From af41cf5957af5c98b221a9dd48774c6a9df27737 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A1n=20Tomko?= Date: Tue, 6 Mar 2018 16:47:44 +0100 Subject: [PATCH] Remove Policy-Kit support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Policy-Kit has been replaced by polkit (referred to, respectively, as POLKIT0 and POLKIT1 in our Makefiles). The last build fix with old Policy-Kit was in May 2013: commit <442eb2ba> and build with -Wunused-label was broken since April 2016: commit <8437130> Signed-off-by: Ján Tomko --- m4/virt-polkit.m4 | 44 +-------------- src/libvirt.c | 27 --------- src/remote/Makefile.inc.am | 9 --- src/remote/remote_driver.c | 63 --------------------- src/util/Makefile.inc.am | 2 - src/util/virpolkit.c | 109 +------------------------------------ 6 files changed, 2 insertions(+), 252 deletions(-) diff --git a/m4/virt-polkit.m4 b/m4/virt-polkit.m4 index 7bdbf804d3..9426c7d5da 100644 --- a/m4/virt-polkit.m4 +++ b/m4/virt-polkit.m4 @@ -25,12 +25,8 @@ AC_DEFUN([LIBVIRT_ARG_POLKIT], [ AC_DEFUN([LIBVIRT_CHECK_POLKIT], [ AC_REQUIRE([LIBVIRT_CHECK_DBUS]) - POLKIT_REQUIRED="0.6" - POLKIT_CFLAGS= - POLKIT_LIBS= PKCHECK_PATH= - with_polkit0=no with_polkit1=no if test "x$with_polkit" = "xyes" || test "x$with_polkit" = "xcheck"; then 
@@ -56,52 +52,14 @@ AC_DEFUN([LIBVIRT_CHECK_POLKIT], [ [You must install dbus to compile libvirt with polkit-1]) fi fi - else - dnl Check for old polkit second - library + binary - PKG_CHECK_MODULES(POLKIT, polkit-dbus >= $POLKIT_REQUIRED, - [with_polkit=yes], [ - if test "x$with_polkit" = "xcheck" ; then - with_polkit=no - else - AC_MSG_ERROR( - [You must install PolicyKit >= $POLKIT_REQUIRED to compile libvirt]) - fi - ]) - if test "x$with_polkit" = "xyes" ; then - AC_DEFINE_UNQUOTED([WITH_POLKIT], 1, - [use PolicyKit for UNIX socket access checks]) - AC_DEFINE_UNQUOTED([WITH_POLKIT0], 1, - [use PolicyKit for UNIX socket access checks]) - - old_CFLAGS=$CFLAGS - old_LIBS=$LIBS - CFLAGS="$CFLAGS $POLKIT_CFLAGS" - LIBS="$LIBS $POLKIT_LIBS" - AC_CHECK_FUNCS([polkit_context_is_caller_authorized]) - CFLAGS="$old_CFLAGS" - LIBS="$old_LIBS" - - AC_PATH_PROG([POLKIT_AUTH], [polkit-auth]) - if test "x$POLKIT_AUTH" != "x"; then - AC_DEFINE_UNQUOTED([POLKIT_AUTH],["$POLKIT_AUTH"],[Location of polkit-auth program]) - fi - with_polkit0="yes" - fi fi fi AM_CONDITIONAL([WITH_POLKIT], [test "x$with_polkit" = "xyes"]) - AM_CONDITIONAL([WITH_POLKIT0], [test "x$with_polkit0" = "xyes"]) AM_CONDITIONAL([WITH_POLKIT1], [test "x$with_polkit1" = "xyes"]) - AC_SUBST([POLKIT_CFLAGS]) - AC_SUBST([POLKIT_LIBS]) ]) AC_DEFUN([LIBVIRT_RESULT_POLKIT], [ - if test "$with_polkit0" = "yes" ; then - msg="$POLKIT_CFLAGS $POLKIT_LIBS (version 0)" - else - msg="$PKCHECK_PATH (version 1)" - fi + msg="$PKCHECK_PATH (version 1)" LIBVIRT_RESULT([polkit], [$with_polkit], [$msg]) ]) diff --git a/src/libvirt.c b/src/libvirt.c index 536d56f0a5..b7bcf80224 100644 --- a/src/libvirt.c +++ b/src/libvirt.c 
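Review bot: With the `else` fallback removed, the `if` that closes at the first remaining `fi` has no branch for a failed polkit-1 probe, so `with_polkit` keeps whatever value it came in with. For `--with-polkit=yes` that leaves `AM_CONDITIONAL([WITH_POLKIT], ...)` true while, as far as the visible lines show, nothing defines `WITH_POLKIT`/`WITH_POLKIT1` for the C code, so the policy file would be installed by a build whose `virPolkitCheckAuth` is presumably the non-polkit stub; for `check`, the result line would report `check` rather than `no`. The removed block used to turn `check` into `no` and raise `AC_MSG_ERROR` for an explicit request, and the new code should keep that behaviour for polkit-1, as in the branch below. The opening of that `if` lies above the hunk, so its condition should be confirmed before applying this.

```m4
    dnl … unchanged: polkit-1 branch and its dbus check …
    else
      dnl no fallback backend is left, so resolve the request here
      if test "x$with_polkit" = "xcheck" ; then
        with_polkit=no
      else
        AC_MSG_ERROR(
          [You must install polkit-1 to compile libvirt with polkit support])
      fi
    fi
```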
@@ -121,28 +121,6 @@ static virSecretDriverPtr virSharedSecretDriver; static virNWFilterDriverPtr virSharedNWFilterDriver; -#if defined(POLKIT_AUTH) -static int -virConnectAuthGainPolkit(const char *privilege) -{ - virCommandPtr cmd; - int ret = -1; - - if (geteuid() == 0) - return 0; - - cmd = virCommandNewArgList(POLKIT_AUTH, "--obtain", privilege, NULL); - if (virCommandRun(cmd, NULL) < 0) - goto cleanup; - - ret = 0; - cleanup: - virCommandFree(cmd); - return ret; -} -#endif - - static int virConnectAuthCallbackDefault(virConnectCredentialPtr cred, unsigned int ncred, @@ -160,16 +138,11 @@ virConnectAuthCallbackDefault(virConnectCredentialPtr cred, if (STRNEQ(cred[i].challenge, "PolicyKit")) return -1; -#if defined(POLKIT_AUTH) - if (virConnectAuthGainPolkit(cred[i].prompt) < 0) - return -1; -#else /* * Ignore & carry on. Although we can't auth * directly, the user may have authenticated * themselves already outside context of libvirt */ -#endif break; } diff --git a/src/remote/Makefile.inc.am b/src/remote/Makefile.inc.am index a6e8ecabf9..2fb6056fcc 100644 --- a/src/remote/Makefile.inc.am +++ b/src/remote/Makefile.inc.am @@ -120,13 +120,8 @@ conf_DATA += remote/libvirtd.conf CLEANFILES += test_libvirtd.aug if WITH_POLKIT -if WITH_POLKIT0 -policydir = $(datadir)/PolicyKit/policy -policyauth = auth_admin_keep_session -else ! WITH_POLKIT0 policydir = $(datadir)/polkit-1/actions policyauth = auth_admin_keep -endif ! WITH_POLKIT0 endif WITH_POLKIT BUILT_SOURCES += libvirtd.policy 
@@ -219,19 +214,15 @@ if WITH_POLKIT install-polkit:: $(MKDIR_P) $(DESTDIR)$(policydir) $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy -if ! WITH_POLKIT0 $(MKDIR_P) $(DESTDIR)$(datadir)/polkit-1/rules.d $(INSTALL_DATA) $(srcdir)/remote/libvirtd.rules \ $(DESTDIR)$(datadir)/polkit-1/rules.d/50-libvirt.rules -endif ! WITH_POLKIT0 uninstall-polkit:: rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy rmdir $(DESTDIR)$(policydir) || : -if ! WITH_POLKIT0 rm -f $(DESTDIR)$(datadir)/polkit-1/rules.d/50-libvirt.rules rmdir $(DESTDIR)$(datadir)/polkit-1/rules.d || : -endif ! WITH_POLKIT0 else ! WITH_POLKIT install-polkit:: diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index 93cba5daa3..f765c09416 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c 
@@ -4289,64 +4289,6 @@ remoteAuthSASL(virConnectPtr conn, struct private_data *priv, #endif /* WITH_SASL */ -#if WITH_POLKIT0 -/* Perform the PolicyKit0 authentication process */ -static int -remoteAuthPolkit0(virConnectPtr conn, struct private_data *priv, - virConnectAuthPtr auth) -{ - remote_auth_polkit_ret ret; - size_t i; - int allowcb = 0; - virConnectCredential cred = { - VIR_CRED_EXTERNAL, - conn->flags & VIR_CONNECT_RO ? "org.libvirt.unix.monitor" : "org.libvirt.unix.manage", - "PolicyKit", - NULL, - NULL, - 0, - }; - VIR_DEBUG("Client initialize PolicyKit-0 authentication"); - - /* We only make it here if auth already failed - * Ask client to obtain it and check again. */ - if (auth && auth->cb) { - /* Check if the necessary credential type for PolicyKit is supported */ - for (i = 0; i < auth->ncredtype; i++) { - if (auth->credtype[i] == VIR_CRED_EXTERNAL) - allowcb = 1; - } - - if (allowcb) { - VIR_DEBUG("Client run callback for PolicyKit authentication"); - /* Run the authentication callback */ - if ((*(auth->cb))(&cred, 1, auth->cbdata) < 0) { - virReportError(VIR_ERR_AUTH_FAILED, "%s", - _("Failed to collect auth credentials")); - return -1; - } - } else { - VIR_DEBUG("Client auth callback does not support PolicyKit"); - return -1; - } - } else { - VIR_DEBUG("No auth callback provided"); - return -1; - } - - memset(&ret, 0, sizeof(ret)); - if (call(conn, priv, 0, REMOTE_PROC_AUTH_POLKIT, - (xdrproc_t) xdr_void, (char *)NULL, - (xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) != 0) { - return -1; /* virError already set by call */ - } - - out: - VIR_DEBUG("PolicyKit-0 authentication complete"); - return 0; -} -#endif /* WITH_POLKIT0 */ - static int remoteAuthPolkit(virConnectPtr conn, struct private_data *priv, virConnectAuthPtr auth ATTRIBUTE_UNUSED) 
@@ -4361,11 +4303,6 @@ remoteAuthPolkit(virConnectPtr conn, struct private_data *priv, return -1; /* virError already set by call */ } -#if WITH_POLKIT0 - if (remoteAuthPolkit0(conn, priv, auth) < 0) - return -1; -#endif /* WITH_POLKIT0 */ - VIR_DEBUG("PolicyKit authentication complete"); return 0; } diff --git a/src/util/Makefile.inc.am b/src/util/Makefile.inc.am index d0e1ec3625..4928c5282b 100644 --- a/src/util/Makefile.inc.am +++ b/src/util/Makefile.inc.am @@ -251,7 +251,6 @@ libvirt_util_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(LDEXP_LIBM) \ $(NUMACTL_CFLAGS) \ - $(POLKIT_CFLAGS) \ $(GNUTLS_CFLAGS) \ $(ACL_CFLAGS) \ $(NULL) @@ -269,7 +268,6 @@ libvirt_util_la_LIBADD = \ $(SECDRIVER_LIBS) \ $(NUMACTL_LIBS) \ $(ACL_LIBS) \ - $(POLKIT_LIBS) \ $(GNUTLS_LIBS) \ $(NULL) diff --git a/src/util/virpolkit.c b/src/util/virpolkit.c index 4559431baf..2e8660188b 100644 --- a/src/util/virpolkit.c +++ b/src/util/virpolkit.c @@ -22,11 +22,6 @@ #include #include -#if WITH_POLKIT0 -# include -# include -#endif - #include "virpolkit.h" #include "virerror.h" #include "virlog.h" 
@@ -211,109 +206,7 @@ virPolkitAgentCreate(void) } -#elif WITH_POLKIT0 -int virPolkitCheckAuth(const char *actionid, - pid_t pid, - unsigned long long startTime ATTRIBUTE_UNUSED, - uid_t uid, - const char **details, - bool allowInteraction ATTRIBUTE_UNUSED) -{ - PolKitCaller *pkcaller = NULL; - PolKitAction *pkaction = NULL; - PolKitContext *pkcontext = NULL; - PolKitError *pkerr = NULL; - PolKitResult pkresult; - DBusError err; - DBusConnection *sysbus; - int ret = -1; - - if (details) { - virReportError(VIR_ERR_AUTH_FAILED, "%s", - _("Details not supported with polkit v0")); - return -1; - } - - if (!(sysbus = virDBusGetSystemBus())) - goto cleanup; - - VIR_INFO("Checking PID %lld running as %d", - (long long) pid, uid); - dbus_error_init(&err); - if (!(pkcaller = polkit_caller_new_from_pid(sysbus, - pid, &err))) { - VIR_DEBUG("Failed to lookup policy kit caller: %s", err.message); - dbus_error_free(&err); - goto cleanup; - } - - if (!(pkaction = polkit_action_new())) { - char ebuf[1024]; - VIR_DEBUG("Failed to create polkit action %s", - virStrerror(errno, ebuf, sizeof(ebuf))); - goto cleanup; - } - polkit_action_set_action_id(pkaction, actionid); - - if (!(pkcontext = polkit_context_new()) || - !polkit_context_init(pkcontext, &pkerr)) { - char ebuf[1024]; - VIR_DEBUG("Failed to create polkit context %s", - (pkerr ? 
polkit_error_get_error_message(pkerr) - : virStrerror(errno, ebuf, sizeof(ebuf)))); - if (pkerr) - polkit_error_free(pkerr); - dbus_error_free(&err); - goto cleanup; - } - -# if HAVE_POLKIT_CONTEXT_IS_CALLER_AUTHORIZED - pkresult = polkit_context_is_caller_authorized(pkcontext, - pkaction, - pkcaller, - 0, - &pkerr); - if (pkerr && polkit_error_is_set(pkerr)) { - VIR_DEBUG("Policy kit failed to check authorization %d %s", - polkit_error_get_error_code(pkerr), - polkit_error_get_error_message(pkerr)); - goto cleanup; - } -# else - pkresult = polkit_context_can_caller_do_action(pkcontext, - pkaction, - pkcaller); -# endif - if (pkresult != POLKIT_RESULT_YES) { - VIR_DEBUG("Policy kit denied action %s from pid %lld, uid %d, result: %s", - actionid, (long long) pid, uid, - polkit_result_to_string_representation(pkresult)); - ret = -2; - goto cleanup; - } - - VIR_DEBUG("Policy allowed action %s from pid %lld, uid %d", - actionid, (long long)pid, (int)uid); - - ret = 0; - - cleanup: - if (ret < 0) { - virResetLastError(); - virReportError(VIR_ERR_AUTH_FAILED, "%s", - _("authentication failed")); - } - if (pkcontext) - polkit_context_unref(pkcontext); - if (pkcaller) - polkit_caller_unref(pkcaller); - if (pkaction) - polkit_action_unref(pkaction); - return ret; -} - - -#else /* ! WITH_POLKIT1 && ! WITH_POLKIT0 */ +#else /* ! WITH_POLKIT1 */ int virPolkitCheckAuth(const char *actionid ATTRIBUTE_UNUSED, pid_t pid ATTRIBUTE_UNUSED,