public inbox for openembedded-core@lists.openembedded.org
From: "Anuj Mittal" <anuj.mittal@intel.com>
To: "openembedded-core@lists.openembedded.org"
	<openembedded-core@lists.openembedded.org>,
	"jpewhacker@gmail.com" <jpewhacker@gmail.com>
Subject: Re: [OE-core][PATCH v2] systemd: Re-enable chvt as non-root user without polkit
Date: Thu, 18 Feb 2021 02:48:51 +0000	[thread overview]
Message-ID: <7eeed678dff9dfda7aff7a6414636a5b90d2eb83.camel@intel.com> (raw)
In-Reply-To: <CAJdd5GZnxO68ir=moPXMUrQ9XmSg+wGimWYeOBMqJBzRiOB5Vg@mail.gmail.com>

On Wed, 2021-02-17 at 09:59 -0600, Joshua Watt wrote:
> On Wed, Nov 18, 2020 at 4:03 PM Joshua Watt <jpewhacker@gmail.com>
> wrote:
> > 
> > On 11/16/20 8:38 AM, Joshua Watt wrote:
> > > systemd 245 introduced a regression in behavior where they removed
> > > support for non-root users to chvt from a service file. This prevents
> > > running compositors (e.g. weston) as any user other than root. The
> > > intention is for polkit to be used to allow this (and in fact the
> > > default polkit rules that ship with systemd allow this). However, polkit
> > > is a huge dependency to bring in for an embedded system, and isn't
> > > supported by OE-core.
> > > 
> > > The patch has been proposed upstream to restore the previous behavior of
> > > allowing a non-root user to chvt to unbreak the regression without
> > > requiring polkit.
> > 
> > Can this be backported to 3.2, since it affects the systemd version
> > there also?
> 
> Ping on backporting this to 3.2?

I have picked this now for next pull request.

Thanks,

Anuj

> 
> > 
> > Thanks
> > 
> > > 
> > > Upstream-Status: Submitted [
> > > https://github.com/systemd/systemd/pull/17494]
> > > Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> > > ---
> > >   ...chvt-as-non-root-user-without-polkit.patch | 227
> > > ++++++++++++++++++
> > >   meta/recipes-core/systemd/systemd_246.6.bb    |   1 +
> > >   2 files changed, 228 insertions(+)
> > >   create mode 100644 meta/recipes-core/systemd/systemd/0001-
> > > logind-Restore-chvt-as-non-root-user-without-polkit.patch
> > > 
> > > diff --git a/meta/recipes-core/systemd/systemd/0001-logind-
> > > Restore-chvt-as-non-root-user-without-polkit.patch
> > > b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-
> > > non-root-user-without-polkit.patch
> > > new file mode 100644
> > > index 0000000000..89ef39bc3e
> > > --- /dev/null
> > > +++ b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-
> > > as-non-root-user-without-polkit.patch
> > > @@ -0,0 +1,227 @@
> > > +From 150d9cade6d475570395cb418b824524dead9577 Mon Sep 17
> > > 00:00:00 2001
> > > +From: Joshua Watt <JPEWhacker@gmail.com>
> > > +Date: Fri, 30 Oct 2020 08:15:43 -0500
> > > +Subject: [PATCH] logind: Restore chvt as non-root user without
> > > polkit
> > > +
> > > +4acf0cfd2f ("logind: check PolicyKit before allowing VT switch")
> > > broke
> > > +the ability to write user sessions that run graphical sessions
> > > (e.g.
> > > +weston/X11). This was partially amended in 19bb87fbfa ("login:
> > > allow
> > > +non-console sessions to change vt") by changing the default
> > > PolicyKit
> > > +policy so that non-root users are again allowed to switch the
> > > VT. This
> > > +makes the policy when PolKit is not enabled (as on many embedded
> > > +systems) match the default PolKit policy and allows launching
> > > graphical
> > > +sessions as a non-root user.
> > > +
> > > +Closes #17473
> > > +---
> > > + src/login/logind-dbus.c         | 11 ++-------
> > > + src/login/logind-polkit.c       | 26 +++++++++++++++++++++
> > > + src/login/logind-polkit.h       | 10 ++++++++
> > > + src/login/logind-seat-dbus.c    | 41 ++++----------------------
> > > -------
> > > + src/login/logind-session-dbus.c | 11 ++-------
> > > + src/login/meson.build           |  1 +
> > > + 6 files changed, 46 insertions(+), 54 deletions(-)
> > > + create mode 100644 src/login/logind-polkit.c
> > > + create mode 100644 src/login/logind-polkit.h
> > > +
> > > +diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
> > > +index 0f83ed99bc..a3765d88ba 100644
> > > +--- a/src/login/logind-dbus.c
> > > ++++ b/src/login/logind-dbus.c
> > > +@@ -30,6 +30,7 @@
> > > + #include "format-util.h"
> > > + #include "fs-util.h"
> > > + #include "logind-dbus.h"
> > > ++#include "logind-polkit.h"
> > > + #include "logind-seat-dbus.h"
> > > + #include "logind-session-dbus.h"
> > > + #include "logind-user-dbus.h"
> > > +@@ -1047,15 +1048,7 @@ static int
> > > method_activate_session_on_seat(sd_bus_message *message, void
> > > *userda
> > > +                 return sd_bus_error_setf(error,
> > > BUS_ERROR_SESSION_NOT_ON_SEAT,
> > > +                                          "Session %s not on
> > > seat %s", session_name, seat_name);
> > > +
> > > +-        r = bus_verify_polkit_async(
> > > +-                        message,
> > > +-                        CAP_SYS_ADMIN,
> > > +-                        "org.freedesktop.login1.chvt",
> > > +-                        NULL,
> > > +-                        false,
> > > +-                        UID_INVALID,
> > > +-                        &m->polkit_registry,
> > > +-                        error);
> > > ++        r = check_polkit_chvt(message, m, error);
> > > +         if (r < 0)
> > > +                 return r;
> > > +         if (r == 0)
> > > +diff --git a/src/login/logind-polkit.c b/src/login/logind-
> > > polkit.c
> > > +new file mode 100644
> > > +index 0000000000..9072570cc6
> > > +--- /dev/null
> > > ++++ b/src/login/logind-polkit.c
> > > +@@ -0,0 +1,26 @@
> > > ++/* SPDX-License-Identifier: LGPL-2.1+ */
> > > ++
> > > ++#include "bus-polkit.h"
> > > ++#include "logind-polkit.h"
> > > ++#include "missing_capability.h"
> > > ++#include "user-util.h"
> > > ++
> > > ++int check_polkit_chvt(sd_bus_message *message, Manager
> > > *manager, sd_bus_error *error) {
> > > ++#if ENABLE_POLKIT
> > > ++        return bus_verify_polkit_async(
> > > ++                        message,
> > > ++                        CAP_SYS_ADMIN,
> > > ++                        "org.freedesktop.login1.chvt",
> > > ++                        NULL,
> > > ++                        false,
> > > ++                        UID_INVALID,
> > > ++                        &manager->polkit_registry,
> > > ++                        error);
> > > ++#else
> > > ++        /* Allow chvt when polkit is not present. This allows a
> > > service to start a graphical session as a
> > > ++         * non-root user when polkit is not compiled in,
> > > matching the default polkit policy */
> > > ++        return 1;
> > > ++#endif
> > > ++}
> > > ++
> > > ++
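Review bot: the #else branch of check_polkit_chvt returns 1 for every caller, so with ENABLE_POLKIT off any process that can reach logind on the bus is authorised for org.freedesktop.login1.chvt with no uid or capability check at all, whereas the removed bus_verify_polkit_async call at least passed CAP_SYS_ADMIN as the capability to verify. If the goal is only to let the (non-root) session owner switch VTs, consider gating the fallback on the caller owning a session on the seat rather than returning 1 unconditionally, and state in the comment which callers this admits. Minor: the new file ends with two blank lines.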
> > > +diff --git a/src/login/logind-polkit.h b/src/login/logind-
> > > polkit.h
> > > +new file mode 100644
> > > +index 0000000000..476c077a8a
> > > +--- /dev/null
> > > ++++ b/src/login/logind-polkit.h
> > > +@@ -0,0 +1,10 @@
> > > ++/* SPDX-License-Identifier: LGPL-2.1+ */
> > > ++#pragma once
> > > ++
> > > ++#include "sd-bus.h"
> > > ++
> > > ++#include "bus-object.h"
> > > ++#include "logind.h"
> > > ++
> > > ++int check_polkit_chvt(sd_bus_message *message, Manager
> > > *manager, sd_bus_error *error);
> > > ++
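Review bot: the `#include "bus-object.h"` in logind-polkit.h looks unused; the single declaration only needs sd_bus_message and sd_bus_error from sd-bus.h and Manager from logind.h. Drop it unless something else in the tree relies on it being pulled in here.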
> > > +diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-
> > > seat-dbus.c
> > > +index a945132284..f22e9e2734 100644
> > > +--- a/src/login/logind-seat-dbus.c
> > > ++++ b/src/login/logind-seat-dbus.c
> > > +@@ -9,6 +9,7 @@
> > > + #include "bus-polkit.h"
> > > + #include "bus-util.h"
> > > + #include "logind-dbus.h"
> > > ++#include "logind-polkit.h"
> > > + #include "logind-seat-dbus.h"
> > > + #include "logind-seat.h"
> > > + #include "logind-session-dbus.h"
> > > +@@ -179,15 +180,7 @@ static int
> > > method_activate_session(sd_bus_message *message, void *userdata,
> > > sd_b
> > > +         if (session->seat != s)
> > > +                 return sd_bus_error_setf(error,
> > > BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name,
> > > s->id);
> > > +
> > > +-        r = bus_verify_polkit_async(
> > > +-                        message,
> > > +-                        CAP_SYS_ADMIN,
> > > +-                        "org.freedesktop.login1.chvt",
> > > +-                        NULL,
> > > +-                        false,
> > > +-                        UID_INVALID,
> > > +-                        &s->manager->polkit_registry,
> > > +-                        error);
> > > ++        r = check_polkit_chvt(message, s->manager, error);
> > > +         if (r < 0)
> > > +                 return r;
> > > +         if (r == 0)
> > > +@@ -215,15 +208,7 @@ static int method_switch_to(sd_bus_message
> > > *message, void *userdata, sd_bus_erro
> > > +         if (to <= 0)
> > > +                 return sd_bus_error_setf(error,
> > > SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal");
> > > +
> > > +-        r = bus_verify_polkit_async(
> > > +-                        message,
> > > +-                        CAP_SYS_ADMIN,
> > > +-                        "org.freedesktop.login1.chvt",
> > > +-                        NULL,
> > > +-                        false,
> > > +-                        UID_INVALID,
> > > +-                        &s->manager->polkit_registry,
> > > +-                        error);
> > > ++        r = check_polkit_chvt(message, s->manager, error);
> > > +         if (r < 0)
> > > +                 return r;
> > > +         if (r == 0)
> > > +@@ -243,15 +228,7 @@ static int
> > > method_switch_to_next(sd_bus_message *message, void *userdata,
> > > sd_bus
> > > +         assert(message);
> > > +         assert(s);
> > > +
> > > +-        r = bus_verify_polkit_async(
> > > +-                        message,
> > > +-                        CAP_SYS_ADMIN,
> > > +-                        "org.freedesktop.login1.chvt",
> > > +-                        NULL,
> > > +-                        false,
> > > +-                        UID_INVALID,
> > > +-                        &s->manager->polkit_registry,
> > > +-                        error);
> > > ++        r = check_polkit_chvt(message, s->manager, error);
> > > +         if (r < 0)
> > > +                 return r;
> > > +         if (r == 0)
> > > +@@ -271,15 +248,7 @@ static int
> > > method_switch_to_previous(sd_bus_message *message, void
> > > *userdata, sd
> > > +         assert(message);
> > > +         assert(s);
> > > +
> > > +-        r = bus_verify_polkit_async(
> > > +-                        message,
> > > +-                        CAP_SYS_ADMIN,
> > > +-                        "org.freedesktop.login1.chvt",
> > > +-                        NULL,
> > > +-                        false,
> > > +-                        UID_INVALID,
> > > +-                        &s->manager->polkit_registry,
> > > +-                        error);
> > > ++        r = check_polkit_chvt(message, s->manager, error);
> > > +         if (r < 0)
> > > +                 return r;
> > > +         if (r == 0)
> > > +diff --git a/src/login/logind-session-dbus.c b/src/login/logind-
> > > session-dbus.c
> > > +index ccc5ac8df2..57c8a4e900 100644
> > > +--- a/src/login/logind-session-dbus.c
> > > ++++ b/src/login/logind-session-dbus.c
> > > +@@ -11,6 +11,7 @@
> > > + #include "fd-util.h"
> > > + #include "logind-brightness.h"
> > > + #include "logind-dbus.h"
> > > ++#include "logind-polkit.h"
> > > + #include "logind-seat-dbus.h"
> > > + #include "logind-session-dbus.h"
> > > + #include "logind-session-device.h"
> > > +@@ -192,15 +193,7 @@ int
> > > bus_session_method_activate(sd_bus_message *message, void
> > > *userdata, sd_bus_
> > > +         assert(message);
> > > +         assert(s);
> > > +
> > > +-        r = bus_verify_polkit_async(
> > > +-                        message,
> > > +-                        CAP_SYS_ADMIN,
> > > +-                        "org.freedesktop.login1.chvt",
> > > +-                        NULL,
> > > +-                        false,
> > > +-                        UID_INVALID,
> > > +-                        &s->manager->polkit_registry,
> > > +-                        error);
> > > ++        r = check_polkit_chvt(message, s->manager, error);
> > > +         if (r < 0)
> > > +                 return r;
> > > +         if (r == 0)
> > > +diff --git a/src/login/meson.build b/src/login/meson.build
> > > +index 0a7d3d5440..7e46be2add 100644
> > > +--- a/src/login/meson.build
> > > ++++ b/src/login/meson.build
> > > +@@ -26,6 +26,7 @@ liblogind_core_sources = files('''
> > > +         logind-device.h
> > > +         logind-inhibit.c
> > > +         logind-inhibit.h
> > > ++        logind-polkit.c
> > > +         logind-seat-dbus.c
> > > +         logind-seat-dbus.h
> > > +         logind-seat.c
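Review bot: only logind-polkit.c is added to liblogind_core_sources, while the neighbouring entries list the header next to the source (logind-inhibit.c/.h, logind-seat-dbus.c/.h); add logind-polkit.h for consistency with the rest of the list.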
> > > +--
> > > +2.28.0
> > > +
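Review bot: the header of the new .patch file (the block ending at `Closes #17473`) carries no `Upstream-Status:` tag. The OE commit message above has `Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/17494]`, but OE-core expects that tag inside the patch file itself so it survives recipe upgrades and is visible to whoever rebases it; please add it to the patch header above the `---` line.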
> > > diff --git a/meta/recipes-core/systemd/systemd_246.6.bb
> > > b/meta/recipes-core/systemd/systemd_246.6.bb
> > > index 1d1ff34d89..d9e7b1a00c 100644
> > > --- a/meta/recipes-core/systemd/systemd_246.6.bb
> > > +++ b/meta/recipes-core/systemd/systemd_246.6.bb
> > > @@ -23,6 +23,7 @@ SRC_URI += "file://touchscreen.rules \
> > >              
> > > file://0003-implment-systemd-sysv-install-for-OE.patch \
> > >              
> > > file://0001-systemd.pc.in-use-ROOTPREFIX-without-suffixed-slash.patch
> > >  \
> > >              
> > > file://selinux-hook-handling-to-enumerate-nexthop.patch \
> > > +           
> > > file://0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
> > >  \
> > >              "
> > > 
> > >   # patches needed by musl


Thread overview:
2020-11-13 21:11 [OE-core][PATCH] systemd: Re-enable chvt as non-root user without polkit Joshua Watt
2020-11-16 14:38 ` [OE-core][PATCH v2] " Joshua Watt
2020-11-18 22:03   ` Joshua Watt
2021-02-17 15:59     ` Joshua Watt
2021-02-18  2:48       ` Anuj Mittal [this message]
