External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-07-30 21:47:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove Policy-Kit support

Browse Source 
Policy-Kit has been replaced by polkit (referred to, respectively,
as POLKIT0 and POLKIT1 in our Makefiles).

The last build fix with old Policy-Kit was in May 2013:
commit <442eb2ba> and build with -Wunused-label was broken
since April 2016: commit <8437130>

Signed-off-by: Ján Tomko <jtomko@redhat.com>
This commit is contained in:
Ján Tomko 2018-03-06 16:47:44 +01:00
parent 07141541fb
commit af41cf5957
6 changed files with 2 additions and 252 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
m4/virt-polkit.m4
View File

@ -25,12 +25,8 @@ AC_DEFUN([LIBVIRT_ARG_POLKIT], [
AC_DEFUN([LIBVIRT_CHECK_POLKIT], [
AC_REQUIRE([LIBVIRT_CHECK_DBUS])
POLKIT_REQUIRED="0.6"
POLKIT_CFLAGS=
POLKIT_LIBS=
PKCHECK_PATH=
with_polkit0=no
with_polkit1=no
if test "x$with_polkit" = "xyes" || test "x$with_polkit" = "xcheck"; then
@ -56,52 +52,14 @@ AC_DEFUN([LIBVIRT_CHECK_POLKIT], [
[You must install dbus to compile libvirt with polkit-1])
fi
fi
else
dnl Check for old polkit second - library + binary
PKG_CHECK_MODULES(POLKIT, polkit-dbus >= $POLKIT_REQUIRED,
[with_polkit=yes], [
if test "x$with_polkit" = "xcheck" ; then
with_polkit=no
else
AC_MSG_ERROR(
[You must install PolicyKit >= $POLKIT_REQUIRED to compile libvirt])
fi
])
if test "x$with_polkit" = "xyes" ; then
AC_DEFINE_UNQUOTED([WITH_POLKIT], 1,
[use PolicyKit for UNIX socket access checks])
AC_DEFINE_UNQUOTED([WITH_POLKIT0], 1,
[use PolicyKit for UNIX socket access checks])
old_CFLAGS=$CFLAGS
old_LIBS=$LIBS
CFLAGS="$CFLAGS $POLKIT_CFLAGS"
LIBS="$LIBS $POLKIT_LIBS"
AC_CHECK_FUNCS([polkit_context_is_caller_authorized])
CFLAGS="$old_CFLAGS"
LIBS="$old_LIBS"
AC_PATH_PROG([POLKIT_AUTH], [polkit-auth])
if test "x$POLKIT_AUTH" != "x"; then
AC_DEFINE_UNQUOTED([POLKIT_AUTH],["$POLKIT_AUTH"],[Location of polkit-auth program])
fi
with_polkit0="yes"
fi
fi
fi
AM_CONDITIONAL([WITH_POLKIT], [test "x$with_polkit" = "xyes"])
AM_CONDITIONAL([WITH_POLKIT0], [test "x$with_polkit0" = "xyes"])
AM_CONDITIONAL([WITH_POLKIT1], [test "x$with_polkit1" = "xyes"])
AC_SUBST([POLKIT_CFLAGS])
AC_SUBST([POLKIT_LIBS])
])
AC_DEFUN([LIBVIRT_RESULT_POLKIT], [
if test "$with_polkit0" = "yes" ; then
msg="$POLKIT_CFLAGS $POLKIT_LIBS (version 0)"
else
msg="$PKCHECK_PATH (version 1)"
fi
msg="$PKCHECK_PATH (version 1)"
LIBVIRT_RESULT([polkit], [$with_polkit], [$msg])
])

27
src/libvirt.c
View File

@ -121,28 +121,6 @@ static virSecretDriverPtr virSharedSecretDriver;
static virNWFilterDriverPtr virSharedNWFilterDriver;
#if defined(POLKIT_AUTH)
static int
virConnectAuthGainPolkit(const char *privilege)
{
virCommandPtr cmd;
int ret = -1;
if (geteuid() == 0)
return 0;
cmd = virCommandNewArgList(POLKIT_AUTH, "--obtain", privilege, NULL);
if (virCommandRun(cmd, NULL) < 0)
goto cleanup;
ret = 0;
cleanup:
virCommandFree(cmd);
return ret;
}
#endif
static int
virConnectAuthCallbackDefault(virConnectCredentialPtr cred,
unsigned int ncred,
@ -160,16 +138,11 @@ virConnectAuthCallbackDefault(virConnectCredentialPtr cred,
if (STRNEQ(cred[i].challenge, "PolicyKit"))
return -1;
#if defined(POLKIT_AUTH)
if (virConnectAuthGainPolkit(cred[i].prompt) < 0)
return -1;
#else
/*
* Ignore & carry on. Although we can't auth
* directly, the user may have authenticated
* themselves already outside context of libvirt
*/
#endif
break;
}

9
src/remote/Makefile.inc.am
View File

@ -120,13 +120,8 @@ conf_DATA += remote/libvirtd.conf
CLEANFILES += test_libvirtd.aug
if WITH_POLKIT
if WITH_POLKIT0
policydir = $(datadir)/PolicyKit/policy
policyauth = auth_admin_keep_session
else ! WITH_POLKIT0
policydir = $(datadir)/polkit-1/actions
policyauth = auth_admin_keep
endif ! WITH_POLKIT0
endif WITH_POLKIT
BUILT_SOURCES += libvirtd.policy
@ -219,19 +214,15 @@ if WITH_POLKIT
install-polkit::
$(MKDIR_P) $(DESTDIR)$(policydir)
$(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
if ! WITH_POLKIT0
$(MKDIR_P) $(DESTDIR)$(datadir)/polkit-1/rules.d
$(INSTALL_DATA) $(srcdir)/remote/libvirtd.rules \
$(DESTDIR)$(datadir)/polkit-1/rules.d/50-libvirt.rules
endif ! WITH_POLKIT0
uninstall-polkit::
rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
rmdir $(DESTDIR)$(policydir) || :
if ! WITH_POLKIT0
rm -f $(DESTDIR)$(datadir)/polkit-1/rules.d/50-libvirt.rules
rmdir $(DESTDIR)$(datadir)/polkit-1/rules.d || :
endif ! WITH_POLKIT0
else ! WITH_POLKIT
install-polkit::

63
src/remote/remote_driver.c
View File

@ -4289,64 +4289,6 @@ remoteAuthSASL(virConnectPtr conn, struct private_data *priv,
#endif /* WITH_SASL */
#if WITH_POLKIT0
/* Perform the PolicyKit0 authentication process */
static int
remoteAuthPolkit0(virConnectPtr conn, struct private_data *priv,
virConnectAuthPtr auth)
{
remote_auth_polkit_ret ret;
size_t i;
int allowcb = 0;
virConnectCredential cred = {
VIR_CRED_EXTERNAL,
conn->flags & VIR_CONNECT_RO ? "org.libvirt.unix.monitor" : "org.libvirt.unix.manage",
"PolicyKit",
NULL,
NULL,
0,
};
VIR_DEBUG("Client initialize PolicyKit-0 authentication");
/* We only make it here if auth already failed
* Ask client to obtain it and check again. */
if (auth && auth->cb) {
/* Check if the necessary credential type for PolicyKit is supported */
for (i = 0; i < auth->ncredtype; i++) {
if (auth->credtype[i] == VIR_CRED_EXTERNAL)
allowcb = 1;
}
if (allowcb) {
VIR_DEBUG("Client run callback for PolicyKit authentication");
/* Run the authentication callback */
if ((*(auth->cb))(&cred, 1, auth->cbdata) < 0) {
virReportError(VIR_ERR_AUTH_FAILED, "%s",
_("Failed to collect auth credentials"));
return -1;
}
} else {
VIR_DEBUG("Client auth callback does not support PolicyKit");
return -1;
}
} else {
VIR_DEBUG("No auth callback provided");
return -1;
}
memset(&ret, 0, sizeof(ret));
if (call(conn, priv, 0, REMOTE_PROC_AUTH_POLKIT,
(xdrproc_t) xdr_void, (char *)NULL,
(xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) != 0) {
return -1; /* virError already set by call */
}
out:
VIR_DEBUG("PolicyKit-0 authentication complete");
return 0;
}
#endif /* WITH_POLKIT0 */
static int
remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
virConnectAuthPtr auth ATTRIBUTE_UNUSED)
@ -4361,11 +4303,6 @@ remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
return -1; /* virError already set by call */
}
#if WITH_POLKIT0
if (remoteAuthPolkit0(conn, priv, auth) < 0)
return -1;
#endif /* WITH_POLKIT0 */
VIR_DEBUG("PolicyKit authentication complete");
return 0;
}

2
src/util/Makefile.inc.am
View File

@ -251,7 +251,6 @@ libvirt_util_la_CFLAGS = \
$(DBUS_CFLAGS) \
$(LDEXP_LIBM) \
$(NUMACTL_CFLAGS) \
$(POLKIT_CFLAGS) \
$(GNUTLS_CFLAGS) \
$(ACL_CFLAGS) \
$(NULL)
@ -269,7 +268,6 @@ libvirt_util_la_LIBADD = \
$(SECDRIVER_LIBS) \
$(NUMACTL_LIBS) \
$(ACL_LIBS) \
$(POLKIT_LIBS) \
$(GNUTLS_LIBS) \
$(NULL)

109
src/util/virpolkit.c
View File

@ -22,11 +22,6 @@
#include <config.h>
#include <poll.h>
#if WITH_POLKIT0
# include <polkit/polkit.h>
# include <polkit-dbus/polkit-dbus.h>
#endif
#include "virpolkit.h"
#include "virerror.h"
#include "virlog.h"
@ -211,109 +206,7 @@ virPolkitAgentCreate(void)
}
#elif WITH_POLKIT0
int virPolkitCheckAuth(const char *actionid,
pid_t pid,
unsigned long long startTime ATTRIBUTE_UNUSED,
uid_t uid,
const char **details,
bool allowInteraction ATTRIBUTE_UNUSED)
{
PolKitCaller *pkcaller = NULL;
PolKitAction *pkaction = NULL;
PolKitContext *pkcontext = NULL;
PolKitError *pkerr = NULL;
PolKitResult pkresult;
DBusError err;
DBusConnection *sysbus;
int ret = -1;
if (details) {
virReportError(VIR_ERR_AUTH_FAILED, "%s",
_("Details not supported with polkit v0"));
return -1;
}
if (!(sysbus = virDBusGetSystemBus()))
goto cleanup;
VIR_INFO("Checking PID %lld running as %d",
(long long) pid, uid);
dbus_error_init(&err);
if (!(pkcaller = polkit_caller_new_from_pid(sysbus,
pid, &err))) {
VIR_DEBUG("Failed to lookup policy kit caller: %s", err.message);
dbus_error_free(&err);
goto cleanup;
}
if (!(pkaction = polkit_action_new())) {
char ebuf[1024];
VIR_DEBUG("Failed to create polkit action %s",
virStrerror(errno, ebuf, sizeof(ebuf)));
goto cleanup;
}
polkit_action_set_action_id(pkaction, actionid);
if (!(pkcontext = polkit_context_new()) ||
!polkit_context_init(pkcontext, &pkerr)) {
char ebuf[1024];
VIR_DEBUG("Failed to create polkit context %s",
(pkerr ? polkit_error_get_error_message(pkerr)
: virStrerror(errno, ebuf, sizeof(ebuf))));
if (pkerr)
polkit_error_free(pkerr);
dbus_error_free(&err);
goto cleanup;
}
# if HAVE_POLKIT_CONTEXT_IS_CALLER_AUTHORIZED
pkresult = polkit_context_is_caller_authorized(pkcontext,
pkaction,
pkcaller,
0,
&pkerr);
if (pkerr && polkit_error_is_set(pkerr)) {
VIR_DEBUG("Policy kit failed to check authorization %d %s",
polkit_error_get_error_code(pkerr),
polkit_error_get_error_message(pkerr));
goto cleanup;
}
# else
pkresult = polkit_context_can_caller_do_action(pkcontext,
pkaction,
pkcaller);
# endif
if (pkresult != POLKIT_RESULT_YES) {
VIR_DEBUG("Policy kit denied action %s from pid %lld, uid %d, result: %s",
actionid, (long long) pid, uid,
polkit_result_to_string_representation(pkresult));
ret = -2;
goto cleanup;
}
VIR_DEBUG("Policy allowed action %s from pid %lld, uid %d",
actionid, (long long)pid, (int)uid);
ret = 0;
cleanup:
if (ret < 0) {
virResetLastError();
virReportError(VIR_ERR_AUTH_FAILED, "%s",
_("authentication failed"));
}
if (pkcontext)
polkit_context_unref(pkcontext);
if (pkcaller)
polkit_caller_unref(pkcaller);
if (pkaction)
polkit_action_unref(pkaction);
return ret;
}
#else /* ! WITH_POLKIT1 && ! WITH_POLKIT0 */
#else /* ! WITH_POLKIT1 */
int virPolkitCheckAuth(const char *actionid ATTRIBUTE_UNUSED,
pid_t pid ATTRIBUTE_UNUSED,