[libvirt] [PATCH 1/3] Remove Policy-Kit support
Ján Tomko
jtomko at redhat.com
Wed Mar 7 09:29:30 UTC 2018
Policy-Kit has been replaced by polkit (referred to as POLKIT0
and POLKIT1 in our Makefiles).
The last build fix with old Policy-Kit was in May 2013:
commit <442eb2ba> and build with -Wunused-label was broken
since April 2016: commit <8437130>
This includes a partial revert of commit <e1019e9>, which added
an extra step to generating the policy file.
Signed-off-by: Ján Tomko <jtomko at redhat.com>
---
.gitignore | 1 -
m4/virt-polkit.m4 | 44 +--------
src/libvirt.c | 27 -----
src/remote/Makefile.inc.am | 24 +----
src/remote/{libvirtd.policy.in => libvirtd.policy} | 6 +-
src/remote/remote_driver.c | 63 ------------
src/util/Makefile.inc.am | 2 -
src/util/virpolkit.c | 109 +--------------------
8 files changed, 8 insertions(+), 268 deletions(-)
rename src/remote/{libvirtd.policy.in => libvirtd.policy} (92%)
diff --git a/.gitignore b/.gitignore
index 2ca7d9776..dd00fc5cc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -135,7 +135,6 @@
/src/libvirt_lxc
/src/libvirtd
/src/libvirtd*.logrotate
-/src/libvirtd.policy
/src/locking/libxl-lockd.conf
/src/locking/libxl-sanlock.conf
/src/locking/lock_daemon_dispatch_stubs.h
diff --git a/m4/virt-polkit.m4 b/m4/virt-polkit.m4
index 7bdbf804d..9426c7d5d 100644
--- a/m4/virt-polkit.m4
+++ b/m4/virt-polkit.m4
@@ -25,12 +25,8 @@ AC_DEFUN([LIBVIRT_ARG_POLKIT], [
AC_DEFUN([LIBVIRT_CHECK_POLKIT], [
AC_REQUIRE([LIBVIRT_CHECK_DBUS])
- POLKIT_REQUIRED="0.6"
- POLKIT_CFLAGS=
- POLKIT_LIBS=
PKCHECK_PATH=
- with_polkit0=no
with_polkit1=no
if test "x$with_polkit" = "xyes" || test "x$with_polkit" = "xcheck"; then
@@ -56,52 +52,14 @@ AC_DEFUN([LIBVIRT_CHECK_POLKIT], [
[You must install dbus to compile libvirt with polkit-1])
fi
fi
- else
- dnl Check for old polkit second - library + binary
- PKG_CHECK_MODULES(POLKIT, polkit-dbus >= $POLKIT_REQUIRED,
- [with_polkit=yes], [
- if test "x$with_polkit" = "xcheck" ; then
- with_polkit=no
- else
- AC_MSG_ERROR(
- [You must install PolicyKit >= $POLKIT_REQUIRED to compile libvirt])
- fi
- ])
- if test "x$with_polkit" = "xyes" ; then
- AC_DEFINE_UNQUOTED([WITH_POLKIT], 1,
- [use PolicyKit for UNIX socket access checks])
- AC_DEFINE_UNQUOTED([WITH_POLKIT0], 1,
- [use PolicyKit for UNIX socket access checks])
-
- old_CFLAGS=$CFLAGS
- old_LIBS=$LIBS
- CFLAGS="$CFLAGS $POLKIT_CFLAGS"
- LIBS="$LIBS $POLKIT_LIBS"
- AC_CHECK_FUNCS([polkit_context_is_caller_authorized])
- CFLAGS="$old_CFLAGS"
- LIBS="$old_LIBS"
-
- AC_PATH_PROG([POLKIT_AUTH], [polkit-auth])
- if test "x$POLKIT_AUTH" != "x"; then
- AC_DEFINE_UNQUOTED([POLKIT_AUTH],["$POLKIT_AUTH"],[Location of polkit-auth program])
- fi
- with_polkit0="yes"
- fi
fi
fi
AM_CONDITIONAL([WITH_POLKIT], [test "x$with_polkit" = "xyes"])
- AM_CONDITIONAL([WITH_POLKIT0], [test "x$with_polkit0" = "xyes"])
AM_CONDITIONAL([WITH_POLKIT1], [test "x$with_polkit1" = "xyes"])
- AC_SUBST([POLKIT_CFLAGS])
- AC_SUBST([POLKIT_LIBS])
])
AC_DEFUN([LIBVIRT_RESULT_POLKIT], [
- if test "$with_polkit0" = "yes" ; then
- msg="$POLKIT_CFLAGS $POLKIT_LIBS (version 0)"
- else
- msg="$PKCHECK_PATH (version 1)"
- fi
+ msg="$PKCHECK_PATH (version 1)"
LIBVIRT_RESULT([polkit], [$with_polkit], [$msg])
])
diff --git a/src/libvirt.c b/src/libvirt.c
index 536d56f0a..b7bcf8022 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -121,28 +121,6 @@ static virSecretDriverPtr virSharedSecretDriver;
static virNWFilterDriverPtr virSharedNWFilterDriver;
-#if defined(POLKIT_AUTH)
-static int
-virConnectAuthGainPolkit(const char *privilege)
-{
- virCommandPtr cmd;
- int ret = -1;
-
- if (geteuid() == 0)
- return 0;
-
- cmd = virCommandNewArgList(POLKIT_AUTH, "--obtain", privilege, NULL);
- if (virCommandRun(cmd, NULL) < 0)
- goto cleanup;
-
- ret = 0;
- cleanup:
- virCommandFree(cmd);
- return ret;
-}
-#endif
-
-
static int
virConnectAuthCallbackDefault(virConnectCredentialPtr cred,
unsigned int ncred,
@@ -160,16 +138,11 @@ virConnectAuthCallbackDefault(virConnectCredentialPtr cred,
if (STRNEQ(cred[i].challenge, "PolicyKit"))
return -1;
-#if defined(POLKIT_AUTH)
- if (virConnectAuthGainPolkit(cred[i].prompt) < 0)
- return -1;
-#else
/*
* Ignore & carry on. Although we can't auth
* directly, the user may have authenticated
* themselves already outside context of libvirt
*/
-#endif
break;
}
diff --git a/src/remote/Makefile.inc.am b/src/remote/Makefile.inc.am
index a6e8ecabf..12600b8bb 100644
--- a/src/remote/Makefile.inc.am
+++ b/src/remote/Makefile.inc.am
@@ -75,7 +75,7 @@ EXTRA_DIST += \
remote/test_libvirtd.aug.in \
remote/libvirtd.aug \
remote/libvirtd.conf \
- remote/libvirtd.policy.in \
+ remote/libvirtd.policy \
remote/libvirtd.rules \
remote/libvirtd.sasl \
remote/libvirtd.sysctl \
@@ -120,18 +120,9 @@ conf_DATA += remote/libvirtd.conf
CLEANFILES += test_libvirtd.aug
if WITH_POLKIT
-if WITH_POLKIT0
-policydir = $(datadir)/PolicyKit/policy
-policyauth = auth_admin_keep_session
-else ! WITH_POLKIT0
policydir = $(datadir)/polkit-1/actions
-policyauth = auth_admin_keep
-endif ! WITH_POLKIT0
endif WITH_POLKIT
-BUILT_SOURCES += libvirtd.policy
-CLEANFILES += libvirtd.policy
-
man8_MANS += libvirtd.8
libvirtd_SOURCES = $(LIBVIRTD_SOURCES)
@@ -218,20 +209,17 @@ endif ! WITH_SYSCTL
if WITH_POLKIT
install-polkit::
$(MKDIR_P) $(DESTDIR)$(policydir)
- $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
-if ! WITH_POLKIT0
+ $(INSTALL_DATA) $(srcdir)/remote/libvirtd.policy \
+ $(DESTDIR)$(policydir)/org.libvirt.unix.policy
$(MKDIR_P) $(DESTDIR)$(datadir)/polkit-1/rules.d
$(INSTALL_DATA) $(srcdir)/remote/libvirtd.rules \
$(DESTDIR)$(datadir)/polkit-1/rules.d/50-libvirt.rules
-endif ! WITH_POLKIT0
uninstall-polkit::
rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
rmdir $(DESTDIR)$(policydir) || :
-if ! WITH_POLKIT0
rm -f $(DESTDIR)$(datadir)/polkit-1/rules.d/50-libvirt.rules
rmdir $(DESTDIR)$(datadir)/polkit-1/rules.d || :
-endif ! WITH_POLKIT0
else ! WITH_POLKIT
install-polkit::
@@ -267,12 +255,6 @@ install-sasl:
uninstall-sasl:
endif ! WITH_SASL
-libvirtd.policy: remote/libvirtd.policy.in $(top_builddir)/config.status
- $(AM_V_GEN) sed \
- -e 's|[@]authaction[@]|$(policyauth)|g' \
- < $< > $@-t && \
- mv $@-t $@
-
libvirtd.init: remote/libvirtd.init.in $(top_builddir)/config.status
$(AM_V_GEN)sed \
-e 's|[@]localstatedir[@]|$(localstatedir)|g' \
diff --git a/src/remote/libvirtd.policy.in b/src/remote/libvirtd.policy
similarity index 92%
rename from src/remote/libvirtd.policy.in
rename to src/remote/libvirtd.policy
index de1aba459..e834d2432 100644
--- a/src/remote/libvirtd.policy.in
+++ b/src/remote/libvirtd.policy
@@ -43,9 +43,9 @@ License along with this library. If not, see
<defaults>
<!-- Any program can use libvirt in read/write mode if they
provide the root password -->
- <allow_any>@authaction@</allow_any>
- <allow_inactive>@authaction@</allow_inactive>
- <allow_active>@authaction@</allow_active>
+ <allow_any>auth_admin_keep</allow_any>
+ <allow_inactive>auth_admin_keep</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
</policyconfig>
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 9ea726dc4..bf00e3210 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -4289,64 +4289,6 @@ remoteAuthSASL(virConnectPtr conn, struct private_data *priv,
#endif /* WITH_SASL */
-#if WITH_POLKIT0
-/* Perform the PolicyKit0 authentication process */
-static int
-remoteAuthPolkit0(virConnectPtr conn, struct private_data *priv,
- virConnectAuthPtr auth)
-{
- remote_auth_polkit_ret ret;
- size_t i;
- int allowcb = 0;
- virConnectCredential cred = {
- VIR_CRED_EXTERNAL,
- conn->flags & VIR_CONNECT_RO ? "org.libvirt.unix.monitor" : "org.libvirt.unix.manage",
- "PolicyKit",
- NULL,
- NULL,
- 0,
- };
- VIR_DEBUG("Client initialize PolicyKit-0 authentication");
-
- /* We only make it here if auth already failed
- * Ask client to obtain it and check again. */
- if (auth && auth->cb) {
- /* Check if the necessary credential type for PolicyKit is supported */
- for (i = 0; i < auth->ncredtype; i++) {
- if (auth->credtype[i] == VIR_CRED_EXTERNAL)
- allowcb = 1;
- }
-
- if (allowcb) {
- VIR_DEBUG("Client run callback for PolicyKit authentication");
- /* Run the authentication callback */
- if ((*(auth->cb))(&cred, 1, auth->cbdata) < 0) {
- virReportError(VIR_ERR_AUTH_FAILED, "%s",
- _("Failed to collect auth credentials"));
- return -1;
- }
- } else {
- VIR_DEBUG("Client auth callback does not support PolicyKit");
- return -1;
- }
- } else {
- VIR_DEBUG("No auth callback provided");
- return -1;
- }
-
- memset(&ret, 0, sizeof(ret));
- if (call(conn, priv, 0, REMOTE_PROC_AUTH_POLKIT,
- (xdrproc_t) xdr_void, (char *)NULL,
- (xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) != 0) {
- return -1; /* virError already set by call */
- }
-
- out:
- VIR_DEBUG("PolicyKit-0 authentication complete");
- return 0;
-}
-#endif /* WITH_POLKIT0 */
-
static int
remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
virConnectAuthPtr auth ATTRIBUTE_UNUSED)
@@ -4361,11 +4303,6 @@ remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
return -1; /* virError already set by call */
}
-#if WITH_POLKIT0
- if (remoteAuthPolkit0(conn, priv, auth) < 0)
- return -1;
-#endif /* WITH_POLKIT0 */
-
VIR_DEBUG("PolicyKit authentication complete");
return 0;
}
diff --git a/src/util/Makefile.inc.am b/src/util/Makefile.inc.am
index a91b30dca..3f9d1164b 100644
--- a/src/util/Makefile.inc.am
+++ b/src/util/Makefile.inc.am
@@ -251,7 +251,6 @@ libvirt_util_la_CFLAGS = \
$(DBUS_CFLAGS) \
$(LDEXP_LIBM) \
$(NUMACTL_CFLAGS) \
- $(POLKIT_CFLAGS) \
$(GNUTLS_CFLAGS) \
$(ACL_CFLAGS) \
$(NULL)
@@ -269,7 +268,6 @@ libvirt_util_la_LIBADD = \
$(SECDRIVER_LIBS) \
$(NUMACTL_LIBS) \
$(ACL_LIBS) \
- $(POLKIT_LIBS) \
$(GNUTLS_LIBS) \
$(NULL)
diff --git a/src/util/virpolkit.c b/src/util/virpolkit.c
index 4559431ba..2e8660188 100644
--- a/src/util/virpolkit.c
+++ b/src/util/virpolkit.c
@@ -22,11 +22,6 @@
#include <config.h>
#include <poll.h>
-#if WITH_POLKIT0
-# include <polkit/polkit.h>
-# include <polkit-dbus/polkit-dbus.h>
-#endif
-
#include "virpolkit.h"
#include "virerror.h"
#include "virlog.h"
@@ -211,109 +206,7 @@ virPolkitAgentCreate(void)
}
-#elif WITH_POLKIT0
-int virPolkitCheckAuth(const char *actionid,
- pid_t pid,
- unsigned long long startTime ATTRIBUTE_UNUSED,
- uid_t uid,
- const char **details,
- bool allowInteraction ATTRIBUTE_UNUSED)
-{
- PolKitCaller *pkcaller = NULL;
- PolKitAction *pkaction = NULL;
- PolKitContext *pkcontext = NULL;
- PolKitError *pkerr = NULL;
- PolKitResult pkresult;
- DBusError err;
- DBusConnection *sysbus;
- int ret = -1;
-
- if (details) {
- virReportError(VIR_ERR_AUTH_FAILED, "%s",
- _("Details not supported with polkit v0"));
- return -1;
- }
-
- if (!(sysbus = virDBusGetSystemBus()))
- goto cleanup;
-
- VIR_INFO("Checking PID %lld running as %d",
- (long long) pid, uid);
- dbus_error_init(&err);
- if (!(pkcaller = polkit_caller_new_from_pid(sysbus,
- pid, &err))) {
- VIR_DEBUG("Failed to lookup policy kit caller: %s", err.message);
- dbus_error_free(&err);
- goto cleanup;
- }
-
- if (!(pkaction = polkit_action_new())) {
- char ebuf[1024];
- VIR_DEBUG("Failed to create polkit action %s",
- virStrerror(errno, ebuf, sizeof(ebuf)));
- goto cleanup;
- }
- polkit_action_set_action_id(pkaction, actionid);
-
- if (!(pkcontext = polkit_context_new()) ||
- !polkit_context_init(pkcontext, &pkerr)) {
- char ebuf[1024];
- VIR_DEBUG("Failed to create polkit context %s",
- (pkerr ? polkit_error_get_error_message(pkerr)
- : virStrerror(errno, ebuf, sizeof(ebuf))));
- if (pkerr)
- polkit_error_free(pkerr);
- dbus_error_free(&err);
- goto cleanup;
- }
-
-# if HAVE_POLKIT_CONTEXT_IS_CALLER_AUTHORIZED
- pkresult = polkit_context_is_caller_authorized(pkcontext,
- pkaction,
- pkcaller,
- 0,
- &pkerr);
- if (pkerr && polkit_error_is_set(pkerr)) {
- VIR_DEBUG("Policy kit failed to check authorization %d %s",
- polkit_error_get_error_code(pkerr),
- polkit_error_get_error_message(pkerr));
- goto cleanup;
- }
-# else
- pkresult = polkit_context_can_caller_do_action(pkcontext,
- pkaction,
- pkcaller);
-# endif
- if (pkresult != POLKIT_RESULT_YES) {
- VIR_DEBUG("Policy kit denied action %s from pid %lld, uid %d, result: %s",
- actionid, (long long) pid, uid,
- polkit_result_to_string_representation(pkresult));
- ret = -2;
- goto cleanup;
- }
-
- VIR_DEBUG("Policy allowed action %s from pid %lld, uid %d",
- actionid, (long long)pid, (int)uid);
-
- ret = 0;
-
- cleanup:
- if (ret < 0) {
- virResetLastError();
- virReportError(VIR_ERR_AUTH_FAILED, "%s",
- _("authentication failed"));
- }
- if (pkcontext)
- polkit_context_unref(pkcontext);
- if (pkcaller)
- polkit_caller_unref(pkcaller);
- if (pkaction)
- polkit_action_unref(pkaction);
- return ret;
-}
-
-
-#else /* ! WITH_POLKIT1 && ! WITH_POLKIT0 */
+#else /* ! WITH_POLKIT1 */
int virPolkitCheckAuth(const char *actionid ATTRIBUTE_UNUSED,
pid_t pid ATTRIBUTE_UNUSED,
--
2.16.1
More information about the libvir-list
mailing list