External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-11-01 10:51:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
4ab46435f1
libvirt/src/util/virpolkit.c

241 lines
6.7 KiB
C
Raw Normal View History

Add common API for doing polkit authentication There are now two places in libvirt which use polkit. Currently they use pkexec, which is set to be replaced by direct DBus API calls. Add a common API which they will both be able to use for this purpose. No tests are added at this time, since the impl will be gutted in favour of a DBus API call shortly. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-22 13:27:19 +00:00
/*
* virpolkit.c: helpers for using polkit APIs
*
polkit: Adjust message when authentication agent isn't found When there isn't a ssh -X type session running and a user has not been added to the libvirt group, attempts to run 'virsh -c qemu:///system' commands from an otherwise unprivileged user will fail with rather generic or opaque error message: "error: authentication failed: no agent is available to authenticate" This patch will adjust the error code and message to help reflect the situation that the problem is the requested mechanism is UNAVAILABLE and a slightly more descriptive error. The result on a failure then becomes: "error: authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'" A bit more history on this - at one time a failure generated the following type message when running the 'pkcheck' as a subprocess: "error: authentication failed: polkit\56retains_authorization_after_challenge=1 Authorization requires authentication but no agent is available." but, a patch was generated to adjust the error message to help provide more details about what failed. This was pushed as commit id '96a108c99'. That patch prepended a "polkit: " to the output. It really didn't solve the problem, but gave a hint. After some time it was deemed using DBus API calls directly was a better way to go (since pkcheck calls them anyway). So, commit id '1b854c76' (more or less) copied the code from remoteDispatchAuthPolkit and adjusted it. Then commit id 'c7542573' adjusted the remote.c code to call the new API (virPolkitCheckAuth). Finally, commit id '308c0c5a' altered the code to call DBus APIs directly. In doing so, it reverted the failing error message to the generic message that would have been received from DBus anyway.
2016-01-14 19:34:28 +00:00
* Copyright (C) 2013, 2014, 2016 Red Hat, Inc.
Add common API for doing polkit authentication There are now two places in libvirt which use polkit. Currently they use pkexec, which is set to be replaced by direct DBus API calls. Add a common API which they will both be able to use for this purpose. No tests are added at this time, since the impl will be gutted in favour of a DBus API call shortly. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-22 13:27:19 +00:00
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*
*/
#include <config.h>
util: Introduce API's for Polkit text authentication Introduce virPolkitAgentCreate and virPolkitAgentDestroy virPolkitAgentCreate will run the polkit pkttyagent image as an asynchronous command in order to handle the local agent authentication via stdin/stdout. The code makes use of the pkttyagent --notify-fd mechanism to let it know when the agent is successfully registered. virPolkitAgentDestroy will close the command effectively reaping our child process
2016-02-09 15:09:44 +00:00
#include <poll.h>
Add common API for doing polkit authentication There are now two places in libvirt which use polkit. Currently they use pkexec, which is set to be replaced by direct DBus API calls. Add a common API which they will both be able to use for this purpose. No tests are added at this time, since the impl will be gutted in favour of a DBus API call shortly. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-22 13:27:19 +00:00
#include "virpolkit.h"
#include "virerror.h"
#include "virlog.h"
#include "virstring.h"
#include "virprocess.h"
#include "viralloc.h"
#include "virdbus.h"
util: Introduce API's for Polkit text authentication Introduce virPolkitAgentCreate and virPolkitAgentDestroy virPolkitAgentCreate will run the polkit pkttyagent image as an asynchronous command in order to handle the local agent authentication via stdin/stdout. The code makes use of the pkttyagent --notify-fd mechanism to let it know when the agent is successfully registered. virPolkitAgentDestroy will close the command effectively reaping our child process
2016-02-09 15:09:44 +00:00
#include "virfile.h"
Add common API for doing polkit authentication There are now two places in libvirt which use polkit. Currently they use pkexec, which is set to be replaced by direct DBus API calls. Add a common API which they will both be able to use for this purpose. No tests are added at this time, since the impl will be gutted in favour of a DBus API call shortly. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-22 13:27:19 +00:00
#define VIR_FROM_THIS VIR_FROM_POLKIT
VIR_LOG_INIT("util.polkit");
Merge WITH_POLKIT1 and WITH_POLKIT There is just one polkit now. Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-03-07 09:14:23 +00:00
#if WITH_POLKIT
util: Introduce API's for Polkit text authentication Introduce virPolkitAgentCreate and virPolkitAgentDestroy virPolkitAgentCreate will run the polkit pkttyagent image as an asynchronous command in order to handle the local agent authentication via stdin/stdout. The code makes use of the pkttyagent --notify-fd mechanism to let it know when the agent is successfully registered. virPolkitAgentDestroy will close the command effectively reaping our child process
2016-02-09 15:09:44 +00:00
struct _virPolkitAgent {
virCommandPtr cmd;
};
Add common API for doing polkit authentication There are now two places in libvirt which use polkit. Currently they use pkexec, which is set to be replaced by direct DBus API calls. Add a common API which they will both be able to use for this purpose. No tests are added at this time, since the impl will be gutted in favour of a DBus API call shortly. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-22 13:27:19 +00:00
/*
* virPolkitCheckAuth:
* @actionid: permission to check
* @pid: client process ID
* @startTime: process start time, or 0
* @uid: client process user ID
* @details: NULL terminated (key, value) pair list
* @allowInteraction: true if auth prompts are allowed
*
* Check if a client is authenticated with polkit
*
* Returns 0 on success, -1 on failure, -2 on auth denied
*/
int virPolkitCheckAuth(const char *actionid,
pid_t pid,
unsigned long long startTime,
uid_t uid,
const char **details,
bool allowInteraction)
{
Convert polkit code to use DBus API instead of CLI helper Spawning the pkcheck program every time a permission check is required is hugely expensive on CPU. The pkcheck program is just a dumb wrapper for the DBus API, so rewrite the code to use the DBus API directly. This also simplifies error handling a bit. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-09-10 13:52:48 +00:00
DBusConnection *sysbus;
DBusMessage *reply = NULL;
char **retdetails = NULL;
size_t nretdetails = 0;
virdbus: don't force users to pass int for bool values Use of an 'int' to represent a 'bool' value is confusing. Just because dbus made the mistake of cementing their 4-byte wire format of dbus_bool_t into their API doesn't mean we have to repeat the mistake. With a little bit of finesse, we can guarantee that we provide a large-enough value to the DBus code, while still copying only the relevant one-byte bool to the client code, and isolate the rest of our code base from the DBus stupidity. * src/util/virdbus.c (GET_NEXT_VAL): Add parameter. (virDBusMessageIterDecode): Adjust all clients. * src/util/virpolkit.c (virPolkitCheckAuth): Use nicer type. * tests/virdbustest.c (testMessageSimple, testMessageStruct): Test new behavior. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-11-18 00:18:58 +00:00
bool is_authorized;
bool is_challenge;
Convert polkit code to use DBus API instead of CLI helper Spawning the pkcheck program every time a permission check is required is hugely expensive on CPU. The pkcheck program is just a dumb wrapper for the DBus API, so rewrite the code to use the DBus API directly. This also simplifies error handling a bit. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-09-10 13:52:48 +00:00
bool is_dismissed = false;
size_t i;
Add common API for doing polkit authentication There are now two places in libvirt which use polkit. Currently they use pkexec, which is set to be replaced by direct DBus API calls. Add a common API which they will both be able to use for this purpose. No tests are added at this time, since the impl will be gutted in favour of a DBus API call shortly. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-22 13:27:19 +00:00
int ret = -1;
Convert polkit code to use DBus API instead of CLI helper Spawning the pkcheck program every time a permission check is required is hugely expensive on CPU. The pkcheck program is just a dumb wrapper for the DBus API, so rewrite the code to use the DBus API directly. This also simplifies error handling a bit. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-09-10 13:52:48 +00:00
if (!(sysbus = virDBusGetSystemBus()))
goto cleanup;
Add common API for doing polkit authentication There are now two places in libvirt which use polkit. Currently they use pkexec, which is set to be replaced by direct DBus API calls. Add a common API which they will both be able to use for this purpose. No tests are added at this time, since the impl will be gutted in favour of a DBus API call shortly. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-22 13:27:19 +00:00
Convert polkit code to use DBus API instead of CLI helper Spawning the pkcheck program every time a permission check is required is hugely expensive on CPU. The pkcheck program is just a dumb wrapper for the DBus API, so rewrite the code to use the DBus API directly. This also simplifies error handling a bit. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-09-10 13:52:48 +00:00
VIR_INFO("Checking PID %lld running as %d",
(long long) pid, uid);
Add common API for doing polkit authentication There are now two places in libvirt which use polkit. Currently they use pkexec, which is set to be replaced by direct DBus API calls. Add a common API which they will both be able to use for this purpose. No tests are added at this time, since the impl will be gutted in favour of a DBus API call shortly. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-22 13:27:19 +00:00
Convert polkit code to use DBus API instead of CLI helper Spawning the pkcheck program every time a permission check is required is hugely expensive on CPU. The pkcheck program is just a dumb wrapper for the DBus API, so rewrite the code to use the DBus API directly. This also simplifies error handling a bit. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-09-10 13:52:48 +00:00
if (virDBusCallMethod(sysbus,
&reply,
NULL,
"org.freedesktop.PolicyKit1",
"/org/freedesktop/PolicyKit1/Authority",
"org.freedesktop.PolicyKit1.Authority",
"CheckAuthorization",
"(sa{sv})sa&{ss}us",
"unix-process",
3,
"pid", "u", (unsigned int)pid,
"start-time", "t", startTime,
"uid", "i", (int)uid,
actionid,
util: Get rid of virStringListLen() It does exactly the same thing as virStringListLength() and it's used in one place only. Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2016-02-09 15:01:33 +00:00
virStringListLength(details) / 2,
Convert polkit code to use DBus API instead of CLI helper Spawning the pkcheck program every time a permission check is required is hugely expensive on CPU. The pkcheck program is just a dumb wrapper for the DBus API, so rewrite the code to use the DBus API directly. This also simplifies error handling a bit. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-09-10 13:52:48 +00:00
details,
allowInteraction,
"" /* cancellation ID */) < 0)
Add common API for doing polkit authentication There are now two places in libvirt which use polkit. Currently they use pkexec, which is set to be replaced by direct DBus API calls. Add a common API which they will both be able to use for this purpose. No tests are added at this time, since the impl will be gutted in favour of a DBus API call shortly. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-22 13:27:19 +00:00
goto cleanup;
util: eliminate duplicate function virDBusMessageRead When virDBusMessageRead() and virDBusMessageDecode were first added in commit 834c9c94, they were identical except that virDBusMessageRead() would unref the message after decoding it. This difference was eliminated later in commit dc7f3ffc after it became apparent that unref-ing the message so soon was never the right thing to do. The two identical functions remained though, with the tests and virDBus library itself calling the Decode variant, and all other users calling the Read variant. This patch eliminates the duplication, switching all users to virDBusMessageDecode (and moving the nice API documentation comment from the Read function up to the Decode function). Signed-off-by: Laine Stump <laine@laine.org> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-04-12 16:58:01 +00:00
if (virDBusMessageDecode(reply,
"(bba&{ss})",
&is_authorized,
&is_challenge,
&nretdetails,
&retdetails) < 0)
Add common API for doing polkit authentication There are now two places in libvirt which use polkit. Currently they use pkexec, which is set to be replaced by direct DBus API calls. Add a common API which they will both be able to use for this purpose. No tests are added at this time, since the impl will be gutted in favour of a DBus API call shortly. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-22 13:27:19 +00:00
goto cleanup;
Convert polkit code to use DBus API instead of CLI helper Spawning the pkcheck program every time a permission check is required is hugely expensive on CPU. The pkcheck program is just a dumb wrapper for the DBus API, so rewrite the code to use the DBus API directly. This also simplifies error handling a bit. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-09-10 13:52:48 +00:00
for (i = 0; i < (nretdetails / 2); i++) {
if (STREQ(retdetails[(i * 2)], "polkit.dismissed") &&
STREQ(retdetails[(i * 2) + 1], "true"))
is_dismissed = true;
}
Add common API for doing polkit authentication There are now two places in libvirt which use polkit. Currently they use pkexec, which is set to be replaced by direct DBus API calls. Add a common API which they will both be able to use for this purpose. No tests are added at this time, since the impl will be gutted in favour of a DBus API call shortly. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-22 13:27:19 +00:00
Convert polkit code to use DBus API instead of CLI helper Spawning the pkcheck program every time a permission check is required is hugely expensive on CPU. The pkcheck program is just a dumb wrapper for the DBus API, so rewrite the code to use the DBus API directly. This also simplifies error handling a bit. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-09-10 13:52:48 +00:00
VIR_DEBUG("is auth %d is challenge %d",
is_authorized, is_challenge);
Add common API for doing polkit authentication There are now two places in libvirt which use polkit. Currently they use pkexec, which is set to be replaced by direct DBus API calls. Add a common API which they will both be able to use for this purpose. No tests are added at this time, since the impl will be gutted in favour of a DBus API call shortly. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-22 13:27:19 +00:00
Convert polkit code to use DBus API instead of CLI helper Spawning the pkcheck program every time a permission check is required is hugely expensive on CPU. The pkcheck program is just a dumb wrapper for the DBus API, so rewrite the code to use the DBus API directly. This also simplifies error handling a bit. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-09-10 13:52:48 +00:00
if (is_authorized) {
ret = 0;
} else {
ret = -2;
if (is_dismissed)
Add common API for doing polkit authentication There are now two places in libvirt which use polkit. Currently they use pkexec, which is set to be replaced by direct DBus API calls. Add a common API which they will both be able to use for this purpose. No tests are added at this time, since the impl will be gutted in favour of a DBus API call shortly. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-22 13:27:19 +00:00
virReportError(VIR_ERR_AUTH_CANCELLED, "%s",
Convert polkit code to use DBus API instead of CLI helper Spawning the pkcheck program every time a permission check is required is hugely expensive on CPU. The pkcheck program is just a dumb wrapper for the DBus API, so rewrite the code to use the DBus API directly. This also simplifies error handling a bit. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-09-10 13:52:48 +00:00
_("user cancelled authentication process"));
else if (is_challenge)
polkit: Adjust message when authentication agent isn't found When there isn't a ssh -X type session running and a user has not been added to the libvirt group, attempts to run 'virsh -c qemu:///system' commands from an otherwise unprivileged user will fail with rather generic or opaque error message: "error: authentication failed: no agent is available to authenticate" This patch will adjust the error code and message to help reflect the situation that the problem is the requested mechanism is UNAVAILABLE and a slightly more descriptive error. The result on a failure then becomes: "error: authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'" A bit more history on this - at one time a failure generated the following type message when running the 'pkcheck' as a subprocess: "error: authentication failed: polkit\56retains_authorization_after_challenge=1 Authorization requires authentication but no agent is available." but, a patch was generated to adjust the error message to help provide more details about what failed. This was pushed as commit id '96a108c99'. That patch prepended a "polkit: " to the output. It really didn't solve the problem, but gave a hint. After some time it was deemed using DBus API calls directly was a better way to go (since pkcheck calls them anyway). So, commit id '1b854c76' (more or less) copied the code from remoteDispatchAuthPolkit and adjusted it. Then commit id 'c7542573' adjusted the remote.c code to call the new API (virPolkitCheckAuth). Finally, commit id '308c0c5a' altered the code to call DBus APIs directly. In doing so, it reverted the failing error message to the generic message that would have been received from DBus anyway.
2016-01-14 19:34:28 +00:00
virReportError(VIR_ERR_AUTH_UNAVAILABLE,
_("no polkit agent available to authenticate "
"action '%s'"),
actionid);
Convert polkit code to use DBus API instead of CLI helper Spawning the pkcheck program every time a permission check is required is hugely expensive on CPU. The pkcheck program is just a dumb wrapper for the DBus API, so rewrite the code to use the DBus API directly. This also simplifies error handling a bit. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-09-10 13:52:48 +00:00
else
virReportError(VIR_ERR_AUTH_FAILED, "%s",
_("access denied by policy"));
Add common API for doing polkit authentication There are now two places in libvirt which use polkit. Currently they use pkexec, which is set to be replaced by direct DBus API calls. Add a common API which they will both be able to use for this purpose. No tests are added at this time, since the impl will be gutted in favour of a DBus API call shortly. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-22 13:27:19 +00:00
}
Convert polkit code to use DBus API instead of CLI helper Spawning the pkcheck program every time a permission check is required is hugely expensive on CPU. The pkcheck program is just a dumb wrapper for the DBus API, so rewrite the code to use the DBus API directly. This also simplifies error handling a bit. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-09-10 13:52:48 +00:00
cleanup:
virstring: Unify string list function names We have couple of functions that operate over NULL terminated lits of strings. However, our naming sucks: virStringJoin virStringFreeList virStringFreeListCount virStringArrayHasString virStringGetFirstWithPrefix We can do better: virStringListJoin virStringListFree virStringListFreeCount virStringListHasString virStringListGetFirstWithPrefix Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-11-25 08:18:35 +00:00
virStringListFreeCount(retdetails, nretdetails);
util: Free a pointer in virPolkitCheckAuth Free DBusMessage pointer in virPolkitCheckAuth Signed-off-by: Kothapally Madhu Pavan <kmp@linux.vnet.ibm.com>
2017-10-04 08:38:45 +00:00
virDBusMessageUnref(reply);
Add common API for doing polkit authentication There are now two places in libvirt which use polkit. Currently they use pkexec, which is set to be replaced by direct DBus API calls. Add a common API which they will both be able to use for this purpose. No tests are added at this time, since the impl will be gutted in favour of a DBus API call shortly. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-22 13:27:19 +00:00
return ret;
}
util: Introduce API's for Polkit text authentication Introduce virPolkitAgentCreate and virPolkitAgentDestroy virPolkitAgentCreate will run the polkit pkttyagent image as an asynchronous command in order to handle the local agent authentication via stdin/stdout. The code makes use of the pkttyagent --notify-fd mechanism to let it know when the agent is successfully registered. virPolkitAgentDestroy will close the command effectively reaping our child process
2016-02-09 15:09:44 +00:00
/* virPolkitAgentDestroy:
* @cmd: Pointer to the virCommandPtr created during virPolkitAgentCreate
*
* Destroy resources used by Polkit Agent
*/
void
virPolkitAgentDestroy(virPolkitAgentPtr agent)
{
if (!agent)
return;
virCommandFree(agent->cmd);
VIR_FREE(agent);
}
/* virPolkitAgentCreate:
*
* Allocate and setup a polkit agent
*
* Returns a virCommandPtr on success and NULL on failure
*/
virPolkitAgentPtr
virPolkitAgentCreate(void)
{
util: Fix missing initializer for agent In virPolkitAgentCreate neglected to initialize agent to NULL. If there was an error in the pipe, then we jump to error and would have an issue. Found by coverity.
2016-03-02 00:36:37 +00:00
virPolkitAgentPtr agent = NULL;
util: Introduce API's for Polkit text authentication Introduce virPolkitAgentCreate and virPolkitAgentDestroy virPolkitAgentCreate will run the polkit pkttyagent image as an asynchronous command in order to handle the local agent authentication via stdin/stdout. The code makes use of the pkttyagent --notify-fd mechanism to let it know when the agent is successfully registered. virPolkitAgentDestroy will close the command effectively reaping our child process
2016-02-09 15:09:44 +00:00
int pipe_fd[2] = {-1, -1};
struct pollfd pollfd;
int outfd = STDOUT_FILENO;
int errfd = STDERR_FILENO;
if (!isatty(STDIN_FILENO))
goto error;
if (pipe2(pipe_fd, 0) < 0)
goto error;
if (VIR_ALLOC(agent) < 0)
goto error;
util: polkit: Fix polkit agent startup Commit 0b36b0e9 broke polkit agent startup when attempting to fix a coverity warning. Refactor it properly so that we don't need the 'cmd' intermediate variable.
2016-05-09 09:02:51 +00:00
agent->cmd = virCommandNewArgList(PKTTYAGENT, "--process", NULL);
virCommandAddArgFormat(agent->cmd, "%lld", (long long int) getpid());
virCommandAddArg(agent->cmd, "--notify-fd");
virCommandAddArgFormat(agent->cmd, "%d", pipe_fd[1]);
virCommandAddArg(agent->cmd, "--fallback");
virCommandSetInputFD(agent->cmd, STDIN_FILENO);
virCommandSetOutputFD(agent->cmd, &outfd);
virCommandSetErrorFD(agent->cmd, &errfd);
virCommandPassFD(agent->cmd, pipe_fd[1], VIR_COMMAND_PASS_FD_CLOSE_PARENT);
lib: Avoid double close when passing FDs with virCommandPassFD() If an FD is passed into a child using: virCommandPassFD(cmd, fd, VIR_COMMAND_PASS_FD_CLOSE_PARENT); then the parent should refrain from touching @fd thereafter. This is even documented in virCommandPassFD() comment. The reason is that either at virCommandRun()/virCommandRunAsync() or virCommandFree() time the @fd will be closed. Closing it earlier, e.g. right after virCommandPassFD() call might result in undesired results. Another thread might open a file and receive the same FD which is then unexpectedly closed by virCommandFree() or virCommandRun(). Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-30 09:17:22 +00:00
pipe_fd[1] = -1;
util: polkit: Fix polkit agent startup Commit 0b36b0e9 broke polkit agent startup when attempting to fix a coverity warning. Refactor it properly so that we don't need the 'cmd' intermediate variable.
2016-05-09 09:02:51 +00:00
if (virCommandRunAsync(agent->cmd, NULL) < 0)
util: Introduce API's for Polkit text authentication Introduce virPolkitAgentCreate and virPolkitAgentDestroy virPolkitAgentCreate will run the polkit pkttyagent image as an asynchronous command in order to handle the local agent authentication via stdin/stdout. The code makes use of the pkttyagent --notify-fd mechanism to let it know when the agent is successfully registered. virPolkitAgentDestroy will close the command effectively reaping our child process
2016-02-09 15:09:44 +00:00
goto error;
pollfd.fd = pipe_fd[0];
pollfd.events = POLLHUP;
if (poll(&pollfd, 1, -1) < 0)
goto error;
return agent;
error:
VIR_FORCE_CLOSE(pipe_fd[0]);
VIR_FORCE_CLOSE(pipe_fd[1]);
virPolkitAgentDestroy(agent);
return NULL;
}
Merge WITH_POLKIT1 and WITH_POLKIT There is just one polkit now. Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-03-07 09:14:23 +00:00
#else /* ! WITH_POLKIT */
Add common API for doing polkit authentication There are now two places in libvirt which use polkit. Currently they use pkexec, which is set to be replaced by direct DBus API calls. Add a common API which they will both be able to use for this purpose. No tests are added at this time, since the impl will be gutted in favour of a DBus API call shortly. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-22 13:27:19 +00:00
Fix build without polkit The commit 1b854c76 introduced a new function 'virPolkitCheckAuth' and in the #else section when you don't have polkit all attributes should be follwed by ATTRIBUTE_UNUSED. Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2014-09-25 08:57:24 +00:00
int virPolkitCheckAuth(const char *actionid ATTRIBUTE_UNUSED,
pid_t pid ATTRIBUTE_UNUSED,
unsigned long long startTime ATTRIBUTE_UNUSED,
uid_t uid ATTRIBUTE_UNUSED,
const char **details ATTRIBUTE_UNUSED,
bool allowInteraction ATTRIBUTE_UNUSED)
Add common API for doing polkit authentication There are now two places in libvirt which use polkit. Currently they use pkexec, which is set to be replaced by direct DBus API calls. Add a common API which they will both be able to use for this purpose. No tests are added at this time, since the impl will be gutted in favour of a DBus API call shortly. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-22 13:27:19 +00:00
{
VIR_ERROR(_("Polkit auth attempted, even though polkit is not available"));
virReportError(VIR_ERR_AUTH_FAILED, "%s",
_("authentication failed"));
return -1;
}
util: Introduce API's for Polkit text authentication Introduce virPolkitAgentCreate and virPolkitAgentDestroy virPolkitAgentCreate will run the polkit pkttyagent image as an asynchronous command in order to handle the local agent authentication via stdin/stdout. The code makes use of the pkttyagent --notify-fd mechanism to let it know when the agent is successfully registered. virPolkitAgentDestroy will close the command effectively reaping our child process
2016-02-09 15:09:44 +00:00
void
util: Fix build without polkit Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2016-03-01 14:51:37 +00:00
virPolkitAgentDestroy(virPolkitAgentPtr agent ATTRIBUTE_UNUSED)
util: Introduce API's for Polkit text authentication Introduce virPolkitAgentCreate and virPolkitAgentDestroy virPolkitAgentCreate will run the polkit pkttyagent image as an asynchronous command in order to handle the local agent authentication via stdin/stdout. The code makes use of the pkttyagent --notify-fd mechanism to let it know when the agent is successfully registered. virPolkitAgentDestroy will close the command effectively reaping our child process
2016-02-09 15:09:44 +00:00
{
return; /* do nothing */
}
util: Fix build without polkit Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2016-03-01 14:51:37 +00:00
virPolkitAgentPtr
util: Introduce API's for Polkit text authentication Introduce virPolkitAgentCreate and virPolkitAgentDestroy virPolkitAgentCreate will run the polkit pkttyagent image as an asynchronous command in order to handle the local agent authentication via stdin/stdout. The code makes use of the pkttyagent --notify-fd mechanism to let it know when the agent is successfully registered. virPolkitAgentDestroy will close the command effectively reaping our child process
2016-02-09 15:09:44 +00:00
virPolkitAgentCreate(void)
{
virReportError(VIR_ERR_AUTH_FAILED, "%s",
_("polkit text authentication agent unavailable"));
return NULL;
}
Merge WITH_POLKIT1 and WITH_POLKIT There is just one polkit now. Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-03-07 09:14:23 +00:00
#endif /* WITH_POLKIT */
Reference in New Issue Copy Permalink