116
get_pk_seat_from_ck_seat (CKSeat *seat)
120
pk_seat = polkit_seat_new ();
121
str = g_strdup_printf ("/org/freedesktop/ConsoleKit/%s", ck_seat_get_id (seat));
122
polkit_seat_set_ck_objref (pk_seat, str);
127
static PolKitSession *
128
get_pk_session_from_ck_session (CKSession *session)
133
PolKitSession *pk_session;
135
seat = ck_session_get_seat (session);
139
pk_seat = get_pk_seat_from_ck_seat (seat);
142
pk_session = polkit_session_new ();
143
if (pk_seat != NULL) {
144
polkit_session_set_seat (pk_session, pk_seat);
145
polkit_seat_unref (pk_seat);
147
str = g_strdup_printf ("/org/freedesktop/ConsoleKit/%s", ck_session_get_id (session));
148
polkit_session_set_ck_objref (pk_session, str);
150
polkit_session_set_uid (pk_session, ck_session_get_user (session));
151
polkit_session_set_ck_is_active (pk_session, ck_session_is_active (session));
152
polkit_session_set_ck_is_local (pk_session, ck_session_is_local (session));
153
if (!ck_session_is_local (session)) {
154
polkit_session_set_ck_remote_host (pk_session, ck_session_get_hostname (session));
159
static PolKitCaller *
160
get_pk_caller_from_ci_tracker (CITracker *cit, const char *caller_unique_sysbus_name)
163
PolKitSession *pk_session;
164
PolKitCaller *pk_caller;
165
const char *ck_session_objpath;
166
const char *selinux_context;
170
ci = ci_tracker_get_info (cit, caller_unique_sysbus_name);
172
HAL_ERROR (("Cannot get caller info for %s", caller_unique_sysbus_name));
176
ck_session_objpath = ci_tracker_caller_get_ck_session_path (ci);
177
if (ck_session_objpath == NULL) {
182
session = ck_tracker_find_session (hald_dbus_get_ck_tracker (), ck_session_objpath);
183
if (session == NULL) {
184
/* this should never happen */
185
HAL_ERROR (("ck_session_objpath is not NULL, but CKTracker don't know about the session!"));
189
pk_session = get_pk_session_from_ck_session (session);
192
pk_caller = polkit_caller_new ();
193
polkit_caller_set_dbus_name (pk_caller, caller_unique_sysbus_name);
194
polkit_caller_set_uid (pk_caller, ci_tracker_caller_get_uid (ci));
195
polkit_caller_set_pid (pk_caller, ci_tracker_caller_get_pid (ci));
196
selinux_context = ci_tracker_caller_get_selinux_context (ci);
197
if (selinux_context != NULL) {
198
polkit_caller_set_selinux_context (pk_caller, selinux_context);
200
if (pk_session != NULL) {
201
polkit_caller_set_ck_session (pk_caller, pk_session);
202
polkit_session_unref (pk_session);
110
211
* access_check_caller_have_access_to_device:
111
212
* @cit: the CITracker object
112
* @device: The device to check for
113
* @privilege: the type of access; right now this can be #NULL or
114
* "lock"; will be replaced by PolicyKit privileges in the future
213
* @device: the device to check for
214
* @action: the PolicyKit action to check for
115
215
* @caller_unique_sysbus_name: The unique system bus connection
116
216
* name (e.g. ":1.43") of the caller
217
* @polkit_result_out: where to store the #PolicyKitResult return
218
* code. Will be ignored if HAL is not built with PolicyKit support
118
221
* Determine if a given caller should have access to a device. This
119
222
* depends on how the security is set up and may change according to
274
/* HAL user and uid 0 are always allowed
275
* (TODO: is this sane? probably needs to go through PolicyKit too..)
162
277
if (ci_tracker_caller_get_uid (ci) == 0 ||
163
278
ci_tracker_caller_get_uid (ci) == geteuid ()) {
281
if (polkit_result_out != NULL)
282
*polkit_result_out = POLKIT_RESULT_YES;
287
/* allow inactive sessions to lock interfaces on root computer device object
288
* (TODO FIXME: restrict to local sessions?)
290
if (action != NULL &&
291
strcmp (action, "hal-lock") == 0 &&
292
strcmp (hal_device_get_udi (device), "/org/freedesktop/Hal/devices/computer") == 0) {
295
if (polkit_result_out != NULL)
296
*polkit_result_out = POLKIT_RESULT_YES;
302
pk_action = polkit_action_new ();
303
polkit_action_set_action_id (pk_action, action);
305
pk_caller = get_pk_caller_from_ci_tracker (cit, caller_unique_sysbus_name);
306
if (pk_caller == NULL)
309
pk_result = polkit_context_can_caller_do_action (pk_context,
313
if (polkit_result_out != NULL)
314
*polkit_result_out = pk_result;
316
if (pk_result != POLKIT_RESULT_YES)
168
319
/* must be tracked by ConsoleKit */
169
320
if (ci_tracker_caller_get_ck_session_path (ci) == NULL) {
173
324
/* require caller to be local */
174
325
if (!ci_tracker_caller_is_local (ci))
177
/* allow inactive sessions to lock interfaces on root computer device object */
178
if (privilege != NULL &&
179
strcmp (privilege, "lock") == 0 &&
180
strcmp (hal_device_get_udi (device), "/org/freedesktop/Hal/devices/computer") == 0) {
185
328
/* require caller to be in active session */
186
329
if (!ci_tracker_caller_in_active_session (ci))
336
if (pk_caller != NULL)
337
polkit_caller_unref (pk_caller);
338
if (pk_action != NULL)
339
polkit_action_unref (pk_action);
193
343
#else /* HAVE_CONKIT */
278
428
for (n = 0; global_holders[n] != NULL; n++) {
279
429
if (strcmp (global_holders[n], caller_unique_sysbus_name) == 0) {
280
430
/* we are holding the global lock... */
281
if (access_check_caller_have_access_to_device (cit, device, NULL, global_holders[n])) {
431
if (access_check_caller_have_access_to_device (
432
cit, device, "hal-lock", global_holders[n], NULL)) {
282
433
/* only applies if the caller can access the device... */
283
434
is_locked_by_self = TRUE;
284
435
/* this is good enough; we are holding the lock ourselves */
375
527
if (caller_unique_sysbus_name == NULL || /* <-- callers using direct connection to hald */
376
528
strcmp (global_holders[n], caller_unique_sysbus_name) != 0) {
377
529
/* someone else is holding the global lock... */
378
if (access_check_caller_have_access_to_device (cit, device, NULL, global_holders[n])) {
530
if (access_check_caller_have_access_to_device (
531
cit, device, "hal-lock", global_holders[n], NULL)) {
379
532
/* ... and they can can access the device */
added
removed
hald/access-check.c
