libhal-policy -> PolicyKit
david at fubar.dk
Thu Mar 9 13:39:22 PST 2006
On Thu, 2006-03-09 at 13:28 -0800, Artem Kachitchkine wrote:
> > particular it puts the (policy, uid, pid) tuple in a list
> > called temporary_policy_overrides. Should the end-point suddenly
> > disconnect we catch this and delete the tuple from the list
> > temporary_policy_overrides.
> > 7. If successful, gnome-mount does Mount() again on HAL. This flows
> > through HAL and eventually hal-storage-mount is invoked. This binary
> > uses libpolkit in particular libpolkit_is_uid_allowed_for_policy()
> > to check whether the given $HAL_METHOD_INVOKED_BY_UID and
> > $HAL_METHOD_INVOKED_BY_PID (we will start exporting this soon in
> > HAL :-) is privileged.
> PolicyKit daemon will also have to protect against a race when process
> PID gets a temporary policy, suddenly disconnects, the PID gets reused
> by another process, which tries to gain access to the same policy before
> the policy backing store (local file or a distributed database) deletes
> the temporary_policy_override entry from the previous process.
I thought about this and I think we are safe:
1. The PolicyKit daemon will be single threaded and process requests
2. temporary_policy_override will just be an in-memory object - the
backing store will _not_ be modified for this; and
3. The Disconnected signal from the message bus for pid X
is guaranteed to arrive before a new call to the PolicyKit service
checking for the stuff in temporary_policy_override is done by
another pid X.
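
A minimal model of the ordering argument in this thread, added here as an illustration; it is not part of the original message and not PolicyKit code. It keeps temporary_policy_overrides in memory, handles events one at a time, and shows that a reused pid with the same uid matches the stored tuple exactly, so the decision depends only on whether Disconnected is handled before the check. The event names, the policy string and the uid/pid values are constructed for the example.

```c
/* Added illustration, not PolicyKit code; names other than temporary_policy_overrides are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
enum ev_type { EV_GRANT, EV_DISCONNECTED, EV_CHECK };
struct event { enum ev_type type; const char *policy; unsigned uid; int pid; };
struct override { const char *policy; unsigned uid; int pid; bool live; };
#define MAX_OVERRIDES 8
static struct override temporary_policy_overrides[MAX_OVERRIDES];
/* Handle one event; returns the access decision for EV_CHECK, false otherwise. */
static bool handle(const struct event *e) {
    for (size_t i = 0; i < MAX_OVERRIDES; i++) {
        struct override *o = &temporary_policy_overrides[i];
        if (e->type == EV_GRANT && !o->live) {        /* store tuple in first free slot */
            *o = (struct override){ e->policy, e->uid, e->pid, true };
            return false;
        }
        if (e->type == EV_DISCONNECTED && o->pid == e->pid) o->live = false; /* end-point gone */
        if (e->type == EV_CHECK && o->live && o->pid == e->pid && o->uid == e->uid
            && strcmp(o->policy, e->policy) == 0)
            return true;                              /* all three fields match */
    }
    return false;
}

/* Single-threaded loop: strict arrival order. Returns the last EV_CHECK decision. */
static bool run_events(const struct event *ev, size_t n) {
    bool decision = false;
    memset(temporary_policy_overrides, 0, sizeof temporary_policy_overrides);
    for (size_t i = 0; i < n; i++) {
        bool r = handle(&ev[i]);
        if (ev[i].type == EV_CHECK) decision = r;
    }
    return decision;
}

/* Constructed sample: pid 4242 gets an override, exits, and the pid is reused. */
static bool reused_pid_allowed(bool disconnect_first) {
    struct event grant = { EV_GRANT, "example-policy", 500, 4242 };
    struct event gone  = { EV_DISCONNECTED, NULL, 0, 4242 };
    struct event check = { EV_CHECK, "example-policy", 500, 4242 };  /* new process, same pid */
    struct event a[3] = { grant, gone, check }, b[3] = { grant, check, gone };
    return run_events(disconnect_first ? a : b, 3);
}

int main(void) {
    printf("%d %d\n", reused_pid_allowed(true), reused_pid_allowed(false));
    return 0;
}
```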