PolicyKit: Branch 'master'
David Zeuthen
david at kemper.freedesktop.org
Tue Oct 23 12:30:41 PDT 2007
doc/polkit-docs.xml | 2
polkit-grant/Makefile.am | 2
polkit-grant/polkit-grant-helper.c | 177 +++++++++++-------
polkit/Makefile.am | 18 -
polkit/polkit-authorization-db.c | 346 +++++++++++++++++++++++++++++++++++++
polkit/polkit-authorization-db.h | 88 +++++++++
polkit/polkit-authorization.c | 303 ++++++++++++++++++++++++++++++++
polkit/polkit-authorization.h | 96 ++++++++++
polkit/polkit-context.c | 90 +++++++++
polkit/polkit-context.h | 25 ++
polkit/polkit-grant-database.c | 3
polkit/polkit-grant-database.h | 3
polkit/polkit.h | 2
tools/Makefile.am | 6
14 files changed, 1060 insertions(+), 101 deletions(-)
New commits:
commit 5863ec810097e452ece93c297a42b3643f1b8395
Author: David Zeuthen <davidz at redhat.com>
Date: Tue Oct 23 15:29:55 2007 -0400
create an API for interfacing with the Authorization Database
This is necessary to make UI like this
http://people.freedesktop.org/~david/Screenshot-Manage%20Authorizations.png
export some useful actions such as granting, revoking and displaying
authorizations.
Previously this API was internal, polkit/polkit-grant-database.[ch],
and linked into polkit-grant(1) and libpolkit-grant(3) through a
static library libpolkit-private.so.
Only polkit-grant have not been ported; libpolkit-grant(3) uses this
API natively now. Internally, right now, the new API just uses
polkit-grant-database.[ch] directly but that is about to change...
diff --git a/doc/polkit-docs.xml b/doc/polkit-docs.xml
index f2745db..b6ae205 100644
--- a/doc/polkit-docs.xml
+++ b/doc/polkit-docs.xml
@@ -89,6 +89,8 @@
<xi:include href="xml/polkit-policy-file-entry.xml"/>
<xi:include href="xml/polkit-policy-default.xml"/>
<xi:include href="xml/polkit-policy-cache.xml"/>
+ <xi:include href="xml/polkit-authorization.xml"/>
+ <xi:include href="xml/polkit-authorization-db.xml"/>
</reference>
<reference id="ref-convenience">
diff --git a/polkit-grant/Makefile.am b/polkit-grant/Makefile.am
index d189849..54692dc 100644
--- a/polkit-grant/Makefile.am
+++ b/polkit-grant/Makefile.am
@@ -29,7 +29,7 @@ libpolkit_grant_la_LDFLAGS = -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE
libexec_PROGRAMS = polkit-grant-helper polkit-grant-helper-pam
polkit_grant_helper_SOURCES = polkit-grant-helper.c
-polkit_grant_helper_LDADD = @GLIB_LIBS@ @DBUS_LIBS@ $(top_builddir)/polkit/libpolkit.la $(top_builddir)/polkit-dbus/libpolkit-dbus.la $(top_builddir)/polkit/libpolkit-grant-private.la
+polkit_grant_helper_LDADD = @GLIB_LIBS@ @DBUS_LIBS@ $(top_builddir)/polkit/libpolkit.la $(top_builddir)/polkit-dbus/libpolkit-dbus.la
polkit_grant_helper_pam_SOURCES = polkit-grant-helper-pam.c
polkit_grant_helper_pam_LDADD = @AUTH_LIBS@
diff --git a/polkit-grant/polkit-grant-helper.c b/polkit-grant/polkit-grant-helper.c
index 6482e5a..bce86d4 100644
--- a/polkit-grant/polkit-grant-helper.c
+++ b/polkit-grant/polkit-grant-helper.c
@@ -44,7 +44,7 @@
#include <glib.h>
#include <polkit-dbus/polkit-dbus.h>
-#include <polkit/polkit-grant-database.h>
+// #include <polkit/polkit-grant-database.h>
/* Development aid: define PGH_DEBUG to get debugging output. Do _NOT_
* enable this in production builds; it may leak passwords and other
@@ -243,10 +243,9 @@ out:
/**
* verify_with_polkit:
- * @caller_pid: the process id of the caller
- * @action_name: name of the action
- * @result: return location for result AKA how the user can auth
- * @out_session_objpath: return location for ConsoleKit session identifier
+ * @caller: the caller
+ * @action: the action
+ * @out_result: return location for result AKA how the user can auth
* @out_admin_users: return location for a NULL-terminated array of
* strings that can be user to auth as admin. Is set to NULL if the
* super user (e.g. uid 0) should be user to auth as admin.
@@ -258,70 +257,26 @@ out:
* configuration file; see the PolicyKit.conf(5) manual page for
* details.
*
- * Returns: TRUE if, and only if, the given caller can authenticate to
+ * Returns: #TRUE if, and only if, the given caller can authenticate to
* gain a privilege to do the given action.
*/
static polkit_bool_t
-verify_with_polkit (pid_t caller_pid,
- const char *action_name,
- PolKitResult *result,
- char **out_session_objpath,
+verify_with_polkit (PolKitContext *pol_ctx,
+ PolKitCaller *caller,
+ PolKitAction *action,
+ PolKitResult *out_result,
char ***out_admin_users)
{
- PolKitCaller *caller;
- PolKitSession *session;
- char *str;
- DBusConnection *bus;
- DBusError error;
- PolKitContext *pol_ctx;
- PolKitAction *action;
-
- dbus_error_init (&error);
- bus = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
- if (bus == NULL) {
- fprintf (stderr, "polkit-grant-helper: cannot connect to system bus: %s: %s\n",
- error.name, error.message);
- dbus_error_free (&error);
- goto error;
- }
-
- action = polkit_action_new ();
- polkit_action_set_action_id (action, action_name);
-
- caller = polkit_caller_new_from_pid (bus, caller_pid, &error);
- if (caller == NULL) {
- fprintf (stderr, "polkit-grant-helper: cannot get caller from pid\n");
- goto error;
- }
-
- if (!polkit_caller_get_ck_session (caller, &session)) {
- fprintf (stderr, "polkit-grant-helper: caller is not in a session\n");
- goto error;
- }
- if (!polkit_session_get_ck_objref (session, &str)) {
- fprintf (stderr, "polkit-grant-helper: cannot get session ck objpath\n");
- goto error;
- }
- *out_session_objpath = g_strdup (str);
- if (*out_session_objpath == NULL)
- goto error;
-
- pol_ctx = polkit_context_new ();
- if (!polkit_context_init (pol_ctx, NULL)) {
- fprintf (stderr, "polkit-grant-helper: cannot initialize polkit\n");
- goto error;
- }
-
- *result = polkit_context_can_caller_do_action (pol_ctx, action, caller);
-
- if (*result != POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH &&
- *result != POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_SESSION &&
- *result != POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_ALWAYS &&
- *result != POLKIT_RESULT_ONLY_VIA_SELF_AUTH &&
- *result != POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_SESSION &&
- *result != POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_ALWAYS) {
+ *out_result = polkit_context_is_caller_authorized (pol_ctx, action, caller, FALSE);
+
+ if (*out_result != POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH &&
+ *out_result != POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_SESSION &&
+ *out_result != POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_ALWAYS &&
+ *out_result != POLKIT_RESULT_ONLY_VIA_SELF_AUTH &&
+ *out_result != POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_SESSION &&
+ *out_result != POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_ALWAYS) {
fprintf (stderr, "polkit-grant-helper: given auth type (%d -> %s) is bogus\n",
- *result, polkit_result_to_string_representation (*result));
+ *out_result, polkit_result_to_string_representation (*out_result));
goto error;
}
@@ -330,9 +285,9 @@ verify_with_polkit (pid_t caller_pid,
/* for admin auth, get a list of users that can be used - this is basically evaluating the
* <define_admin_auth/> directives in the config file...
*/
- if (*result == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH ||
- *result == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_SESSION ||
- *result == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_ALWAYS) {
+ if (*out_result == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH ||
+ *out_result == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_SESSION ||
+ *out_result == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_ALWAYS) {
PolKitConfig *pk_config;
PolKitConfigAdminAuthType admin_auth_type;
const char *admin_auth_data;
@@ -535,11 +490,20 @@ main (int argc, char *argv[])
const char *invoking_user_name;
const char *action_name;
PolKitResult result;
+ PolKitResult original_result;
const char *user_to_auth;
+ uid_t uid_of_user_to_auth;
char *session_objpath;
struct passwd *pw;
polkit_bool_t dbres;
char **admin_users;
+ DBusError error;
+ DBusConnection *bus;
+ PolKitContext *context;
+ PolKitAction *action;
+ PolKitCaller *caller;
+ uid_t caller_uid;
+ PolKitSession *session;
ret = 3;
@@ -610,12 +574,49 @@ main (int argc, char *argv[])
ret = 2;
+ context = polkit_context_new ();
+ if (!polkit_context_init (context, NULL)) {
+ fprintf (stderr, "polkit-grant-helper: cannot initialize polkit\n");
+ goto out;
+ }
+
+ action = polkit_action_new ();
+ polkit_action_set_action_id (action, action_name);
+
+ dbus_error_init (&error);
+ bus = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
+ if (bus == NULL) {
+ fprintf (stderr, "polkit-grant-helper: cannot connect to system bus: %s: %s\n",
+ error.name, error.message);
+ dbus_error_free (&error);
+ goto out;
+ }
+
+ caller = polkit_caller_new_from_pid (bus, caller_pid, &error);
+ if (caller == NULL) {
+ fprintf (stderr, "polkit-grant-helper: cannot get caller from pid: %s: %s\n",
+ error.name, error.message);
+ goto out;
+ }
+ if (!polkit_caller_get_uid (caller, &caller_uid)) {
+ fprintf (stderr, "polkit-grant-helper: no uid for caller\n");
+ goto out;
+ }
+ if (!polkit_caller_get_ck_session (caller, &session)) {
+ fprintf (stderr, "polkit-grant-helper: caller is not in a session\n");
+ goto out;
+ }
+ if (!polkit_session_get_ck_objref (session, &session_objpath)) {
+ fprintf (stderr, "polkit-grant-helper: caller is not in a session\n");
+ goto out;
+ }
+
/* Use libpolkit to
*
* - figure out if the caller can really auth to do the action
* - learn what ConsoleKit session the caller belongs to
*/
- if (!verify_with_polkit (caller_pid, action_name, &result, &session_objpath, &admin_users))
+ if (!verify_with_polkit (context, caller, action, &result, &admin_users))
goto out;
#ifdef PGH_DEBUG
@@ -699,6 +700,19 @@ main (int argc, char *argv[])
}
}
+ if (strcmp (user_to_auth, "root") == 0) {
+ uid_of_user_to_auth = 0;
+ } else {
+ struct passwd *passwd;
+
+ passwd = getpwnam (user_to_auth);
+ if (passwd == NULL) {
+ fprintf (stderr, "polkit-grant-helper: can not look up uid for user '%s'\n", user_to_auth);
+ goto out;
+ }
+ uid_of_user_to_auth = passwd->pw_uid;
+ }
+
ret = 1;
/* Start authentication */
@@ -706,6 +720,8 @@ main (int argc, char *argv[])
goto out;
}
+ original_result = result;
+
/* Ask caller if he want to slim down grant type... e.g. he
* might want to go from auth_self_keep_always to
* auth_self_keep_session..
@@ -731,28 +747,41 @@ main (int argc, char *argv[])
switch (result) {
case POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH:
case POLKIT_RESULT_ONLY_VIA_SELF_AUTH:
- dbres = _polkit_grantdb_write_pid (action_name, caller_pid);
+ dbres = polkit_authorization_db_add_entry_process (polkit_context_get_authorization_db (context),
+ action,
+ caller,
+ original_result,
+ uid_of_user_to_auth);
if (dbres) {
- syslog (LOG_INFO, "granted use of action='%s' to pid '%d' [uid=%d] [auth='%s']",
+ syslog (LOG_INFO, "granted authorization for %s to pid %d [uid=%d] [auth=%s]",
action_name, caller_pid, invoking_user_id, user_to_auth);
}
break;
case POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_SESSION:
case POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_SESSION:
- dbres = _polkit_grantdb_write_keep_session (action_name, session_objpath);
+ dbres = polkit_authorization_db_add_entry_session (polkit_context_get_authorization_db (context),
+ action,
+ session,
+ original_result,
+ uid_of_user_to_auth);
+
if (dbres) {
- syslog (LOG_INFO, "granted use of action='%s' to session '%s' [uid=%d] [auth='%s']",
+ syslog (LOG_INFO, "granted authorization for %s to session %s [uid=%d] [auth=%s]",
action_name, session_objpath, invoking_user_id, user_to_auth);
}
break;
case POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_ALWAYS:
case POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_ALWAYS:
- dbres = _polkit_grantdb_write_keep_always (action_name, invoking_user_id);
+ dbres = polkit_authorization_db_add_entry_always (polkit_context_get_authorization_db (context),
+ action,
+ caller_uid,
+ original_result,
+ uid_of_user_to_auth);
if (dbres) {
- syslog (LOG_INFO, "granted use of action='%s' to uid %d [auth='%s']",
- action_name, invoking_user_id, user_to_auth);
+ syslog (LOG_INFO, "granted authorization for %s to uid %d [auth=%s]",
+ action_name, caller_uid, user_to_auth);
}
break;
diff --git a/polkit/Makefile.am b/polkit/Makefile.am
index 9927b53..e7ac1a1 100644
--- a/polkit/Makefile.am
+++ b/polkit/Makefile.am
@@ -13,12 +13,6 @@ INCLUDES = \
-DPOLKIT_COMPILATION \
@GLIB_CFLAGS@
-
-noinst_LTLIBRARIES=libpolkit-grant-private.la
-
-libpolkit_grant_private_la_SOURCES = \
- polkit-grant-database.h polkit-grant-database.c
-
lib_LTLIBRARIES=libpolkit.la
libpolkitincludedir=$(includedir)/PolicyKit/polkit
@@ -37,7 +31,9 @@ libpolkitinclude_HEADERS = \
polkit-policy-file.h \
polkit-policy-cache.h \
polkit-policy-default.h \
- polkit-config.h
+ polkit-config.h \
+ polkit-authorization.h \
+ polkit-authorization-db.h
libpolkit_la_SOURCES = \
polkit.h \
@@ -55,9 +51,13 @@ libpolkit_la_SOURCES = \
polkit-policy-default.h polkit-policy-default.c \
polkit-debug.h polkit-debug.c \
polkit-utils.h polkit-utils.c \
- polkit-config.h polkit-config.c
+ polkit-config.h polkit-config.c \
+ polkit-authorization.h polkit-authorization.c \
+ polkit-authorization-db.h polkit-authorization-db.c \
+ polkit-grant-database.h polkit-grant-database.c
+
-libpolkit_la_LIBADD = @GLIB_LIBS@ @EXPAT_LIBS@ libpolkit-grant-private.la
+libpolkit_la_LIBADD = @GLIB_LIBS@ @EXPAT_LIBS@
libpolkit_la_LDFLAGS = -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE)
diff --git a/polkit/polkit-authorization-db.c b/polkit/polkit-authorization-db.c
new file mode 100644
index 0000000..ed8726b
--- /dev/null
+++ b/polkit/polkit-authorization-db.c
@@ -0,0 +1,346 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
+/***************************************************************************
+ *
+ * polkit-authorization-db.c : Represents the authorization database
+ *
+ * Copyright (C) 2007 David Zeuthen, <david at fubar.dk>
+ *
+ * Licensed under the Academic Free License version 2.1
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ **************************************************************************/
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <grp.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <glib.h>
+#include "polkit-debug.h"
+#include "polkit-authorization-db.h"
+#include "polkit-utils.h"
+
+/* For now, redirect to the old stuff */
+#include "polkit-grant-database.h"
+
+/**
+ * SECTION:polkit-authorization-db
+ * @title: Authorization Database
+ * @short_description: An interface to the database storing authorizations
+ *
+ * This class is used to represent entries in the authorization
+ * database. TODO: needs to be pluggable
+ *
+ * Since: 0.7
+ **/
+
+/**
+ * PolKitAuthorizationDB:
+ *
+ * Objects of this class are used to represent entries in the
+ * authorization database.
+ *
+ * Since: 0.7
+ **/
+struct _PolKitAuthorizationDB
+{
+ int refcount;
+};
+
+/**
+ * polkit_authorization_db_new:
+ *
+ * Create a new #PolKitAuthorizationDB object.
+ *
+ * Returns: the new object
+ *
+ * Since: 0.7
+ **/
+PolKitAuthorizationDB *
+polkit_authorization_db_new (void)
+{
+ PolKitAuthorizationDB *authdb;
+ authdb = g_new0 (PolKitAuthorizationDB, 1);
+ authdb->refcount = 1;
+ return authdb;
+}
+
+/**
+ * polkit_authorization_db_ref:
+ * @authdb: the object
+ *
+ * Increase reference count.
+ *
+ * Returns: the object
+ *
+ * Since: 0.7
+ **/
+PolKitAuthorizationDB *
+polkit_authorization_db_ref (PolKitAuthorizationDB *authdb)
+{
+ g_return_val_if_fail (authdb != NULL, authdb);
+ authdb->refcount++;
+ return authdb;
+}
+
+/**
+ * polkit_authorization_db_unref:
+ * @authdb: the object
+ *
+ * Decreases the reference count of the object. If it becomes zero,
+ * the object is freed. Before freeing, reference counts on embedded
+ * objects are decresed by one.
+ *
+ * Since: 0.7
+ **/
+void
+polkit_authorization_db_unref (PolKitAuthorizationDB *authdb)
+{
+ g_return_if_fail (authdb != NULL);
+ authdb->refcount--;
+ if (authdb->refcount > 0)
+ return;
+ g_free (authdb);
+}
+
+/**
+ * polkit_authorization_db_debug:
+ * @authdb: the object
+ *
+ * Print debug details
+ *
+ * Since: 0.7
+ **/
+void
+polkit_authorization_db_debug (PolKitAuthorizationDB *authdb)
+{
+ g_return_if_fail (authdb != NULL);
+ _pk_debug ("PolKitAuthorizationDB: refcount=%d", authdb->refcount);
+}
+
+/**
+ * polkit_authorization_db_validate:
+ * @authdb: the object
+ *
+ * Validate the object
+ *
+ * Returns: #TRUE iff the object is valid.
+ *
+ * Since: 0.7
+ **/
+polkit_bool_t
+polkit_authorization_db_validate (PolKitAuthorizationDB *authdb)
+{
+ g_return_val_if_fail (authdb != NULL, FALSE);
+
+ return TRUE;
+}
+
+
+/**
+ * polkit_authorization_db_is_session_authorized:
+ * @authdb: the authorization database
+ * @action: the action to check for
+ * @session: the session to check for
+ * @out_is_authorized: return location
+ *
+ * Looks in the authorization database and determine if a processes
+ * from the given session are authorized to do the given specific
+ * action.
+ *
+ * Returns: #TRUE if the look up was performed; #FALSE if the caller
+ * of this function lacks privileges to ask this question (e.g. asking
+ * about a user that is not himself).
+ *
+ * Since: 0.7
+ */
+polkit_bool_t
+polkit_authorization_db_is_session_authorized (PolKitAuthorizationDB *authdb,
+ PolKitAction *action,
+ PolKitSession *session,
+ polkit_bool_t *out_is_authorized)
+{
+ return FALSE;
+}
+
+/**
+ * polkit_authorization_db_is_caller_authorized:
+ * @authdb: the authorization database
+ * @action: the action to check for
+ * @caller: the caller to check for
+ * @out_is_authorized: return location
+ *
+ * Looks in the authorization database if the given caller is
+ * authorized to do the given action.
+ *
+ * Returns: #TRUE if the look up was performed; #FALSE if the caller
+ * of this function lacks privileges to ask this question (e.g. asking
+ * about a user that is not himself).
+ *
+ * Since: 0.7
+ */
+polkit_bool_t
+polkit_authorization_db_is_caller_authorized (PolKitAuthorizationDB *authdb,
+ PolKitAction *action,
+ PolKitCaller *caller,
+ polkit_bool_t *out_is_authorized)
+{
+ g_return_val_if_fail (out_is_authorized != NULL, FALSE);
+ *out_is_authorized = _polkit_grantdb_check_can_caller_do_action (action, caller);
+ return TRUE;
+}
+
+
+/**
+ * polkit_authorization_db_add_entry_process:
+ * @authdb: the authorization database
+ * @action: the action
+ * @caller: the caller
+ * @how: the value from "defaults" section of the
+ * <literal>.policy</literal> file
+ * @user_authenticated_as: the user that was authenticated
+ *
+ * Write an entry to the authorization database to indicate that the
+ * given caller is authorized for the given action.
+ *
+ * Note that this function should only be used by
+ * <literal>libpolkit-grant</literal> or other sufficiently privileged
+ * processes that deals with managing authorizations. It should never
+ * be used by mechanisms or applications.
+ *
+ * Returns: #TRUE if an entry was written to the authorization
+ * database, #FALSE if the caller of this function is not sufficiently
+ * privileged.
+ *
+ * Since: 0.7
+ */
+polkit_bool_t
+polkit_authorization_db_add_entry_process (PolKitAuthorizationDB *authdb,
+ PolKitAction *action,
+ PolKitCaller *caller,
+ PolKitResult how,
+ uid_t user_authenticated_as)
+{
+ char *action_id;
+ pid_t caller_pid;
+
+ g_return_val_if_fail (authdb != NULL, FALSE);
+ g_return_val_if_fail (action != NULL, FALSE);
+ g_return_val_if_fail (caller != NULL, FALSE);
+
+ if (!polkit_action_get_action_id (action, &action_id))
+ return FALSE;
+
+ if (!polkit_caller_get_pid (caller, &caller_pid))
+ return FALSE;
+
+ return _polkit_grantdb_write_pid (action_id, caller_pid);;
+}
+
+/**
+ * polkit_authorization_db_add_entry_session:
+ * @authdb: the authorization database
+ * @action: the action
+ * @session: the session
+ * @how: the value from "defaults" section of the
+ * <literal>.policy</literal> file
+ * @user_authenticated_as: the user that was authenticated
+ *
+ * Write an entry to the authorization database to indicate that the
+ * given session is authorized for the given action.
+ *
+ * Note that this function should only be used by
+ * <literal>libpolkit-grant</literal> or other sufficiently privileged
+ * processes that deals with managing authorizations. It should never
+ * be used by mechanisms or applications.
+ *
+ * Returns: #TRUE if an entry was written to the authorization
+ * database, #FALSE if the caller of this function is not sufficiently
+ * privileged.
+ *
+ * Since: 0.7
+ */
+polkit_bool_t
+polkit_authorization_db_add_entry_session (PolKitAuthorizationDB *authdb,
+ PolKitAction *action,
+ PolKitSession *session,
+ PolKitResult how,
+ uid_t user_authenticated_as)
+{
+ char *action_id;
+ char *session_objpath;
+
+ g_return_val_if_fail (authdb != NULL, FALSE);
+ g_return_val_if_fail (action != NULL, FALSE);
+ g_return_val_if_fail (session != NULL, FALSE);
+
+ if (!polkit_action_get_action_id (action, &action_id))
+ return FALSE;
+
+ if (!polkit_session_get_ck_objref (session, &session_objpath))
+ return FALSE;
+
+ return _polkit_grantdb_write_keep_session (action_id, session_objpath);;
+}
+
+/**
+ * polkit_authorization_db_add_entry_always:
+ * @authdb: the authorization database
+ * @action: the action
+ * @uid: the user
+ * @how: the value from "defaults" section of the
+ * <literal>.policy</literal> file
+ * @user_authenticated_as: the user that was authenticated
+ *
+ * Write an entry to the authorization database to indicate that the
+ * given user is authorized for the given action.
+ *
+ * Note that this function should only be used by
+ * <literal>libpolkit-grant</literal> or other sufficiently privileged
+ * processes that deals with managing authorizations. It should never
+ * be used by mechanisms or applications.
+ *
+ * Returns: #TRUE if an entry was written to the authorization
+ * database, #FALSE if the caller of this function is not sufficiently
+ * privileged.
+ *
+ * Since: 0.7
+ */
+polkit_bool_t
+polkit_authorization_db_add_entry_always (PolKitAuthorizationDB *authdb,
+ PolKitAction *action,
+ uid_t uid,
+ PolKitResult how,
+ uid_t user_authenticated_as)
+{
+ char *action_id;
+
+ g_return_val_if_fail (authdb != NULL, FALSE);
+ g_return_val_if_fail (action != NULL, FALSE);
+
+ if (!polkit_action_get_action_id (action, &action_id))
+ return FALSE;
+
+ return _polkit_grantdb_write_keep_always (action_id, uid);
+}
diff --git a/polkit/polkit-authorization-db.h b/polkit/polkit-authorization-db.h
new file mode 100644
index 0000000..c7823e6
--- /dev/null
+++ b/polkit/polkit-authorization-db.h
@@ -0,0 +1,88 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
+/***************************************************************************
+ *
+ * polkit-authorization-db.h : Represents the authorization database
+ *
+ * Copyright (C) 2007 David Zeuthen, <david at fubar.dk>
+ *
+ * Licensed under the Academic Free License version 2.1
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ **************************************************************************/
+
+#if !defined (POLKIT_COMPILATION) && !defined(_POLKIT_INSIDE_POLKIT_H)
+#error "Only <polkit/polkit.h> can be included directly, this file may disappear or change contents."
+#endif
+
+#ifndef POLKIT_AUTHORIZATION_DB_H
+#define POLKIT_AUTHORIZATION_DB_H
+
+#include <polkit/polkit-types.h>
+#include <polkit/polkit-authorization.h>
+#include <polkit/polkit-action.h>
+#include <polkit/polkit-result.h>
+#include <polkit/polkit-caller.h>
+#include <polkit/polkit-session.h>
+
+POLKIT_BEGIN_DECLS
+
+struct _PolKitAuthorizationDB;
+typedef struct _PolKitAuthorizationDB PolKitAuthorizationDB;
+
+PolKitAuthorizationDB *polkit_authorization_db_new (void);
+PolKitAuthorizationDB *polkit_authorization_db_ref (PolKitAuthorizationDB *authdb);
+void polkit_authorization_db_unref (PolKitAuthorizationDB *authdb);
+
+void polkit_authorization_db_debug (PolKitAuthorizationDB *authdb);
+polkit_bool_t polkit_authorization_db_validate (PolKitAuthorizationDB *authdb);
+
+
+polkit_bool_t polkit_authorization_db_is_session_authorized (PolKitAuthorizationDB *authdb,
+ PolKitAction *action,
+ PolKitSession *session,
+ polkit_bool_t *out_is_authorized);
+
+polkit_bool_t polkit_authorization_db_is_caller_authorized (PolKitAuthorizationDB *authdb,
+ PolKitAction *action,
+ PolKitCaller *caller,
+ polkit_bool_t *out_is_authorized);
+
+
+
+polkit_bool_t polkit_authorization_db_add_entry_process (PolKitAuthorizationDB *authdb,
+ PolKitAction *action,
+ PolKitCaller *caller,
+ PolKitResult how,
+ uid_t user_authenticated_as);
+
+polkit_bool_t polkit_authorization_db_add_entry_session (PolKitAuthorizationDB *authdb,
+ PolKitAction *action,
+ PolKitSession *session,
+ PolKitResult how,
+ uid_t user_authenticated_as);
+
+polkit_bool_t polkit_authorization_db_add_entry_always (PolKitAuthorizationDB *authdb,
+ PolKitAction *action,
+ uid_t uid,
+ PolKitResult how,
+ uid_t user_authenticated_as);
+
+
+POLKIT_END_DECLS
+
+#endif /* POLKIT_AUTHORIZATION_DB_H */
+
+
diff --git a/polkit/polkit-authorization.c b/polkit/polkit-authorization.c
new file mode 100644
index 0000000..1de9ef8
--- /dev/null
+++ b/polkit/polkit-authorization.c
@@ -0,0 +1,303 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
+/***************************************************************************
+ *
+ * polkit-authorization.c : Represents an entry in the authorization
+ * database
+ *
+ * Copyright (C) 2007 David Zeuthen, <david at fubar.dk>
+ *
+ * Licensed under the Academic Free License version 2.1
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ **************************************************************************/
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <grp.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <glib.h>
+#include "polkit-debug.h"
+#include "polkit-authorization.h"
+#include "polkit-utils.h"
+
+/**
+ * SECTION:polkit-authorization
+ * @title: Authorization Entry
+ * @short_description: An entry in the autothorization database
+ *
+ * This class is used to represent entries in the authorization
+ * database.
+ *
+ * Since: 0.7
+ **/
+
+/**
+ * PolKitAuthorization:
+ *
+ * Objects of this class are used to represent entries in the
+ * authorization database.
+ *
+ * Since: 0.7
+ **/
+struct _PolKitAuthorization
+{
+ int refcount;
+};
+
+/**
+ * polkit_authorization_ref:
+ * @authorization: the authorization object
+ *
+ * Increase reference count.
+ *
+ * Returns: the object
+ *
+ * Since: 0.7
+ **/
+PolKitAuthorization *
+polkit_authorization_ref (PolKitAuthorization *authorization)
+{
+ g_return_val_if_fail (authorization != NULL, authorization);
+ authorization->refcount++;
+ return authorization;
+}
+
+/**
+ * polkit_authorization_unref:
+ * @authorization: the authorization object
+ *
+ * Decreases the reference count of the object. If it becomes zero,
+ * the object is freed. Before freeing, reference counts on embedded
+ * objects are decresed by one.
+ *
+ * Since: 0.7
+ **/
+void
+polkit_authorization_unref (PolKitAuthorization *authorization)
+{
+ g_return_if_fail (authorization != NULL);
+ authorization->refcount--;
+ if (authorization->refcount > 0)
+ return;
+ g_free (authorization);
+}
+
+/**
+ * polkit_authorization_debug:
+ * @authorization: the object
+ *
+ * Print debug details
+ *
+ * Since: 0.7
+ **/
+void
+polkit_authorization_debug (PolKitAuthorization *authorization)
+{
+ g_return_if_fail (authorization != NULL);
+ _pk_debug ("PolKitAuthorization: refcount=%d", authorization->refcount);
+}
+
+/**
+ * polkit_authorization_validate:
+ * @authorization: the object
+ *
+ * Validate the object
+ *
+ * Returns: #TRUE iff the object is valid.
+ *
+ * Since: 0.7
+ **/
+polkit_bool_t
+polkit_authorization_validate (PolKitAuthorization *authorization)
+{
+ g_return_val_if_fail (authorization != NULL, FALSE);
+
+ return TRUE;
+}
+
+/**
+ * polkit_authorization_get_action_id:
+ * @authorization: the object
+ *
+ * Get the action this authorization is for
+ *
+ * Returns: the #PolKitAction object. Caller should not unref the
+ * object; it is owned by the #PolKitAuthorization instance and will
+ * by unreffed when that object is unreffed.
+ *
+ * Since: 0.7
+ */
+PolKitAction *
+polkit_authorization_get_action_id (PolKitAuthorization *authorization)
+{
+ return NULL;
+}
+
+/**
+ * polkit_authorization_get_scope:
+ * @authorization: the object
+ *
+ * Get the scope of the authorization; e.g. whether it's confined to a
+ * single process, a single session or can be retained indefinitely.
+ *
+ * Returns: the scope
+ *
+ * Since: 0.7
+ */
+PolKitAuthorizationScope
+polkit_authorization_get_scope (PolKitAuthorization *authorization)
+{
+ return 0;
+}
+
+/**
+ * polkit_authorization_scope_process_get_pid:
+ * @authorization: the object
+ * @out_pid: return location
+ * @out_pid_start_time: return location
+ *
+ * If scope is #POLKIT_AUTHORIZATION_SCOPE_PROCESS_ONE_SHOT or
+ * #POLKIT_AUTHORIZATION_SCOPE_PROCESS, get information about what
+ * process the authorization is confined to.
+ *
+ * As process identifiers can be recycled, the start time of the
+ * process (the unit is not well-defined; on Linux it's the number of
+ * milliseconds since the system was started) is also returned.
+ *
+ * Returns: #TRUE if information was returned
+ *
+ * Since: 0.7
+ */
+polkit_bool_t
+polkit_authorization_scope_process_get_pid (PolKitAuthorization *authorization,
+ pid_t *out_pid,
+ polkit_uint64_t *out_pid_start_time)
+{
+ return FALSE;
+}
+
+/**
+ * polkit_authorization_scope_session_get_ck_objref:
+ * @authorization: the object
+ * @out_ck_session_objref: return location
+ *
+ * Gets the ConsoleKit object path for the session the authorization
+ * is confined to.
+ *
+ * Returns: #TRUE if information was returned
+ *
+ * Since: 0.7
+ */
+polkit_bool_t
+polkit_authorization_scope_session_get_ck_objref (PolKitAuthorization *authorization,
+ char **out_ck_session_objref)
+{
+ return FALSE;
+}
+
+/**
+ * polkit_authorization_get_uid:
+ * @authorization: the object
+ *
+ * Gets the UNIX user id for the user the authorization is confined
+ * to.
+ *
+ * Returns: The UNIX user id for whom the authorization is confied to
+ *
+ * Since: 0.7
+ */
+uid_t
+polkit_authorization_get_uid (PolKitAuthorization *authorization)
+{
+ return 0;
+}
+
+/**
+ * polkit_authorization_get_time_of_grant:
+ * @authorization: the object
+ *
+ * Returns the point in time the authorization was granted. The value
+ * is UNIX time, e.g. number of seconds since the Epoch Jan 1, 1970
+ * 0:00 UTC.
+ *
+ * Returns: #TRUE if information was returned
+ *
+ * Since: 0.7
+ */
+time_t
+polkit_authorization_get_time_of_grant (PolKitAuthorization *authorization)
+{
+ return 0;
+}
+
+/**
+ * polkit_authorization_was_granted_via_defaults:
+ * @authorization: the object
+ * @out_how: return location
+ * @out_user_authenticated_as: return location
+ *
+ * Determine if the authorization was obtained by the user by
+ * authenticating as himself or an administrator via the the
+ * "defaults" section in the <literal>.policy</literal> file for the
+ * action (e.g. "allow_any", "allow_inactive", "allow_active").
+ *
+ * Compare with polkit_authorization_was_granted_explicitly() - only
+ * one of these functions can return #TRUE.
+ *
+ * Returns: #TRUE if the authorization was obtained by the user
+ * himself authenticating.
+ *
+ * Since: 0.7
+ */
+polkit_bool_t
+polkit_authorization_was_granted_via_defaults (PolKitAuthorization *authorization,
+ PolKitResult *out_how,
+ uid_t *out_user_authenticated_as)
+{
+ return FALSE;
+}
+
+/**
+ * polkit_authorization_was_granted_explicitly:
+ * @authorization: the object
+ * @out_by_whom: return location
+ *
+ * Determine if the authorization was explicitly granted by a
+ * sufficiently privileged user.
+ *
+ * Compare with polkit_authorization_was_granted_via_defaults() - only
+ * one of these functions can return #TRUE.
+ *
+ * Returns: #TRUE if the authorization was explicitly granted by a
+ * sufficiently privileger user.
+ *
+ * Since: 0.7
+ */
+polkit_bool_t
+polkit_authorization_was_granted_explicitly (PolKitAuthorization *authorization,
+ uid_t *out_by_whom)
+{
+ return FALSE;
+}
diff --git a/polkit/polkit-authorization.h b/polkit/polkit-authorization.h
new file mode 100644
index 0000000..ab8518d
--- /dev/null
+++ b/polkit/polkit-authorization.h
@@ -0,0 +1,96 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
+/***************************************************************************
+ *
+ * polkit-authorization.h : Represents an entry in the authorization
+ * database
+ *
+ * Copyright (C) 2007 David Zeuthen, <david at fubar.dk>
+ *
+ * Licensed under the Academic Free License version 2.1
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ **************************************************************************/
+
+#if !defined (POLKIT_COMPILATION) && !defined(_POLKIT_INSIDE_POLKIT_H)
+#error "Only <polkit/polkit.h> can be included directly, this file may disappear or change contents."
+#endif
+
+#ifndef POLKIT_AUTHORIZATION_H
+#define POLKIT_AUTHORIZATION_H
+
+#include <polkit/polkit-types.h>
+#include <polkit/polkit-action.h>
+#include <polkit/polkit-result.h>
+
+POLKIT_BEGIN_DECLS
+
+struct _PolKitAuthorization;
+typedef struct _PolKitAuthorization PolKitAuthorization;
+
+PolKitAuthorization *polkit_authorization_ref (PolKitAuthorization *authorization);
+void polkit_authorization_unref (PolKitAuthorization *authorization);
+
+void polkit_authorization_debug (PolKitAuthorization *authorization);
+polkit_bool_t polkit_authorization_validate (PolKitAuthorization *authorization);
+
+
+/**
+ * PolKitAuthorizationScope:
+ * @POLKIT_AUTHORIZATION_SCOPE_PROCESS: The authorization is limited
+ * for a single process on the system
+ * @POLKIT_AUTHORIZATION_SCOPE_SESSION: The authorization is limited
+ * for processes originating from a given session
+ * @POLKIT_AUTHORIZATION_SCOPE_ALWAYS: The authorization is retained
+ * indefinitely. TODO: mention that it's only valid if the defaults
+ * for the #PolKitAction is the same.
+ *
+ * The scope of an authorization; e.g. how it is confined.
+ */
+typedef enum {
+ POLKIT_AUTHORIZATION_SCOPE_PROCESS,
+ POLKIT_AUTHORIZATION_SCOPE_SESSION,
+ POLKIT_AUTHORIZATION_SCOPE_ALWAYS,
+} PolKitAuthorizationScope;
+
+PolKitAction *polkit_authorization_get_action_id (PolKitAuthorization *authorization);
+
+uid_t polkit_authorization_get_uid (PolKitAuthorization *authorization);
+
+time_t polkit_authorization_get_time_of_grant (PolKitAuthorization *authorization);
+
+
+PolKitAuthorizationScope polkit_authorization_get_scope (PolKitAuthorization *authorization);
+
+polkit_bool_t polkit_authorization_scope_process_get_pid (PolKitAuthorization *authorization,
+ pid_t *out_pid,
+ polkit_uint64_t *out_pid_start_time);
+
+polkit_bool_t polkit_authorization_scope_session_get_ck_objref (PolKitAuthorization *authorization,
+ char **out_ck_session_objref);
+
+
+polkit_bool_t polkit_authorization_was_granted_via_defaults (PolKitAuthorization *authorization,
+ PolKitResult *out_how,
+ uid_t *out_user_authenticated_as);
+
+polkit_bool_t polkit_authorization_was_granted_explicitly (PolKitAuthorization *authorization,
+ uid_t *out_by_whom);
+
+POLKIT_END_DECLS
+
+#endif /* POLKIT_AUTHORIZATION_H */
+
+
diff --git a/polkit/polkit-context.c b/polkit/polkit-context.c
index d806692..96870d5 100644
--- a/polkit/polkit-context.c
+++ b/polkit/polkit-context.c
@@ -43,7 +43,6 @@
#include "polkit-debug.h"
#include "polkit-context.h"
#include "polkit-policy-cache.h"
-#include "polkit-grant-database.h"
/**
* SECTION:polkit
@@ -98,6 +97,8 @@ struct _PolKitContext
PolKitConfig *config;
+ PolKitAuthorizationDB *authdb;
+
polkit_bool_t load_descriptions;
int inotify_fd;
@@ -121,6 +122,8 @@ polkit_context_new (void)
PolKitContext *pk_context;
pk_context = g_new0 (PolKitContext, 1);
pk_context->refcount = 1;
+ /* TODO: May want to rethink instantiating this on demand.. */
+ pk_context->authdb = polkit_authorization_db_new ();
return pk_context;
}
@@ -435,6 +438,56 @@ polkit_context_get_policy_cache (PolKitContext *pk_context)
return pk_context->priv_cache;
}
+
+/**
+ * polkit_context_is_session_authorized:
+ * @pk_context: the PolicyKit context
+ * @action: the type of access to check for
+ * @session: the session in question
+ * @revoke_if_oneshot: TODO
+ *
+ * Determine if any caller from a giver session is authorized to do a
+ * given action.
+ *
+ * Returns: A #PolKitResult specifying if, and how, the caller can
+ * do a specific action.
+ *
+ * Since: 0.7
+ */
+PolKitResult
+polkit_context_is_session_authorized (PolKitContext *pk_context,
+ PolKitAction *action,
+ PolKitSession *session,
+ polkit_bool_t revoke_if_oneshot)
+{
+ /* TODO: properly implement */
+ return polkit_context_can_session_do_action (pk_context, action, session);
+}
+
+/**
+ * polkit_context_is_caller_authorized:
+ * @pk_context: the PolicyKit context
+ * @action: the type of access to check for
+ * @caller: the caller in question
+ * @revoke_if_oneshot: TODO
+ *
+ * Determine if a given caller is authorized to do a given action.
+ *
+ * Returns: A #PolKitResult specifying if, and how, the caller can
+ * do a specific action.
+ *
+ * Since: 0.7
+ */
+PolKitResult
+polkit_context_is_caller_authorized (PolKitContext *pk_context,
+ PolKitAction *action,
+ PolKitCaller *caller,
+ polkit_bool_t revoke_if_oneshot)
+{
+ /* TODO: properly implement */
+ return polkit_context_can_caller_do_action (pk_context, action, caller);
+}
+
/**
* polkit_context_can_session_do_action:
* @pk_context: the PolicyKit context
@@ -445,6 +498,8 @@ polkit_context_get_policy_cache (PolKitContext *pk_context)
*
* Returns: A #PolKitResult - can only be one of
* #POLKIT_RESULT_YES, #POLKIT_RESULT_NO.
+ *
+ * Deprecated: 0.7: use polkit_context_is_session_authorized() instead.
*/
PolKitResult
polkit_context_can_session_do_action (PolKitContext *pk_context,
@@ -529,6 +584,8 @@ out:
*
* Returns: A #PolKitResult specifying if, and how, the caller can
* do a specific action
+ *
+ * Deprecated: 0.7: use polkit_context_is_caller_authorized() instead.
*/
PolKitResult
polkit_context_can_caller_do_action (PolKitContext *pk_context,
@@ -542,6 +599,7 @@ polkit_context_can_caller_do_action (PolKitContext *pk_context,
PolKitResult result_from_grantdb;
PolKitPolicyDefault *policy_default;
PolKitConfig *config;
+ polkit_bool_t from_authdb;
result = POLKIT_RESULT_NO;
g_return_val_if_fail (pk_context != NULL, result);
@@ -583,7 +641,15 @@ polkit_context_can_caller_do_action (PolKitContext *pk_context,
polkit_policy_file_entry_debug (pfe);
result_from_config = polkit_config_can_caller_do_action (config, action, caller);
- result_from_grantdb = _polkit_grantdb_check_can_caller_do_action (pk_context, action, caller);
+
+ result_from_grantdb = POLKIT_RESULT_UNKNOWN;
+ if (polkit_authorization_db_is_caller_authorized (pk_context->authdb,
+ action,
+ caller,
+ &from_authdb)) {
+ if (from_authdb)
+ result_from_grantdb = POLKIT_RESULT_YES;
+ }
/* fist, check if the config file specifies a result */
if (result_from_config != POLKIT_RESULT_UNKNOWN) {
@@ -642,7 +708,7 @@ out:
* integration with other PolicyKit components.
*
* Returns: A #PolKitConfig object or NULL if the configuration file
- * is malformed.
+ * is malformed. Caller should not unref this object.
*/
PolKitConfig *
polkit_context_get_config (PolKitContext *pk_context, PolKitError **error)
@@ -672,4 +738,20 @@ polkit_context_get_config (PolKitContext *pk_context, PolKitError **error)
return pk_context->config;
}
-
+/**
+ * polkit_context_get_authorization_db:
+ * @pk_context: the PolicyKit context
+ *
+ * Returns an object that provides access to the authorization
+ * database. Applications using PolicyKit should never use this
+ * method; it's only here for integration with other PolicyKit
+ * components.
+ *
+ * Returns: A #PolKitAuthorizationDB object. Caller should not unref
+ * this object.
+ */
+PolKitAuthorizationDB *
+polkit_context_get_authorization_db (PolKitContext *pk_context)
+{
+ return pk_context->authdb;
+}
diff --git a/polkit/polkit-context.h b/polkit/polkit-context.h
index 5c66514..8163ab0 100644
--- a/polkit/polkit-context.h
+++ b/polkit/polkit-context.h
@@ -40,6 +40,7 @@
#include <polkit/polkit-caller.h>
#include <polkit/polkit-policy-cache.h>
#include <polkit/polkit-config.h>
+#include <polkit/polkit-authorization-db.h>
POLKIT_BEGIN_DECLS
@@ -157,16 +158,28 @@ void polkit_context_io_func (PolKitContext *pk_context,
PolKitPolicyCache *polkit_context_get_policy_cache (PolKitContext *pk_context);
-PolKitResult polkit_context_can_session_do_action (PolKitContext *pk_context,
- PolKitAction *action,
- PolKitSession *session);
+POLKIT_GNUC_DEPRECATED PolKitResult polkit_context_can_session_do_action (PolKitContext *pk_context,
+ PolKitAction *action,
+ PolKitSession *session);
-PolKitResult polkit_context_can_caller_do_action (PolKitContext *pk_context,
- PolKitAction *action,
- PolKitCaller *caller);
+POLKIT_GNUC_DEPRECATED PolKitResult polkit_context_can_caller_do_action (PolKitContext *pk_context,
+ PolKitAction *action,
+ PolKitCaller *caller);
PolKitConfig *polkit_context_get_config (PolKitContext *pk_context, PolKitError **error);
+PolKitResult polkit_context_is_caller_authorized (PolKitContext *pk_context,
+ PolKitAction *action,
+ PolKitCaller *caller,
+ polkit_bool_t revoke_if_oneshot);
+
+PolKitResult polkit_context_is_session_authorized (PolKitContext *pk_context,
+ PolKitAction *action,
+ PolKitSession *session,
+ polkit_bool_t revoke_if_oneshot);
+
+PolKitAuthorizationDB *polkit_context_get_authorization_db (PolKitContext *pk_context);
+
POLKIT_END_DECLS
#endif /* POLKIT_CONTEXT_H */
diff --git a/polkit/polkit-grant-database.c b/polkit/polkit-grant-database.c
index 8f7c751..75cacab 100644
--- a/polkit/polkit-grant-database.c
+++ b/polkit/polkit-grant-database.c
@@ -223,8 +223,7 @@ out:
}
PolKitResult
-_polkit_grantdb_check_can_caller_do_action (PolKitContext *pk_context,
- PolKitAction *action,
+_polkit_grantdb_check_can_caller_do_action (PolKitAction *action,
PolKitCaller *caller)
{
char *grant_file;
diff --git a/polkit/polkit-grant-database.h b/polkit/polkit-grant-database.h
index e04dac5..3053a64 100644
--- a/polkit/polkit-grant-database.h
+++ b/polkit/polkit-grant-database.h
@@ -30,8 +30,7 @@
POLKIT_BEGIN_DECLS
-PolKitResult _polkit_grantdb_check_can_caller_do_action (PolKitContext *pk_context,
- PolKitAction *action,
+PolKitResult _polkit_grantdb_check_can_caller_do_action (PolKitAction *action,
PolKitCaller *caller);
polkit_bool_t _polkit_grantdb_write_keep_always (const char *action_id, uid_t uid);
diff --git a/polkit/polkit.h b/polkit/polkit.h
index 096e72b..04c3e5b 100644
--- a/polkit/polkit.h
+++ b/polkit/polkit.h
@@ -40,6 +40,8 @@
#include <polkit/polkit-policy-cache.h>
#include <polkit/polkit-policy-default.h>
#include <polkit/polkit-config.h>
+#include <polkit/polkit-authorization.h>
+#include <polkit/polkit-authorization-db.h>
#undef _POLKIT_INSIDE_POLKIT_H
#endif /* POLKIT_H */
diff --git a/tools/Makefile.am b/tools/Makefile.am
index 2290c29..ce555b0 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -11,7 +11,7 @@ INCLUDES = \
@GLIB_CFLAGS@ \
@DBUS_CFLAGS@
-bin_PROGRAMS = polkit-config-file-validate polkit-policy-file-validate polkit-grant polkit-list-actions
+bin_PROGRAMS = polkit-config-file-validate polkit-policy-file-validate polkit-list-actions #polkit-grant
polkit_config_file_validate_SOURCES = polkit-config-file-validate.c
polkit_config_file_validate_LDADD = $(top_builddir)/polkit/libpolkit.la
@@ -19,8 +19,8 @@ polkit_config_file_validate_LDADD = $(top_builddir)/polkit/libpolkit.la
polkit_policy_file_validate_SOURCES = polkit-policy-file-validate.c
polkit_policy_file_validate_LDADD = $(top_builddir)/polkit/libpolkit.la
-polkit_grant_SOURCES = polkit-grant.c
-polkit_grant_LDADD = @GLIB_LIBS@ @DBUS_LIBS@ $(top_builddir)/polkit/libpolkit.la $(top_builddir)/polkit-grant/libpolkit-grant.la $(top_builddir)/polkit-dbus/libpolkit-dbus.la $(top_builddir)/polkit/libpolkit-grant-private.la
+#polkit_grant_SOURCES = polkit-grant.c
+#polkit_grant_LDADD = @GLIB_LIBS@ @DBUS_LIBS@ $(top_builddir)/polkit/libpolkit.la $(top_builddir)/polkit-grant/libpolkit-grant.la $(top_builddir)/polkit-dbus/libpolkit-dbus.la $(top_builddir)/polkit/libpolkit-grant-private.la
polkit_list_actions_SOURCES = polkit-list-actions.c
polkit_list_actions_LDADD = $(GLIB) $(top_builddir)/polkit/libpolkit.la
More information about the hal-commit
mailing list