author | Aleksander Morgado <aleksander@aleksander.es> | 2019-09-25 12:37:08 +0200 |
---|---|---|
committer | Aleksander Morgado <aleksander@aleksander.es> | 2019-09-25 13:08:32 +0200 |
commit | 7a7b3aa5cba44759ebe3276d5a6e4e25f7d2e850 (patch) | |
tree | 6dcc6f5573ba2cb1ccf76233a61e26d4d77cf638 | |
parent | be2500b02a837a368d178ef7d71124273ee22263 (diff) |
polkit,time: protect GetNetworkTime() with a new 'Time' policy rule
-rw-r--r-- | data/org.freedesktop.ModemManager1.conf.polkit | 7 | ||||
-rw-r--r-- | data/org.freedesktop.ModemManager1.policy.in.in | 9 | ||||
-rw-r--r-- | src/mm-auth-provider.h | 1 | ||||
-rw-r--r-- | src/mm-iface-modem-time.c | 74 |
4 files changed, 63 insertions, 28 deletions
diff --git a/data/org.freedesktop.ModemManager1.conf.polkit b/data/org.freedesktop.ModemManager1.conf.polkit index e6ba8710..311883fe 100644 --- a/data/org.freedesktop.ModemManager1.conf.polkit +++ b/data/org.freedesktop.ModemManager1.conf.polkit @@ -299,6 +299,13 @@ send_interface="org.freedesktop.ModemManager1.Modem.Signal" send_member="Setup"/> + <!-- org.freedesktop.ModemManager1.Modem.Time.xml --> + + <!-- Protected by the Time policy rule --> + <allow send_destination="org.freedesktop.ModemManager1" + send_interface="org.freedesktop.ModemManager1.Modem.Time" + send_member="GetNetworkTime"/> + </policy> <policy user="root"> diff --git a/data/org.freedesktop.ModemManager1.policy.in.in b/data/org.freedesktop.ModemManager1.policy.in.in index 7edb20c7..235affd7 100644 --- a/data/org.freedesktop.ModemManager1.policy.in.in +++ b/data/org.freedesktop.ModemManager1.policy.in.in @@ -54,6 +54,15 @@ </defaults> </action> + <action id="org.freedesktop.ModemManager1.Time"> + <description>Query network time and timezone information</description> + <message>System policy prevents querying network time information.</message> + <defaults> + <allow_inactive>no</allow_inactive> + <allow_active>@MM_DEFAULT_USER_POLICY@</allow_active> + </defaults> + </action> + <action id="org.freedesktop.ModemManager1.Location"> <description>Enable and view geographic location and positioning information</description> <message>System policy prevents enabling or viewing geographic location information.</message> diff --git a/src/mm-auth-provider.h b/src/mm-auth-provider.h index e9c2cba4..0f1270ce 100644 --- a/src/mm-auth-provider.h +++ b/src/mm-auth-provider.h 
@@ -34,6 +34,7 @@ #define MM_AUTHORIZATION_VOICE "org.freedesktop.ModemManager1.Voice" #define MM_AUTHORIZATION_USSD "org.freedesktop.ModemManager1.USSD" #define MM_AUTHORIZATION_LOCATION "org.freedesktop.ModemManager1.Location" +#define MM_AUTHORIZATION_TIME "org.freedesktop.ModemManager1.Time" #define MM_AUTHORIZATION_FIRMWARE "org.freedesktop.ModemManager1.Firmware" typedef struct _MMAuthProvider MMAuthProvider; diff --git a/src/mm-iface-modem-time.c b/src/mm-iface-modem-time.c index b8d35bf8..1ed4b903 100644 --- a/src/mm-iface-modem-time.c +++ b/src/mm-iface-modem-time.c 
@@ -55,42 +55,34 @@ handle_get_network_time_context_free (HandleGetNetworkTimeContext *ctx) } static void -load_network_time_ready (MMIfaceModemTime *self, - GAsyncResult *res, +load_network_time_ready (MMIfaceModemTime *self, + GAsyncResult *res, HandleGetNetworkTimeContext *ctx) { gchar *time_str; GError *error = NULL; - time_str = MM_IFACE_MODEM_TIME_GET_INTERFACE (self)->load_network_time_finish (self, - res, - &error); + time_str = MM_IFACE_MODEM_TIME_GET_INTERFACE (self)->load_network_time_finish (self, res, &error); if (error) g_dbus_method_invocation_take_error (ctx->invocation, error); else - mm_gdbus_modem_time_complete_get_network_time (ctx->skeleton, - ctx->invocation, - time_str); + mm_gdbus_modem_time_complete_get_network_time (ctx->skeleton, ctx->invocation, time_str); g_free (time_str); handle_get_network_time_context_free (ctx); } -static gboolean -handle_get_network_time (MmGdbusModemTime *skeleton, - GDBusMethodInvocation *invocation, - MMIfaceModemTime *self) +static void +handle_get_network_time_auth_ready (MMBaseModem *self, + GAsyncResult *res, + HandleGetNetworkTimeContext *ctx) { - HandleGetNetworkTimeContext *ctx; - MMModemState state; + MMModemState state; + GError *error = NULL; - if (!MM_IFACE_MODEM_TIME_GET_INTERFACE (self)->load_network_time || - !MM_IFACE_MODEM_TIME_GET_INTERFACE (self)->load_network_time_finish) { - g_dbus_method_invocation_return_error (invocation, - MM_CORE_ERROR, - MM_CORE_ERROR_UNSUPPORTED, - "Cannot load network time: " - "operation not supported"); - return TRUE; + if (!mm_base_modem_authorize_finish (self, res, &error)) { + g_dbus_method_invocation_take_error (ctx->invocation, error); + handle_get_network_time_context_free (ctx); + return; } state = MM_MODEM_STATE_UNKNOWN; 
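Review bot: The new `handle_get_network_time_auth_ready()` carries no comment explaining why `mm_base_modem_authorize_finish()` is the first thing it checks, and that ordering is the security-relevant part of this change. On failure the caller receives only the authorization error, before any modem state is read. I would add a line above the check such as `/* Authorize first, so unauthorized callers learn nothing about registration state or time support */`, so a later refactor does not hoist the state or capability checks back into `handle_get_network_time()`. The function body continues past the end of this hunk.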
@@ -99,23 +91,49 @@ handle_get_network_time (MmGdbusModemTime *skeleton, NULL); /* If we're not yet registered, we cannot get the network time */ if (state < MM_MODEM_STATE_REGISTERED) { - g_dbus_method_invocation_return_error (invocation, + g_dbus_method_invocation_return_error (ctx->invocation, MM_CORE_ERROR, MM_CORE_ERROR_WRONG_STATE, "Cannot load network time: " "not registered yet"); - return TRUE; + handle_get_network_time_context_free (ctx); + return; } + if (!MM_IFACE_MODEM_TIME_GET_INTERFACE (self)->load_network_time || + !MM_IFACE_MODEM_TIME_GET_INTERFACE (self)->load_network_time_finish) { + g_dbus_method_invocation_return_error (ctx->invocation, + MM_CORE_ERROR, + MM_CORE_ERROR_UNSUPPORTED, + "Cannot load network time: " + "operation not supported"); + handle_get_network_time_context_free (ctx); + return; + } + + MM_IFACE_MODEM_TIME_GET_INTERFACE (self)->load_network_time ( + ctx->self, + (GAsyncReadyCallback)load_network_time_ready, + ctx); +} + +static gboolean +handle_get_network_time (MmGdbusModemTime *skeleton, + GDBusMethodInvocation *invocation, + MMIfaceModemTime *self) +{ + HandleGetNetworkTimeContext *ctx; + ctx = g_new (HandleGetNetworkTimeContext, 1); ctx->invocation = g_object_ref (invocation); ctx->skeleton = g_object_ref (skeleton); ctx->self = g_object_ref (self); - MM_IFACE_MODEM_TIME_GET_INTERFACE (self)->load_network_time ( - self, - (GAsyncReadyCallback)load_network_time_ready, - ctx); + mm_base_modem_authorize (MM_BASE_MODEM (self), + invocation, + MM_AUTHORIZATION_TIME, + (GAsyncReadyCallback)handle_get_network_time_auth_ready, + ctx); return TRUE; } |
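Review bot: The "operation not supported" check now runs after the registration-state check, whereas the removed code in `handle_get_network_time()` tested the `load_network_time`/`load_network_time_finish` pointers first. On a modem that does not implement time loading, a caller on an unregistered modem now gets `MM_CORE_ERROR_WRONG_STATE` instead of `MM_CORE_ERROR_UNSUPPORTED`, which a client may reasonably treat as worth retrying. If that reordering is not intended, move the unsupported block above `if (state < MM_MODEM_STATE_REGISTERED)`, keeping both after the authorization check. Separately, the interface lookups use `self` while the call passes `ctx->self`; presumably these are the same object, so using `ctx->self` throughout would read more consistently. `handle_get_network_time_auth_ready()` starts outside this hunk.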