daandemeyer / rpms / systemd

Forked from rpms/systemd 2 years ago
Clone
c2dfb7
From af20a66874296f71618819ebce9d4335b195728c Mon Sep 17 00:00:00 2001
c2dfb7
From: Lennart Poettering <lennart@poettering.net>
c2dfb7
Date: Wed, 22 Jan 2020 12:04:38 +0100
c2dfb7
Subject: [PATCH] logind: check PolicyKit before allowing VT switch
c2dfb7
c2dfb7
Let's lock this down a bit. Effectively nothing much changes, since the
c2dfb7
default PK policy will allow users on the VT to change VT. Only users
c2dfb7
with no local VT session won't be able to switch VTs.
c2dfb7
c2dfb7
(cherry picked from commit 4acf0cfd2f92edb94ad48d04f1ce6c9ab4e19d55)
c2dfb7
c2dfb7
Resolves: #1797679
c2dfb7
---
c2dfb7
 src/login/logind-dbus.c                 | 16 +++++++
c2dfb7
 src/login/logind-seat-dbus.c            | 58 ++++++++++++++++++++++++-
c2dfb7
 src/login/logind-session-dbus.c         | 15 +++++++
c2dfb7
 src/login/org.freedesktop.login1.policy | 10 +++++
c2dfb7
 4 files changed, 98 insertions(+), 1 deletion(-)
c2dfb7
c2dfb7
diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
c2dfb7
index dca7f4a30f..3f122fcbd9 100644
c2dfb7
--- a/src/login/logind-dbus.c
c2dfb7
+++ b/src/login/logind-dbus.c
c2dfb7
@@ -913,6 +913,8 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b
c2dfb7
         if (r < 0)
c2dfb7
                 return r;
c2dfb7
 
c2dfb7
+        /* PolicyKit is done by bus_session_method_activate() */
c2dfb7
+
c2dfb7
         return bus_session_method_activate(message, session, error);
c2dfb7
 }
c2dfb7
 
c2dfb7
@@ -944,6 +946,20 @@ static int method_activate_session_on_seat(sd_bus_message *message, void *userda
c2dfb7
         if (session->seat != seat)
c2dfb7
                 return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", session_name, seat_name);
c2dfb7
 
c2dfb7
+        r = bus_verify_polkit_async(
c2dfb7
+                        message,
c2dfb7
+                        CAP_SYS_ADMIN,
c2dfb7
+                        "org.freedesktop.login1.chvt",
c2dfb7
+                        NULL,
c2dfb7
+                        false,
c2dfb7
+                        UID_INVALID,
c2dfb7
+                        &m->polkit_registry,
c2dfb7
+                        error);
c2dfb7
+        if (r < 0)
c2dfb7
+                return r;
c2dfb7
+        if (r == 0)
c2dfb7
+                return 1; /* Will call us back */
c2dfb7
+
c2dfb7
         r = session_activate(session);
c2dfb7
         if (r < 0)
c2dfb7
                 return r;
c2dfb7
diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c
c2dfb7
index c4d9b067c6..2e590a8f21 100644
c2dfb7
--- a/src/login/logind-seat-dbus.c
c2dfb7
+++ b/src/login/logind-seat-dbus.c
c2dfb7
@@ -174,6 +174,20 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b
c2dfb7
         if (session->seat != s)
c2dfb7
                 return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name, s->id);
c2dfb7
 
c2dfb7
+        r = bus_verify_polkit_async(
c2dfb7
+                        message,
c2dfb7
+                        CAP_SYS_ADMIN,
c2dfb7
+                        "org.freedesktop.login1.chvt",
c2dfb7
+                        NULL,
c2dfb7
+                        false,
c2dfb7
+                        UID_INVALID,
c2dfb7
+                        &s->manager->polkit_registry,
c2dfb7
+                        error);
c2dfb7
+        if (r < 0)
c2dfb7
+                return r;
c2dfb7
+        if (r == 0)
c2dfb7
+                return 1; /* Will call us back */
c2dfb7
+
c2dfb7
         r = session_activate(session);
c2dfb7
         if (r < 0)
c2dfb7
                 return r;
c2dfb7
@@ -194,7 +208,21 @@ static int method_switch_to(sd_bus_message *message, void *userdata, sd_bus_erro
c2dfb7
                 return r;
c2dfb7
 
c2dfb7
         if (to <= 0)
c2dfb7
-                return -EINVAL;
c2dfb7
+                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal");
c2dfb7
+
c2dfb7
+        r = bus_verify_polkit_async(
c2dfb7
+                        message,
c2dfb7
+                        CAP_SYS_ADMIN,
c2dfb7
+                        "org.freedesktop.login1.chvt",
c2dfb7
+                        NULL,
c2dfb7
+                        false,
c2dfb7
+                        UID_INVALID,
c2dfb7
+                        &s->manager->polkit_registry,
c2dfb7
+                        error);
c2dfb7
+        if (r < 0)
c2dfb7
+                return r;
c2dfb7
+        if (r == 0)
c2dfb7
+                return 1; /* Will call us back */
c2dfb7
 
c2dfb7
         r = seat_switch_to(s, to);
c2dfb7
         if (r < 0)
c2dfb7
@@ -210,6 +238,20 @@ static int method_switch_to_next(sd_bus_message *message, void *userdata, sd_bus
c2dfb7
         assert(message);
c2dfb7
         assert(s);
c2dfb7
 
c2dfb7
+        r = bus_verify_polkit_async(
c2dfb7
+                        message,
c2dfb7
+                        CAP_SYS_ADMIN,
c2dfb7
+                        "org.freedesktop.login1.chvt",
c2dfb7
+                        NULL,
c2dfb7
+                        false,
c2dfb7
+                        UID_INVALID,
c2dfb7
+                        &s->manager->polkit_registry,
c2dfb7
+                        error);
c2dfb7
+        if (r < 0)
c2dfb7
+                return r;
c2dfb7
+        if (r == 0)
c2dfb7
+                return 1; /* Will call us back */
c2dfb7
+
c2dfb7
         r = seat_switch_to_next(s);
c2dfb7
         if (r < 0)
c2dfb7
                 return r;
c2dfb7
@@ -224,6 +266,20 @@ static int method_switch_to_previous(sd_bus_message *message, void *userdata, sd
c2dfb7
         assert(message);
c2dfb7
         assert(s);
c2dfb7
 
c2dfb7
+        r = bus_verify_polkit_async(
c2dfb7
+                        message,
c2dfb7
+                        CAP_SYS_ADMIN,
c2dfb7
+                        "org.freedesktop.login1.chvt",
c2dfb7
+                        NULL,
c2dfb7
+                        false,
c2dfb7
+                        UID_INVALID,
c2dfb7
+                        &s->manager->polkit_registry,
c2dfb7
+                        error);
c2dfb7
+        if (r < 0)
c2dfb7
+                return r;
c2dfb7
+        if (r == 0)
c2dfb7
+                return 1; /* Will call us back */
c2dfb7
+
c2dfb7
         r = seat_switch_to_previous(s);
c2dfb7
         if (r < 0)
c2dfb7
                 return r;
c2dfb7
diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c
c2dfb7
index 25c4981dc0..88a2d33dc8 100644
c2dfb7
--- a/src/login/logind-session-dbus.c
c2dfb7
+++ b/src/login/logind-session-dbus.c
c2dfb7
@@ -13,6 +13,7 @@
c2dfb7
 #include "logind.h"
c2dfb7
 #include "signal-util.h"
c2dfb7
 #include "strv.h"
c2dfb7
+#include "user-util.h"
c2dfb7
 #include "util.h"
c2dfb7
 
c2dfb7
 static int property_get_user(
c2dfb7
@@ -182,6 +183,20 @@ int bus_session_method_activate(sd_bus_message *message, void *userdata, sd_bus_
c2dfb7
         assert(message);
c2dfb7
         assert(s);
c2dfb7
 
c2dfb7
+        r = bus_verify_polkit_async(
c2dfb7
+                        message,
c2dfb7
+                        CAP_SYS_ADMIN,
c2dfb7
+                        "org.freedesktop.login1.chvt",
c2dfb7
+                        NULL,
c2dfb7
+                        false,
c2dfb7
+                        UID_INVALID,
c2dfb7
+                        &s->manager->polkit_registry,
c2dfb7
+                        error);
c2dfb7
+        if (r < 0)
c2dfb7
+                return r;
c2dfb7
+        if (r == 0)
c2dfb7
+                return 1; /* Will call us back */
c2dfb7
+
c2dfb7
         r = session_activate(s);
c2dfb7
         if (r < 0)
c2dfb7
                 return r;
c2dfb7
diff --git a/src/login/org.freedesktop.login1.policy b/src/login/org.freedesktop.login1.policy
c2dfb7
index f1d1f956d3..83760e1580 100644
c2dfb7
--- a/src/login/org.freedesktop.login1.policy
c2dfb7
+++ b/src/login/org.freedesktop.login1.policy
c2dfb7
@@ -357,4 +357,14 @@
c2dfb7
                 </defaults>
c2dfb7
         </action>
c2dfb7
 
c2dfb7
+        <action id="org.freedesktop.login1.chvt">
c2dfb7
+                <description gettext-domain="systemd">Change Session</description>
c2dfb7
+                <message gettext-domain="systemd">Authentication is required for changing the virtual terminal.</message>
c2dfb7
+                <defaults>
c2dfb7
+                        <allow_any>auth_admin_keep</allow_any>
c2dfb7
+                        <allow_inactive>auth_admin_keep</allow_inactive>
c2dfb7
+                        <allow_active>yes</allow_active>
c2dfb7
+                </defaults>
c2dfb7
+        </action>
c2dfb7
+
c2dfb7
 </policyconfig>