From 4acf0cfd2f92edb94ad48d04f1ce6c9ab4e19d55 Mon Sep 17 00:00:00 2001
|
|
From: Lennart Poettering <lennart@poettering.net>
|
|
Date: Wed, 22 Jan 2020 12:04:38 +0100
|
|
Subject: [PATCH] logind: check PolicyKit before allowing VT switch
|
|
|
|
Let's lock this down a bit. Effectively nothing much changes, since the
|
|
default PK policy will allow users on the VT to change VT. Only users
|
|
with no local VT session won't be able to switch VTs.
|
|
Reference: https://github.com/systemd/systemd/commit/4acf0cfd2f92edb94ad48d04f1ce6c9ab4e19d55
|
|
Conflict: NA
|
|
---
|
|
src/login/logind-dbus.c | 16 +++++++
|
|
src/login/logind-seat-dbus.c | 58 ++++++++++++++++++++++++-
|
|
src/login/logind-session-dbus.c | 14 ++++++
|
|
src/login/org.freedesktop.login1.policy | 10 +++++
|
|
4 files changed, 97 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
|
|
index 8017aa5c3c..52a7ea3c77 100644
|
|
--- a/src/login/logind-dbus.c
|
|
+++ b/src/login/logind-dbus.c
|
|
@@ -1016,6 +1016,8 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b
|
|
if (r < 0)
|
|
return r;
|
|
|
|
+ /* PolicyKit is done by bus_session_method_activate() */
|
|
+
|
|
return bus_session_method_activate(message, session, error);
|
|
}
|
|
|
|
@@ -1047,6 +1049,20 @@ static int method_activate_session_on_seat(sd_bus_message *message, void *userda
|
|
return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT,
|
|
"Session %s not on seat %s", session_name, seat_name);
|
|
|
|
+ r = bus_verify_polkit_async(
|
|
+ message,
|
|
+ CAP_SYS_ADMIN,
|
|
+ "org.freedesktop.login1.chvt",
|
|
+ NULL,
|
|
+ false,
|
|
+ UID_INVALID,
|
|
+ &m->polkit_registry,
|
|
+ error);
|
|
+ if (r < 0)
|
|
+ return r;
|
|
+ if (r == 0)
|
|
+ return 1; /* Will call us back */
|
|
+
|
|
r = session_activate(session);
|
|
if (r < 0)
|
|
return r;
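Review bot: The new bus_verify_polkit_async() call sits below the session and seat lookups, so a caller that will ultimately be denied still receives the distinct "no such session" / BUS_ERROR_SESSION_NOT_ON_SEAT replies and can probe which session IDs exist on which seat before authorization is ever consulted. If that is acceptable for logind (session IDs are not treated as secret), a one-line comment would keep a later refactor from accidentally weakening or moving the check: `/* polkit is checked after validation on purpose: session IDs are not secret, and the callback re-runs this method from the top */`. Note also that when `r == 0` the method is re-entered once PolicyKit answers, so the lookups above run twice on that path — harmless here as long as they stay side-effect free. method_activate_session_on_seat starts before this hunk.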
|
|
diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c
|
|
index 5b41e60fd6..0a5df937cc 100644
|
|
--- a/src/login/logind-seat-dbus.c
|
|
+++ b/src/login/logind-seat-dbus.c
|
|
@@ -178,6 +178,20 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b
|
|
if (session->seat != s)
|
|
return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name, s->id);
|
|
|
|
+ r = bus_verify_polkit_async(
|
|
+ message,
|
|
+ CAP_SYS_ADMIN,
|
|
+ "org.freedesktop.login1.chvt",
|
|
+ NULL,
|
|
+ false,
|
|
+ UID_INVALID,
|
|
+ &s->manager->polkit_registry,
|
|
+ error);
|
|
+ if (r < 0)
|
|
+ return r;
|
|
+ if (r == 0)
|
|
+ return 1; /* Will call us back */
|
|
+
|
|
r = session_activate(session);
|
|
if (r < 0)
|
|
return r;
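Review bot: This seat-level Activate now carries its own copy of the chvt authorization and then calls session_activate() directly, while the manager-level ActivateSession in logind-dbus.c (same patch) delegates to bus_session_method_activate(), which in this patch performs the identical check before session_activate(). Delegating here too — `return bus_session_method_activate(message, session, error);` in place of the polkit call and the session_activate() call — would leave a single authorization point for session activation, provided the remainder of this method after session_activate() (outside the hunk) only sends the empty reply, which I cannot confirm from here. If the two paths are meant to diverge later, a comment saying why the check is duplicated would help. method_activate_session in logind-seat-dbus.c starts before this hunk.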
|
|
@@ -198,7 +212,21 @@ static int method_switch_to(sd_bus_message *message, void *userdata, sd_bus_erro
|
|
return r;
|
|
|
|
if (to <= 0)
|
|
- return -EINVAL;
|
|
+ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal");
|
|
+
|
|
+ r = bus_verify_polkit_async(
|
|
+ message,
|
|
+ CAP_SYS_ADMIN,
|
|
+ "org.freedesktop.login1.chvt",
|
|
+ NULL,
|
|
+ false,
|
|
+ UID_INVALID,
|
|
+ &s->manager->polkit_registry,
|
|
+ error);
|
|
+ if (r < 0)
|
|
+ return r;
|
|
+ if (r == 0)
|
|
+ return 1; /* Will call us back */
|
|
|
|
r = seat_switch_to(s, to);
|
|
if (r < 0)
|
|
@@ -214,6 +242,20 @@ static int method_switch_to_next(sd_bus_message *message, void *userdata, sd_bus
|
|
assert(message);
|
|
assert(s);
|
|
|
|
+ r = bus_verify_polkit_async(
|
|
+ message,
|
|
+ CAP_SYS_ADMIN,
|
|
+ "org.freedesktop.login1.chvt",
|
|
+ NULL,
|
|
+ false,
|
|
+ UID_INVALID,
|
|
+ &s->manager->polkit_registry,
|
|
+ error);
|
|
+ if (r < 0)
|
|
+ return r;
|
|
+ if (r == 0)
|
|
+ return 1; /* Will call us back */
|
|
+
|
|
r = seat_switch_to_next(s);
|
|
if (r < 0)
|
|
return r;
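Review bot: The check passes `false` as the interactive argument, so under the shipped defaults (auth_admin_keep for inactive and remote callers) a caller that is not the seat's active session gets a plain denial instead of an authentication prompt — unless, as I recall of bus_verify_polkit_async(), the D-Bus message itself carries the allow-interactive-authorization flag. That is probably the right choice for a method usually bound to a hotkey, where blocking on an auth dialog makes no sense, but it is not obvious from the call, so record it: `/* non-interactive: a hotkey-driven VT switch must never block on an auth dialog */`. method_switch_to_next's tail is outside the hunk.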
|
|
@@ -228,6 +270,20 @@ static int method_switch_to_previous(sd_bus_message *message, void *userdata, sd
|
|
assert(message);
|
|
assert(s);
|
|
|
|
+ r = bus_verify_polkit_async(
|
|
+ message,
|
|
+ CAP_SYS_ADMIN,
|
|
+ "org.freedesktop.login1.chvt",
|
|
+ NULL,
|
|
+ false,
|
|
+ UID_INVALID,
|
|
+ &s->manager->polkit_registry,
|
|
+ error);
|
|
+ if (r < 0)
|
|
+ return r;
|
|
+ if (r == 0)
|
|
+ return 1; /* Will call us back */
|
|
+
|
|
r = seat_switch_to_previous(s);
|
|
if (r < 0)
|
|
return r;
|
|
diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c
|
|
index 3738514282..80ec89ba0a 100644
|
|
--- a/src/login/logind-session-dbus.c
|
|
+++ b/src/login/logind-session-dbus.c
|
|
@@ -191,6 +191,20 @@ int bus_session_method_activate(sd_bus_message *message, void *userdata, sd_bus_
|
|
assert(message);
|
|
assert(s);
|
|
|
|
+ r = bus_verify_polkit_async(
|
|
+ message,
|
|
+ CAP_SYS_ADMIN,
|
|
+ "org.freedesktop.login1.chvt",
|
|
+ NULL,
|
|
+ false,
|
|
+ UID_INVALID,
|
|
+ &s->manager->polkit_registry,
|
|
+ error);
|
|
+ if (r < 0)
|
|
+ return r;
|
|
+ if (r == 0)
|
|
+ return 1; /* Will call us back */
|
|
+
|
|
r = session_activate(s);
|
|
if (r < 0)
|
|
return r;
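Review bot: Passing `UID_INVALID` as the good_user argument subjects the session owner to the full chvt policy even when activating their own session; with the shipped defaults (allow_inactive is auth_admin_keep) a user whose session is currently inactive on its seat — they switched away and call Activate() to come back — now needs admin authentication, a behaviour change the commit message does not mention. If that is unintended, pass the session owner's UID in place of `UID_INVALID` so the owner bypasses PolicyKit for their own session while every other caller is still checked. Per the comment added in logind-dbus.c this function is also the path taken by the manager-level ActivateSession, so the choice made here covers both entry points. bus_session_method_activate's tail is outside the hunk.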
|
|
diff --git a/src/login/org.freedesktop.login1.policy b/src/login/org.freedesktop.login1.policy
|
|
index 6dc79aa32a..a269c8e313 100644
|
|
--- a/src/login/org.freedesktop.login1.policy
|
|
+++ b/src/login/org.freedesktop.login1.policy
|
|
@@ -391,4 +391,14 @@
|
|
</defaults>
|
|
</action>
|
|
|
|
+ <action id="org.freedesktop.login1.chvt">
|
|
+ <description gettext-domain="systemd">Change Session</description>
|
|
+ <message gettext-domain="systemd">Authentication is required for changing the virtual terminal.</message>
|
|
+ <defaults>
|
|
+ <allow_any>auth_admin_keep</allow_any>
|
|
+ <allow_inactive>auth_admin_keep</allow_inactive>
|
|
+ <allow_active>yes</allow_active>
|
|
+ </defaults>
|
|
+ </action>
|
|
+
|
|
</policyconfig>
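Review bot: The defaults grant `allow_active` only, with `allow_inactive` set to auth_admin_keep, so a local user whose session is not the active one on its seat (a second user logged in on another VT) needs admin authentication to switch — narrower than the commit message's "users on the VT", so either the message or the default should be aligned, and if inactive local sessions are meant to be allowed, `<allow_inactive>yes</allow_inactive>` is the one-line change. The description "Change Session" also does not match the message text about the virtual terminal; `<description gettext-domain="systemd">Change the virtual terminal</description>` would read consistently in the polkit agent dialog. Keeping `allow_any` at auth_admin_keep is the right call, since a remote caller could otherwise yank the console away from the physically present user.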
|
|
--
|
|
2.23.0