systemd: Re-enable chvt as non-root user without polkit

systemd 245 introduced a regression in behavior where they removed support for non-root users to chvt from a service file. This prevents running compositors (e.g. weston) as any user other than root. The intention is for polkit to be used to allow this (and in fact the default polkit rules that ship with systemd allow this). However, polkit is a huge dependency to bring in for an embedded system, and isn't support by OE-core. The patch has been proposed upstream to restore the previous behavior of allowing a non-root user to chvt to unbreak the regression without requiring polkit. Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/17494] (From OE-Core rev: e42dd9cff98f2149904e104f08bc3f19ee7b6fc0) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit ef8cf581b680f8b8ee35d50c75891b4fd8b91f2f) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joshua Watt <JPEWhacker@gmail.com> 2020-11-16 08:38:26 -0600
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-02-26 15:30:40 +0000
commit: 4119c8e2475afd4409016e15200492fb293ab559 (patch)
tree: 01ce6410d21cfc2a1a39a4329ca66df5785086d1
parent: cd0fb6c0e718af510aee057df9a1f49634fe226e (diff)
download: poky-4119c8e2475afd4409016e15200492fb293ab559.tar.gz
2 files changed, 228 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
new file mode 100644
index 0000000000..89ef39bc3e
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
@@ -0,0 +1,227 @@
+From 150d9cade6d475570395cb418b824524dead9577 Mon Sep 17 00:00:00 2001
+From: Joshua Watt <JPEWhacker@gmail.com>
+Date: Fri, 30 Oct 2020 08:15:43 -0500
+Subject: [PATCH] logind: Restore chvt as non-root user without polkit
+4acf0cfd2f ("logind: check PolicyKit before allowing VT switch") broke
+the ability to write user sessions that run graphical sessions (e.g.
+weston/X11). This was partially amended in 19bb87fbfa ("login: allow
+non-console sessions to change vt") by changing the default PolicyKit
+policy so that non-root users are again allowed to switch the VT. This
+makes the policy when PolKit is not enabled (as on many embedded
+systems) match the default PolKit policy and allows launching graphical
+sessions as a non-root user.
+Closes #17473
+---
+ src/login/logind-dbus.c         | 11 ++-------
+ src/login/logind-polkit.c       | 26 +++++++++++++++++++++
+ src/login/logind-polkit.h       | 10 ++++++++
+ src/login/logind-seat-dbus.c    | 41 ++++-----------------------------
+ src/login/logind-session-dbus.c | 11 ++-------
+ src/login/meson.build           |  1 +
+ 6 files changed, 46 insertions(+), 54 deletions(-)
+ create mode 100644 src/login/logind-polkit.c
+ create mode 100644 src/login/logind-polkit.h
+diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
+index 0f83ed99bc..a3765d88ba 100644
+--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
+@@ -30,6 +30,7 @@
+ #include "format-util.h"
+ #include "fs-util.h"
+ #include "logind-dbus.h"
+#include "logind-polkit.h"
+ #include "logind-seat-dbus.h"
+ #include "logind-session-dbus.h"
+ #include "logind-user-dbus.h"
+@@ -1047,15 +1048,7 @@ static int method_activate_session_on_seat(sd_bus_message *message, void *userda
+                 return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT,
+                                          "Session %s not on seat %s", session_name, seat_name);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &m->polkit_registry,
+-                        error);
+        r = check_polkit_chvt(message, m, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+diff --git a/src/login/logind-polkit.c b/src/login/logind-polkit.c
+new file mode 100644
+index 0000000000..9072570cc6
+--- /dev/null
+++ b/src/login/logind-polkit.c
+@@ -0,0 +1,26 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+
+#include "bus-polkit.h"
+#include "logind-polkit.h"
+#include "missing_capability.h"
+#include "user-util.h"
+
+int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error) {
+#if ENABLE_POLKIT
+        return bus_verify_polkit_async(
+                        message,
+                        CAP_SYS_ADMIN,
+                        "org.freedesktop.login1.chvt",
+                        NULL,
+                        false,
+                        UID_INVALID,
+                        &manager->polkit_registry,
+                        error);
+#else
+        /* Allow chvt when polkit is not present. This allows a service to start a graphical session as a
+         * non-root user when polkit is not compiled in, matching the default polkit policy */
+        return 1;
+#endif
+}
+
+
+diff --git a/src/login/logind-polkit.h b/src/login/logind-polkit.h
+new file mode 100644
+index 0000000000..476c077a8a
+--- /dev/null
+++ b/src/login/logind-polkit.h
+@@ -0,0 +1,10 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+#pragma once
+
+#include "sd-bus.h"
+
+#include "bus-object.h"
+#include "logind.h"
+
+int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error);
+
+diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c
+index a945132284..f22e9e2734 100644
+--- a/src/login/logind-seat-dbus.c
+++ b/src/login/logind-seat-dbus.c
+@@ -9,6 +9,7 @@
+ #include "bus-polkit.h"
+ #include "bus-util.h"
+ #include "logind-dbus.h"
+#include "logind-polkit.h"
+ #include "logind-seat-dbus.h"
+ #include "logind-seat.h"
+ #include "logind-session-dbus.h"
+@@ -179,15 +180,7 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b
+         if (session->seat != s)
+                 return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name, s->id);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
+        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+@@ -215,15 +208,7 @@ static int method_switch_to(sd_bus_message *message, void *userdata, sd_bus_erro
+         if (to <= 0)
+                 return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal");
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
+        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+@@ -243,15 +228,7 @@ static int method_switch_to_next(sd_bus_message *message, void *userdata, sd_bus
+         assert(message);
+         assert(s);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
+        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+@@ -271,15 +248,7 @@ static int method_switch_to_previous(sd_bus_message *message, void *userdata, sd
+         assert(message);
+         assert(s);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
+        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c
+index ccc5ac8df2..57c8a4e900 100644
+--- a/src/login/logind-session-dbus.c
+++ b/src/login/logind-session-dbus.c
+@@ -11,6 +11,7 @@
+ #include "fd-util.h"
+ #include "logind-brightness.h"
+ #include "logind-dbus.h"
+#include "logind-polkit.h"
+ #include "logind-seat-dbus.h"
+ #include "logind-session-dbus.h"
+ #include "logind-session-device.h"
+@@ -192,15 +193,7 @@ int bus_session_method_activate(sd_bus_message *message, void *userdata, sd_bus_
+         assert(message);
+         assert(s);
+ 
+-        r = bus_verify_polkit_async(
+-                        message,
+-                        CAP_SYS_ADMIN,
+-                        "org.freedesktop.login1.chvt",
+-                        NULL,
+-                        false,
+-                        UID_INVALID,
+-                        &s->manager->polkit_registry,
+-                        error);
+        r = check_polkit_chvt(message, s->manager, error);
+         if (r < 0)
+                 return r;
+         if (r == 0)
+diff --git a/src/login/meson.build b/src/login/meson.build
+index 0a7d3d5440..7e46be2add 100644
+--- a/src/login/meson.build
+++ b/src/login/meson.build
+@@ -26,6 +26,7 @@ liblogind_core_sources = files('''
+         logind-device.h
+         logind-inhibit.c
+         logind-inhibit.h
+        logind-polkit.c
+         logind-seat-dbus.c
+         logind-seat-dbus.h
+         logind-seat.c
+-- 
+2.28.0
diff --git a/meta/recipes-core/systemd/systemd_246.9.bb b/meta/recipes-core/systemd/systemd_246.9.bb
index 2f460e9bee..daee795cc2 100644
--- a/meta/recipes-core/systemd/systemd_246.9.bb
+++ b/meta/recipes-core/systemd/systemd_246.9.bb
@@ -21,6 +21,7 @@ SRC_URI += "file://touchscreen.rules \
           file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
           file://0003-implment-systemd-sysv-install-for-OE.patch \
           file://0001-systemd.pc.in-use-ROOTPREFIX-without-suffixed-slash.patch \
+           file://0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch \
           "
 # patches needed by musl
author	Joshua Watt <JPEWhacker@gmail.com>	2020-11-16 08:38:26 -0600
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-02-26 15:30:40 +0000
commit	4119c8e2475afd4409016e15200492fb293ab559 (patch)
tree	01ce6410d21cfc2a1a39a4329ca66df5785086d1
parent	cd0fb6c0e718af510aee057df9a1f49634fe226e (diff)
download	poky-4119c8e2475afd4409016e15200492fb293ab559.tar.gz

diff --git a/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch new file mode 100644 index 0000000000..89ef39bc3e --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch
@@ -0,0 +1,227 @@
		1	From 150d9cade6d475570395cb418b824524dead9577 Mon Sep 17 00:00:00 2001
		2	From: Joshua Watt <JPEWhacker@gmail.com>
		3	Date: Fri, 30 Oct 2020 08:15:43 -0500
		4	Subject: [PATCH] logind: Restore chvt as non-root user without polkit
		5
		6	4acf0cfd2f ("logind: check PolicyKit before allowing VT switch") broke
		7	the ability to write user sessions that run graphical sessions (e.g.
		8	weston/X11). This was partially amended in 19bb87fbfa ("login: allow
		9	non-console sessions to change vt") by changing the default PolicyKit
		10	policy so that non-root users are again allowed to switch the VT. This
		11	makes the policy when PolKit is not enabled (as on many embedded
		12	systems) match the default PolKit policy and allows launching graphical
		13	sessions as a non-root user.
		14
		15	Closes #17473
		16	---
		17	src/login/logind-dbus.c \| 11 ++-------
		18	src/login/logind-polkit.c \| 26 +++++++++++++++++++++
		19	src/login/logind-polkit.h \| 10 ++++++++
		20	src/login/logind-seat-dbus.c \| 41 ++++-----------------------------
		21	src/login/logind-session-dbus.c \| 11 ++-------
		22	src/login/meson.build \| 1 +
		23	6 files changed, 46 insertions(+), 54 deletions(-)
		24	create mode 100644 src/login/logind-polkit.c
		25	create mode 100644 src/login/logind-polkit.h
		26
		27	diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
		28	index 0f83ed99bc..a3765d88ba 100644
		29	--- a/src/login/logind-dbus.c
		30	+++ b/src/login/logind-dbus.c
		31	@@ -30,6 +30,7 @@
		32	#include "format-util.h"
		33	#include "fs-util.h"
		34	#include "logind-dbus.h"
		35	+#include "logind-polkit.h"
		36	#include "logind-seat-dbus.h"
		37	#include "logind-session-dbus.h"
		38	#include "logind-user-dbus.h"
		39	@@ -1047,15 +1048,7 @@ static int method_activate_session_on_seat(sd_bus_message message, void userda
		40	return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT,
		41	"Session %s not on seat %s", session_name, seat_name);
		42
		43	- r = bus_verify_polkit_async(
		44	- message,
		45	- CAP_SYS_ADMIN,
		46	- "org.freedesktop.login1.chvt",
		47	- NULL,
		48	- false,
		49	- UID_INVALID,
		50	- &m->polkit_registry,
		51	- error);
		52	+ r = check_polkit_chvt(message, m, error);
		53	if (r < 0)
		54	return r;
		55	if (r == 0)
		56	diff --git a/src/login/logind-polkit.c b/src/login/logind-polkit.c
		57	new file mode 100644
		58	index 0000000000..9072570cc6
		59	--- /dev/null
		60	+++ b/src/login/logind-polkit.c
		61	@@ -0,0 +1,26 @@
		62	+/* SPDX-License-Identifier: LGPL-2.1+ */
		63	+
		64	+#include "bus-polkit.h"
		65	+#include "logind-polkit.h"
		66	+#include "missing_capability.h"
		67	+#include "user-util.h"
		68	+
		69	+int check_polkit_chvt(sd_bus_message message, Manager manager, sd_bus_error *error) {
		70	+#if ENABLE_POLKIT
		71	+ return bus_verify_polkit_async(
		72	+ message,
		73	+ CAP_SYS_ADMIN,
		74	+ "org.freedesktop.login1.chvt",
		75	+ NULL,
		76	+ false,
		77	+ UID_INVALID,
		78	+ &manager->polkit_registry,
		79	+ error);
		80	+#else
		81	+ /* Allow chvt when polkit is not present. This allows a service to start a graphical session as a
		82	+ * non-root user when polkit is not compiled in, matching the default polkit policy */
		83	+ return 1;
		84	+#endif
		85	+}
		86	+
		87	+
		88	diff --git a/src/login/logind-polkit.h b/src/login/logind-polkit.h
		89	new file mode 100644
		90	index 0000000000..476c077a8a
		91	--- /dev/null
		92	+++ b/src/login/logind-polkit.h
		93	@@ -0,0 +1,10 @@
		94	+/* SPDX-License-Identifier: LGPL-2.1+ */
		95	+#pragma once
		96	+
		97	+#include "sd-bus.h"
		98	+
		99	+#include "bus-object.h"
		100	+#include "logind.h"
		101	+
		102	+int check_polkit_chvt(sd_bus_message message, Manager manager, sd_bus_error *error);
		103	+
		104	diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c
		105	index a945132284..f22e9e2734 100644
		106	--- a/src/login/logind-seat-dbus.c
		107	+++ b/src/login/logind-seat-dbus.c
		108	@@ -9,6 +9,7 @@
		109	#include "bus-polkit.h"
		110	#include "bus-util.h"
		111	#include "logind-dbus.h"
		112	+#include "logind-polkit.h"
		113	#include "logind-seat-dbus.h"
		114	#include "logind-seat.h"
		115	#include "logind-session-dbus.h"
		116	@@ -179,15 +180,7 @@ static int method_activate_session(sd_bus_message message, void userdata, sd_b
		117	if (session->seat != s)
		118	return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name, s->id);
		119
		120	- r = bus_verify_polkit_async(
		121	- message,
		122	- CAP_SYS_ADMIN,
		123	- "org.freedesktop.login1.chvt",
		124	- NULL,
		125	- false,
		126	- UID_INVALID,
		127	- &s->manager->polkit_registry,
		128	- error);
		129	+ r = check_polkit_chvt(message, s->manager, error);
		130	if (r < 0)
		131	return r;
		132	if (r == 0)
		133	@@ -215,15 +208,7 @@ static int method_switch_to(sd_bus_message message, void userdata, sd_bus_erro
		134	if (to <= 0)
		135	return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal");
		136
		137	- r = bus_verify_polkit_async(
		138	- message,
		139	- CAP_SYS_ADMIN,
		140	- "org.freedesktop.login1.chvt",
		141	- NULL,
		142	- false,
		143	- UID_INVALID,
		144	- &s->manager->polkit_registry,
		145	- error);
		146	+ r = check_polkit_chvt(message, s->manager, error);
		147	if (r < 0)
		148	return r;
		149	if (r == 0)
		150	@@ -243,15 +228,7 @@ static int method_switch_to_next(sd_bus_message message, void userdata, sd_bus
		151	assert(message);
		152	assert(s);
		153
		154	- r = bus_verify_polkit_async(
		155	- message,
		156	- CAP_SYS_ADMIN,
		157	- "org.freedesktop.login1.chvt",
		158	- NULL,
		159	- false,
		160	- UID_INVALID,
		161	- &s->manager->polkit_registry,
		162	- error);
		163	+ r = check_polkit_chvt(message, s->manager, error);
		164	if (r < 0)
		165	return r;
		166	if (r == 0)
		167	@@ -271,15 +248,7 @@ static int method_switch_to_previous(sd_bus_message message, void userdata, sd
		168	assert(message);
		169	assert(s);
		170
		171	- r = bus_verify_polkit_async(
		172	- message,
		173	- CAP_SYS_ADMIN,
		174	- "org.freedesktop.login1.chvt",
		175	- NULL,
		176	- false,
		177	- UID_INVALID,
		178	- &s->manager->polkit_registry,
		179	- error);
		180	+ r = check_polkit_chvt(message, s->manager, error);
		181	if (r < 0)
		182	return r;
		183	if (r == 0)
		184	diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c
		185	index ccc5ac8df2..57c8a4e900 100644
		186	--- a/src/login/logind-session-dbus.c
		187	+++ b/src/login/logind-session-dbus.c
		188	@@ -11,6 +11,7 @@
		189	#include "fd-util.h"
		190	#include "logind-brightness.h"
		191	#include "logind-dbus.h"
		192	+#include "logind-polkit.h"
		193	#include "logind-seat-dbus.h"
		194	#include "logind-session-dbus.h"
		195	#include "logind-session-device.h"
		196	@@ -192,15 +193,7 @@ int bus_session_method_activate(sd_bus_message message, void userdata, sd_bus_
		197	assert(message);
		198	assert(s);
		199
		200	- r = bus_verify_polkit_async(
		201	- message,
		202	- CAP_SYS_ADMIN,
		203	- "org.freedesktop.login1.chvt",
		204	- NULL,
		205	- false,
		206	- UID_INVALID,
		207	- &s->manager->polkit_registry,
		208	- error);
		209	+ r = check_polkit_chvt(message, s->manager, error);
		210	if (r < 0)
		211	return r;
		212	if (r == 0)
		213	diff --git a/src/login/meson.build b/src/login/meson.build
		214	index 0a7d3d5440..7e46be2add 100644
		215	--- a/src/login/meson.build
		216	+++ b/src/login/meson.build
		217	@@ -26,6 +26,7 @@ liblogind_core_sources = files('''
		218	logind-device.h
		219	logind-inhibit.c
		220	logind-inhibit.h
		221	+ logind-polkit.c
		222	logind-seat-dbus.c
		223	logind-seat-dbus.h
		224	logind-seat.c
		225	--
		226	2.28.0
		227


diff --git a/meta/recipes-core/systemd/systemd_246.9.bb b/meta/recipes-core/systemd/systemd_246.9.bb index 2f460e9bee..daee795cc2 100644 --- a/meta/recipes-core/systemd/systemd_246.9.bb +++ b/meta/recipes-core/systemd/systemd_246.9.bb
@@ -21,6 +21,7 @@ SRC_URI += "file://touchscreen.rules \
21	file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \	21	file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
22	file://0003-implment-systemd-sysv-install-for-OE.patch \	22	file://0003-implment-systemd-sysv-install-for-OE.patch \
23	file://0001-systemd.pc.in-use-ROOTPREFIX-without-suffixed-slash.patch \	23	file://0001-systemd.pc.in-use-ROOTPREFIX-without-suffixed-slash.patch \
		24	file://0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch \
24	"	25	"
25		26
26	# patches needed by musl	27	# patches needed by musl