From abcac570bfe1db867fda504942e6c782ada2aa00 Mon Sep 17 00:00:00 2001 Message-Id: From: Stefan Agner Date: Sat, 13 Mar 2021 14:39:31 +0100 Subject: [PATCH] Isolate authorization specific functions into new compile unit Introduce udisksauthorization.c for authorization related functionality. This allows to make polkit optional much easier. Signed-off-by: Stefan Agner --- src/Makefile.am | 1 + src/udisksauthorization.c | 382 ++++++++++++++++++++++++++++++++ src/udisksauthorization.h | 63 ++++++ src/udisksbasejob.c | 1 + src/udisksdaemon.h | 1 + src/udisksdaemontypes.h | 1 - src/udisksdaemonutil.c | 356 ----------------------------- src/udisksdaemonutil.h | 31 --- src/udiskslinuxblock.c | 1 + src/udiskslinuxdrive.c | 1 + src/udiskslinuxdriveata.c | 1 + src/udiskslinuxencrypted.c | 1 + src/udiskslinuxfilesystem.c | 1 + src/udiskslinuxloop.c | 1 + src/udiskslinuxmanager.c | 1 + src/udiskslinuxmdraid.c | 1 + src/udiskslinuxpartition.c | 1 + src/udiskslinuxpartitiontable.c | 1 + src/udiskslinuxswapspace.c | 1 + 19 files changed, 459 insertions(+), 388 deletions(-) create mode 100644 src/udisksauthorization.c create mode 100644 src/udisksauthorization.h diff --git a/src/Makefile.am b/src/Makefile.am index 4048854c..bb09560a 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -92,6 +92,7 @@ libudisks_daemon_la_SOURCES = \ udisksmount.h udisksmount.c \ udisksmountmonitor.h udisksmountmonitor.c \ udisksdaemonutil.h udisksdaemonutil.c \ + udisksauthorization.h udisksauthorization.c \ udiskslogging.h udiskslogging.c \ udisksstate.h udisksstate.c \ udisksprivate.h \ diff --git a/src/udisksauthorization.c b/src/udisksauthorization.c new file mode 100644 index 00000000..f74e194a --- /dev/null +++ b/src/udisksauthorization.c @@ -0,0 +1,382 @@ +/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- + * + * Copyright (C) 2007-2010 David Zeuthen + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + * + */ + +#include +#include +#include "udisksdaemon.h" +#include "udisksdaemonutil.h" +#include "udisksauthorization.h" + +/* Need this until we can depend on a libpolkit with this bugfix + * + * http://cgit.freedesktop.org/polkit/commit/?h=wip/js-rule-files&id=224f7b892478302dccbe7e567b013d3c73d376fd + */ +static void +_safe_polkit_details_insert (PolkitDetails *details, const gchar *key, const gchar *value) +{ + if (value != NULL && strlen (value) > 0) + polkit_details_insert (details, key, value); +} + +static void +_safe_polkit_details_insert_int (PolkitDetails *details, const gchar *key, gint value) +{ + gchar buf[32]; + snprintf (buf, sizeof buf, "%d", value); + polkit_details_insert (details, key, buf); +} + +static void +_safe_polkit_details_insert_uint64 (PolkitDetails *details, const gchar *key, guint64 value) +{ + gchar buf[32]; + snprintf (buf, sizeof buf, "0x%08llx", (unsigned long long int) value); + polkit_details_insert (details, key, buf); +} + +static gboolean +check_authorization_no_polkit (UDisksDaemon *daemon, + UDisksObject *object, + const gchar *action_id, + GVariant *options, + const gchar *message, + GDBusMethodInvocation *invocation, + GError **error) +{ + gboolean ret = FALSE; + uid_t caller_uid = -1; + GError *sub_error = NULL; + + if (!udisks_daemon_util_get_caller_uid_sync (daemon, + invocation, + NULL, /* GCancellable* */ + &caller_uid, + &sub_error)) + { + g_set_error (error, + UDISKS_ERROR, + UDISKS_ERROR_FAILED, + "Error getting uid for caller with bus name %s: %s (%s, %d)", + g_dbus_method_invocation_get_sender (invocation), + sub_error->message, g_quark_to_string (sub_error->domain), sub_error->code); + g_clear_error (&sub_error); + goto out; + } + + /* only allow root */ + if (caller_uid == 0) + { + ret = TRUE; + } + else + { + g_set_error (error, + UDISKS_ERROR, + UDISKS_ERROR_NOT_AUTHORIZED, + "Not authorized to perform operation (polkit authority not available and caller is not uid 0)"); + } + + out: + return ret; +} + +/** + * udisks_daemon_util_check_authorization_sync: + * @daemon: A #UDisksDaemon. + * @object: (allow-none): The #GDBusObject that the call is on or %NULL. + * @action_id: The action id to check for. + * @options: (allow-none): A #GVariant to check for the auth.no_user_interaction option or %NULL. + * @message: The message to convey (use N_). + * @invocation: The invocation to check for. + * + * Checks if the caller represented by @invocation is authorized for + * the action identified by @action_id, optionally displaying @message + * if authentication is needed. Additionally, if the caller is not + * authorized, the appropriate error is already returned to the caller + * via @invocation. + * + * The calling thread is blocked for the duration of the authorization + * check which could be a very long time since it may involve + * presenting an authentication dialog and having a human user use + * it. If auth.no_user_interaction in @options is %TRUE + * no authentication dialog will be presented and the check is not + * expected to take a long time. + * + * See for the variables that + * can be used in @message but note that not all variables can be used + * in all checks. For example, any check involving a #UDisksDrive or a + * #UDisksBlock object can safely include the fragment + * $(drive) since it will always expand to the name of + * the drive, e.g. INTEL SSDSA2MH080G1GC (/dev/sda1) or + * the block device file e.g. /dev/vg_lucifer/lv_root + * or /dev/sda1. However this won't work for operations + * that isn't on a drive or block device, for example calls on the + * Manager + * object. + * + * Returns: %TRUE if caller is authorized, %FALSE if not. + */ +gboolean +udisks_daemon_util_check_authorization_sync (UDisksDaemon *daemon, + UDisksObject *object, + const gchar *action_id, + GVariant *options, + const gchar *message, + GDBusMethodInvocation *invocation) +{ + GError *error = NULL; + if (!udisks_daemon_util_check_authorization_sync_with_error (daemon, + object, + action_id, + options, + message, + invocation, + &error)) + { + g_dbus_method_invocation_take_error (invocation, error); + return FALSE; + } + + return TRUE; +} + +gboolean +udisks_daemon_util_check_authorization_sync_with_error (UDisksDaemon *daemon, + UDisksObject *object, + const gchar *action_id, + GVariant *options, + const gchar *message, + GDBusMethodInvocation *invocation, + GError **error) +{ + PolkitAuthority *authority = NULL; + PolkitSubject *subject = NULL; + PolkitDetails *details = NULL; + PolkitCheckAuthorizationFlags flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_NONE; + PolkitAuthorizationResult *result = NULL; + GError *sub_error = NULL; + gboolean ret = FALSE; + UDisksBlock *block = NULL; + UDisksDrive *drive = NULL; + UDisksPartition *partition = NULL; + UDisksObject *block_object = NULL; + UDisksObject *drive_object = NULL; + gboolean auth_no_user_interaction = FALSE; + const gchar *details_device = NULL; + gchar *details_drive = NULL; + + authority = udisks_daemon_get_authority (daemon); + if (authority == NULL) + { + ret = check_authorization_no_polkit (daemon, object, action_id, options, message, invocation, error); + goto out; + } + + subject = polkit_system_bus_name_new (g_dbus_method_invocation_get_sender (invocation)); + if (options != NULL) + { + g_variant_lookup (options, + "auth.no_user_interaction", + "b", + &auth_no_user_interaction); + } + if (!auth_no_user_interaction) + flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION; + + details = polkit_details_new (); + polkit_details_insert (details, "polkit.message", message); + polkit_details_insert (details, "polkit.gettext_domain", "udisks2"); + + /* Find drive associated with the block device, if any */ + if (object != NULL) + { + block = udisks_object_get_block (object); + if (block != NULL) + { + block_object = g_object_ref (object); + drive_object = udisks_daemon_find_object (daemon, udisks_block_get_drive (block)); + if (drive_object != NULL) + drive = udisks_object_get_drive (drive_object); + } + + partition = udisks_object_get_partition (object); + + if (drive == NULL) + drive = udisks_object_get_drive (object); + } + + if (block != NULL) + details_device = udisks_block_get_preferred_device (block); + + /* If we have a drive, use vendor/model in the message (in addition to Block:preferred-device) */ + if (drive != NULL) + { + gchar *s; + const gchar *vendor; + const gchar *model; + + vendor = udisks_drive_get_vendor (drive); + model = udisks_drive_get_model (drive); + if (vendor == NULL) + vendor = ""; + if (model == NULL) + model = ""; + + if (strlen (vendor) > 0 && strlen (model) > 0) + s = g_strdup_printf ("%s %s", vendor, model); + else if (strlen (vendor) > 0) + s = g_strdup (vendor); + else + s = g_strdup (model); + + if (block != NULL) + { + details_drive = g_strdup_printf ("%s (%s)", s, udisks_block_get_preferred_device (block)); + } + else + { + details_drive = s; + s = NULL; + } + g_free (s); + + _safe_polkit_details_insert (details, "drive.wwn", udisks_drive_get_wwn (drive)); + _safe_polkit_details_insert (details, "drive.serial", udisks_drive_get_serial (drive)); + _safe_polkit_details_insert (details, "drive.vendor", udisks_drive_get_vendor (drive)); + _safe_polkit_details_insert (details, "drive.model", udisks_drive_get_model (drive)); + _safe_polkit_details_insert (details, "drive.revision", udisks_drive_get_revision (drive)); + if (udisks_drive_get_removable (drive)) + { + const gchar *const *media_compat; + GString *media_compat_str; + const gchar *sep = ","; + + polkit_details_insert (details, "drive.removable", "true"); + _safe_polkit_details_insert (details, "drive.removable.bus", udisks_drive_get_connection_bus (drive)); + + media_compat_str = g_string_new (NULL); + media_compat = udisks_drive_get_media_compatibility (drive); + if (media_compat) + { + guint i; + + for (i = 0; media_compat[i] && strlen(media_compat[i]); i++) + { + if (i) + g_string_append (media_compat_str, sep); + g_string_append (media_compat_str, media_compat[i]); + } + } + + _safe_polkit_details_insert (details, "drive.removable.media", media_compat_str->str); + g_string_free (media_compat_str, TRUE); + } + } + + if (block != NULL) + { + _safe_polkit_details_insert (details, "id.type", udisks_block_get_id_type (block)); + _safe_polkit_details_insert (details, "id.usage", udisks_block_get_id_usage (block)); + _safe_polkit_details_insert (details, "id.version", udisks_block_get_id_version (block)); + _safe_polkit_details_insert (details, "id.label", udisks_block_get_id_label (block)); + _safe_polkit_details_insert (details, "id.uuid", udisks_block_get_id_uuid (block)); + } + + if (partition != NULL) + { + _safe_polkit_details_insert_int (details, "partition.number", udisks_partition_get_number (partition)); + _safe_polkit_details_insert (details, "partition.type", udisks_partition_get_type_ (partition)); + _safe_polkit_details_insert_uint64 (details, "partition.flags", udisks_partition_get_flags (partition)); + _safe_polkit_details_insert (details, "partition.name", udisks_partition_get_name (partition)); + _safe_polkit_details_insert (details, "partition.uuid", udisks_partition_get_uuid (partition)); + } + + /* Fall back to Block:preferred-device */ + if (details_drive == NULL && block != NULL) + details_drive = udisks_block_dup_preferred_device (block); + + if (details_device != NULL) + polkit_details_insert (details, "device", details_device); + if (details_drive != NULL) + polkit_details_insert (details, "drive", details_drive); + + sub_error = NULL; + result = polkit_authority_check_authorization_sync (authority, + subject, + action_id, + details, + flags, + NULL, /* GCancellable* */ + &sub_error); + if (result == NULL) + { + if (sub_error->domain != POLKIT_ERROR) + { + /* assume polkit authority is not available (e.g. could be the service + * manager returning org.freedesktop.systemd1.Masked) + */ + g_clear_error (&sub_error); + ret = check_authorization_no_polkit (daemon, object, action_id, options, message, invocation, error); + } + else + { + g_set_error (error, + UDISKS_ERROR, + UDISKS_ERROR_FAILED, + "Error checking authorization: %s (%s, %d)", + sub_error->message, + g_quark_to_string (sub_error->domain), + sub_error->code); + g_clear_error (&sub_error); + } + goto out; + } + if (!polkit_authorization_result_get_is_authorized (result)) + { + if (polkit_authorization_result_get_dismissed (result)) + g_set_error (error, + UDISKS_ERROR, + UDISKS_ERROR_NOT_AUTHORIZED_DISMISSED, + "The authentication dialog was dismissed"); + else + g_set_error (error, + UDISKS_ERROR, + polkit_authorization_result_get_is_challenge (result) ? + UDISKS_ERROR_NOT_AUTHORIZED_CAN_OBTAIN : + UDISKS_ERROR_NOT_AUTHORIZED, + "Not authorized to perform operation"); + goto out; + } + + ret = TRUE; + + out: + g_free (details_drive); + g_clear_object (&block_object); + g_clear_object (&drive_object); + g_clear_object (&block); + g_clear_object (&partition); + g_clear_object (&drive); + g_clear_object (&subject); + g_clear_object (&details); + g_clear_object (&result); + return ret; +} + diff --git a/src/udisksauthorization.h b/src/udisksauthorization.h new file mode 100644 index 00000000..4903bb57 --- /dev/null +++ b/src/udisksauthorization.h @@ -0,0 +1,63 @@ +/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- + * + * Copyright (C) 2007-2010 David Zeuthen + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + * + */ + +#ifndef __UDISKS_AUTHORIZATION_H__ +#define __UDISKS_AUTHORIZATION_H__ + +#include "udisksdaemontypes.h" +#include + +G_BEGIN_DECLS + +gboolean udisks_daemon_util_check_authorization_sync (UDisksDaemon *daemon, + UDisksObject *object, + const gchar *action_id, + GVariant *options, + const gchar *message, + GDBusMethodInvocation *invocation); + +gboolean udisks_daemon_util_check_authorization_sync_with_error (UDisksDaemon *daemon, + UDisksObject *object, + const gchar *action_id, + GVariant *options, + const gchar *message, + GDBusMethodInvocation *invocation, + GError **error); + +/* Utility macro for policy verification. */ +#define UDISKS_DAEMON_CHECK_AUTHORIZATION(daemon, \ + object, \ + action_id, \ + options, \ + message, \ + invocation) \ + if (! udisks_daemon_util_check_authorization_sync ((daemon), \ + (object), \ + (action_id), \ + (options), \ + (message), \ + (invocation))) \ + { \ + goto out; \ + } + +G_END_DECLS + +#endif /* __UDISKS_AUTHORIZATION_H__ */ diff --git a/src/udisksbasejob.c b/src/udisksbasejob.c index 71038ec9..08da42ce 100644 --- a/src/udisksbasejob.c +++ b/src/udisksbasejob.c @@ -27,6 +27,7 @@ #include "udisksbasejob.h" #include "udisksdaemon.h" #include "udisksdaemonutil.h" +#include "udisksauthorization.h" #include "udisks-daemon-marshal.h" #define MAX_SAMPLES 100 diff --git a/src/udisksdaemon.h b/src/udisksdaemon.h index c175054d..19b4bda3 100644 --- a/src/udisksdaemon.h +++ b/src/udisksdaemon.h @@ -23,6 +23,7 @@ #include "config.h" #include "udisksdaemontypes.h" +#include "udisksauthorization.h" G_BEGIN_DECLS diff --git a/src/udisksdaemontypes.h b/src/udisksdaemontypes.h index f23a29c5..1f4e8ba1 100644 --- a/src/udisksdaemontypes.h +++ b/src/udisksdaemontypes.h @@ -23,7 +23,6 @@ #include "config.h" #include -#include #include #include diff --git a/src/udisksdaemonutil.c b/src/udisksdaemonutil.c index 60134765..66489cb9 100644 --- a/src/udisksdaemonutil.c +++ b/src/udisksdaemonutil.c @@ -617,362 +617,6 @@ udisks_daemon_util_setup_by_user (UDisksDaemon *daemon, return ret; } -/* Need this until we can depend on a libpolkit with this bugfix - * - * http://cgit.freedesktop.org/polkit/commit/?h=wip/js-rule-files&id=224f7b892478302dccbe7e567b013d3c73d376fd - */ -static void -_safe_polkit_details_insert (PolkitDetails *details, const gchar *key, const gchar *value) -{ - if (value != NULL && strlen (value) > 0) - polkit_details_insert (details, key, value); -} - -static void -_safe_polkit_details_insert_int (PolkitDetails *details, const gchar *key, gint value) -{ - gchar buf[32]; - snprintf (buf, sizeof buf, "%d", value); - polkit_details_insert (details, key, buf); -} - -static void -_safe_polkit_details_insert_uint64 (PolkitDetails *details, const gchar *key, guint64 value) -{ - gchar buf[32]; - snprintf (buf, sizeof buf, "0x%08llx", (unsigned long long int) value); - polkit_details_insert (details, key, buf); -} - -static gboolean -check_authorization_no_polkit (UDisksDaemon *daemon, - UDisksObject *object, - const gchar *action_id, - GVariant *options, - const gchar *message, - GDBusMethodInvocation *invocation, - GError **error) -{ - gboolean ret = FALSE; - uid_t caller_uid = -1; - GError *sub_error = NULL; - - if (!udisks_daemon_util_get_caller_uid_sync (daemon, - invocation, - NULL, /* GCancellable* */ - &caller_uid, - &sub_error)) - { - g_set_error (error, - UDISKS_ERROR, - UDISKS_ERROR_FAILED, - "Error getting uid for caller with bus name %s: %s (%s, %d)", - g_dbus_method_invocation_get_sender (invocation), - sub_error->message, g_quark_to_string (sub_error->domain), sub_error->code); - g_clear_error (&sub_error); - goto out; - } - - /* only allow root */ - if (caller_uid == 0) - { - ret = TRUE; - } - else - { - g_set_error (error, - UDISKS_ERROR, - UDISKS_ERROR_NOT_AUTHORIZED, - "Not authorized to perform operation (polkit authority not available and caller is not uid 0)"); - } - - out: - return ret; -} - -/** - * udisks_daemon_util_check_authorization_sync: - * @daemon: A #UDisksDaemon. - * @object: (allow-none): The #GDBusObject that the call is on or %NULL. - * @action_id: The action id to check for. - * @options: (allow-none): A #GVariant to check for the auth.no_user_interaction option or %NULL. - * @message: The message to convey (use N_). - * @invocation: The invocation to check for. - * - * Checks if the caller represented by @invocation is authorized for - * the action identified by @action_id, optionally displaying @message - * if authentication is needed. Additionally, if the caller is not - * authorized, the appropriate error is already returned to the caller - * via @invocation. - * - * The calling thread is blocked for the duration of the authorization - * check which could be a very long time since it may involve - * presenting an authentication dialog and having a human user use - * it. If auth.no_user_interaction in @options is %TRUE - * no authentication dialog will be presented and the check is not - * expected to take a long time. - * - * See for the variables that - * can be used in @message but note that not all variables can be used - * in all checks. For example, any check involving a #UDisksDrive or a - * #UDisksBlock object can safely include the fragment - * $(drive) since it will always expand to the name of - * the drive, e.g. INTEL SSDSA2MH080G1GC (/dev/sda1) or - * the block device file e.g. /dev/vg_lucifer/lv_root - * or /dev/sda1. However this won't work for operations - * that isn't on a drive or block device, for example calls on the - * Manager - * object. - * - * Returns: %TRUE if caller is authorized, %FALSE if not. - */ -gboolean -udisks_daemon_util_check_authorization_sync (UDisksDaemon *daemon, - UDisksObject *object, - const gchar *action_id, - GVariant *options, - const gchar *message, - GDBusMethodInvocation *invocation) -{ - GError *error = NULL; - if (!udisks_daemon_util_check_authorization_sync_with_error (daemon, - object, - action_id, - options, - message, - invocation, - &error)) - { - g_dbus_method_invocation_take_error (invocation, error); - return FALSE; - } - - return TRUE; -} - -gboolean -udisks_daemon_util_check_authorization_sync_with_error (UDisksDaemon *daemon, - UDisksObject *object, - const gchar *action_id, - GVariant *options, - const gchar *message, - GDBusMethodInvocation *invocation, - GError **error) -{ - PolkitAuthority *authority = NULL; - PolkitSubject *subject = NULL; - PolkitDetails *details = NULL; - PolkitCheckAuthorizationFlags flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_NONE; - PolkitAuthorizationResult *result = NULL; - GError *sub_error = NULL; - gboolean ret = FALSE; - UDisksBlock *block = NULL; - UDisksDrive *drive = NULL; - UDisksPartition *partition = NULL; - UDisksObject *block_object = NULL; - UDisksObject *drive_object = NULL; - gboolean auth_no_user_interaction = FALSE; - const gchar *details_device = NULL; - gchar *details_drive = NULL; - - authority = udisks_daemon_get_authority (daemon); - if (authority == NULL) - { - ret = check_authorization_no_polkit (daemon, object, action_id, options, message, invocation, error); - goto out; - } - - subject = polkit_system_bus_name_new (g_dbus_method_invocation_get_sender (invocation)); - if (options != NULL) - { - g_variant_lookup (options, - "auth.no_user_interaction", - "b", - &auth_no_user_interaction); - } - if (!auth_no_user_interaction) - flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION; - - details = polkit_details_new (); - polkit_details_insert (details, "polkit.message", message); - polkit_details_insert (details, "polkit.gettext_domain", "udisks2"); - - /* Find drive associated with the block device, if any */ - if (object != NULL) - { - block = udisks_object_get_block (object); - if (block != NULL) - { - block_object = g_object_ref (object); - drive_object = udisks_daemon_find_object (daemon, udisks_block_get_drive (block)); - if (drive_object != NULL) - drive = udisks_object_get_drive (drive_object); - } - - partition = udisks_object_get_partition (object); - - if (drive == NULL) - drive = udisks_object_get_drive (object); - } - - if (block != NULL) - details_device = udisks_block_get_preferred_device (block); - - /* If we have a drive, use vendor/model in the message (in addition to Block:preferred-device) */ - if (drive != NULL) - { - gchar *s; - const gchar *vendor; - const gchar *model; - - vendor = udisks_drive_get_vendor (drive); - model = udisks_drive_get_model (drive); - if (vendor == NULL) - vendor = ""; - if (model == NULL) - model = ""; - - if (strlen (vendor) > 0 && strlen (model) > 0) - s = g_strdup_printf ("%s %s", vendor, model); - else if (strlen (vendor) > 0) - s = g_strdup (vendor); - else - s = g_strdup (model); - - if (block != NULL) - { - details_drive = g_strdup_printf ("%s (%s)", s, udisks_block_get_preferred_device (block)); - } - else - { - details_drive = s; - s = NULL; - } - g_free (s); - - _safe_polkit_details_insert (details, "drive.wwn", udisks_drive_get_wwn (drive)); - _safe_polkit_details_insert (details, "drive.serial", udisks_drive_get_serial (drive)); - _safe_polkit_details_insert (details, "drive.vendor", udisks_drive_get_vendor (drive)); - _safe_polkit_details_insert (details, "drive.model", udisks_drive_get_model (drive)); - _safe_polkit_details_insert (details, "drive.revision", udisks_drive_get_revision (drive)); - if (udisks_drive_get_removable (drive)) - { - const gchar *const *media_compat; - GString *media_compat_str; - const gchar *sep = ","; - - polkit_details_insert (details, "drive.removable", "true"); - _safe_polkit_details_insert (details, "drive.removable.bus", udisks_drive_get_connection_bus (drive)); - - media_compat_str = g_string_new (NULL); - media_compat = udisks_drive_get_media_compatibility (drive); - if (media_compat) - { - guint i; - - for (i = 0; media_compat[i] && strlen(media_compat[i]); i++) - { - if (i) - g_string_append (media_compat_str, sep); - g_string_append (media_compat_str, media_compat[i]); - } - } - - _safe_polkit_details_insert (details, "drive.removable.media", media_compat_str->str); - g_string_free (media_compat_str, TRUE); - } - } - - if (block != NULL) - { - _safe_polkit_details_insert (details, "id.type", udisks_block_get_id_type (block)); - _safe_polkit_details_insert (details, "id.usage", udisks_block_get_id_usage (block)); - _safe_polkit_details_insert (details, "id.version", udisks_block_get_id_version (block)); - _safe_polkit_details_insert (details, "id.label", udisks_block_get_id_label (block)); - _safe_polkit_details_insert (details, "id.uuid", udisks_block_get_id_uuid (block)); - } - - if (partition != NULL) - { - _safe_polkit_details_insert_int (details, "partition.number", udisks_partition_get_number (partition)); - _safe_polkit_details_insert (details, "partition.type", udisks_partition_get_type_ (partition)); - _safe_polkit_details_insert_uint64 (details, "partition.flags", udisks_partition_get_flags (partition)); - _safe_polkit_details_insert (details, "partition.name", udisks_partition_get_name (partition)); - _safe_polkit_details_insert (details, "partition.uuid", udisks_partition_get_uuid (partition)); - } - - /* Fall back to Block:preferred-device */ - if (details_drive == NULL && block != NULL) - details_drive = udisks_block_dup_preferred_device (block); - - if (details_device != NULL) - polkit_details_insert (details, "device", details_device); - if (details_drive != NULL) - polkit_details_insert (details, "drive", details_drive); - - sub_error = NULL; - result = polkit_authority_check_authorization_sync (authority, - subject, - action_id, - details, - flags, - NULL, /* GCancellable* */ - &sub_error); - if (result == NULL) - { - if (sub_error->domain != POLKIT_ERROR) - { - /* assume polkit authority is not available (e.g. could be the service - * manager returning org.freedesktop.systemd1.Masked) - */ - g_clear_error (&sub_error); - ret = check_authorization_no_polkit (daemon, object, action_id, options, message, invocation, error); - } - else - { - g_set_error (error, - UDISKS_ERROR, - UDISKS_ERROR_FAILED, - "Error checking authorization: %s (%s, %d)", - sub_error->message, - g_quark_to_string (sub_error->domain), - sub_error->code); - g_clear_error (&sub_error); - } - goto out; - } - if (!polkit_authorization_result_get_is_authorized (result)) - { - if (polkit_authorization_result_get_dismissed (result)) - g_set_error (error, - UDISKS_ERROR, - UDISKS_ERROR_NOT_AUTHORIZED_DISMISSED, - "The authentication dialog was dismissed"); - else - g_set_error (error, - UDISKS_ERROR, - polkit_authorization_result_get_is_challenge (result) ? - UDISKS_ERROR_NOT_AUTHORIZED_CAN_OBTAIN : - UDISKS_ERROR_NOT_AUTHORIZED, - "Not authorized to perform operation"); - goto out; - } - - ret = TRUE; - - out: - g_free (details_drive); - g_clear_object (&block_object); - g_clear_object (&drive_object); - g_clear_object (&block); - g_clear_object (&partition); - g_clear_object (&drive); - g_clear_object (&subject); - g_clear_object (&details); - g_clear_object (&result); - return ret; -} - /* ---------------------------------------------------------------------------------------------------- */ static gboolean diff --git a/src/udisksdaemonutil.h b/src/udisksdaemonutil.h index 2d7ac981..bd628acb 100644 --- a/src/udisksdaemonutil.h +++ b/src/udisksdaemonutil.h @@ -74,21 +74,6 @@ gboolean udisks_daemon_util_on_user_seat (UDisksDaemon *daemon, UDisksObject *object, uid_t user); -gboolean udisks_daemon_util_check_authorization_sync (UDisksDaemon *daemon, - UDisksObject *object, - const gchar *action_id, - GVariant *options, - const gchar *message, - GDBusMethodInvocation *invocation); - -gboolean udisks_daemon_util_check_authorization_sync_with_error (UDisksDaemon *daemon, - UDisksObject *object, - const gchar *action_id, - GVariant *options, - const gchar *message, - GDBusMethodInvocation *invocation, - GError **error); - gboolean udisks_daemon_util_get_user_info (const uid_t uid, gid_t *out_gid, gchar **out_user_name, @@ -129,22 +114,6 @@ gchar *udisks_daemon_util_get_free_mdraid_device (void); guint16 udisks_ata_identify_get_word (const guchar *identify_data, guint word_number); -/* Utility macro for policy verification. */ -#define UDISKS_DAEMON_CHECK_AUTHORIZATION(daemon, \ - object, \ - action_id, \ - options, \ - message, \ - invocation) \ - if (! udisks_daemon_util_check_authorization_sync ((daemon), \ - (object), \ - (action_id), \ - (options), \ - (message), \ - (invocation))) \ - { \ - goto out; \ - } G_END_DECLS diff --git a/src/udiskslinuxblock.c b/src/udiskslinuxblock.c index 901426ad..b1dd869c 100644 --- a/src/udiskslinuxblock.c +++ b/src/udiskslinuxblock.c @@ -53,6 +53,7 @@ #include "udisksprivate.h" #include "udisksconfigmanager.h" #include "udisksdaemonutil.h" +#include "udisksauthorization.h" #include "udiskslinuxprovider.h" #include "udisksfstabentry.h" #include "udiskscrypttabmonitor.h" diff --git a/src/udiskslinuxdrive.c b/src/udiskslinuxdrive.c index 592d3edc..f2f39b57 100644 --- a/src/udiskslinuxdrive.c +++ b/src/udiskslinuxdrive.c @@ -49,6 +49,7 @@ #include "udiskslinuxblockobject.h" #include "udisksdaemon.h" #include "udisksdaemonutil.h" +#include "udisksauthorization.h" #include "udiskslinuxdevice.h" #include "udisksconfigmanager.h" diff --git a/src/udiskslinuxdriveata.c b/src/udiskslinuxdriveata.c index 5ebdcd76..cd153d72 100644 --- a/src/udiskslinuxdriveata.c +++ b/src/udiskslinuxdriveata.c @@ -45,6 +45,7 @@ #include "udiskslinuxblockobject.h" #include "udisksdaemon.h" #include "udisksdaemonutil.h" +#include "udisksauthorization.h" #include "udisksbasejob.h" #include "udiskssimplejob.h" #include "udisksthreadedjob.h" diff --git a/src/udiskslinuxencrypted.c b/src/udiskslinuxencrypted.c index c3a0821a..5678cd47 100644 --- a/src/udiskslinuxencrypted.c +++ b/src/udiskslinuxencrypted.c @@ -37,6 +37,7 @@ #include "udiskslinuxblockobject.h" #include "udisksdaemon.h" #include "udisksdaemonutil.h" +#include "udisksauthorization.h" #include "udisksstate.h" #include "udiskslinuxdevice.h" #include "udiskslinuxblock.h" diff --git a/src/udiskslinuxfilesystem.c b/src/udiskslinuxfilesystem.c index 279d952b..5355fc8d 100644 --- a/src/udiskslinuxfilesystem.c +++ b/src/udiskslinuxfilesystem.c @@ -50,6 +50,7 @@ #include "udisksdaemon.h" #include "udisksstate.h" #include "udisksdaemonutil.h" +#include "udisksauthorization.h" #include "udisksmountmonitor.h" #include "udisksmount.h" #include "udiskslinuxdevice.h" diff --git a/src/udiskslinuxloop.c b/src/udiskslinuxloop.c index 5d7e3553..5854220e 100644 --- a/src/udiskslinuxloop.c +++ b/src/udiskslinuxloop.c @@ -42,6 +42,7 @@ #include "udisksdaemon.h" #include "udisksstate.h" #include "udisksdaemonutil.h" +#include "udisksauthorization.h" #include "udiskslinuxdevice.h" #include "udiskssimplejob.h" diff --git a/src/udiskslinuxmanager.c b/src/udiskslinuxmanager.c index 8af65d97..f6601195 100644 --- a/src/udiskslinuxmanager.c +++ b/src/udiskslinuxmanager.c @@ -41,6 +41,7 @@ #include "udiskslinuxmanager.h" #include "udisksdaemon.h" #include "udisksdaemonutil.h" +#include "udisksauthorization.h" #include "udisksstate.h" #include "udiskslinuxblockobject.h" #include "udiskslinuxdevice.h" diff --git a/src/udiskslinuxmdraid.c b/src/udiskslinuxmdraid.c index 4560a7ab..361383c9 100644 --- a/src/udiskslinuxmdraid.c +++ b/src/udiskslinuxmdraid.c @@ -43,6 +43,7 @@ #include "udisksdaemon.h" #include "udisksstate.h" #include "udisksdaemonutil.h" +#include "udisksauthorization.h" #include "udiskslinuxdevice.h" #include "udiskslinuxblock.h" #include "udiskssimplejob.h" diff --git a/src/udiskslinuxpartition.c b/src/udiskslinuxpartition.c index ff0fdfc0..7937257a 100644 --- a/src/udiskslinuxpartition.c +++ b/src/udiskslinuxpartition.c @@ -40,6 +40,7 @@ #include "udiskslinuxblockobject.h" #include "udisksdaemon.h" #include "udisksdaemonutil.h" +#include "udisksauthorization.h" #include "udiskslinuxdevice.h" #include "udiskslinuxblock.h" #include "udiskssimplejob.h" diff --git a/src/udiskslinuxpartitiontable.c b/src/udiskslinuxpartitiontable.c index e43a0708..63c295bb 100644 --- a/src/udiskslinuxpartitiontable.c +++ b/src/udiskslinuxpartitiontable.c @@ -39,6 +39,7 @@ #include "udiskslinuxblockobject.h" #include "udisksdaemon.h" #include "udisksdaemonutil.h" +#include "udisksauthorization.h" #include "udiskslinuxdevice.h" #include "udiskslinuxblock.h" #include "udiskslinuxpartition.h" diff --git a/src/udiskslinuxswapspace.c b/src/udiskslinuxswapspace.c index bb47f3d4..6998b6ab 100644 --- a/src/udiskslinuxswapspace.c +++ b/src/udiskslinuxswapspace.c @@ -35,6 +35,7 @@ #include "udiskslinuxblockobject.h" #include "udisksdaemon.h" #include "udisksdaemonutil.h" +#include "udisksauthorization.h" #include "udisksmountmonitor.h" #include "udiskslinuxdevice.h" #include "udisksthreadedjob.h" -- 2.30.2