Commit a23d9ce3 authored by Luca Boccassi's avatar Luca Boccassi

jsauthority: add 'system_unit' and 'no_new_privileges' subject attributes

When building with libsystemd support, query the systemd unit name
that the process is part of (if any) and add it as a subject attribute.
Allows allow-listing actions based on the systemd unit:

 polkit.addRule(function(action, subject) {
     if (action.id.indexOf("org.foo.bar") == 0) {
         if (subject.system_unit == "test.service" && subject.no_new_privileges) {
             return polkit.Result.YES;
         }
     }
 });

We call it system_unit instead of just unit to make it extra clear that
this is about system units, rather than user units.
If we ran as root we could also query for the user unit, but we are
running as the polkitd user in most cases which means we cannot connect
to other D-Bus sessions to perform the query.

We only do this if we can pin the subject process by PIDFD, as that's
safer since PIDs can be recycled. Skip if not possible because the D-Bus
daemon and/or systemd are too old and do not support the functionality.
Also we check for the NoNewPrivileges= being set, so that we can ensure
that the unit cannot alter its uid via a setuid binary. But let this last
part be decided by policy, as a system builder might simply ensure that
no setuid binaries are shipped at all, which is equivalent.

This requires dbus-broker v34 or dbus-daemon v15.7 and systemd v253 and
kernel v6.5.
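To show how the rule above behaves when the new subject attributes are present, absent, or only partly satisfied, here is an added example that is not part of the commit or of polkit itself: a small constructed stand-in for the polkit rule engine (only `polkit.addRule()` and `polkit.Result` are modelled, and the "auth_admin" fallback is an assumed implicit policy) with the commit's rule run against constructed subjects.

```javascript
// Constructed stand-in for polkitd's embedded rule engine (added example, not
// polkit's own code). Real polkitd loads rules from .rules files; here rules
// are registered in-process so the commit's rule can be exercised offline.
const polkit = {
  // Real polkit.Result values are strings; NOT_HANDLED is null.
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// First rule that returns something other than undefined/null decides.
// If no rule handles the action, an implicit policy applies; "auth_admin"
// is assumed here as the conservative default from the action's .policy file.
function evaluate(action, subject) {
  for (const rule of polkit._rules) {
    const r = rule(action, subject);
    if (r !== undefined && r !== null) return r;
  }
  return polkit.Result.AUTH_ADMIN;
}

// The rule from the commit message: allow-list only when the caller is pinned
// to test.service AND runs with NoNewPrivileges=, so a setuid hop out of the
// unit cannot inherit the allow-listing.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.foo.bar") == 0) {
    if (subject.system_unit == "test.service" && subject.no_new_privileges) {
      return polkit.Result.YES;
    }
  }
});

// Constructed subjects. Both attributes are simply absent when polkitd could
// not pin the process by pidfd (too-old dbus-daemon/dbus-broker, systemd or
// kernel), so an unpinned caller must fall through to the implicit policy.
const pinnedUnit = { system_unit: "test.service", no_new_privileges: true };
const noNNP      = { system_unit: "test.service", no_new_privileges: false };
const otherUnit  = { system_unit: "cron.service", no_new_privileges: true };
const unpinned   = {};
const act = { id: "org.foo.bar.reload" };

console.log(evaluate(act, pinnedUnit)); // yes
console.log(evaluate(act, noNNP));      // auth_admin
console.log(evaluate(act, unpinned));   // auth_admin
```

Only the rule body belongs in a real deployment (a file under /etc/polkit-1/rules.d/); the engine stub exists solely so the decision logic can be run and checked outside polkitd.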
parent 8cabb118
Tags debian/0.105-32
1 merge request: !12 Update to 124