6 +1609,7 @@ static int bus_method_register_service(sd_bus_message *message, void *userdata,
|
||||
const char *name;
|
||||
const char *name_template;
|
||||
const char *type;
|
||||
uid_t euid;
|
||||
int r;
|
||||
|
||||
assert(message);
|
||||
@ -1615,10 +1618,28 @@ static int bus_method_register_service(sd_bus_message *message, void *userdata,
|
||||
if (m->mdns_support != RESOLVE_SUPPORT_YES)
|
||||
return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Support for MulticastDNS is disabled");
|
||||
|
||||
r = bus_verify_polkit_async(message, CAP_SYS_ADMIN,
|
||||
"org.freedesktop.resolve1.register-service",
|
||||
NULL, false, UID_INVALID,
|
||||
&m->polkit_registry, error);
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (r == 0)
|
||||
return 1; /* Polkit will call us back */
|
||||
|
||||
service = new0(DnssdService, 1);
|
||||
if (!service)
|
||||
return log_oom();
|
||||
|
||||
r = sd_bus_query_sender_creds(message, SD_BUS_CREDS_EUID, &creds);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = sd_bus_creds_get_euid(creds, &euid);
|
||||
if (r < 0)
|
||||
return r;
|
||||
service->originator = euid;
|
||||
|
||||
r = sd_bus_message_read(message, "sssqqq", &name, &name_template, &type,
|
||||
&service->port, &service->priority,
|
||||
&service->weight);
|
||||
@ -1783,8 +1804,8 @@ static const sd_bus_vtable resolve_vtable[] = {
|
||||
SD_BUS_METHOD("SetLinkDNSSECNegativeTrustAnchors", "ias", NULL, bus_method_set_link_dnssec_negative_trust_anchors, 0),
|
||||
SD_BUS_METHOD("RevertLink", "i", NULL, bus_method_revert_link, 0),
|
||||
|
||||
SD_BUS_METHOD("RegisterService", "sssqqqa{say}", "o", bus_method_register_service, 0),
|
||||
SD_BUS_METHOD("UnregisterService", "o", NULL, bus_method_unregister_service, 0),
|
||||
SD_BUS_METHOD("RegisterService", "sssqqqa{say}", "o", bus_method_register_service, SD_BUS_VTABLE_UNPRIVILEGED),
|
||||
SD_BUS_METHOD("UnregisterService", "o", NULL, bus_method_unregister_service, SD_BUS_VTABLE_UNPRIVILEGED),
|
||||
SD_BUS_VTABLE_END,
|
||||
};
|
||||
|
||||
|
@ -18,10 +18,12 @@
|
||||
***/
|
||||
|
||||
#include "alloc-util.h"
|
||||
#include "bus-util.h"
|
||||
#include "resolved-dnssd.h"
|
||||
#include "resolved-dnssd-bus.h"
|
||||
#include "resolved-link.h"
|
||||
#include "strv.h"
|
||||
#include "user-util.h"
|
||||
|
||||
int bus_dnssd_method_unregister(sd_bus_message *message, void *userdata, sd_bus_error *error) {
|
||||
DnssdService *s = userdata;
|
||||
@ -35,6 +37,15 @@ int bus_dnssd_method_unregister(sd_bus_message *message, void *userdata, sd_bus_
|
||||
|
||||
m = s->manager;
|
||||
|
||||
r = bus_verify_polkit_async(message, CAP_SYS_ADMIN,
|
||||
"org.freedesktop.resolve1.unregister-service",
|
||||
NULL, false, s->originator,
|
||||
&m->polkit_registry, error);
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (r == 0)
|
||||
return 1; /* Polkit will call us back */
|
||||
|
||||
HASHMAP_FOREACH(l, m->links, i) {
|
||||
if (l->mdns_ipv4_scope) {
|
||||
r = dns_scope_announce(l->mdns_ipv4_scope, true);
|
||||
@ -67,7 +78,7 @@ int bus_dnssd_method_unregister(sd_bus_message *message, void *userdata, sd_bus_
|
||||
const sd_bus_vtable dnssd_vtable[] = {
|
||||
SD_BUS_VTABLE_START(0),
|
||||
|
||||
SD_BUS_METHOD("Unregister", NULL, NULL, bus_dnssd_method_unregister, 0),
|
||||
SD_BUS_METHOD("Unregister", NULL, NULL, bus_dnssd_method_unregister, SD_BUS_VTABLE_UNPRIVILEGED),
|
||||
SD_BUS_SIGNAL("Conflicted", NULL, 0),
|
||||
|
||||
SD_BUS_VTABLE_END
|
||||
|
@ -47,6 +47,7 @@ struct DnssdService {
|
||||
Manager *manager;
|
||||
|
||||
bool withdrawn:1;
|
||||
uid_t originator;
|
||||
};
|
||||
|
||||
DnssdService *dnssd_service_free(DnssdService *service);
|
||||
|
@ -146,6 +146,8 @@ struct Manager {
|
||||
|
||||
sd_event_source *dns_stub_udp_event_source;
|
||||
sd_event_source *dns_stub_tcp_event_source;
|
||||
|
||||
Hashmap *polkit_registry;
|
||||
};
|
||||
|
||||
/* Manager */
|
||||
|
Loading…
Reference in New Issue
Block a user