actions: read from /etc/polkit/actions too
In order to allow adding services running from other images than the
rootfs, read actions from /etc/polkit/actions too. This can happen
with systemd services using RootImage= or so, which are not installed
as packages and so their action files are not installed in /usr/, which
might be read-only.

Fixes polkit-org#180
bluca committed Sep 13, 2024
1 parent d68a3b4 commit 12afced
Showing 2 changed files with 53 additions and 22 deletions.
6 changes: 4 additions & 2 deletions docs/man/polkit.xml
@@ -104,6 +104,7 @@ System Context | |
+------------------+ |
^ |
| +--------------------------------------+
| | /etc/polkit-1/actions/*.policy |
| | /usr/share/polkit-1/actions/*.policy |
| +--------------------------------------+
|
@@ -217,8 +218,9 @@ System Context | |
order to use polkit. Actions correspond to operations that
clients can request the mechanism to carry out and are defined
in XML files that the mechanism installs into the <filename
class='directory'>/usr/share/polkit-1/actions</filename>
directory.
class='directory'>/etc/polkit-1/actions</filename> and the
<filename class='directory'>/usr/share/polkit-1/actions</filename>
directories.
</para>

<para>
69 changes: 49 additions & 20 deletions src/polkitbackend/polkitbackendinteractiveauthority.c
@@ -198,7 +198,8 @@ static gboolean polkit_backend_interactive_authority_revoke_temporary_authorizat

typedef struct
{
PolkitBackendActionPool *action_pool;
PolkitBackendActionPool *action_pool_vendor;
PolkitBackendActionPool *action_pool_local;

PolkitBackendSessionMonitor *session_monitor;

@@ -288,18 +289,27 @@ static void
polkit_backend_interactive_authority_init (PolkitBackendInteractiveAuthority *authority)
{
PolkitBackendInteractiveAuthorityPrivate *priv;
GFile *directory;
GFile *vendor_directory;
GFile *local_directory;
GError *error;

/* Force registering error domain */
(void)POLKIT_ERROR;

priv = polkit_backend_interactive_authority_get_instance_private (authority);

directory = g_file_new_for_path (PACKAGE_DATA_DIR "/polkit-1/actions");
priv->action_pool = polkit_backend_action_pool_new (directory);
g_object_unref (directory);
g_signal_connect (priv->action_pool,
vendor_directory = g_file_new_for_path (PACKAGE_DATA_DIR "/polkit-1/actions");
priv->action_pool_vendor = polkit_backend_action_pool_new (vendor_directory);
g_object_unref (vendor_directory);
g_signal_connect (priv->action_pool_vendor,
"changed",
(GCallback) action_pool_changed,
authority);

local_directory = g_file_new_for_path (PACKAGE_SYSCONF_DIR "/polkit-1/actions");
priv->action_pool_local = polkit_backend_action_pool_new (local_directory);
g_object_unref (local_directory);
g_signal_connect (priv->action_pool_local,
"changed",
(GCallback) action_pool_changed,
authority);
@@ -356,8 +366,11 @@ polkit_backend_interactive_authority_finalize (GObject *object)
if (priv->system_bus_connection != NULL)
g_object_unref (priv->system_bus_connection);

if (priv->action_pool != NULL)
g_object_unref (priv->action_pool);
if (priv->action_pool_vendor != NULL)
g_object_unref (priv->action_pool_vendor);

if (priv->action_pool_local != NULL)
g_object_unref (priv->action_pool_local);

if (priv->session_monitor != NULL)
g_object_unref (priv->session_monitor);
@@ -422,14 +435,16 @@ polkit_backend_interactive_authority_enumerate_actions (PolkitBackendAuthority
{
PolkitBackendInteractiveAuthority *interactive_authority;
PolkitBackendInteractiveAuthorityPrivate *priv;
GList *actions;
GList *vendor_actions;
GList *local_actions;

interactive_authority = POLKIT_BACKEND_INTERACTIVE_AUTHORITY (authority);
priv = polkit_backend_interactive_authority_get_instance_private (interactive_authority);

actions = polkit_backend_action_pool_get_all_actions (priv->action_pool, interactivee);
vendor_actions = polkit_backend_action_pool_get_all_actions (priv->action_pool_vendor, interactivee);
local_actions = polkit_backend_action_pool_get_all_actions (priv->action_pool_local, interactivee);

return actions;
return g_list_concat(local_actions, vendor_actions);
}

/* ---------------------------------------------------------------------------------------------------- */
@@ -795,7 +810,9 @@ may_identity_check_authorization (PolkitBackendInteractiveAuthority *interacti
goto out;
}

action_desc = polkit_backend_action_pool_get_action (priv->action_pool, action_id, NULL);
action_desc = polkit_backend_action_pool_get_action (priv->action_pool_local, action_id, NULL);
if (action_desc == NULL)
action_desc = polkit_backend_action_pool_get_action (priv->action_pool_vendor, action_id, NULL);
if (action_desc == NULL)
goto out;

@@ -1080,15 +1097,17 @@ check_authorization_sync (PolkitBackendAuthority *authority,
gboolean session_is_active;
PolkitImplicitAuthorization implicit_authorization;
const gchar *tmp_authz_id;
GList *actions;
GList *local_actions;
GList *vendor_actions;
GList *l;

interactive_authority = POLKIT_BACKEND_INTERACTIVE_AUTHORITY (authority);
priv = polkit_backend_interactive_authority_get_instance_private (interactive_authority);

result = NULL;

actions = NULL;
local_actions = NULL;
vendor_actions = NULL;
user_of_subject = NULL;
groups_of_user = NULL;
subject_str = NULL;
@@ -1104,10 +1123,15 @@ check_authorization_sync (PolkitBackendAuthority *authority,
action_id);

/* get the action description */
action_desc = polkit_backend_action_pool_get_action (priv->action_pool,
action_desc = polkit_backend_action_pool_get_action (priv->action_pool_local,
action_id,
NULL);

if (action_desc == NULL)
action_desc = polkit_backend_action_pool_get_action (priv->action_pool_vendor,
action_id,
NULL);

if (action_desc == NULL)
{
g_set_error (error,
@@ -1203,8 +1227,9 @@ check_authorization_sync (PolkitBackendAuthority *authority,
*/
if (!checking_imply)
{
actions = polkit_backend_action_pool_get_all_actions (priv->action_pool, NULL);
for (l = actions; l != NULL; l = l->next)
local_actions = polkit_backend_action_pool_get_all_actions (priv->action_pool_local, NULL);
vendor_actions = polkit_backend_action_pool_get_all_actions (priv->action_pool_vendor, NULL);
for (l = g_list_concat(local_actions, vendor_actions); l != NULL; l = l->next)
{
PolkitActionDescription *imply_ad = POLKIT_ACTION_DESCRIPTION (l->data);
const gchar *imply;
@@ -1275,8 +1300,8 @@ check_authorization_sync (PolkitBackendAuthority *authority,
g_debug (" not authorized");
}
out:
g_list_foreach (actions, (GFunc) g_object_unref, NULL);
g_list_free (actions);
g_list_foreach (local_actions, (GFunc) g_object_unref, NULL);
g_list_free (local_actions);

g_free (subject_str);

@@ -2068,9 +2093,13 @@ get_localized_data_for_challenge (PolkitBackendInteractiveAuthority *authority,
*out_localized_icon_name = NULL;
*out_localized_details = NULL;

action_desc = polkit_backend_action_pool_get_action (priv->action_pool,
action_desc = polkit_backend_action_pool_get_action (priv->action_pool_local,
action_id,
locale);
if (action_desc == NULL)
action_desc = polkit_backend_action_pool_get_action (priv->action_pool_vendor,
action_id,
locale);
if (action_desc == NULL)
goto out;

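Review bot: In check_authorization_sync the loop head is now `g_list_concat(local_actions, vendor_actions)`, but the `out:` cleanup unrefs and frees only `local_actions`; when the local pool returns an empty (NULL) list, g_list_concat hands back `vendor_actions` as the head, so the whole vendor list and its action references are leaked on that path. Because this branch runs during authorization checks, the leak appears to grow with caller-driven requests to the daemon, which makes it a memory-exhaustion concern rather than a cosmetic one. Keep the concatenated head in one variable, e.g. `actions = g_list_concat (local_actions, vendor_actions);`, iterate with `for (l = actions; l != NULL; l = l->next)`, and release it at `out:` with `g_list_free_full (actions, g_object_unref);`. Separately, all three lookups consult the local pool first while enumerate_actions returns both lists, so an action id present in both directories is shadowed silently yet enumerated twice; a comment stating the intended precedence (and ideally a log line when a local file overrides a vendor action) would help. The function bodies continue outside the displayed hunks.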
