sysprofd: require polkit authorization by the peer

2025-12-31 20:36:25 +00:00 · 2019-05-08 19:13:09 -07:00
parent e77310a511
commit ab2fdffa6d
4 changed files with 66 additions and 36 deletions
--- a/src/sysprofd/ipc-service-impl.c
+++ b/src/sysprofd/ipc-service-impl.c
@ -22,6 +22,8 @@

 #include "config.h"

+#include <polkit/polkit.h>
+
 #include "ipc-service-impl.h"

 struct _IpcServiceImpl
@ -108,6 +110,43 @@ ipc_service_impl_handle_get_proc_file (IpcService            *service,
  return TRUE;
 }

+static gboolean
+ipc_service_impl_g_authorize_method (GDBusInterfaceSkeleton *skeleton,
+                                     GDBusMethodInvocation  *invocation)
+{
+  PolkitAuthority *authority = NULL;
+  PolkitSubject *subject = NULL;
+  const gchar *peer_name;
+  gboolean ret = TRUE;
+
+  g_assert (IPC_IS_SERVICE_IMPL (skeleton));
+  g_assert (G_IS_DBUS_METHOD_INVOCATION (invocation));
+
+  peer_name = g_dbus_method_invocation_get_sender (invocation);
+
+  if (!(authority = polkit_authority_get_sync (NULL, NULL)) ||
+      !(subject = polkit_system_bus_name_new (peer_name)) ||
+      !polkit_authority_check_authorization_sync (authority,
+                                                  POLKIT_SUBJECT (subject),
+                                                  "org.gnome.sysprof3.profile",
+                                                  NULL,
+                                                  POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
+                                                  NULL,
+                                                  NULL))
+    {
+      g_dbus_method_invocation_return_error (g_steal_pointer (&invocation),
+                                             G_DBUS_ERROR,
+                                             G_DBUS_ERROR_ACCESS_DENIED,
+                                             "Not authorized to make request");
+      ret = FALSE;
+    }
+
+  g_clear_object (&authority);
+  g_clear_object (&subject);
+
+  return ret;
+}
+
 static void
 init_service_iface (IpcServiceIface *iface)
 {
@ -121,11 +160,16 @@ G_DEFINE_TYPE_WITH_CODE (IpcServiceImpl, ipc_service_impl, IPC_TYPE_SERVICE_SKEL
 static void
 ipc_service_impl_class_init (IpcServiceImplClass *klass)
 {
+  GDBusInterfaceSkeletonClass *skeleton_class = G_DBUS_INTERFACE_SKELETON_CLASS (klass);
+
+  skeleton_class->g_authorize_method = ipc_service_impl_g_authorize_method;
 }

 static void
 ipc_service_impl_init (IpcServiceImpl *self)
 {
+  g_dbus_interface_skeleton_set_flags (G_DBUS_INTERFACE_SKELETON (self),
+                                       G_DBUS_INTERFACE_SKELETON_FLAGS_HANDLE_METHOD_INVOCATIONS_IN_THREAD);
 }

 IpcService *
--- a/src/sysprofd/meson.build
+++ b/src/sysprofd/meson.build
@ -58,8 +58,8 @@ configure_file(
 )

 i18n.merge_file(
-        input: 'org.gnome.sysprof2.policy.in',
-       output: 'org.gnome.sysprof2.policy',
+        input: 'org.gnome.sysprof3.policy.in',
+       output: 'org.gnome.sysprof3.policy',
       po_dir: podir,
      install: true,
  install_dir: join_paths(datadir, 'polkit-1/actions'),
--- a/src/sysprofd/org.gnome.sysprof2.policy.in
+++ b/src/sysprofd/org.gnome.sysprof2.policy.in
@ -1,34 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-
-<!DOCTYPE policyconfig PUBLIC
- "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
-
-<policyconfig>
-  <vendor>The sysprof Project</vendor>
-  <vendor_url>https://wiki.gnome.org/Apps/Sysprof</vendor_url>
-  <icon_name>sysprof</icon_name>
-
-  <action id="org.gnome.sysprof2.perf-event-open">
-    <description>Open a perf event stream</description>
-    <message>Authentication is required to access system performance counters.</message>
-    <defaults>
-      <allow_any>auth_admin_keep</allow_any>
-      <allow_inactive>auth_admin_keep</allow_inactive>
-      <allow_active>auth_admin_keep</allow_active>
-    </defaults>
-    <annotate key="org.freedesktop.policykit.imply">org.gnome.sysprof2.get-kernel-symbols</annotate>
-  </action>
-
-  <action id="org.gnome.sysprof2.get-kernel-symbols">
-    <description>Get a list of kernel symbols and their address</description>
-    <message>Authentication is required to access Linux kernel information.</message>
-    <defaults>
-      <allow_any>auth_admin_keep</allow_any>
-      <allow_inactive>auth_admin_keep</allow_inactive>
-      <allow_active>auth_admin_keep</allow_active>
-    </defaults>
-    <annotate key="org.freedesktop.policykit.imply">org.gnome.sysprof2.perf-event-open</annotate>
-  </action>
-
-</policyconfig>
--- a/src/sysprofd/org.gnome.sysprof3.policy.in
+++ b/src/sysprofd/org.gnome.sysprof3.policy.in
@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
+
+<policyconfig>
+  <vendor>The sysprof Project</vendor>
+  <vendor_url>https://wiki.gnome.org/Apps/Sysprof</vendor_url>
+  <icon_name>org.gnome.Sysprof-symbolic</icon_name>
+  <action id="org.gnome.sysprof3.profile">
+    <description>Profile the system</description>
+    <message>Authentication is required to profile the system.</message>
+    <defaults>
+      <allow_any>auth_admin_keep</allow_any>
+      <allow_inactive>auth_admin_keep</allow_inactive>
+      <allow_active>auth_admin_keep</allow_active>
+    </defaults>
+  </action>
+</policyconfig>