Policy-Kit has been replaced by polkit (referred to as POLKIT0
and POLKIT1 in our Makefiles).
The last build fix for the old Policy-Kit was in May 2013
(commit <442eb2ba>), and the build with -Wunused-label has been
broken since April 2016 (commit <8437130>).
This includes a partial revert of commit <e1019e9>, which added
an extra step to generating the policy file.
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
.gitignore | 1 -
m4/virt-polkit.m4 | 44 +--------
src/libvirt.c | 27 -----
src/remote/Makefile.inc.am | 24 +----
src/remote/{libvirtd.policy.in => libvirtd.policy} | 6 +-
src/remote/remote_driver.c | 63 ------------
src/util/Makefile.inc.am | 2 -
src/util/virpolkit.c | 109 +--------------------
8 files changed, 8 insertions(+), 268 deletions(-)
rename src/remote/{libvirtd.policy.in => libvirtd.policy} (92%)
diff --git a/.gitignore b/.gitignore
index 2ca7d9776..dd00fc5cc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -135,7 +135,6 @@
/src/libvirt_lxc
/src/libvirtd
/src/libvirtd*.logrotate
-/src/libvirtd.policy
/src/locking/libxl-lockd.conf
/src/locking/libxl-sanlock.conf
/src/locking/lock_daemon_dispatch_stubs.h
diff --git a/m4/virt-polkit.m4 b/m4/virt-polkit.m4
index 7bdbf804d..9426c7d5d 100644
--- a/m4/virt-polkit.m4
+++ b/m4/virt-polkit.m4
@@ -25,12 +25,8 @@ AC_DEFUN([LIBVIRT_ARG_POLKIT], [
AC_DEFUN([LIBVIRT_CHECK_POLKIT], [
AC_REQUIRE([LIBVIRT_CHECK_DBUS])
- POLKIT_REQUIRED="0.6"
- POLKIT_CFLAGS=
- POLKIT_LIBS=
PKCHECK_PATH=
- with_polkit0=no
with_polkit1=no
if test "x$with_polkit" = "xyes" || test "x$with_polkit"
= "xcheck"; then
@@ -56,52 +52,14 @@ AC_DEFUN([LIBVIRT_CHECK_POLKIT], [
[You must install dbus to compile libvirt with polkit-1])
fi
fi
- else
- dnl Check for old polkit second - library + binary
- PKG_CHECK_MODULES(POLKIT, polkit-dbus >= $POLKIT_REQUIRED,
- [with_polkit=yes], [
- if test "x$with_polkit" = "xcheck" ; then
- with_polkit=no
- else
- AC_MSG_ERROR(
- [You must install PolicyKit >= $POLKIT_REQUIRED to compile libvirt])
- fi
- ])
- if test "x$with_polkit" = "xyes" ; then
- AC_DEFINE_UNQUOTED([WITH_POLKIT], 1,
- [use PolicyKit for UNIX socket access checks])
- AC_DEFINE_UNQUOTED([WITH_POLKIT0], 1,
- [use PolicyKit for UNIX socket access checks])
-
- old_CFLAGS=$CFLAGS
- old_LIBS=$LIBS
- CFLAGS="$CFLAGS $POLKIT_CFLAGS"
- LIBS="$LIBS $POLKIT_LIBS"
- AC_CHECK_FUNCS([polkit_context_is_caller_authorized])
- CFLAGS="$old_CFLAGS"
- LIBS="$old_LIBS"
-
- AC_PATH_PROG([POLKIT_AUTH], [polkit-auth])
- if test "x$POLKIT_AUTH" != "x"; then
- AC_DEFINE_UNQUOTED([POLKIT_AUTH],["$POLKIT_AUTH"],[Location of
polkit-auth program])
- fi
- with_polkit0="yes"
- fi
fi
fi
AM_CONDITIONAL([WITH_POLKIT], [test "x$with_polkit" = "xyes"])
- AM_CONDITIONAL([WITH_POLKIT0], [test "x$with_polkit0" = "xyes"])
AM_CONDITIONAL([WITH_POLKIT1], [test "x$with_polkit1" = "xyes"])
- AC_SUBST([POLKIT_CFLAGS])
- AC_SUBST([POLKIT_LIBS])
])
AC_DEFUN([LIBVIRT_RESULT_POLKIT], [
- if test "$with_polkit0" = "yes" ; then
- msg="$POLKIT_CFLAGS $POLKIT_LIBS (version 0)"
- else
- msg="$PKCHECK_PATH (version 1)"
- fi
+ msg="$PKCHECK_PATH (version 1)"
LIBVIRT_RESULT([polkit], [$with_polkit], [$msg])
])
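Review bot: Dropping the whole `else` branch leaves no visible handling for the case where the enclosing `if` fails; that `if` opens outside the hunk and is presumably the pkcheck lookup. The removed branch was also what turned `with_polkit=check` into `no` and raised `AC_MSG_ERROR` for an explicit `yes`. With an explicit `--with-polkit` and no pkcheck, `AM_CONDITIONAL([WITH_POLKIT], ...)` would now appear to be true while `WITH_POLKIT1` stays false, so the policy file is installed while the daemon compiles the `! WITH_POLKIT1` stub of `virPolkitCheckAuth`. Keeping a short `else` that only resolves the option, as sketched below, avoids that mismatch and keeps the configure summary honest.

```m4
    dnl … unchanged: pkcheck found, polkit-1 enabled …
    else
      dnl pkcheck not found: resolve "check" to "no", reject an explicit "yes"
      if test "x$with_polkit" = "xcheck" ; then
        with_polkit=no
      else
        AC_MSG_ERROR(
          [You must install polkit (pkcheck) to compile libvirt with polkit])
      fi
```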
diff --git a/src/libvirt.c b/src/libvirt.c
index 536d56f0a..b7bcf8022 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -121,28 +121,6 @@ static virSecretDriverPtr virSharedSecretDriver;
static virNWFilterDriverPtr virSharedNWFilterDriver;
-#if defined(POLKIT_AUTH)
-static int
-virConnectAuthGainPolkit(const char *privilege)
-{
- virCommandPtr cmd;
- int ret = -1;
-
- if (geteuid() == 0)
- return 0;
-
- cmd = virCommandNewArgList(POLKIT_AUTH, "--obtain", privilege, NULL);
- if (virCommandRun(cmd, NULL) < 0)
- goto cleanup;
-
- ret = 0;
- cleanup:
- virCommandFree(cmd);
- return ret;
-}
-#endif
-
-
static int
virConnectAuthCallbackDefault(virConnectCredentialPtr cred,
unsigned int ncred,
@@ -160,16 +138,11 @@ virConnectAuthCallbackDefault(virConnectCredentialPtr cred,
if (STRNEQ(cred[i].challenge, "PolicyKit"))
return -1;
-#if defined(POLKIT_AUTH)
- if (virConnectAuthGainPolkit(cred[i].prompt) < 0)
- return -1;
-#else
/*
* Ignore & carry on. Although we can't auth
* directly, the user may have authenticated
* themselves already outside context of libvirt
*/
-#endif
break;
}
diff --git a/src/remote/Makefile.inc.am b/src/remote/Makefile.inc.am
index a6e8ecabf..12600b8bb 100644
--- a/src/remote/Makefile.inc.am
+++ b/src/remote/Makefile.inc.am
@@ -75,7 +75,7 @@ EXTRA_DIST += \
remote/test_libvirtd.aug.in \
remote/libvirtd.aug \
remote/libvirtd.conf \
- remote/libvirtd.policy.in \
+ remote/libvirtd.policy \
remote/libvirtd.rules \
remote/libvirtd.sasl \
remote/libvirtd.sysctl \
@@ -120,18 +120,9 @@ conf_DATA += remote/libvirtd.conf
CLEANFILES += test_libvirtd.aug
if WITH_POLKIT
-if WITH_POLKIT0
-policydir = $(datadir)/PolicyKit/policy
-policyauth = auth_admin_keep_session
-else ! WITH_POLKIT0
policydir = $(datadir)/polkit-1/actions
-policyauth = auth_admin_keep
-endif ! WITH_POLKIT0
endif WITH_POLKIT
-BUILT_SOURCES += libvirtd.policy
-CLEANFILES += libvirtd.policy
-
man8_MANS += libvirtd.8
libvirtd_SOURCES = $(LIBVIRTD_SOURCES)
@@ -218,20 +209,17 @@ endif ! WITH_SYSCTL
if WITH_POLKIT
install-polkit::
$(MKDIR_P) $(DESTDIR)$(policydir)
- $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
-if ! WITH_POLKIT0
+ $(INSTALL_DATA) $(srcdir)/remote/libvirtd.policy \
+ $(DESTDIR)$(policydir)/org.libvirt.unix.policy
$(MKDIR_P) $(DESTDIR)$(datadir)/polkit-1/rules.d
$(INSTALL_DATA) $(srcdir)/remote/libvirtd.rules \
$(DESTDIR)$(datadir)/polkit-1/rules.d/50-libvirt.rules
-endif ! WITH_POLKIT0
uninstall-polkit::
rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
rmdir $(DESTDIR)$(policydir) || :
-if ! WITH_POLKIT0
rm -f $(DESTDIR)$(datadir)/polkit-1/rules.d/50-libvirt.rules
rmdir $(DESTDIR)$(datadir)/polkit-1/rules.d || :
-endif ! WITH_POLKIT0
else ! WITH_POLKIT
install-polkit::
@@ -267,12 +255,6 @@ install-sasl:
uninstall-sasl:
endif ! WITH_SASL
-libvirtd.policy: remote/libvirtd.policy.in $(top_builddir)/config.status
- $(AM_V_GEN) sed \
- -e 's|[@]authaction[@]|$(policyauth)|g' \
- < $< > $@-t && \
- mv $@-t $@
-
libvirtd.init: remote/libvirtd.init.in $(top_builddir)/config.status
$(AM_V_GEN)sed \
-e 's|[@]localstatedir[@]|$(localstatedir)|g' \
diff --git a/src/remote/libvirtd.policy.in b/src/remote/libvirtd.policy
similarity index 92%
rename from src/remote/libvirtd.policy.in
rename to src/remote/libvirtd.policy
index de1aba459..e834d2432 100644
--- a/src/remote/libvirtd.policy.in
+++ b/src/remote/libvirtd.policy
@@ -43,9 +43,9 @@ License along with this library. If not, see
<defaults>
<!-- Any program can use libvirt in read/write mode if they
provide the root password -->
- <allow_any>@authaction@</allow_any>
- <allow_inactive>@authaction@</allow_inactive>
- <allow_active>@authaction@</allow_active>
+ <allow_any>auth_admin_keep</allow_any>
+ <allow_inactive>auth_admin_keep</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
</policyconfig>
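Review bot: The comment above the now hard-coded `<defaults>` still says access is granted "if they provide the root password", which understates what `auth_admin_keep` grants. polkit accepts authentication as any configured administrator identity, not only root, and keeps the resulting authorization for a short period, so later requests in that window are not prompted again. Because the value is now literal in the shipped file and applies equally to `allow_any`, `allow_inactive` and `allow_active`, this comment is the only place a packager learns what the default grants. I would reword it to `<!-- Any program can use libvirt in read/write mode after authenticating as an administrator; polkit keeps the authorization for a short time (auth_admin_keep) -->`. The `<action>` element opens outside the hunk, so the action id this applies to is not visible here.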
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 9ea726dc4..bf00e3210 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -4289,64 +4289,6 @@ remoteAuthSASL(virConnectPtr conn, struct private_data *priv,
#endif /* WITH_SASL */
-#if WITH_POLKIT0
-/* Perform the PolicyKit0 authentication process */
-static int
-remoteAuthPolkit0(virConnectPtr conn, struct private_data *priv,
- virConnectAuthPtr auth)
-{
- remote_auth_polkit_ret ret;
- size_t i;
- int allowcb = 0;
- virConnectCredential cred = {
- VIR_CRED_EXTERNAL,
- conn->flags & VIR_CONNECT_RO ? "org.libvirt.unix.monitor" :
"org.libvirt.unix.manage",
- "PolicyKit",
- NULL,
- NULL,
- 0,
- };
- VIR_DEBUG("Client initialize PolicyKit-0 authentication");
-
- /* We only make it here if auth already failed
- * Ask client to obtain it and check again. */
- if (auth && auth->cb) {
- /* Check if the necessary credential type for PolicyKit is supported */
- for (i = 0; i < auth->ncredtype; i++) {
- if (auth->credtype[i] == VIR_CRED_EXTERNAL)
- allowcb = 1;
- }
-
- if (allowcb) {
- VIR_DEBUG("Client run callback for PolicyKit authentication");
- /* Run the authentication callback */
- if ((*(auth->cb))(&cred, 1, auth->cbdata) < 0) {
- virReportError(VIR_ERR_AUTH_FAILED, "%s",
- _("Failed to collect auth credentials"));
- return -1;
- }
- } else {
- VIR_DEBUG("Client auth callback does not support PolicyKit");
- return -1;
- }
- } else {
- VIR_DEBUG("No auth callback provided");
- return -1;
- }
-
- memset(&ret, 0, sizeof(ret));
- if (call(conn, priv, 0, REMOTE_PROC_AUTH_POLKIT,
- (xdrproc_t) xdr_void, (char *)NULL,
- (xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) != 0) {
- return -1; /* virError already set by call */
- }
-
- out:
- VIR_DEBUG("PolicyKit-0 authentication complete");
- return 0;
-}
-#endif /* WITH_POLKIT0 */
-
static int
remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
virConnectAuthPtr auth ATTRIBUTE_UNUSED)
@@ -4361,11 +4303,6 @@ remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
return -1; /* virError already set by call */
}
-#if WITH_POLKIT0
- if (remoteAuthPolkit0(conn, priv, auth) < 0)
- return -1;
-#endif /* WITH_POLKIT0 */
-
VIR_DEBUG("PolicyKit authentication complete");
return 0;
}
diff --git a/src/util/Makefile.inc.am b/src/util/Makefile.inc.am
index a91b30dca..3f9d1164b 100644
--- a/src/util/Makefile.inc.am
+++ b/src/util/Makefile.inc.am
@@ -251,7 +251,6 @@ libvirt_util_la_CFLAGS = \
$(DBUS_CFLAGS) \
$(LDEXP_LIBM) \
$(NUMACTL_CFLAGS) \
- $(POLKIT_CFLAGS) \
$(GNUTLS_CFLAGS) \
$(ACL_CFLAGS) \
$(NULL)
@@ -269,7 +268,6 @@ libvirt_util_la_LIBADD = \
$(SECDRIVER_LIBS) \
$(NUMACTL_LIBS) \
$(ACL_LIBS) \
- $(POLKIT_LIBS) \
$(GNUTLS_LIBS) \
$(NULL)
diff --git a/src/util/virpolkit.c b/src/util/virpolkit.c
index 4559431ba..2e8660188 100644
--- a/src/util/virpolkit.c
+++ b/src/util/virpolkit.c
@@ -22,11 +22,6 @@
#include <config.h>
#include <poll.h>
-#if WITH_POLKIT0
-# include <polkit/polkit.h>
-# include <polkit-dbus/polkit-dbus.h>
-#endif
-
#include "virpolkit.h"
#include "virerror.h"
#include "virlog.h"
@@ -211,109 +206,7 @@ virPolkitAgentCreate(void)
}
-#elif WITH_POLKIT0
-int virPolkitCheckAuth(const char *actionid,
- pid_t pid,
- unsigned long long startTime ATTRIBUTE_UNUSED,
- uid_t uid,
- const char **details,
- bool allowInteraction ATTRIBUTE_UNUSED)
-{
- PolKitCaller *pkcaller = NULL;
- PolKitAction *pkaction = NULL;
- PolKitContext *pkcontext = NULL;
- PolKitError *pkerr = NULL;
- PolKitResult pkresult;
- DBusError err;
- DBusConnection *sysbus;
- int ret = -1;
-
- if (details) {
- virReportError(VIR_ERR_AUTH_FAILED, "%s",
- _("Details not supported with polkit v0"));
- return -1;
- }
-
- if (!(sysbus = virDBusGetSystemBus()))
- goto cleanup;
-
- VIR_INFO("Checking PID %lld running as %d",
- (long long) pid, uid);
- dbus_error_init(&err);
- if (!(pkcaller = polkit_caller_new_from_pid(sysbus,
- pid, &err))) {
- VIR_DEBUG("Failed to lookup policy kit caller: %s", err.message);
- dbus_error_free(&err);
- goto cleanup;
- }
-
- if (!(pkaction = polkit_action_new())) {
- char ebuf[1024];
- VIR_DEBUG("Failed to create polkit action %s",
- virStrerror(errno, ebuf, sizeof(ebuf)));
- goto cleanup;
- }
- polkit_action_set_action_id(pkaction, actionid);
-
- if (!(pkcontext = polkit_context_new()) ||
- !polkit_context_init(pkcontext, &pkerr)) {
- char ebuf[1024];
- VIR_DEBUG("Failed to create polkit context %s",
- (pkerr ? polkit_error_get_error_message(pkerr)
- : virStrerror(errno, ebuf, sizeof(ebuf))));
- if (pkerr)
- polkit_error_free(pkerr);
- dbus_error_free(&err);
- goto cleanup;
- }
-
-# if HAVE_POLKIT_CONTEXT_IS_CALLER_AUTHORIZED
- pkresult = polkit_context_is_caller_authorized(pkcontext,
- pkaction,
- pkcaller,
- 0,
- &pkerr);
- if (pkerr && polkit_error_is_set(pkerr)) {
- VIR_DEBUG("Policy kit failed to check authorization %d %s",
- polkit_error_get_error_code(pkerr),
- polkit_error_get_error_message(pkerr));
- goto cleanup;
- }
-# else
- pkresult = polkit_context_can_caller_do_action(pkcontext,
- pkaction,
- pkcaller);
-# endif
- if (pkresult != POLKIT_RESULT_YES) {
- VIR_DEBUG("Policy kit denied action %s from pid %lld, uid %d, result:
%s",
- actionid, (long long) pid, uid,
- polkit_result_to_string_representation(pkresult));
- ret = -2;
- goto cleanup;
- }
-
- VIR_DEBUG("Policy allowed action %s from pid %lld, uid %d",
- actionid, (long long)pid, (int)uid);
-
- ret = 0;
-
- cleanup:
- if (ret < 0) {
- virResetLastError();
- virReportError(VIR_ERR_AUTH_FAILED, "%s",
- _("authentication failed"));
- }
- if (pkcontext)
- polkit_context_unref(pkcontext);
- if (pkcaller)
- polkit_caller_unref(pkcaller);
- if (pkaction)
- polkit_action_unref(pkaction);
- return ret;
-}
-
-
-#else /* ! WITH_POLKIT1 && ! WITH_POLKIT0 */
+#else /* ! WITH_POLKIT1 */
int virPolkitCheckAuth(const char *actionid ATTRIBUTE_UNUSED,
pid_t pid ATTRIBUTE_UNUSED,
--
2.16.1