morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 00:14:32 +09:00
Code Issues Packages Projects Releases Wiki Activity

machined: use different polkit actions for registering and creating a machine

Browse Source 
The difference between these two operations are large: one is relatively
superficial: for "registration" all resources remain associated with the
invoking user, only the cgroup is reported to machined which then keeps
track of the machine, too. OTOH "creation" a scope is allocated in
system context, hence the invoked code will be owned by the system, and
its resource usage charged against the system.

Hence, use two distinct polkit actions for this, so that we can relax
access to registration, but keep access to creation tough.
This commit is contained in:
Lennart Poettering
2025-05-23 22:10:36 +02:00
parent 276d200186
commit adaff8eb35
3 changed files with 16 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/machine/machine-varlink.c
View File

@@ -155,7 +155,7 @@ int vl_method_register(sd_varlink *link, sd_json_variant *parameters, sd_varlink
r = varlink_verify_polkit_async(
link,
manager->bus,
"org.freedesktop.machine1.create-machine",
machine->allocate_unit ? "org.freedesktop.machine1.create-machine" : "org.freedesktop.machine1.register-machine",
(const char**) STRV_MAKE("name", machine->name,
"class", machine_class_to_string(machine->class)),
&manager->polkit_registry);

7
src/machine/machined-dbus.c
View File

@@ -228,6 +228,7 @@ static int method_list_machines(sd_bus_message *message, void *userdata, sd_bus_
static int method_create_or_register_machine(
Manager *manager,
sd_bus_message *message,
const char *polkit_action,
bool read_network,
Machine **ret,
sd_bus_error *error) {
@@ -318,7 +319,7 @@ static int method_create_or_register_machine(
r = bus_verify_polkit_async(
message,
"org.freedesktop.machine1.create-machine",
polkit_action,
details,
&manager->polkit_registry,
error);
@@ -378,7 +379,7 @@ static int method_create_machine_internal(sd_bus_message *message, bool read_net
assert(message);
r = method_create_or_register_machine(manager, message, read_network, &m, error);
r = method_create_or_register_machine(manager, message, "org.freedesktop.machine1.create-machine", read_network, &m, error);
if (r < 0)
return r;
if (r == 0)
@@ -416,7 +417,7 @@ static int method_register_machine_internal(sd_bus_message *message, bool read_n
assert(message);
r = method_create_or_register_machine(manager, message, read_network, &m, error);
r = method_create_or_register_machine(manager, message, "org.freedesktop.machine1.register-machine", read_network, &m, error);
if (r < 0)
return r;
if (r == 0)

12
src/machine/org.freedesktop.machine1.policy
View File

@@ -99,7 +99,17 @@
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.shell org.freedesktop.login1.login</annotate>
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.shell org.freedesktop.login1.login org.freedesktop.machine1.register-machine</annotate>
</action>
<action id="org.freedesktop.machine1.register-machine">
<description gettext-domain="systemd">Register a local virtual machine or container</description>
<message gettext-domain="systemd">Authentication is required to register a local virtual machine or container.</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
</action>
<action id="org.freedesktop.machine1.manage-images">