core: enforce permissions for SetLogging

This was always protected by D-Bus policy permissions, but just to be paranoid, ensure it's also protected by explicit checks on the UID.
2026-04-18 05:00:38 +02:00 · 2014-01-22 13:07:24 -06:00 · 2014-01-22 13:07:24 -06:00 · f0149b6372
commit f0149b6372
parent 474b76134c
2 changed files with 31 additions and 9 deletions
--- a/introspection/nm-manager.xml
+++ b/introspection/nm-manager.xml
@ -209,6 +209,7 @@

    <method name="SetLogging">
      <annotation name="org.freedesktop.DBus.GLib.CSymbol" value="impl_manager_set_logging"/>
+      <annotation name="org.freedesktop.DBus.GLib.Async" value=""/>
      <tp:docstring>
        Set logging verbosity and which operations are logged.
      </tp:docstring>
--- a/src/nm-manager.c
+++ b/src/nm-manager.c
@ -123,10 +123,10 @@ static gboolean impl_manager_get_state (NMManager *manager,
                                        guint32 *state,
                                        GError **error);

-static gboolean impl_manager_set_logging (NMManager *manager,
-                                          const char *level,
-                                          const char *domains,
-                                          GError **error);
+static void impl_manager_set_logging (NMManager *manager,
+                                      const char *level,
+                                      const char *domains,
+                                      DBusGMethodInvocation *context);

 static void impl_manager_get_logging (NMManager *manager,
                                      char **level,
@ -4002,13 +4002,31 @@ impl_manager_get_state (NMManager *manager, guint32 *state, GError **error)
 	return TRUE;
 }

-static gboolean
+static void
 impl_manager_set_logging (NMManager *manager,
                          const char *level,
                          const char *domains,
-                          GError **error)
+                          DBusGMethodInvocation *context)
 {
-	if (nm_logging_setup (level, domains, NULL, error)) {
+	NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (manager);
+	GError *error = NULL;
+	gulong caller_uid = G_MAXULONG;
+
+	if (!nm_dbus_manager_get_caller_info (priv->dbus_mgr, context, NULL, &caller_uid, NULL)) {
+		error = g_error_new_literal (NM_MANAGER_ERROR,
+		                             NM_MANAGER_ERROR_PERMISSION_DENIED,
+		                             "Failed to get request UID.");
+		goto done;
+	}
+
+	if (0 != caller_uid) {
+		error = g_error_new_literal (NM_MANAGER_ERROR,
+		                             NM_MANAGER_ERROR_PERMISSION_DENIED,
+		                             "Permission denied");
+		goto done;
+	}
+
+	if (nm_logging_setup (level, domains, NULL, &error)) {
 		char *new_level = nm_logging_level_to_string ();
 		char *new_domains = nm_logging_domains_to_string ();

@ -4016,9 +4034,12 @@ impl_manager_set_logging (NMManager *manager,
 		             new_level, new_domains);
 		g_free (new_level);
 		g_free (new_domains);
-		return TRUE;
 	}
-	return FALSE;
+
+done:
+	if (error)
+		dbus_g_method_return_error (context, error);
+	g_clear_error (&error);
 }

 static void