[OE-core] [PATCH] systemd: add hostname fallback when polkit is not available

Thu, 18 Feb 2021 10:36:49 -0800 

From: Luca Boccassi <luca.bocca...@microsoft.com>

When polkit is not available, networkd will not have permissions
to call hostnamed's dbus methods, as it runs without privileges.
To solve this, when building without polkit, make a new PACKAGECONFIG
'polkit_hostnamed_fallback' available which changes hostnamed so that
it runs as the 'systemd-network' user, the same as networkd, so that
the authorization works (and also with CAP_SYS_ADMIN since it loses
root).
Also run it with a separate 'systemd-hostname' group which also owns
the bus, to avoid giving the 'systemd-network' additional privileges.

Signed-off-by: Luca Boccassi <luca.bocca...@microsoft.com>
---
 .../systemd/00-hostnamed-network-user.conf    |  6 ++++++
 .../org.freedesktop.hostname1_no_polkit.conf  | 11 +++++++++++
 meta/recipes-core/systemd/systemd_247.3.bb    | 19 ++++++++++++++++++-
 3 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 
meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf
 create mode 100644 
meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf

diff --git a/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf 
b/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf
new file mode 100644
index 0000000000..6b224ba9b9
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf
@@ -0,0 +1,6 @@
+[Service]
+# By running with these options instead of root, networkd is allowed to request
+# a hostname change via DBUS when policykit is not present
+User=systemd-network
+Group=systemd-hostname
+AmbientCapabilities=CAP_SYS_ADMIN
diff --git 
a/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf 
b/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf
new file mode 100644
index 0000000000..f4d0271cdb
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf
@@ -0,0 +1,11 @@
+<?xml version="1.0"?> <!--*-nxml-*-->
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 
1.0//EN"
+        "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd";>
+
+<busconfig>
+        <policy group="systemd-hostname">
+                <allow own="org.freedesktop.hostname1"/>
+                <allow send_destination="org.freedesktop.hostname1"/>
+                <allow receive_sender="org.freedesktop.hostname1"/>
+        </policy>
+</busconfig>
diff --git a/meta/recipes-core/systemd/systemd_247.3.bb 
b/meta/recipes-core/systemd/systemd_247.3.bb
index a99e543a77..59e000f1dd 100644
--- a/meta/recipes-core/systemd/systemd_247.3.bb
+++ b/meta/recipes-core/systemd/systemd_247.3.bb
@@ -16,6 +16,8 @@ REQUIRED_DISTRO_FEATURES = "systemd"
 
 SRC_URI += "file://touchscreen.rules \
            file://00-create-volatile.conf \
+           ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 
'file://org.freedesktop.hostname1_no_polkit.conf', '', d)} \
+           ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 
'file://00-hostnamed-network-user.conf', '', d)} \
            file://init \
            file://99-default.preset \
            file://systemd-pager.sh \
@@ -164,6 +166,10 @@ PACKAGECONFIG[openssl] = 
"-Dopenssl=true,-Dopenssl=false,openssl"
 PACKAGECONFIG[pam] = "-Dpam=true,-Dpam=false,libpam,${PAM_PLUGINS}"
 PACKAGECONFIG[pcre2] = "-Dpcre2=true,-Dpcre2=false,libpcre2"
 PACKAGECONFIG[polkit] = "-Dpolkit=true,-Dpolkit=false"
+# If polkit is disabled and networkd+hostnamed are in use, enabling this 
option and
+# using dbus-broker will allow networkd to be authorized to change the
+# hostname without acquiring additional privileges
+PACKAGECONFIG[polkit_hostnamed_fallback] = ",,,,dbus-broker,polkit"
 PACKAGECONFIG[portabled] = "-Dportabled=true,-Dportabled=false"
 PACKAGECONFIG[qrencode] = "-Dqrencode=true,-Dqrencode=false,qrencode,,qrencode"
 PACKAGECONFIG[quotacheck] = "-Dquotacheck=true,-Dquotacheck=false"
@@ -306,6 +312,15 @@ do_install() {
                fi
        fi
 
+       # If polkit is not available and a fallback was requested, install a 
drop-in that allows networkd to
+       # request hostname changes via DBUS without elevating its privileges
+       if ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 
'true', 'false', d)}; then
+               install -d 
${D}${systemd_unitdir}/system/systemd-hostnamed.service.d/
+               install -m 0644 ${WORKDIR}/00-hostnamed-network-user.conf 
${D}${systemd_unitdir}/system/systemd-hostnamed.service.d/
+               install -d ${D}${datadir}/dbus-1/system.d/
+               install -m 0644 
${WORKDIR}/org.freedesktop.hostname1_no_polkit.conf 
${D}${datadir}/dbus-1/system.d/
+       fi
+
        # create link for existing udev rules
        ln -s ${base_bindir}/udevadm ${D}${base_sbindir}/udevadm
 
@@ -370,7 +385,8 @@ USERADD_PACKAGES = "${PN} ${PN}-extra-utils \
                     ${@bb.utils.contains('PACKAGECONFIG', 'microhttpd', 
'${PN}-journal-remote', '', d)} \
                     ${@bb.utils.contains('PACKAGECONFIG', 'journal-upload', 
'${PN}-journal-upload', '', d)} \
 "
-GROUPADD_PARAM_${PN} = "-r systemd-journal"
+GROUPADD_PARAM_${PN} = "-r systemd-journal;"
+GROUPADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 
'polkit_hostnamed_fallback', '-r systemd-hostname;', '', d)}"
 USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', 
'--system -d / -M --shell /sbin/nologin systemd-coredump;', '', d)}"
 USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', 
'--system -d / -M --shell /sbin/nologin systemd-network;', '', d)}"
 USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit', 
'--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 
polkitd;', '', d)}"
@@ -589,6 +605,7 @@ FILES_${PN} = " ${base_bindir}/* \
                 ${datadir}/dbus-1/system.d/org.freedesktop.network1.conf \
                 ${datadir}/dbus-1/system.d/org.freedesktop.resolve1.conf \
                 ${datadir}/dbus-1/system.d/org.freedesktop.systemd1.conf \
+                ${@bb.utils.contains('PACKAGECONFIG', 
'polkit_hostnamed_fallback', 
'${datadir}/dbus-1/system.d/org.freedesktop.hostname1_no_polkit.conf', '', d)} \
                 ${datadir}/dbus-1/system.d/org.freedesktop.hostname1.conf \
                 ${datadir}/dbus-1/system.d/org.freedesktop.login1.conf \
                 ${datadir}/dbus-1/system.d/org.freedesktop.timesync1.conf \
-- 
2.29.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#148321): 
https://lists.openembedded.org/g/openembedded-core/message/148321
Mute This Topic: https://lists.openembedded.org/mt/80736983/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to