Tree - rpms/systemd - CentOS Git server

rpms / systemd

Blame SOURCES/0354-logind-check-PolicyKit-before-allowing-VT-switch.patch

Blob History Raw

		c2dfb7	`From af20a66874296f71618819ebce9d4335b195728c Mon Sep 17 00:00:00 2001`
		c2dfb7	`From: Lennart Poettering <lennart@poettering.net>`
		c2dfb7	`Date: Wed, 22 Jan 2020 12:04:38 +0100`
		c2dfb7	`Subject: [PATCH] logind: check PolicyKit before allowing VT switch`
		c2dfb7
		c2dfb7	`Let's lock this down a bit. Effectively nothing much changes, since the`
		c2dfb7	`default PK policy will allow users on the VT to change VT. Only users`
		c2dfb7	`with no local VT session won't be able to switch VTs.`
		c2dfb7
		c2dfb7	`(cherry picked from commit 4acf0cfd2f92edb94ad48d04f1ce6c9ab4e19d55)`
		c2dfb7
		c2dfb7	`Resolves: #1797679`
		c2dfb7	`---`
		c2dfb7	`src/login/logind-dbus.c \| 16 +++++++`
		c2dfb7	`src/login/logind-seat-dbus.c \| 58 ++++++++++++++++++++++++-`
		c2dfb7	`src/login/logind-session-dbus.c \| 15 +++++++`
		c2dfb7	`src/login/org.freedesktop.login1.policy \| 10 +++++`
		c2dfb7	`4 files changed, 98 insertions(+), 1 deletion(-)`
		c2dfb7
		c2dfb7	`diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c`
		c2dfb7	`index dca7f4a30f..3f122fcbd9 100644`
		c2dfb7	`--- a/src/login/logind-dbus.c`
		c2dfb7	`+++ b/src/login/logind-dbus.c`
		c2dfb7	`@@ -913,6 +913,8 @@ static int method_activate_session(sd_bus_message message, void userdata, sd_b`
		c2dfb7	`if (r < 0)`
		c2dfb7	`return r;`
		c2dfb7
		c2dfb7	`+ /* PolicyKit is done by bus_session_method_activate() */`
		c2dfb7	`+`
		c2dfb7	`return bus_session_method_activate(message, session, error);`
		c2dfb7	`}`
		c2dfb7
		c2dfb7	`@@ -944,6 +946,20 @@ static int method_activate_session_on_seat(sd_bus_message message, void userda`
		c2dfb7	`if (session->seat != seat)`
		c2dfb7	`return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", session_name, seat_name);`
		c2dfb7
		c2dfb7	`+ r = bus_verify_polkit_async(`
		c2dfb7	`+ message,`
		c2dfb7	`+ CAP_SYS_ADMIN,`
		c2dfb7	`+ "org.freedesktop.login1.chvt",`
		c2dfb7	`+ NULL,`
		c2dfb7	`+ false,`
		c2dfb7	`+ UID_INVALID,`
		c2dfb7	`+ &m->polkit_registry,`
		c2dfb7	`+ error);`
		c2dfb7	`+ if (r < 0)`
		c2dfb7	`+ return r;`
		c2dfb7	`+ if (r == 0)`
		c2dfb7	`+ return 1; /* Will call us back */`
		c2dfb7	`+`
		c2dfb7	`r = session_activate(session);`
		c2dfb7	`if (r < 0)`
		c2dfb7	`return r;`
		c2dfb7	`diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c`
		c2dfb7	`index c4d9b067c6..2e590a8f21 100644`
		c2dfb7	`--- a/src/login/logind-seat-dbus.c`
		c2dfb7	`+++ b/src/login/logind-seat-dbus.c`
		c2dfb7	`@@ -174,6 +174,20 @@ static int method_activate_session(sd_bus_message message, void userdata, sd_b`
		c2dfb7	`if (session->seat != s)`
		c2dfb7	`return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name, s->id);`
		c2dfb7
		c2dfb7	`+ r = bus_verify_polkit_async(`
		c2dfb7	`+ message,`
		c2dfb7	`+ CAP_SYS_ADMIN,`
		c2dfb7	`+ "org.freedesktop.login1.chvt",`
		c2dfb7	`+ NULL,`
		c2dfb7	`+ false,`
		c2dfb7	`+ UID_INVALID,`
		c2dfb7	`+ &s->manager->polkit_registry,`
		c2dfb7	`+ error);`
		c2dfb7	`+ if (r < 0)`
		c2dfb7	`+ return r;`
		c2dfb7	`+ if (r == 0)`
		c2dfb7	`+ return 1; /* Will call us back */`
		c2dfb7	`+`
		c2dfb7	`r = session_activate(session);`
		c2dfb7	`if (r < 0)`
		c2dfb7	`return r;`
		c2dfb7	`@@ -194,7 +208,21 @@ static int method_switch_to(sd_bus_message message, void userdata, sd_bus_erro`
		c2dfb7	`return r;`
		c2dfb7
		c2dfb7	`if (to <= 0)`
		c2dfb7	`- return -EINVAL;`
		c2dfb7	`+ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal");`
		c2dfb7	`+`
		c2dfb7	`+ r = bus_verify_polkit_async(`
		c2dfb7	`+ message,`
		c2dfb7	`+ CAP_SYS_ADMIN,`
		c2dfb7	`+ "org.freedesktop.login1.chvt",`
		c2dfb7	`+ NULL,`
		c2dfb7	`+ false,`
		c2dfb7	`+ UID_INVALID,`
		c2dfb7	`+ &s->manager->polkit_registry,`
		c2dfb7	`+ error);`
		c2dfb7	`+ if (r < 0)`
		c2dfb7	`+ return r;`
		c2dfb7	`+ if (r == 0)`
		c2dfb7	`+ return 1; /* Will call us back */`
		c2dfb7
		c2dfb7	`r = seat_switch_to(s, to);`
		c2dfb7	`if (r < 0)`
		c2dfb7	`@@ -210,6 +238,20 @@ static int method_switch_to_next(sd_bus_message message, void userdata, sd_bus`
		c2dfb7	`assert(message);`
		c2dfb7	`assert(s);`
		c2dfb7
		c2dfb7	`+ r = bus_verify_polkit_async(`
		c2dfb7	`+ message,`
		c2dfb7	`+ CAP_SYS_ADMIN,`
		c2dfb7	`+ "org.freedesktop.login1.chvt",`
		c2dfb7	`+ NULL,`
		c2dfb7	`+ false,`
		c2dfb7	`+ UID_INVALID,`
		c2dfb7	`+ &s->manager->polkit_registry,`
		c2dfb7	`+ error);`
		c2dfb7	`+ if (r < 0)`
		c2dfb7	`+ return r;`
		c2dfb7	`+ if (r == 0)`
		c2dfb7	`+ return 1; /* Will call us back */`
		c2dfb7	`+`
		c2dfb7	`r = seat_switch_to_next(s);`
		c2dfb7	`if (r < 0)`
		c2dfb7	`return r;`
		c2dfb7	`@@ -224,6 +266,20 @@ static int method_switch_to_previous(sd_bus_message message, void userdata, sd`
		c2dfb7	`assert(message);`
		c2dfb7	`assert(s);`
		c2dfb7
		c2dfb7	`+ r = bus_verify_polkit_async(`
		c2dfb7	`+ message,`
		c2dfb7	`+ CAP_SYS_ADMIN,`
		c2dfb7	`+ "org.freedesktop.login1.chvt",`
		c2dfb7	`+ NULL,`
		c2dfb7	`+ false,`
		c2dfb7	`+ UID_INVALID,`
		c2dfb7	`+ &s->manager->polkit_registry,`
		c2dfb7	`+ error);`
		c2dfb7	`+ if (r < 0)`
		c2dfb7	`+ return r;`
		c2dfb7	`+ if (r == 0)`
		c2dfb7	`+ return 1; /* Will call us back */`
		c2dfb7	`+`
		c2dfb7	`r = seat_switch_to_previous(s);`
		c2dfb7	`if (r < 0)`
		c2dfb7	`return r;`
		c2dfb7	`diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c`
		c2dfb7	`index 25c4981dc0..88a2d33dc8 100644`
		c2dfb7	`--- a/src/login/logind-session-dbus.c`
		c2dfb7	`+++ b/src/login/logind-session-dbus.c`
		c2dfb7	`@@ -13,6 +13,7 @@`
		c2dfb7	`#include "logind.h"`
		c2dfb7	`#include "signal-util.h"`
		c2dfb7	`#include "strv.h"`
		c2dfb7	`+#include "user-util.h"`
		c2dfb7	`#include "util.h"`
		c2dfb7
		c2dfb7	`static int property_get_user(`
		c2dfb7	`@@ -182,6 +183,20 @@ int bus_session_method_activate(sd_bus_message message, void userdata, sd_bus_`
		c2dfb7	`assert(message);`
		c2dfb7	`assert(s);`
		c2dfb7
		c2dfb7	`+ r = bus_verify_polkit_async(`
		c2dfb7	`+ message,`
		c2dfb7	`+ CAP_SYS_ADMIN,`
		c2dfb7	`+ "org.freedesktop.login1.chvt",`
		c2dfb7	`+ NULL,`
		c2dfb7	`+ false,`
		c2dfb7	`+ UID_INVALID,`
		c2dfb7	`+ &s->manager->polkit_registry,`
		c2dfb7	`+ error);`
		c2dfb7	`+ if (r < 0)`
		c2dfb7	`+ return r;`
		c2dfb7	`+ if (r == 0)`
		c2dfb7	`+ return 1; /* Will call us back */`
		c2dfb7	`+`
		c2dfb7	`r = session_activate(s);`
		c2dfb7	`if (r < 0)`
		c2dfb7	`return r;`
		c2dfb7	`diff --git a/src/login/org.freedesktop.login1.policy b/src/login/org.freedesktop.login1.policy`
		c2dfb7	`index f1d1f956d3..83760e1580 100644`
		c2dfb7	`--- a/src/login/org.freedesktop.login1.policy`
		c2dfb7	`+++ b/src/login/org.freedesktop.login1.policy`
		c2dfb7	`@@ -357,4 +357,14 @@`
		c2dfb7	`</defaults>`
		c2dfb7	`</action>`
		c2dfb7
		c2dfb7	`+ <action id="org.freedesktop.login1.chvt">`
		c2dfb7	`+ <description gettext-domain="systemd">Change Session</description>`
		c2dfb7	`+ <message gettext-domain="systemd">Authentication is required for changing the virtual terminal.</message>`
		c2dfb7	`+ <defaults>`
		c2dfb7	`+ <allow_any>auth_admin_keep</allow_any>`
		c2dfb7	`+ <allow_inactive>auth_admin_keep</allow_inactive>`
		c2dfb7	`+ <allow_active>yes</allow_active>`
		c2dfb7	`+ </defaults>`
		c2dfb7	`+ </action>`
		c2dfb7	`+`
		c2dfb7	`</policyconfig>`

rpms / systemd

Source Code

Blame SOURCES/0354-logind-check-PolicyKit-before-allowing-VT-switch.patch