openSUSE:Step:FrontRunner
File 0001-polkit-on-async-pk-requests-re-validate-action-detai.patch of Package systemd.14146
From e5b27eea8901287ed752a3d074c6cc9c71bc1103 Mon Sep 17 00:00:00 2001 From: Lennart Poettering <lennart@poettering.net> Date: Wed, 22 Jan 2020 16:52:10 +0100 Subject: [PATCH 1/3] polkit: on async pk requests, re-validate action/details When we do an async pk request, let's store which action/details we used for the original request, and when we are called for the second time, let's compare. If the action/details changed, let's not allow the access to go through. [fbui: adjust context] --- src/shared/bus-util.c | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c index 207b5e66fc..770e15acba 100644 --- a/src/shared/bus-util.c +++ b/src/shared/bus-util.c @@ -334,6 +334,9 @@ int bus_test_polkit( #ifdef ENABLE_POLKIT typedef struct AsyncPolkitQuery { + char *action; + char **details; + sd_bus_message *request, *reply; sd_bus_message_handler_t callback; void *userdata; @@ -354,6 +357,9 @@ static void async_polkit_query_free(AsyncPolkitQuery *q) { sd_bus_message_unref(q->request); sd_bus_message_unref(q->reply); + free(q->action); + strv_free(q->details); + free(q); } @@ -418,11 +424,17 @@ int bus_verify_polkit_async( if (q) { int authorized, challenge; - /* This is the second invocation of this function, and - * there's already a response from polkit, let's - * process it */ + /* This is the second invocation of this function, and there's already a response from + * polkit, let's process it */ assert(q->reply); + /* If the operation we want to authenticate changed between the first and the second time, + * let's not use this authentication, it might be out of date as the object and context we + * operate on might have changed. */ + if (!streq(q->action, action) || + !strv_equal(q->details, (char**) details)) + return -ESTALE; + if (sd_bus_message_is_method_error(q->reply, NULL)) { const sd_bus_error *e; 
@@ -528,6 +540,18 @@ int bus_verify_polkit_async( q->callback = callback; q->userdata = userdata; + q->action = strdup(action); + if (!q->action) { + async_polkit_query_free(q); + return -ENOMEM; + } + + q->details = strv_copy((char**) details); + if (!q->details) { + async_polkit_query_free(q); + return -ENOMEM; + } + r = hashmap_put(*registry, call, q); if (r < 0) { async_polkit_query_free(q); -- 2.16.4
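Review bot: in the second-invocation branch of bus_verify_polkit_async() (hunk at @@ -418), the new `return -ESTALE` on an action/details mismatch is a return value that callers have not had to handle before, and the patch neither documents it nor logs the mismatch. Suggest a sentence in the function's comment stating that -ESTALE must be treated as a denial, plus a debug log line before the return so a changed action can be told apart from other failures. The comparison also calls `streq(q->action, action)` with no guard on `action` visible in this hunk; if the function asserts it earlier, fine, otherwise add the assert.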
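Review bot: in the hunk at @@ -528, `q->details = strv_copy((char**) details)` followed by `if (!q->details)` returns -ENOMEM whenever strv_copy() yields NULL, so it is worth confirming that strv_copy() returns an empty vector rather than NULL when a caller passes `details == NULL`; otherwise requests without details would fail here with a misleading error. The two new error paths also repeat `async_polkit_query_free(q); return -ENOMEM;` next to the existing hashmap_put() failure path; a single cleanup label or a cleanup attribute on `q` would keep the three exits from drifting apart.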