* [OE-core][PATCH] systemd: Re-enable chvt as non-root user without polkit
@ 2020-11-13 21:11 Joshua Watt
  2020-11-16 14:38 ` [OE-core][PATCH v2] " Joshua Watt
  0 siblings, 1 reply; 5+ messages in thread
From: Joshua Watt @ 2020-11-13 21:11 UTC (permalink / raw)
  To: openembedded-core; +Cc: Joshua Watt

systemd 245 introduced a regression in behavior where they removed
support for non-root users to chvt from a service file. This prevents
running compositors (e.g. weston) as any user other than root. The
intention is for polkit to be used to allow this (and in fact the
default polkit rules that ship with systemd allow this). However, polkit
is a huge dependency to bring in for an embedded system, and isn't
supported by OE-core.

The patch has been proposed upstream to restore the previous behavior of
allowing a non-root user to chvt to unbreak the regression without
requiring polkit.

Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/17494]
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 ...chvt-as-non-root-user-without-polkit.patch | 227 ++++++++++++++++++
 meta/recipes-core/systemd/systemd_246.6.bb    |   1 +
 2 files changed, 228 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch

diff --git a/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
new file mode 100644
index 0000000000..89ef39bc3e
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
@@ -0,0 +1,227 @@
+From 150d9cade6d475570395cb418b824524dead9577 Mon Sep 17 00:00:00 2001
+From: Joshua Watt <JPEWhacker@gmail.com>
+Date: Fri, 30 Oct 2020 08:15:43 -0500
+Subject: [PATCH] logind: Restore chvt as non-root user without polkit
+
+4acf0cfd2f ("logind: check PolicyKit before allowing VT switch") broke
+the ability to write user sessions that run graphical sessions (e.g.
+weston/X11). This was partially amended in 19bb87fbfa ("login: allow
+non-console sessions to change vt") by changing the default PolicyKit
+policy so that non-root users are again allowed to switch the VT. This
+makes the policy when PolKit is not enabled (as on many embedded
+systems) match the default PolKit policy and allows launching graphical
+sessions as a non-root user.
+
+Closes #17473
+---
+ src/login/logind-dbus.c         | 11 ++-------
+ src/login/logind-polkit.c       | 26 +++++++++++++++++++++
+ src/login/logind-polkit.h       | 10 ++++++++
+ src/login/logind-seat-dbus.c    | 41 ++++-----------------------------
+ src/login/logind-session-dbus.c | 11 ++-------
+ src/login/meson.build           |  1 +
+ 6 files changed, 46 insertions(+), 54 deletions(-)
+ create mode 100644 src/login/logind-polkit.c
+ create mode 100644 src/login/logind-polkit.h
+
+diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
+index 0f83ed99bc..a3765d88ba 100644
+--- a/src/login/logind-dbus.c
++++ b/src/login/logind-dbus.c
+@@ -30,6 +30,7 @@
+ #include "format-util.h"
+ #include "fs-util.h"
+ #include "logind-dbus.h"
++#include "logind-polkit.h"
+ #include "logind-seat-dbus.h"
+ #include "logind-session-dbus.h"
+ #include "logind-user-dbus.h"
+@@ -1047,15 +1048,7 @@ static int method_activate_session_on_seat(sd_bus_message *message, void *userda
+                 return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT,
+                                          "Session %s not on seat %s", session_name, seat_name);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &m->polkit_registry,
+-                        error);
++        r = check_polkit_chvt(message, m, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+diff --git a/src/login/logind-polkit.c b/src/login/logind-polkit.c
+new file mode 100644
+index 0000000000..9072570cc6
+--- /dev/null
++++ b/src/login/logind-polkit.c
+@@ -0,0 +1,26 @@
++/* SPDX-License-Identifier: LGPL-2.1+ */
++
++#include "bus-polkit.h"
++#include "logind-polkit.h"
++#include "missing_capability.h"
++#include "user-util.h"
++
++int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error) {
++#if ENABLE_POLKIT
++        return bus_verify_polkit_async(
++                        message,
++                        CAP_SYS_ADMIN,
++                        "org.freedesktop.login1.chvt",
++                        NULL,
++                        false,
++                        UID_INVALID,
++                        &manager->polkit_registry,
++                        error);
++#else
++        /* Allow chvt when polkit is not present. This allows a service to start a graphical session as a
++         * non-root user when polkit is not compiled in, matching the default polkit policy */
++        return 1;
++#endif
++}
++
++
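Review bot: the `#else` branch of `check_polkit_chvt` returns 1 for every caller, so with polkit compiled out any client that can reach logind's D-Bus interface can activate sessions and switch VTs with no check of the sender's uid or capabilities; the `bus_verify_polkit_async` call it replaces at least passed `CAP_SYS_ADMIN`, so privileged and unprivileged callers were still distinguishable. The in-code comment says this "matches the default polkit policy", but the commit message describes that policy as allowing non-root users who own a session, which is narrower than an unconditional allow. Either restrict the non-polkit path to callers that own a session on the seat, or state the widened trust boundary plainly in both the comment and the commit message so integrators can decide whether they accept it. Minor: drop the two trailing blank lines at end of file, and `missing_capability.h` and `user-util.h` are only needed inside the `#if ENABLE_POLKIT` branch.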
+diff --git a/src/login/logind-polkit.h b/src/login/logind-polkit.h
+new file mode 100644
+index 0000000000..476c077a8a
+--- /dev/null
++++ b/src/login/logind-polkit.h
+@@ -0,0 +1,10 @@
++/* SPDX-License-Identifier: LGPL-2.1+ */
++#pragma once
++
++#include "sd-bus.h"
++
++#include "bus-object.h"
++#include "logind.h"
++
++int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error);
++
+diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c
+index a945132284..f22e9e2734 100644
+--- a/src/login/logind-seat-dbus.c
++++ b/src/login/logind-seat-dbus.c
+@@ -9,6 +9,7 @@
+ #include "bus-polkit.h"
+ #include "bus-util.h"
+ #include "logind-dbus.h"
++#include "logind-polkit.h"
+ #include "logind-seat-dbus.h"
+ #include "logind-seat.h"
+ #include "logind-session-dbus.h"
+@@ -179,15 +180,7 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b
+         if (session->seat != s)
+                 return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name, s->id);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
++        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+@@ -215,15 +208,7 @@ static int method_switch_to(sd_bus_message *message, void *userdata, sd_bus_erro
+         if (to <= 0)
+                 return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal");
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
++        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+@@ -243,15 +228,7 @@ static int method_switch_to_next(sd_bus_message *message, void *userdata, sd_bus
+         assert(message);
+         assert(s);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
++        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+@@ -271,15 +248,7 @@ static int method_switch_to_previous(sd_bus_message *message, void *userdata, sd
+         assert(message);
+         assert(s);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
++        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c
+index ccc5ac8df2..57c8a4e900 100644
+--- a/src/login/logind-session-dbus.c
++++ b/src/login/logind-session-dbus.c
+@@ -11,6 +11,7 @@
+ #include "fd-util.h"
+ #include "logind-brightness.h"
+ #include "logind-dbus.h"
++#include "logind-polkit.h"
+ #include "logind-seat-dbus.h"
+ #include "logind-session-dbus.h"
+ #include "logind-session-device.h"
+@@ -192,15 +193,7 @@ int bus_session_method_activate(sd_bus_message *message, void *userdata, sd_bus_
+         assert(message);
+         assert(s);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
++        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+diff --git a/src/login/meson.build b/src/login/meson.build
+index 0a7d3d5440..7e46be2add 100644
+--- a/src/login/meson.build
++++ b/src/login/meson.build
+@@ -26,6 +26,7 @@ liblogind_core_sources = files('''
+         logind-device.h
+         logind-inhibit.c
+         logind-inhibit.h
++        logind-polkit.c
+         logind-seat-dbus.c
+         logind-seat-dbus.h
+         logind-seat.c
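Review bot: `logind-polkit.h` should be listed next to `logind-polkit.c` in `liblogind_core_sources`; every neighbouring entry pairs the `.c` with its `.h` (`logind-inhibit.c`/`logind-inhibit.h`, `logind-seat-dbus.c`/`logind-seat-dbus.h`), and the header is a new file introduced by this very patch.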
+-- 
+2.28.0
+
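Review bot: the embedded patch file's own header (the `+From:`/`+Subject:` block down to `+Closes #17473`) carries no `Upstream-Status:` line. OE-core expects `Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/17494]` inside the `.patch` file itself, not only in the recipe commit message, so that the status survives when the file is copied between layers or bumped with the next systemd version; a `Signed-off-by:` line there would also keep it consistent with the outer commit.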
diff --git a/meta/recipes-core/systemd/systemd_246.6.bb b/meta/recipes-core/systemd/systemd_246.6.bb
index 9215adf8dc..a7004d67c0 100644
--- a/meta/recipes-core/systemd/systemd_246.6.bb
+++ b/meta/recipes-core/systemd/systemd_246.6.bb
@@ -21,6 +21,7 @@ SRC_URI += "file://touchscreen.rules \
            file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
            file://0003-implment-systemd-sysv-install-for-OE.patch \
            file://0001-systemd.pc.in-use-ROOTPREFIX-without-suffixed-slash.patch \
+           file://0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch \
            "
 
 # patches needed by musl
-- 
2.29.2



* [OE-core][PATCH v2] systemd: Re-enable chvt as non-root user without polkit
  2020-11-13 21:11 [OE-core][PATCH] systemd: Re-enable chvt as non-root user without polkit Joshua Watt
@ 2020-11-16 14:38 ` Joshua Watt
  2020-11-18 22:03   ` Joshua Watt
  0 siblings, 1 reply; 5+ messages in thread
From: Joshua Watt @ 2020-11-16 14:38 UTC (permalink / raw)
  To: openembedded-core; +Cc: Joshua Watt

systemd 245 introduced a regression in behavior where they removed
support for non-root users to chvt from a service file. This prevents
running compositors (e.g. weston) as any user other than root. The
intention is for polkit to be used to allow this (and in fact the
default polkit rules that ship with systemd allow this). However, polkit
is a huge dependency to bring in for an embedded system, and isn't
supported by OE-core.

The patch has been proposed upstream to restore the previous behavior of
allowing a non-root user to chvt to unbreak the regression without
requiring polkit.

Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/17494]
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 ...chvt-as-non-root-user-without-polkit.patch | 227 ++++++++++++++++++
 meta/recipes-core/systemd/systemd_246.6.bb    |   1 +
 2 files changed, 228 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch

diff --git a/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
new file mode 100644
index 0000000000..89ef39bc3e
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
@@ -0,0 +1,227 @@
+From 150d9cade6d475570395cb418b824524dead9577 Mon Sep 17 00:00:00 2001
+From: Joshua Watt <JPEWhacker@gmail.com>
+Date: Fri, 30 Oct 2020 08:15:43 -0500
+Subject: [PATCH] logind: Restore chvt as non-root user without polkit
+
+4acf0cfd2f ("logind: check PolicyKit before allowing VT switch") broke
+the ability to write user sessions that run graphical sessions (e.g.
+weston/X11). This was partially amended in 19bb87fbfa ("login: allow
+non-console sessions to change vt") by changing the default PolicyKit
+policy so that non-root users are again allowed to switch the VT. This
+makes the policy when PolKit is not enabled (as on many embedded
+systems) match the default PolKit policy and allows launching graphical
+sessions as a non-root user.
+
+Closes #17473
+---
+ src/login/logind-dbus.c         | 11 ++-------
+ src/login/logind-polkit.c       | 26 +++++++++++++++++++++
+ src/login/logind-polkit.h       | 10 ++++++++
+ src/login/logind-seat-dbus.c    | 41 ++++-----------------------------
+ src/login/logind-session-dbus.c | 11 ++-------
+ src/login/meson.build           |  1 +
+ 6 files changed, 46 insertions(+), 54 deletions(-)
+ create mode 100644 src/login/logind-polkit.c
+ create mode 100644 src/login/logind-polkit.h
+
+diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
+index 0f83ed99bc..a3765d88ba 100644
+--- a/src/login/logind-dbus.c
++++ b/src/login/logind-dbus.c
+@@ -30,6 +30,7 @@
+ #include "format-util.h"
+ #include "fs-util.h"
+ #include "logind-dbus.h"
++#include "logind-polkit.h"
+ #include "logind-seat-dbus.h"
+ #include "logind-session-dbus.h"
+ #include "logind-user-dbus.h"
+@@ -1047,15 +1048,7 @@ static int method_activate_session_on_seat(sd_bus_message *message, void *userda
+                 return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT,
+                                          "Session %s not on seat %s", session_name, seat_name);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &m->polkit_registry,
+-                        error);
++        r = check_polkit_chvt(message, m, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+diff --git a/src/login/logind-polkit.c b/src/login/logind-polkit.c
+new file mode 100644
+index 0000000000..9072570cc6
+--- /dev/null
++++ b/src/login/logind-polkit.c
+@@ -0,0 +1,26 @@
++/* SPDX-License-Identifier: LGPL-2.1+ */
++
++#include "bus-polkit.h"
++#include "logind-polkit.h"
++#include "missing_capability.h"
++#include "user-util.h"
++
++int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error) {
++#if ENABLE_POLKIT
++        return bus_verify_polkit_async(
++                        message,
++                        CAP_SYS_ADMIN,
++                        "org.freedesktop.login1.chvt",
++                        NULL,
++                        false,
++                        UID_INVALID,
++                        &manager->polkit_registry,
++                        error);
++#else
++        /* Allow chvt when polkit is not present. This allows a service to start a graphical session as a
++         * non-root user when polkit is not compiled in, matching the default polkit policy */
++        return 1;
++#endif
++}
++
++
+diff --git a/src/login/logind-polkit.h b/src/login/logind-polkit.h
+new file mode 100644
+index 0000000000..476c077a8a
+--- /dev/null
++++ b/src/login/logind-polkit.h
+@@ -0,0 +1,10 @@
++/* SPDX-License-Identifier: LGPL-2.1+ */
++#pragma once
++
++#include "sd-bus.h"
++
++#include "bus-object.h"
++#include "logind.h"
++
++int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error);
++
+diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c
+index a945132284..f22e9e2734 100644
+--- a/src/login/logind-seat-dbus.c
++++ b/src/login/logind-seat-dbus.c
+@@ -9,6 +9,7 @@
+ #include "bus-polkit.h"
+ #include "bus-util.h"
+ #include "logind-dbus.h"
++#include "logind-polkit.h"
+ #include "logind-seat-dbus.h"
+ #include "logind-seat.h"
+ #include "logind-session-dbus.h"
+@@ -179,15 +180,7 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b
+         if (session->seat != s)
+                 return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name, s->id);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
++        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+@@ -215,15 +208,7 @@ static int method_switch_to(sd_bus_message *message, void *userdata, sd_bus_erro
+         if (to <= 0)
+                 return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal");
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
++        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+@@ -243,15 +228,7 @@ static int method_switch_to_next(sd_bus_message *message, void *userdata, sd_bus
+         assert(message);
+         assert(s);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
++        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+@@ -271,15 +248,7 @@ static int method_switch_to_previous(sd_bus_message *message, void *userdata, sd
+         assert(message);
+         assert(s);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
++        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c
+index ccc5ac8df2..57c8a4e900 100644
+--- a/src/login/logind-session-dbus.c
++++ b/src/login/logind-session-dbus.c
+@@ -11,6 +11,7 @@
+ #include "fd-util.h"
+ #include "logind-brightness.h"
+ #include "logind-dbus.h"
++#include "logind-polkit.h"
+ #include "logind-seat-dbus.h"
+ #include "logind-session-dbus.h"
+ #include "logind-session-device.h"
+@@ -192,15 +193,7 @@ int bus_session_method_activate(sd_bus_message *message, void *userdata, sd_bus_
+         assert(message);
+         assert(s);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
++        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+diff --git a/src/login/meson.build b/src/login/meson.build
+index 0a7d3d5440..7e46be2add 100644
+--- a/src/login/meson.build
++++ b/src/login/meson.build
+@@ -26,6 +26,7 @@ liblogind_core_sources = files('''
+         logind-device.h
+         logind-inhibit.c
+         logind-inhibit.h
++        logind-polkit.c
+         logind-seat-dbus.c
+         logind-seat-dbus.h
+         logind-seat.c
+-- 
+2.28.0
+
diff --git a/meta/recipes-core/systemd/systemd_246.6.bb b/meta/recipes-core/systemd/systemd_246.6.bb
index 1d1ff34d89..d9e7b1a00c 100644
--- a/meta/recipes-core/systemd/systemd_246.6.bb
+++ b/meta/recipes-core/systemd/systemd_246.6.bb
@@ -23,6 +23,7 @@ SRC_URI += "file://touchscreen.rules \
            file://0003-implment-systemd-sysv-install-for-OE.patch \
            file://0001-systemd.pc.in-use-ROOTPREFIX-without-suffixed-slash.patch \
            file://selinux-hook-handling-to-enumerate-nexthop.patch \
+           file://0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch \
            "
 
 # patches needed by musl
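Review bot: the v2 posting has no change log under the `---` separator, so a reviewer has to diff the two submissions to discover that the only difference is the rebase of this hunk (blob `1d1ff34d89..d9e7b1a00c`, context now including `file://selinux-hook-handling-to-enumerate-nexthop.patch`) while the embedded systemd patch is byte-identical (`89ef39bc3e` in both); a one-line `v2: rebase on current master` note below `---` would make that explicit.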
-- 
2.29.2



* Re: [OE-core][PATCH v2] systemd: Re-enable chvt as non-root user without polkit
  2020-11-16 14:38 ` [OE-core][PATCH v2] " Joshua Watt
@ 2020-11-18 22:03   ` Joshua Watt
  2021-02-17 15:59     ` Joshua Watt
  0 siblings, 1 reply; 5+ messages in thread
From: Joshua Watt @ 2020-11-18 22:03 UTC (permalink / raw)
  To: openembedded-core; +Cc: anuj.mittal

On 11/16/20 8:38 AM, Joshua Watt wrote:
> systemd 245 introduced a regression in behavior where they removed
> support for non-root users to chvt from a service file. This prevents
> running compositors (e.g. weston) as any user other than root. The
> intention is for polkit to be used to allow this (and in fact the
> default polkit rules that ship with systemd allow this). However, polkit
> is a huge dependency to bring in for an embedded system, and isn't
> supported by OE-core.
>
> The patch has been proposed upstream to restore the previous behavior of
> allowing a non-root user to chvt to unbreak the regression without
> requiring polkit.

Can this be backported to 3.2, since it affects the systemd version 
there also?

Thanks

>
> Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/17494]
> Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> ---
>   ...chvt-as-non-root-user-without-polkit.patch | 227 ++++++++++++++++++
>   meta/recipes-core/systemd/systemd_246.6.bb    |   1 +
>   2 files changed, 228 insertions(+)
>   create mode 100644 meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
>
> diff --git a/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
> new file mode 100644
> index 0000000000..89ef39bc3e
> --- /dev/null
> +++ b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
> @@ -0,0 +1,227 @@
> +From 150d9cade6d475570395cb418b824524dead9577 Mon Sep 17 00:00:00 2001
> +From: Joshua Watt <JPEWhacker@gmail.com>
> +Date: Fri, 30 Oct 2020 08:15:43 -0500
> +Subject: [PATCH] logind: Restore chvt as non-root user without polkit
> +
> +4acf0cfd2f ("logind: check PolicyKit before allowing VT switch") broke
> +the ability to write user sessions that run graphical sessions (e.g.
> +weston/X11). This was partially amended in 19bb87fbfa ("login: allow
> +non-console sessions to change vt") by changing the default PolicyKit
> +policy so that non-root users are again allowed to switch the VT. This
> +makes the policy when PolKit is not enabled (as on many embedded
> +systems) match the default PolKit policy and allows launching graphical
> +sessions as a non-root user.
> +
> +Closes #17473
> +---
> + src/login/logind-dbus.c         | 11 ++-------
> + src/login/logind-polkit.c       | 26 +++++++++++++++++++++
> + src/login/logind-polkit.h       | 10 ++++++++
> + src/login/logind-seat-dbus.c    | 41 ++++-----------------------------
> + src/login/logind-session-dbus.c | 11 ++-------
> + src/login/meson.build           |  1 +
> + 6 files changed, 46 insertions(+), 54 deletions(-)
> + create mode 100644 src/login/logind-polkit.c
> + create mode 100644 src/login/logind-polkit.h
> +
> +diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
> +index 0f83ed99bc..a3765d88ba 100644
> +--- a/src/login/logind-dbus.c
> ++++ b/src/login/logind-dbus.c
> +@@ -30,6 +30,7 @@
> + #include "format-util.h"
> + #include "fs-util.h"
> + #include "logind-dbus.h"
> ++#include "logind-polkit.h"
> + #include "logind-seat-dbus.h"
> + #include "logind-session-dbus.h"
> + #include "logind-user-dbus.h"
> +@@ -1047,15 +1048,7 @@ static int method_activate_session_on_seat(sd_bus_message *message, void *userda
> +                 return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT,
> +                                          "Session %s not on seat %s", session_name, seat_name);
> +
> +-        r = bus_verify_polkit_async(
> +-                        message,
> +-                        CAP_SYS_ADMIN,
> +-                        "org.freedesktop.login1.chvt",
> +-                        NULL,
> +-                        false,
> +-                        UID_INVALID,
> +-                        &m->polkit_registry,
> +-                        error);
> ++        r = check_polkit_chvt(message, m, error);
> +         if (r < 0)
> +                 return r;
> +         if (r == 0)
> +diff --git a/src/login/logind-polkit.c b/src/login/logind-polkit.c
> +new file mode 100644
> +index 0000000000..9072570cc6
> +--- /dev/null
> ++++ b/src/login/logind-polkit.c
> +@@ -0,0 +1,26 @@
> ++/* SPDX-License-Identifier: LGPL-2.1+ */
> ++
> ++#include "bus-polkit.h"
> ++#include "logind-polkit.h"
> ++#include "missing_capability.h"
> ++#include "user-util.h"
> ++
> ++int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error) {
> ++#if ENABLE_POLKIT
> ++        return bus_verify_polkit_async(
> ++                        message,
> ++                        CAP_SYS_ADMIN,
> ++                        "org.freedesktop.login1.chvt",
> ++                        NULL,
> ++                        false,
> ++                        UID_INVALID,
> ++                        &manager->polkit_registry,
> ++                        error);
> ++#else
> ++        /* Allow chvt when polkit is not present. This allows a service to start a graphical session as a
> ++         * non-root user when polkit is not compiled in, matching the default polkit policy */
> ++        return 1;
> ++#endif
> ++}
> ++
> ++
> +diff --git a/src/login/logind-polkit.h b/src/login/logind-polkit.h
> +new file mode 100644
> +index 0000000000..476c077a8a
> +--- /dev/null
> ++++ b/src/login/logind-polkit.h
> +@@ -0,0 +1,10 @@
> ++/* SPDX-License-Identifier: LGPL-2.1+ */
> ++#pragma once
> ++
> ++#include "sd-bus.h"
> ++
> ++#include "bus-object.h"
> ++#include "logind.h"
> ++
> ++int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error);
> ++
> +diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c
> +index a945132284..f22e9e2734 100644
> +--- a/src/login/logind-seat-dbus.c
> ++++ b/src/login/logind-seat-dbus.c
> +@@ -9,6 +9,7 @@
> + #include "bus-polkit.h"
> + #include "bus-util.h"
> + #include "logind-dbus.h"
> ++#include "logind-polkit.h"
> + #include "logind-seat-dbus.h"
> + #include "logind-seat.h"
> + #include "logind-session-dbus.h"
> +@@ -179,15 +180,7 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b
> +         if (session->seat != s)
> +                 return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name, s->id);
> +
> +-        r = bus_verify_polkit_async(
> +-                        message,
> +-                        CAP_SYS_ADMIN,
> +-                        "org.freedesktop.login1.chvt",
> +-                        NULL,
> +-                        false,
> +-                        UID_INVALID,
> +-                        &s->manager->polkit_registry,
> +-                        error);
> ++        r = check_polkit_chvt(message, s->manager, error);
> +         if (r < 0)
> +                 return r;
> +         if (r == 0)
> +@@ -215,15 +208,7 @@ static int method_switch_to(sd_bus_message *message, void *userdata, sd_bus_erro
> +         if (to <= 0)
> +                 return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal");
> +
> +-        r = bus_verify_polkit_async(
> +-                        message,
> +-                        CAP_SYS_ADMIN,
> +-                        "org.freedesktop.login1.chvt",
> +-                        NULL,
> +-                        false,
> +-                        UID_INVALID,
> +-                        &s->manager->polkit_registry,
> +-                        error);
> ++        r = check_polkit_chvt(message, s->manager, error);
> +         if (r < 0)
> +                 return r;
> +         if (r == 0)
> +@@ -243,15 +228,7 @@ static int method_switch_to_next(sd_bus_message *message, void *userdata, sd_bus
> +         assert(message);
> +         assert(s);
> +
> +-        r = bus_verify_polkit_async(
> +-                        message,
> +-                        CAP_SYS_ADMIN,
> +-                        "org.freedesktop.login1.chvt",
> +-                        NULL,
> +-                        false,
> +-                        UID_INVALID,
> +-                        &s->manager->polkit_registry,
> +-                        error);
> ++        r = check_polkit_chvt(message, s->manager, error);
> +         if (r < 0)
> +                 return r;
> +         if (r == 0)
> +@@ -271,15 +248,7 @@ static int method_switch_to_previous(sd_bus_message *message, void *userdata, sd
> +         assert(message);
> +         assert(s);
> +
> +-        r = bus_verify_polkit_async(
> +-                        message,
> +-                        CAP_SYS_ADMIN,
> +-                        "org.freedesktop.login1.chvt",
> +-                        NULL,
> +-                        false,
> +-                        UID_INVALID,
> +-                        &s->manager->polkit_registry,
> +-                        error);
> ++        r = check_polkit_chvt(message, s->manager, error);
> +         if (r < 0)
> +                 return r;
> +         if (r == 0)
> +diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c
> +index ccc5ac8df2..57c8a4e900 100644
> +--- a/src/login/logind-session-dbus.c
> ++++ b/src/login/logind-session-dbus.c
> +@@ -11,6 +11,7 @@
> + #include "fd-util.h"
> + #include "logind-brightness.h"
> + #include "logind-dbus.h"
> ++#include "logind-polkit.h"
> + #include "logind-seat-dbus.h"
> + #include "logind-session-dbus.h"
> + #include "logind-session-device.h"
> +@@ -192,15 +193,7 @@ int bus_session_method_activate(sd_bus_message *message, void *userdata, sd_bus_
> +         assert(message);
> +         assert(s);
> +
> +-        r = bus_verify_polkit_async(
> +-                        message,
> +-                        CAP_SYS_ADMIN,
> +-                        "org.freedesktop.login1.chvt",
> +-                        NULL,
> +-                        false,
> +-                        UID_INVALID,
> +-                        &s->manager->polkit_registry,
> +-                        error);
> ++        r = check_polkit_chvt(message, s->manager, error);
> +         if (r < 0)
> +                 return r;
> +         if (r == 0)
> +diff --git a/src/login/meson.build b/src/login/meson.build
> +index 0a7d3d5440..7e46be2add 100644
> +--- a/src/login/meson.build
> ++++ b/src/login/meson.build
> +@@ -26,6 +26,7 @@ liblogind_core_sources = files('''
> +         logind-device.h
> +         logind-inhibit.c
> +         logind-inhibit.h
> ++        logind-polkit.c
> +         logind-seat-dbus.c
> +         logind-seat-dbus.h
> +         logind-seat.c
> +--
> +2.28.0
> +
> diff --git a/meta/recipes-core/systemd/systemd_246.6.bb b/meta/recipes-core/systemd/systemd_246.6.bb
> index 1d1ff34d89..d9e7b1a00c 100644
> --- a/meta/recipes-core/systemd/systemd_246.6.bb
> +++ b/meta/recipes-core/systemd/systemd_246.6.bb
> @@ -23,6 +23,7 @@ SRC_URI += "file://touchscreen.rules \
>              file://0003-implment-systemd-sysv-install-for-OE.patch \
>              file://0001-systemd.pc.in-use-ROOTPREFIX-without-suffixed-slash.patch \
>              file://selinux-hook-handling-to-enumerate-nexthop.patch \
> +           file://0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch \
>              "
>   
>   # patches needed by musl

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [OE-core][PATCH v2] systemd: Re-enable chvt as non-root user without polkit
  2020-11-18 22:03   ` Joshua Watt
@ 2021-02-17 15:59     ` Joshua Watt
  2021-02-18  2:48       ` Anuj Mittal
  0 siblings, 1 reply; 5+ messages in thread
From: Joshua Watt @ 2021-02-17 15:59 UTC (permalink / raw)
  To: OE-core; +Cc: Anuj Mittal

On Wed, Nov 18, 2020 at 4:03 PM Joshua Watt <jpewhacker@gmail.com> wrote:
>
> On 11/16/20 8:38 AM, Joshua Watt wrote:
> > systemd 245 introduced a regression in behavior where they removed
> > support for non-root users to chvt from a service file. This prevents
> > running compositors (e.g. weston) as any user other than root. The
> > intention is for polkit to be used to allow this (and in fact the
> > default polkit rules that ship with systemd allow this). However, polkit
> > is a huge dependency to bring in for an embedded system, and isn't
> > supported by OE-core.
> >
> > The patch has been proposed upstream to restore the previous behavior of
> > allowing a non-root user to chvt to unbreak the regression without
> > requiring polkit.
>
> Can this be backported to 3.2, since it affects the systemd version
> there also?

Ping on backporting this to 3.2?

>
> Thanks
>
> >
> > Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/17494]
> > Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> > ---
> >   ...chvt-as-non-root-user-without-polkit.patch | 227 ++++++++++++++++++
> >   meta/recipes-core/systemd/systemd_246.6.bb    |   1 +
> >   2 files changed, 228 insertions(+)
> >   create mode 100644 meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
> >
> > diff --git a/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
> > new file mode 100644
> > index 0000000000..89ef39bc3e
> > --- /dev/null
> > +++ b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
> > @@ -0,0 +1,227 @@
> > +From 150d9cade6d475570395cb418b824524dead9577 Mon Sep 17 00:00:00 2001
> > +From: Joshua Watt <JPEWhacker@gmail.com>
> > +Date: Fri, 30 Oct 2020 08:15:43 -0500
> > +Subject: [PATCH] logind: Restore chvt as non-root user without polkit
> > +
> > +4acf0cfd2f ("logind: check PolicyKit before allowing VT switch") broke
> > +the ability to write user sessions that run graphical sessions (e.g.
> > +weston/X11). This was partially amended in 19bb87fbfa ("login: allow
> > +non-console sessions to change vt") by changing the default PolicyKit
> > +policy so that non-root users are again allowed to switch the VT. This
> > +makes the policy when PolKit is not enabled (as on many embedded
> > +systems) match the default PolKit policy and allows launching graphical
> > +sessions as a non-root user.
> > +
> > +Closes #17473
> > +---
> > + src/login/logind-dbus.c         | 11 ++-------
> > + src/login/logind-polkit.c       | 26 +++++++++++++++++++++
> > + src/login/logind-polkit.h       | 10 ++++++++
> > + src/login/logind-seat-dbus.c    | 41 ++++-----------------------------
> > + src/login/logind-session-dbus.c | 11 ++-------
> > + src/login/meson.build           |  1 +
> > + 6 files changed, 46 insertions(+), 54 deletions(-)
> > + create mode 100644 src/login/logind-polkit.c
> > + create mode 100644 src/login/logind-polkit.h
> > +
> > +diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
> > +index 0f83ed99bc..a3765d88ba 100644
> > +--- a/src/login/logind-dbus.c
> > ++++ b/src/login/logind-dbus.c
> > +@@ -30,6 +30,7 @@
> > + #include "format-util.h"
> > + #include "fs-util.h"
> > + #include "logind-dbus.h"
> > ++#include "logind-polkit.h"
> > + #include "logind-seat-dbus.h"
> > + #include "logind-session-dbus.h"
> > + #include "logind-user-dbus.h"
> > +@@ -1047,15 +1048,7 @@ static int method_activate_session_on_seat(sd_bus_message *message, void *userda
> > +                 return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT,
> > +                                          "Session %s not on seat %s", session_name, seat_name);
> > +
> > +-        r = bus_verify_polkit_async(
> > +-                        message,
> > +-                        CAP_SYS_ADMIN,
> > +-                        "org.freedesktop.login1.chvt",
> > +-                        NULL,
> > +-                        false,
> > +-                        UID_INVALID,
> > +-                        &m->polkit_registry,
> > +-                        error);
> > ++        r = check_polkit_chvt(message, m, error);
> > +         if (r < 0)
> > +                 return r;
> > +         if (r == 0)
> > +diff --git a/src/login/logind-polkit.c b/src/login/logind-polkit.c
> > +new file mode 100644
> > +index 0000000000..9072570cc6
> > +--- /dev/null
> > ++++ b/src/login/logind-polkit.c
> > +@@ -0,0 +1,26 @@
> > ++/* SPDX-License-Identifier: LGPL-2.1+ */
> > ++
> > ++#include "bus-polkit.h"
> > ++#include "logind-polkit.h"
> > ++#include "missing_capability.h"
> > ++#include "user-util.h"
> > ++
> > ++int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error) {
> > ++#if ENABLE_POLKIT
> > ++        return bus_verify_polkit_async(
> > ++                        message,
> > ++                        CAP_SYS_ADMIN,
> > ++                        "org.freedesktop.login1.chvt",
> > ++                        NULL,
> > ++                        false,
> > ++                        UID_INVALID,
> > ++                        &manager->polkit_registry,
> > ++                        error);
> > ++#else
> > ++        /* Allow chvt when polkit is not present. This allows a service to start a graphical session as a
> > ++         * non-root user when polkit is not compiled in, matching the default polkit policy */
> > ++        return 1;
> > ++#endif
> > ++}
> > ++
> > ++
> > +diff --git a/src/login/logind-polkit.h b/src/login/logind-polkit.h
> > +new file mode 100644
> > +index 0000000000..476c077a8a
> > +--- /dev/null
> > ++++ b/src/login/logind-polkit.h
> > +@@ -0,0 +1,10 @@
> > ++/* SPDX-License-Identifier: LGPL-2.1+ */
> > ++#pragma once
> > ++
> > ++#include "sd-bus.h"
> > ++
> > ++#include "bus-object.h"
> > ++#include "logind.h"
> > ++
> > ++int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error);
> > ++
> > +diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c
> > +index a945132284..f22e9e2734 100644
> > +--- a/src/login/logind-seat-dbus.c
> > ++++ b/src/login/logind-seat-dbus.c
> > +@@ -9,6 +9,7 @@
> > + #include "bus-polkit.h"
> > + #include "bus-util.h"
> > + #include "logind-dbus.h"
> > ++#include "logind-polkit.h"
> > + #include "logind-seat-dbus.h"
> > + #include "logind-seat.h"
> > + #include "logind-session-dbus.h"
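Review bot: this file keeps `#include "bus-polkit.h"` just above the new `#include "logind-polkit.h"`, yet every bus_verify_polkit_async call in it is replaced by check_polkit_chvt in the hunks below; if nothing else in logind-seat-dbus.c still uses bus-polkit.h, drop the include rather than leave it dangling.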
> > +@@ -179,15 +180,7 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b
> > +         if (session->seat != s)
> > +                 return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name, s->id);
> > +
> > +-        r = bus_verify_polkit_async(
> > +-                        message,
> > +-                        CAP_SYS_ADMIN,
> > +-                        "org.freedesktop.login1.chvt",
> > +-                        NULL,
> > +-                        false,
> > +-                        UID_INVALID,
> > +-                        &s->manager->polkit_registry,
> > +-                        error);
> > ++        r = check_polkit_chvt(message, s->manager, error);
> > +         if (r < 0)
> > +                 return r;
> > +         if (r == 0)
> > +@@ -215,15 +208,7 @@ static int method_switch_to(sd_bus_message *message, void *userdata, sd_bus_erro
> > +         if (to <= 0)
> > +                 return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal");
> > +
> > +-        r = bus_verify_polkit_async(
> > +-                        message,
> > +-                        CAP_SYS_ADMIN,
> > +-                        "org.freedesktop.login1.chvt",
> > +-                        NULL,
> > +-                        false,
> > +-                        UID_INVALID,
> > +-                        &s->manager->polkit_registry,
> > +-                        error);
> > ++        r = check_polkit_chvt(message, s->manager, error);
> > +         if (r < 0)
> > +                 return r;
> > +         if (r == 0)
> > +@@ -243,15 +228,7 @@ static int method_switch_to_next(sd_bus_message *message, void *userdata, sd_bus
> > +         assert(message);
> > +         assert(s);
> > +
> > +-        r = bus_verify_polkit_async(
> > +-                        message,
> > +-                        CAP_SYS_ADMIN,
> > +-                        "org.freedesktop.login1.chvt",
> > +-                        NULL,
> > +-                        false,
> > +-                        UID_INVALID,
> > +-                        &s->manager->polkit_registry,
> > +-                        error);
> > ++        r = check_polkit_chvt(message, s->manager, error);
> > +         if (r < 0)
> > +                 return r;
> > +         if (r == 0)
> > +@@ -271,15 +248,7 @@ static int method_switch_to_previous(sd_bus_message *message, void *userdata, sd
> > +         assert(message);
> > +         assert(s);
> > +
> > +-        r = bus_verify_polkit_async(
> > +-                        message,
> > +-                        CAP_SYS_ADMIN,
> > +-                        "org.freedesktop.login1.chvt",
> > +-                        NULL,
> > +-                        false,
> > +-                        UID_INVALID,
> > +-                        &s->manager->polkit_registry,
> > +-                        error);
> > ++        r = check_polkit_chvt(message, s->manager, error);
> > +         if (r < 0)
> > +                 return r;
> > +         if (r == 0)
> > +diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c
> > +index ccc5ac8df2..57c8a4e900 100644
> > +--- a/src/login/logind-session-dbus.c
> > ++++ b/src/login/logind-session-dbus.c
> > +@@ -11,6 +11,7 @@
> > + #include "fd-util.h"
> > + #include "logind-brightness.h"
> > + #include "logind-dbus.h"
> > ++#include "logind-polkit.h"
> > + #include "logind-seat-dbus.h"
> > + #include "logind-session-dbus.h"
> > + #include "logind-session-device.h"
> > +@@ -192,15 +193,7 @@ int bus_session_method_activate(sd_bus_message *message, void *userdata, sd_bus_
> > +         assert(message);
> > +         assert(s);
> > +
> > +-        r = bus_verify_polkit_async(
> > +-                        message,
> > +-                        CAP_SYS_ADMIN,
> > +-                        "org.freedesktop.login1.chvt",
> > +-                        NULL,
> > +-                        false,
> > +-                        UID_INVALID,
> > +-                        &s->manager->polkit_registry,
> > +-                        error);
> > ++        r = check_polkit_chvt(message, s->manager, error);
> > +         if (r < 0)
> > +                 return r;
> > +         if (r == 0)
> > +diff --git a/src/login/meson.build b/src/login/meson.build
> > +index 0a7d3d5440..7e46be2add 100644
> > +--- a/src/login/meson.build
> > ++++ b/src/login/meson.build
> > +@@ -26,6 +26,7 @@ liblogind_core_sources = files('''
> > +         logind-device.h
> > +         logind-inhibit.c
> > +         logind-inhibit.h
> > ++        logind-polkit.c
> > +         logind-seat-dbus.c
> > +         logind-seat-dbus.h
> > +         logind-seat.c
> > +--
> > +2.28.0
> > +
> > diff --git a/meta/recipes-core/systemd/systemd_246.6.bb b/meta/recipes-core/systemd/systemd_246.6.bb
> > index 1d1ff34d89..d9e7b1a00c 100644
> > --- a/meta/recipes-core/systemd/systemd_246.6.bb
> > +++ b/meta/recipes-core/systemd/systemd_246.6.bb
> > @@ -23,6 +23,7 @@ SRC_URI += "file://touchscreen.rules \
> >              file://0003-implment-systemd-sysv-install-for-OE.patch \
> >              file://0001-systemd.pc.in-use-ROOTPREFIX-without-suffixed-slash.patch \
> >              file://selinux-hook-handling-to-enumerate-nexthop.patch \
> > +           file://0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch \
> >              "
> >
> >   # patches needed by musl


* Re: [OE-core][PATCH v2] systemd: Re-enable chvt as non-root user without polkit
  2021-02-17 15:59     ` Joshua Watt
@ 2021-02-18  2:48       ` Anuj Mittal
  0 siblings, 0 replies; 5+ messages in thread
From: Anuj Mittal @ 2021-02-18  2:48 UTC (permalink / raw)
  To: openembedded-core, jpewhacker

On Wed, 2021-02-17 at 09:59 -0600, Joshua Watt wrote:
> On Wed, Nov 18, 2020 at 4:03 PM Joshua Watt <jpewhacker@gmail.com> wrote:
> > 
> > On 11/16/20 8:38 AM, Joshua Watt wrote:
> > > systemd 245 introduced a regression in behavior where they removed
> > > support for non-root users to chvt from a service file. This prevents
> > > running compositors (e.g. weston) as any user other than root. The
> > > intention is for polkit to be used to allow this (and in fact the
> > > default polkit rules that ship with systemd allow this). However, polkit
> > > is a huge dependency to bring in for an embedded system, and isn't
> > > supported by OE-core.
> > > 
> > > The patch has been proposed upstream to restore the previous behavior of
> > > allowing a non-root user to chvt to unbreak the regression without
> > > requiring polkit.
> > 
> > Can this be backported to 3.2, since it affects the systemd version
> > there also?
> 
> Ping on backporting this to 3.2?

I have picked this now for next pull request.

Thanks,

Anuj

> 
> > 
> > Thanks
> > 
> > > 
> > > Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/17494]
> > > Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> > > ---
> > >   ...chvt-as-non-root-user-without-polkit.patch | 227 ++++++++++++++++++
> > >   meta/recipes-core/systemd/systemd_246.6.bb    |   1 +
> > >   2 files changed, 228 insertions(+)
> > >   create mode 100644 meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
> > > 
> > > diff --git a/meta/recipes-core/systemd/systemd/0001-logind-
> > > Restore-chvt-as-non-root-user-without-polkit.patch
> > > b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-
> > > non-root-user-without-polkit.patch
> > > new file mode 100644
> > > index 0000000000..89ef39bc3e
> > > --- /dev/null
> > > +++ b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-
> > > as-non-root-user-without-polkit.patch
> > > @@ -0,0 +1,227 @@
> > > +From 150d9cade6d475570395cb418b824524dead9577 Mon Sep 17
> > > 00:00:00 2001
> > > +From: Joshua Watt <JPEWhacker@gmail.com>
> > > +Date: Fri, 30 Oct 2020 08:15:43 -0500
> > > +Subject: [PATCH] logind: Restore chvt as non-root user without
> > > polkit
> > > +
> > > +4acf0cfd2f ("logind: check PolicyKit before allowing VT switch")
> > > broke
> > > +the ability to write user sessions that run graphical sessions
> > > (e.g.
> > > +weston/X11). This was partially amended in 19bb87fbfa ("login:
> > > allow
> > > +non-console sessions to change vt") by changing the default
> > > PolicyKit
> > > +policy so that non-root users are again allowed to switch the
> > > VT. This
> > > +makes the policy when PolKit is not enabled (as on many embedded
> > > +systems) match the default PolKit policy and allows launching
> > > graphical
> > > +sessions as a non-root user.
> > > +
> > > +Closes #17473
> > > +---
> > > + src/login/logind-dbus.c         | 11 ++-------
> > > + src/login/logind-polkit.c       | 26 +++++++++++++++++++++
> > > + src/login/logind-polkit.h       | 10 ++++++++
> > > + src/login/logind-seat-dbus.c    | 41 ++++----------------------
> > > -------
> > > + src/login/logind-session-dbus.c | 11 ++-------
> > > + src/login/meson.build           |  1 +
> > > + 6 files changed, 46 insertions(+), 54 deletions(-)
> > > + create mode 100644 src/login/logind-polkit.c
> > > + create mode 100644 src/login/logind-polkit.h
> > > +
> > > +diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
> > > +index 0f83ed99bc..a3765d88ba 100644
> > > +--- a/src/login/logind-dbus.c
> > > ++++ b/src/login/logind-dbus.c
> > > +@@ -30,6 +30,7 @@
> > > + #include "format-util.h"
> > > + #include "fs-util.h"
> > > + #include "logind-dbus.h"
> > > ++#include "logind-polkit.h"
> > > + #include "logind-seat-dbus.h"
> > > + #include "logind-session-dbus.h"
> > > + #include "logind-user-dbus.h"
> > > +@@ -1047,15 +1048,7 @@ static int
> > > method_activate_session_on_seat(sd_bus_message *message, void
> > > *userda
> > > +                 return sd_bus_error_setf(error,
> > > BUS_ERROR_SESSION_NOT_ON_SEAT,
> > > +                                          "Session %s not on
> > > seat %s", session_name, seat_name);
> > > +
> > > +-        r = bus_verify_polkit_async(
> > > +-                        message,
> > > +-                        CAP_SYS_ADMIN,
> > > +-                        "org.freedesktop.login1.chvt",
> > > +-                        NULL,
> > > +-                        false,
> > > +-                        UID_INVALID,
> > > +-                        &m->polkit_registry,
> > > +-                        error);
> > > ++        r = check_polkit_chvt(message, m, error);
> > > +         if (r < 0)
> > > +                 return r;
> > > +         if (r == 0)
> > > +diff --git a/src/login/logind-polkit.c b/src/login/logind-
> > > polkit.c
> > > +new file mode 100644
> > > +index 0000000000..9072570cc6
> > > +--- /dev/null
> > > ++++ b/src/login/logind-polkit.c
> > > +@@ -0,0 +1,26 @@
> > > ++/* SPDX-License-Identifier: LGPL-2.1+ */
> > > ++
> > > ++#include "bus-polkit.h"
> > > ++#include "logind-polkit.h"
> > > ++#include "missing_capability.h"
> > > ++#include "user-util.h"
> > > ++
> > > ++int check_polkit_chvt(sd_bus_message *message, Manager
> > > *manager, sd_bus_error *error) {
> > > ++#if ENABLE_POLKIT
> > > ++        return bus_verify_polkit_async(
> > > ++                        message,
> > > ++                        CAP_SYS_ADMIN,
> > > ++                        "org.freedesktop.login1.chvt",
> > > ++                        NULL,
> > > ++                        false,
> > > ++                        UID_INVALID,
> > > ++                        &manager->polkit_registry,
> > > ++                        error);
> > > ++#else
> > > ++        /* Allow chvt when polkit is not present. This allows a
> > > service to start a graphical session as a
> > > ++         * non-root user when polkit is not compiled in,
> > > matching the default polkit policy */
> > > ++        return 1;
> > > ++#endif
> > > ++}
> > > ++
> > > ++
> > > +diff --git a/src/login/logind-polkit.h b/src/login/logind-
> > > polkit.h
> > > +new file mode 100644
> > > +index 0000000000..476c077a8a
> > > +--- /dev/null
> > > ++++ b/src/login/logind-polkit.h
> > > +@@ -0,0 +1,10 @@
> > > ++/* SPDX-License-Identifier: LGPL-2.1+ */
> > > ++#pragma once
> > > ++
> > > ++#include "sd-bus.h"
> > > ++
> > > ++#include "bus-object.h"
> > > ++#include "logind.h"
> > > ++
> > > ++int check_polkit_chvt(sd_bus_message *message, Manager
> > > *manager, sd_bus_error *error);
> > > ++
> > > +diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-
> > > seat-dbus.c
> > > +index a945132284..f22e9e2734 100644
> > > +--- a/src/login/logind-seat-dbus.c
> > > ++++ b/src/login/logind-seat-dbus.c
> > > +@@ -9,6 +9,7 @@
> > > + #include "bus-polkit.h"
> > > + #include "bus-util.h"
> > > + #include "logind-dbus.h"
> > > ++#include "logind-polkit.h"
> > > + #include "logind-seat-dbus.h"
> > > + #include "logind-seat.h"
> > > + #include "logind-session-dbus.h"
> > > +@@ -179,15 +180,7 @@ static int
> > > method_activate_session(sd_bus_message *message, void *userdata,
> > > sd_b
> > > +         if (session->seat != s)
> > > +                 return sd_bus_error_setf(error,
> > > BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name,
> > > s->id);
> > > +
> > > +-        r = bus_verify_polkit_async(
> > > +-                        message,
> > > +-                        CAP_SYS_ADMIN,
> > > +-                        "org.freedesktop.login1.chvt",
> > > +-                        NULL,
> > > +-                        false,
> > > +-                        UID_INVALID,
> > > +-                        &s->manager->polkit_registry,
> > > +-                        error);
> > > ++        r = check_polkit_chvt(message, s->manager, error);
> > > +         if (r < 0)
> > > +                 return r;
> > > +         if (r == 0)
> > > +@@ -215,15 +208,7 @@ static int method_switch_to(sd_bus_message
> > > *message, void *userdata, sd_bus_erro
> > > +         if (to <= 0)
> > > +                 return sd_bus_error_setf(error,
> > > SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal");
> > > +
> > > +-        r = bus_verify_polkit_async(
> > > +-                        message,
> > > +-                        CAP_SYS_ADMIN,
> > > +-                        "org.freedesktop.login1.chvt",
> > > +-                        NULL,
> > > +-                        false,
> > > +-                        UID_INVALID,
> > > +-                        &s->manager->polkit_registry,
> > > +-                        error);
> > > ++        r = check_polkit_chvt(message, s->manager, error);
> > > +         if (r < 0)
> > > +                 return r;
> > > +         if (r == 0)
> > > +@@ -243,15 +228,7 @@ static int
> > > method_switch_to_next(sd_bus_message *message, void *userdata,
> > > sd_bus
> > > +         assert(message);
> > > +         assert(s);
> > > +
> > > +-        r = bus_verify_polkit_async(
> > > +-                        message,
> > > +-                        CAP_SYS_ADMIN,
> > > +-                        "org.freedesktop.login1.chvt",
> > > +-                        NULL,
> > > +-                        false,
> > > +-                        UID_INVALID,
> > > +-                        &s->manager->polkit_registry,
> > > +-                        error);
> > > ++        r = check_polkit_chvt(message, s->manager, error);
> > > +         if (r < 0)
> > > +                 return r;
> > > +         if (r == 0)
> > > +@@ -271,15 +248,7 @@ static int
> > > method_switch_to_previous(sd_bus_message *message, void
> > > *userdata, sd
> > > +         assert(message);
> > > +         assert(s);
> > > +
> > > +-        r = bus_verify_polkit_async(
> > > +-                        message,
> > > +-                        CAP_SYS_ADMIN,
> > > +-                        "org.freedesktop.login1.chvt",
> > > +-                        NULL,
> > > +-                        false,
> > > +-                        UID_INVALID,
> > > +-                        &s->manager->polkit_registry,
> > > +-                        error);
> > > ++        r = check_polkit_chvt(message, s->manager, error);
> > > +         if (r < 0)
> > > +                 return r;
> > > +         if (r == 0)
> > > +diff --git a/src/login/logind-session-dbus.c b/src/login/logind-
> > > session-dbus.c
> > > +index ccc5ac8df2..57c8a4e900 100644
> > > +--- a/src/login/logind-session-dbus.c
> > > ++++ b/src/login/logind-session-dbus.c
> > > +@@ -11,6 +11,7 @@
> > > + #include "fd-util.h"
> > > + #include "logind-brightness.h"
> > > + #include "logind-dbus.h"
> > > ++#include "logind-polkit.h"
> > > + #include "logind-seat-dbus.h"
> > > + #include "logind-session-dbus.h"
> > > + #include "logind-session-device.h"
> > > +@@ -192,15 +193,7 @@ int
> > > bus_session_method_activate(sd_bus_message *message, void
> > > *userdata, sd_bus_
> > > +         assert(message);
> > > +         assert(s);
> > > +
> > > +-        r = bus_verify_polkit_async(
> > > +-                        message,
> > > +-                        CAP_SYS_ADMIN,
> > > +-                        "org.freedesktop.login1.chvt",
> > > +-                        NULL,
> > > +-                        false,
> > > +-                        UID_INVALID,
> > > +-                        &s->manager->polkit_registry,
> > > +-                        error);
> > > ++        r = check_polkit_chvt(message, s->manager, error);
> > > +         if (r < 0)
> > > +                 return r;
> > > +         if (r == 0)
> > > +diff --git a/src/login/meson.build b/src/login/meson.build
> > > +index 0a7d3d5440..7e46be2add 100644
> > > +--- a/src/login/meson.build
> > > ++++ b/src/login/meson.build
> > > +@@ -26,6 +26,7 @@ liblogind_core_sources = files('''
> > > +         logind-device.h
> > > +         logind-inhibit.c
> > > +         logind-inhibit.h
> > > ++        logind-polkit.c
> > > +         logind-seat-dbus.c
> > > +         logind-seat-dbus.h
> > > +         logind-seat.c
> > > +--
> > > +2.28.0
> > > +
> > > diff --git a/meta/recipes-core/systemd/systemd_246.6.bb
> > > b/meta/recipes-core/systemd/systemd_246.6.bb
> > > index 1d1ff34d89..d9e7b1a00c 100644
> > > --- a/meta/recipes-core/systemd/systemd_246.6.bb
> > > +++ b/meta/recipes-core/systemd/systemd_246.6.bb
> > > @@ -23,6 +23,7 @@ SRC_URI += "file://touchscreen.rules \
> > >              
> > > file://0003-implment-systemd-sysv-install-for-OE.patch \
> > >              
> > > file://0001-systemd.pc.in-use-ROOTPREFIX-without-suffixed-slash.patch
> > >  \
> > >              
> > > file://selinux-hook-handling-to-enumerate-nexthop.patch \
> > > +           
> > > file://0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
> > >  \
> > >              "
> > > 
> > >   # patches needed by musl



end of thread, other threads:[~2021-02-18  2:48 UTC | newest]

Thread overview: 5+ messages
2020-11-13 21:11 [OE-core][PATCH] systemd: Re-enable chvt as non-root user without polkit Joshua Watt
2020-11-16 14:38 ` [OE-core][PATCH v2] " Joshua Watt
2020-11-18 22:03   ` Joshua Watt
2021-02-17 15:59     ` Joshua Watt
2021-02-18  2:48       ` Anuj Mittal
