Remove Policy-Kit support
authorJán Tomko <jtomko@redhat.com>
Tue, 6 Mar 2018 15:47:44 +0000 (16:47 +0100)
committerJán Tomko <jtomko@redhat.com>
Wed, 14 Mar 2018 11:46:26 +0000 (12:46 +0100)
Policy-Kit has been replaced by polkit (referred to, respectively,
as POLKIT0 and POLKIT1 in our Makefiles).

The last build fix with old Policy-Kit was in May 2013:
commit <442eb2ba>, and the build with -Wunused-label has been
broken since April 2016: commit <8437130>

Signed-off-by: Ján Tomko <jtomko@redhat.com>
m4/virt-polkit.m4
src/libvirt.c
src/remote/Makefile.inc.am
src/remote/remote_driver.c
src/util/Makefile.inc.am
src/util/virpolkit.c

index 7bdbf804d34255711f36c67b00be02bb5e9409de..9426c7d5dabae888b81f5b548985e175853bc688 100644 (file)
@@ -25,12 +25,8 @@ AC_DEFUN([LIBVIRT_ARG_POLKIT], [
 AC_DEFUN([LIBVIRT_CHECK_POLKIT], [
   AC_REQUIRE([LIBVIRT_CHECK_DBUS])
 
-  POLKIT_REQUIRED="0.6"
-  POLKIT_CFLAGS=
-  POLKIT_LIBS=
   PKCHECK_PATH=
 
-  with_polkit0=no
   with_polkit1=no
 
   if test "x$with_polkit" = "xyes" || test "x$with_polkit" = "xcheck"; then
@@ -56,52 +52,14 @@ AC_DEFUN([LIBVIRT_CHECK_POLKIT], [
              [You must install dbus to compile libvirt with polkit-1])
         fi
       fi
-    else
-      dnl Check for old polkit second - library + binary
-      PKG_CHECK_MODULES(POLKIT, polkit-dbus >= $POLKIT_REQUIRED,
-        [with_polkit=yes], [
-        if test "x$with_polkit" = "xcheck" ; then
-           with_polkit=no
-        else
-           AC_MSG_ERROR(
-             [You must install PolicyKit >= $POLKIT_REQUIRED to compile libvirt])
-        fi
-      ])
-      if test "x$with_polkit" = "xyes" ; then
-        AC_DEFINE_UNQUOTED([WITH_POLKIT], 1,
-          [use PolicyKit for UNIX socket access checks])
-        AC_DEFINE_UNQUOTED([WITH_POLKIT0], 1,
-          [use PolicyKit for UNIX socket access checks])
-
-        old_CFLAGS=$CFLAGS
-        old_LIBS=$LIBS
-        CFLAGS="$CFLAGS $POLKIT_CFLAGS"
-        LIBS="$LIBS $POLKIT_LIBS"
-        AC_CHECK_FUNCS([polkit_context_is_caller_authorized])
-        CFLAGS="$old_CFLAGS"
-        LIBS="$old_LIBS"
-
-        AC_PATH_PROG([POLKIT_AUTH], [polkit-auth])
-        if test "x$POLKIT_AUTH" != "x"; then
-          AC_DEFINE_UNQUOTED([POLKIT_AUTH],["$POLKIT_AUTH"],[Location of polkit-auth program])
-        fi
-        with_polkit0="yes"
-      fi
     fi
   fi
 
   AM_CONDITIONAL([WITH_POLKIT], [test "x$with_polkit" = "xyes"])
-  AM_CONDITIONAL([WITH_POLKIT0], [test "x$with_polkit0" = "xyes"])
   AM_CONDITIONAL([WITH_POLKIT1], [test "x$with_polkit1" = "xyes"])
-  AC_SUBST([POLKIT_CFLAGS])
-  AC_SUBST([POLKIT_LIBS])
 ])
 
 AC_DEFUN([LIBVIRT_RESULT_POLKIT], [
-  if test "$with_polkit0" = "yes" ; then
-    msg="$POLKIT_CFLAGS $POLKIT_LIBS (version 0)"
-  else
-    msg="$PKCHECK_PATH (version 1)"
-  fi
+  msg="$PKCHECK_PATH (version 1)"
   LIBVIRT_RESULT([polkit], [$with_polkit], [$msg])
 ])
index 536d56f0a5e321aabd340e49649a800a9c4421db..b7bcf80224e62370a11653d4de39836272fa0d23 100644 (file)
@@ -121,28 +121,6 @@ static virSecretDriverPtr virSharedSecretDriver;
 static virNWFilterDriverPtr virSharedNWFilterDriver;
 
 
-#if defined(POLKIT_AUTH)
-static int
-virConnectAuthGainPolkit(const char *privilege)
-{
-    virCommandPtr cmd;
-    int ret = -1;
-
-    if (geteuid() == 0)
-        return 0;
-
-    cmd = virCommandNewArgList(POLKIT_AUTH, "--obtain", privilege, NULL);
-    if (virCommandRun(cmd, NULL) < 0)
-        goto cleanup;
-
-    ret = 0;
- cleanup:
-    virCommandFree(cmd);
-    return ret;
-}
-#endif
-
-
 static int
 virConnectAuthCallbackDefault(virConnectCredentialPtr cred,
                               unsigned int ncred,
@@ -160,16 +138,11 @@ virConnectAuthCallbackDefault(virConnectCredentialPtr cred,
             if (STRNEQ(cred[i].challenge, "PolicyKit"))
                 return -1;
 
-#if defined(POLKIT_AUTH)
-            if (virConnectAuthGainPolkit(cred[i].prompt) < 0)
-                return -1;
-#else
             /*
              * Ignore & carry on. Although we can't auth
              * directly, the user may have authenticated
              * themselves already outside context of libvirt
              */
-#endif
             break;
         }
 
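Review bot: The comment kept in the VIR_CRED_EXTERNAL branch of virConnectAuthCallbackDefault was written as the fallback arm of the removed `#if defined(POLKIT_AUTH)`, and "Ignore & carry on" is now the only behaviour. After this change a credential whose challenge is "PolicyKit" is always reported as satisfied without the callback doing any work, so the comment should say that this is deliberate, for example `/* Nothing to obtain here: polkit authorization happens outside this callback, so report success and leave the decision to the daemon's check. */`. That wording assumes the daemon-side polkit check remains the actual gate, which is not visible in this hunk and should be confirmed. The same commit removes remoteAuthPolkit0 from src/remote/remote_driver.c, the only caller shown here that passed a "PolicyKit" credential to an auth callback, so it is also worth noting whether the branch survives only for API compatibility. The function body starts and ends outside the hunk.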
index a6e8ecabf9ca55324a4d00673a106ff4b498abf5..2fb6056fcc0a5a34d9903adc9d3b54a2e0391bbc 100644 (file)
@@ -120,13 +120,8 @@ conf_DATA += remote/libvirtd.conf
 CLEANFILES += test_libvirtd.aug
 
 if WITH_POLKIT
-if WITH_POLKIT0
-policydir = $(datadir)/PolicyKit/policy
-policyauth = auth_admin_keep_session
-else ! WITH_POLKIT0
 policydir = $(datadir)/polkit-1/actions
 policyauth = auth_admin_keep
-endif ! WITH_POLKIT0
 endif WITH_POLKIT
 
 BUILT_SOURCES += libvirtd.policy
@@ -219,19 +214,15 @@ if WITH_POLKIT
 install-polkit::
        $(MKDIR_P) $(DESTDIR)$(policydir)
        $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
-if ! WITH_POLKIT0
        $(MKDIR_P) $(DESTDIR)$(datadir)/polkit-1/rules.d
        $(INSTALL_DATA) $(srcdir)/remote/libvirtd.rules \
                $(DESTDIR)$(datadir)/polkit-1/rules.d/50-libvirt.rules
-endif ! WITH_POLKIT0
 
 uninstall-polkit::
        rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
        rmdir $(DESTDIR)$(policydir) || :
-if ! WITH_POLKIT0
        rm -f $(DESTDIR)$(datadir)/polkit-1/rules.d/50-libvirt.rules
        rmdir $(DESTDIR)$(datadir)/polkit-1/rules.d || :
-endif ! WITH_POLKIT0
 
 else ! WITH_POLKIT
 install-polkit::
index 93cba5daa3e8c543418b1f373f8a70df4a1181d8..f765c09416560623a49b981af95ab15c2b31725e 100644 (file)
@@ -4289,64 +4289,6 @@ remoteAuthSASL(virConnectPtr conn, struct private_data *priv,
 #endif /* WITH_SASL */
 
 
-#if WITH_POLKIT0
-/* Perform the PolicyKit0 authentication process */
-static int
-remoteAuthPolkit0(virConnectPtr conn, struct private_data *priv,
-                 virConnectAuthPtr auth)
-{
-    remote_auth_polkit_ret ret;
-    size_t i;
-    int allowcb = 0;
-    virConnectCredential cred = {
-        VIR_CRED_EXTERNAL,
-        conn->flags & VIR_CONNECT_RO ? "org.libvirt.unix.monitor" : "org.libvirt.unix.manage",
-        "PolicyKit",
-        NULL,
-        NULL,
-        0,
-    };
-    VIR_DEBUG("Client initialize PolicyKit-0 authentication");
-
-    /* We only make it here if auth already failed
-     * Ask client to obtain it and check again. */
-    if (auth && auth->cb) {
-        /* Check if the necessary credential type for PolicyKit is supported */
-        for (i = 0; i < auth->ncredtype; i++) {
-            if (auth->credtype[i] == VIR_CRED_EXTERNAL)
-                allowcb = 1;
-        }
-
-        if (allowcb) {
-            VIR_DEBUG("Client run callback for PolicyKit authentication");
-            /* Run the authentication callback */
-            if ((*(auth->cb))(&cred, 1, auth->cbdata) < 0) {
-                virReportError(VIR_ERR_AUTH_FAILED, "%s",
-                               _("Failed to collect auth credentials"));
-                return -1;
-            }
-        } else {
-            VIR_DEBUG("Client auth callback does not support PolicyKit");
-            return -1;
-        }
-    } else {
-        VIR_DEBUG("No auth callback provided");
-        return -1;
-    }
-
-    memset(&ret, 0, sizeof(ret));
-    if (call(conn, priv, 0, REMOTE_PROC_AUTH_POLKIT,
-             (xdrproc_t) xdr_void, (char *)NULL,
-             (xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) != 0) {
-        return -1; /* virError already set by call */
-    }
-
- out:
-    VIR_DEBUG("PolicyKit-0 authentication complete");
-    return 0;
-}
-#endif /* WITH_POLKIT0 */
-
 static int
 remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
                  virConnectAuthPtr auth ATTRIBUTE_UNUSED)
@@ -4361,11 +4303,6 @@ remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
         return -1; /* virError already set by call */
     }
 
-#if WITH_POLKIT0
-    if (remoteAuthPolkit0(conn, priv, auth) < 0)
-        return -1;
-#endif /* WITH_POLKIT0 */
-
     VIR_DEBUG("PolicyKit authentication complete");
     return 0;
 }
index d0e1ec362542c832cfbbadc70906b77deafd459b..4928c5282b136410a768e1f44258a904ce14fa87 100644 (file)
@@ -251,7 +251,6 @@ libvirt_util_la_CFLAGS = \
        $(DBUS_CFLAGS) \
        $(LDEXP_LIBM) \
        $(NUMACTL_CFLAGS) \
-       $(POLKIT_CFLAGS) \
        $(GNUTLS_CFLAGS) \
        $(ACL_CFLAGS) \
        $(NULL)
@@ -269,7 +268,6 @@ libvirt_util_la_LIBADD = \
        $(SECDRIVER_LIBS) \
        $(NUMACTL_LIBS) \
        $(ACL_LIBS) \
-       $(POLKIT_LIBS) \
        $(GNUTLS_LIBS) \
        $(NULL)
 
index 4559431baf259e897b7b89a85c0aab0beeb980ac..2e8660188bb5fd87f4fec9f1502d316378081668 100644 (file)
 #include <config.h>
 #include <poll.h>
 
-#if WITH_POLKIT0
-# include <polkit/polkit.h>
-# include <polkit-dbus/polkit-dbus.h>
-#endif
-
 #include "virpolkit.h"
 #include "virerror.h"
 #include "virlog.h"
@@ -211,109 +206,7 @@ virPolkitAgentCreate(void)
 }
 
 
-#elif WITH_POLKIT0
-int virPolkitCheckAuth(const char *actionid,
-                       pid_t pid,
-                       unsigned long long startTime ATTRIBUTE_UNUSED,
-                       uid_t uid,
-                       const char **details,
-                       bool allowInteraction ATTRIBUTE_UNUSED)
-{
-    PolKitCaller *pkcaller = NULL;
-    PolKitAction *pkaction = NULL;
-    PolKitContext *pkcontext = NULL;
-    PolKitError *pkerr = NULL;
-    PolKitResult pkresult;
-    DBusError err;
-    DBusConnection *sysbus;
-    int ret = -1;
-
-    if (details) {
-        virReportError(VIR_ERR_AUTH_FAILED, "%s",
-                       _("Details not supported with polkit v0"));
-        return -1;
-    }
-
-    if (!(sysbus = virDBusGetSystemBus()))
-        goto cleanup;
-
-    VIR_INFO("Checking PID %lld running as %d",
-             (long long) pid, uid);
-    dbus_error_init(&err);
-    if (!(pkcaller = polkit_caller_new_from_pid(sysbus,
-                                                pid, &err))) {
-        VIR_DEBUG("Failed to lookup policy kit caller: %s", err.message);
-        dbus_error_free(&err);
-        goto cleanup;
-    }
-
-    if (!(pkaction = polkit_action_new())) {
-        char ebuf[1024];
-        VIR_DEBUG("Failed to create polkit action %s",
-                  virStrerror(errno, ebuf, sizeof(ebuf)));
-        goto cleanup;
-    }
-    polkit_action_set_action_id(pkaction, actionid);
-
-    if (!(pkcontext = polkit_context_new()) ||
-        !polkit_context_init(pkcontext, &pkerr)) {
-        char ebuf[1024];
-        VIR_DEBUG("Failed to create polkit context %s",
-                  (pkerr ? polkit_error_get_error_message(pkerr)
-                   : virStrerror(errno, ebuf, sizeof(ebuf))));
-        if (pkerr)
-            polkit_error_free(pkerr);
-        dbus_error_free(&err);
-        goto cleanup;
-    }
-
-# if HAVE_POLKIT_CONTEXT_IS_CALLER_AUTHORIZED
-    pkresult = polkit_context_is_caller_authorized(pkcontext,
-                                                   pkaction,
-                                                   pkcaller,
-                                                   0,
-                                                   &pkerr);
-    if (pkerr && polkit_error_is_set(pkerr)) {
-        VIR_DEBUG("Policy kit failed to check authorization %d %s",
-                  polkit_error_get_error_code(pkerr),
-                  polkit_error_get_error_message(pkerr));
-        goto cleanup;
-    }
-# else
-    pkresult = polkit_context_can_caller_do_action(pkcontext,
-                                                   pkaction,
-                                                   pkcaller);
-# endif
-    if (pkresult != POLKIT_RESULT_YES) {
-        VIR_DEBUG("Policy kit denied action %s from pid %lld, uid %d, result: %s",
-                  actionid, (long long) pid, uid,
-                  polkit_result_to_string_representation(pkresult));
-        ret = -2;
-        goto cleanup;
-    }
-
-    VIR_DEBUG("Policy allowed action %s from pid %lld, uid %d",
-              actionid, (long long)pid, (int)uid);
-
-    ret = 0;
-
- cleanup:
-    if (ret < 0) {
-        virResetLastError();
-        virReportError(VIR_ERR_AUTH_FAILED, "%s",
-                       _("authentication failed"));
-    }
-    if (pkcontext)
-        polkit_context_unref(pkcontext);
-    if (pkcaller)
-        polkit_caller_unref(pkcaller);
-    if (pkaction)
-        polkit_action_unref(pkaction);
-    return ret;
-}
-
-
-#else /* ! WITH_POLKIT1 && ! WITH_POLKIT0 */
+#else /* ! WITH_POLKIT1 */
 
 int virPolkitCheckAuth(const char *actionid ATTRIBUTE_UNUSED,
                        pid_t pid ATTRIBUTE_UNUSED,