From e833c740cb2b124e451b028637148bc829c3c650 Mon Sep 17 00:00:00 2001 From: David Zeuthen Date: Wed, 25 Jul 2007 17:47:45 -0400 Subject: [PATCH] require that policy files also provide a element Declaring an action now requires two textual elements (that both are subject to translation): description: This is intended to be used in policy editors, for example "Mount internal volumes". message: This is to be used in auth dialogs, for example "System Policy prevents mounting this internal volume". This is actually needed for security reasons. The idea is that the desktop environment can provide infrastructure that Callers (e.g. applications) can use to ask the user to authenticate to gain a privilege. One such example is PolicyKit-gnome; it's a D-Bus session based service that applications can use to ask the user to auth. Before this change the caller provided the markup, e.g. gnome-mount would do action = "hal-storage-mount-fixed"; markup = _("System policy prevents mounting internal drives"); result = org.gnome.PolicyKit.ShowDialog (action, markup); and the problem here is that any application in the session can spoof the dialog by providing false information and getting to use to click through on that. With this change, where the org.gnome.PolicyKit auth service reads the message from a system-controlled file, this can't happen. What the user sees really reflects the action he's asking to consider allowing to happen. Especially with things like XACE (previously known as SEX) this is important as we can make the process providing the D-Bus service org.gnome.PolicyKit run in a dedicated security context, audit it to make sure it's secure. Then have the window manager paint trust window decorations or other things to make the user feel fuzzy, warm and safe. Btw, with this change the PolicyKit-gnome API will be simplified to action = "hal-storage-mount-fixed"; result = org.gnome.PolicyKit.ShowDialog (action); which is just about as simple as it can get. Credit goes to Ryan Lortie for pointing this out on #gnome-hackers earlier this morning. --- polkit/polkit-policy-file-entry.c | 36 +++++++++++++++++++++++++++++++++--- polkit/polkit-policy-file-entry.h | 1 + polkit/polkit-policy-file.c | 36 ++++++++++++++++++++++++++++++++---- 3 files changed, 66 insertions(+), 7 deletions(-) diff --git a/polkit/polkit-policy-file-entry.c b/polkit/polkit-policy-file-entry.c index 988b9c2..1e10f96 100644 --- a/polkit/polkit-policy-file-entry.c +++ b/polkit/polkit-policy-file-entry.c @@ -64,11 +64,13 @@ struct PolKitPolicyFileEntry char *group_description; char *policy_description; + char *policy_message; }; extern void _polkit_policy_file_entry_set_descriptions (PolKitPolicyFileEntry *pfe, const char *group_description, - const char *policy_description); + const char *policy_description, + const char *policy_message); extern PolKitPolicyDefault *_polkit_policy_default_new (PolKitResult defaults_allow_inactive, @@ -107,11 +109,13 @@ error: void _polkit_policy_file_entry_set_descriptions (PolKitPolicyFileEntry *policy_file_entry, const char *group_description, - const char *policy_description) + const char *policy_description, + const char *policy_message) { g_return_if_fail (policy_file_entry != NULL); policy_file_entry->group_description = g_strdup (group_description); policy_file_entry->policy_description = g_strdup (policy_description); + policy_file_entry->policy_message = g_strdup (policy_message); } /** @@ -137,7 +141,10 @@ polkit_policy_file_get_group_description (PolKitPolicyFileEntry *policy_file_ent * polkit_policy_file_get_action_description: * @policy_file_entry: the object * - * Get the description of the action that this policy entry describes. + * Get the description of the action that this policy entry describes. This + * is intended to be used in policy editors, for example "Mount internal + * volumes". Contrast with polkit_policy_file_get_action_message(). The + * textual string will be returned in the current locale. * * Note, if polkit_context_set_load_descriptions() on the * #PolKitContext object used to get this object wasn't called, this @@ -153,6 +160,29 @@ polkit_policy_file_get_action_description (PolKitPolicyFileEntry *policy_file_en } /** + * polkit_policy_file_get_action_message: + * @policy_file_entry: the object + * + * Get the message describing the action that this policy entry + * describes. This is to be used in dialogs, for example "System + * Policy prevents mounting this volume". Contrast with + * polkit_policy_file_get_action_description(). The textual string + * will be returned in the current locale. + * + * Note, if polkit_context_set_load_descriptions() on the + * #PolKitContext object used to get this object wasn't called, this + * method will return #NULL. + * + * Returns: string or #NULL if descriptions are not loaded - caller shall not free this string + **/ +const char * +polkit_policy_file_get_action_message (PolKitPolicyFileEntry *policy_file_entry) +{ + g_return_val_if_fail (policy_file_entry != NULL, NULL); + return policy_file_entry->policy_message; +} + +/** * polkit_policy_file_entry_ref: * @policy_file_entry: the policy file object * diff --git a/polkit/polkit-policy-file-entry.h b/polkit/polkit-policy-file-entry.h index 70be923..0956507 100644 --- a/polkit/polkit-policy-file-entry.h +++ b/polkit/polkit-policy-file-entry.h @@ -46,6 +46,7 @@ PolKitPolicyDefault *polkit_policy_file_entry_get_default (PolKitPolicyFileEn const char *polkit_policy_file_get_group_description (PolKitPolicyFileEntry *policy_file_entry); const char *polkit_policy_file_get_action_description (PolKitPolicyFileEntry *policy_file_entry); +const char *polkit_policy_file_get_action_message (PolKitPolicyFileEntry *policy_file_entry); #endif /* POLKIT_POLICY_FILE_ENTRY_H */ diff --git a/polkit/polkit-policy-file.c b/polkit/polkit-policy-file.c index 7e67a15..1efdbee 100644 --- a/polkit/polkit-policy-file.c +++ b/polkit/polkit-policy-file.c @@ -76,6 +76,7 @@ enum { STATE_IN_GROUP_DESCRIPTION, STATE_IN_POLICY, STATE_IN_POLICY_DESCRIPTION, + STATE_IN_POLICY_MESSAGE, STATE_IN_DEFAULTS, STATE_IN_DEFAULTS_ALLOW_INACTIVE, STATE_IN_DEFAULTS_ALLOW_ACTIVE @@ -96,6 +97,7 @@ typedef struct { char *group_description; char *policy_description; + char *policy_message; } ParserData; static void @@ -137,6 +139,7 @@ _start (void *data, const char *el, const char **attr) state = STATE_IN_POLICY; pd->policy_description = NULL; + pd->policy_message = NULL; /* initialize defaults */ pd->defaults_allow_inactive = POLKIT_RESULT_NO; @@ -152,9 +155,13 @@ _start (void *data, const char *el, const char **attr) state = STATE_IN_DEFAULTS; else if (strcmp (el, "description") == 0) state = STATE_IN_POLICY_DESCRIPTION; + else if (strcmp (el, "message") == 0) + state = STATE_IN_POLICY_MESSAGE; break; case STATE_IN_POLICY_DESCRIPTION: break; + case STATE_IN_POLICY_MESSAGE: + break; case STATE_IN_DEFAULTS: if (strcmp (el, "allow_inactive") == 0) state = STATE_IN_DEFAULTS_ALLOW_INACTIVE; @@ -189,13 +196,27 @@ _cdata (void *data, const char *s, int len) switch (pd->state) { case STATE_IN_GROUP_DESCRIPTION: - if (pd->load_descriptions) + if (pd->load_descriptions) { + if (pd->group_description != NULL) + g_free (pd->group_description); pd->group_description = g_strdup (str); + } break; case STATE_IN_POLICY_DESCRIPTION: - if (pd->load_descriptions) + if (pd->load_descriptions) { + if (pd->policy_description != NULL) + g_free (pd->policy_description); pd->policy_description = g_strdup (str); + } + break; + + case STATE_IN_POLICY_MESSAGE: + if (pd->load_descriptions) { + if (pd->policy_message != NULL) + g_free (pd->policy_message); + pd->policy_message = g_strdup (str); + } break; case STATE_IN_DEFAULTS_ALLOW_INACTIVE: @@ -219,7 +240,8 @@ error: extern void _polkit_policy_file_entry_set_descriptions (PolKitPolicyFileEntry *pfe, const char *group_description, - const char *policy_description); + const char *policy_description, + const char *policy_message); static void _end (void *data, const char *el) @@ -254,7 +276,8 @@ _end (void *data, const char *el) if (pd->load_descriptions) _polkit_policy_file_entry_set_descriptions (pfe, pd->group_description, - pd->policy_description); + pd->policy_description, + pd->policy_message); pd->pf->entries = g_slist_prepend (pd->pf->entries, pfe); @@ -264,6 +287,9 @@ _end (void *data, const char *el) case STATE_IN_POLICY_DESCRIPTION: state = STATE_IN_POLICY; break; + case STATE_IN_POLICY_MESSAGE: + state = STATE_IN_POLICY; + break; case STATE_IN_DEFAULTS: state = STATE_IN_POLICY; break; @@ -345,6 +371,7 @@ polkit_policy_file_new (const char *path, polkit_bool_t load_descriptions, PolKi pd.action_id = NULL; pd.group_description = NULL; pd.policy_description = NULL; + pd.policy_message = NULL; pd.pf = pf; pd.load_descriptions = load_descriptions; @@ -354,6 +381,7 @@ polkit_policy_file_new (const char *path, polkit_bool_t load_descriptions, PolKi g_free (pd.action_id); g_free (pd.group_description); g_free (pd.policy_description); + g_free (pd.policy_message); if (xml_res == 0) { polkit_error_set_error (error, POLKIT_ERROR_POLICY_FILE_INVALID, -- 2.7.4