polkit: Pass caller uid to PolicyKit authority
chrisccoulson committed Mar 22, 2018
1 parent 8917e08 commit fb37ced
Showing 3 changed files with 10 additions and 9 deletions.
4 changes: 2 additions & 2 deletions daemon/daemon.go
Expand Up @@ -94,7 +94,7 @@ const (
accessForbidden
)

var polkitCheckAuthorizationForPid = polkit.CheckAuthorizationForPid
var polkitCheckAuthorization = polkit.CheckAuthorization

// canAccess checks the following properties:
//
Expand Down Expand Up @@ -162,7 +162,7 @@ func (c *Command) canAccess(r *http.Request, user *auth.UserState) accessResult
flags |= polkit.CheckAllowInteraction
}
}
if authorized, err := polkitCheckAuthorizationForPid(pid, c.PolkitOK, nil, flags); err == nil {
if authorized, err := polkitCheckAuthorization(pid, uid, c.PolkitOK, nil, flags); err == nil {
if authorized {
// polkit says user is authorised
return accessOK
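Review bot: The `uid` now passed in `polkitCheckAuthorization(pid, uid, c.PolkitOK, nil, flags)` is not assigned anywhere in this hunk, so the review should confirm it is obtained together with `pid` from the connection's kernel-reported peer credentials and never from request data or the `user` argument. polkit will presumably treat this value as the subject's identity rather than deriving it from the pid itself, so a mismatched or defaulted uid would change who is being authorized. A comment above the call would pin this down, e.g. `// pid and uid are the socket peer credentials; polkit authorizes this uid, so neither may come from the request`. canAccess starts and ends outside the hunk.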
10 changes: 5 additions & 5 deletions daemon/daemon_test.go
Expand Up @@ -57,7 +57,7 @@ type daemonSuite struct {

var _ = check.Suite(&daemonSuite{})

func (s *daemonSuite) checkAuthorizationForPid(pid uint32, actionId string, details map[string]string, flags polkit.CheckFlags) (bool, error) {
func (s *daemonSuite) checkAuthorization(pid uint32, uid uint32, actionId string, details map[string]string, flags polkit.CheckFlags) (bool, error) {
s.lastPolkitFlags = flags
return s.authorized, s.err
}
Expand All @@ -66,7 +66,7 @@ func (s *daemonSuite) SetUpTest(c *check.C) {
dirs.SetRootDir(c.MkDir())
err := os.MkdirAll(filepath.Dir(dirs.SnapStateFile), 0755)
c.Assert(err, check.IsNil)
polkitCheckAuthorizationForPid = s.checkAuthorizationForPid
polkitCheckAuthorization = s.checkAuthorization
}

func (s *daemonSuite) TearDownTest(c *check.C) {
Expand All @@ -77,7 +77,7 @@ func (s *daemonSuite) TearDownTest(c *check.C) {
}

func (s *daemonSuite) TearDownSuite(c *check.C) {
polkitCheckAuthorizationForPid = polkit.CheckAuthorizationForPid
polkitCheckAuthorization = polkit.CheckAuthorization
}

// build a new daemon, with only a little of Init(), suitable for the tests
Expand Down Expand Up @@ -269,8 +269,8 @@ func (s *daemonSuite) TestPolkitAccessForGet(c *check.C) {

// for UserOK commands, polkit is not consulted
cmd.UserOK = true
polkitCheckAuthorizationForPid = func(pid uint32, actionId string, details map[string]string, flags polkit.CheckFlags) (bool, error) {
panic("polkit.CheckAuthorizationForPid called")
polkitCheckAuthorization = func(pid uint32, uid uint32, actionId string, details map[string]string, flags polkit.CheckFlags) (bool, error) {
panic("polkit.CheckAuthorization called")
}
c.Check(cmd.canAccess(get, nil), check.Equals, accessOK)
}
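Review bot: The `checkAuthorization` stub still records only `flags`, so no test in this section would notice if canAccess passed the wrong `uid` to polkit, or swapped `pid` and `uid`, which share the type `uint32`. Consider storing both in the suite, e.g. `s.lastPolkitPid, s.lastPolkitUid = pid, uid` (new fields on daemonSuite, proposed here), and asserting them in the polkit access tests against the credentials the test request carries. The tests that would hold those assertions are outside the visible hunks.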
5 changes: 3 additions & 2 deletions polkit/authority.go
Expand Up @@ -62,9 +62,9 @@ func checkAuthorization(subject authSubject, actionId string, details map[string
return result.IsAuthorized, err
}

// CheckAuthorizationForPid queries polkit to determine whether a process is
// CheckAuthorization queries polkit to determine whether a process is
// authorized to perform an action.
func CheckAuthorizationForPid(pid uint32, actionId string, details map[string]string, flags CheckFlags) (bool, error) {
func CheckAuthorization(pid uint32, uid uint32, actionId string, details map[string]string, flags CheckFlags) (bool, error) {
subject := authSubject{
Kind: "unix-process",
Details: make(map[string]dbus.Variant),
Expand All @@ -75,6 +75,7 @@ func CheckAuthorizationForPid(pid uint32, actionId string, details map[string]st
return false, err
}
subject.Details["start-time"] = dbus.MakeVariant(startTime)
subject.Details["uid"] = dbus.MakeVariant(uid)
return checkAuthorization(subject, actionId, details, flags)
}

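Review bot: The doc comment on `CheckAuthorization` does not mention the new `uid` parameter, and the added line `subject.Details["uid"] = dbus.MakeVariant(uid)` forwards it to polkit without checking that it is the owner of `pid`. Since the value becomes part of the subject being authorized, the contract should be stated where callers will read it, e.g. `// uid must be the owner of pid as reported by a trusted source such as socket peer credentials; it is sent to polkit unverified.` Two adjacent `uint32` parameters are also easy to transpose at call sites, so naming the argument order in the comment helps. Part of the function body lies between the two hunks and is not visible here.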
