fix: [247629/reboot] no auth aquired on reboot (#61)

as title. Log: fix security issue. Bug: https://pms.uniontech.com/bug-view-247629.html
linuxdeepin · Mar 20, 2024 · 055e74f · 055e74f
1 parent fcf4445
commit 055e74f
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 9 deletions.
diff --git a/src/service/bootmakerservice.cpp b/src/service/bootmakerservice.cpp
@@ -29,7 +29,8 @@
 #include <polkit-qt5-1/PolkitQt1/Subject>
 #endif
 
-const QString s_PolkitAction = "com.deepin.bootmaker";
+const QString s_PolkitActionCreate = "com.deepin.bootmaker.create";
+const QString s_PolkitActionReboot = "com.deepin.bootmaker.reboot";
 
 /**
    @brief Polkit action authorization check.
@@ -38,11 +39,14 @@ const QString s_PolkitAction = "com.deepin.bootmaker";
    @note Available on linux/unix/macos platform.
    @return check passed.
  */
-bool checkAuthorization(qint64 pid)
+bool checkAuthorization(qint64 pid, const QString &action)
 {
 #if defined (Q_OS_LINUX) || defined (Q_OS_UNIX) ||  defined (Q_OS_MAC)
     PolkitQt1::Authority::Result ret = PolkitQt1::Authority::instance()->checkAuthorizationSync(
-        s_PolkitAction, PolkitQt1::UnixProcessSubject(pid), PolkitQt1::Authority::AllowUserInteraction);
+        action,
+        PolkitQt1::UnixProcessSubject(pid),
+        PolkitQt1::Authority::AllowUserInteraction);
+
     if (PolkitQt1::Authority::Yes == ret) {
         return true;
     } else {
@@ -141,10 +145,8 @@ BootMakerService::~BootMakerService()
 void BootMakerService::Reboot()
 {
     Q_D(BootMakerService);
-    if (!d->checkCaller()) {
-        return;
-    }
-    d->bm->reboot();
+    if (checkAuthorization(d->dbusCallerPid(), s_PolkitActionReboot))
+        d->bm->reboot();
 }
 
 void BootMakerService::Start()
@@ -189,7 +191,7 @@ bool BootMakerService::Install(const QString &image, const QString &device, cons
         return false;
     }
 
-    if (!d->disableCheck && !checkAuthorization(d->dbusCallerPid())) {
+    if (!d->disableCheck && !checkAuthorization(d->dbusCallerPid(), s_PolkitActionCreate)) {
         return false;
     }
 

diff --git a/src/service/data/com.deepin.bootmaker.policy b/src/service/data/com.deepin.bootmaker.policy
@@ -5,7 +5,7 @@
 <policyconfig>
     <vendor>LinuxDeepin</vendor>
     <vendor_url>https://www.deepin.com/</vendor_url>
-    <action id="com.deepin.bootmaker">
+    <action id="com.deepin.bootmaker.create">
         <message>To create a bootable USB drive you need to authenticate.</message>
         <message xml:lang="zh_CN">创建启动盘需要您进行认证。</message>
         <message xml:lang="zh_HK">創建啓動盤需要您進行認證。</message>
@@ -18,4 +18,17 @@
         <annotate key="org.freedesktop.policykit.exec.path">/usr/lib/deepin-daemon/deepin-boot-maker-service</annotate>
         <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
     </action>
+    <action id="com.deepin.bootmaker.reboot">
+        <message>Authentication is required to reboot the operating system.</message>
+        <message xml:lang="zh_CN">重启操作系统需要认证。</message>
+        <message xml:lang="zh_HK">重啓作業系統需要認證。</message>
+        <message xml:lang="zh_TW">重啟作業系統需要認證。</message>
+            <defaults>
+                <allow_any>no</allow_any>
+                <allow_inactive>no</allow_inactive>
+                <allow_active>auth_admin_keep</allow_active>
+            </defaults>
+        <annotate key="org.freedesktop.policykit.exec.path">/usr/lib/deepin-daemon/deepin-boot-maker-service</annotate>
+        <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
+    </action>
 </policyconfig>