import UBI polkit-125-4.el10

2025-11-11 21:47:35 +00:00 · 2025-11-11 21:47:35 +00:00 · 7ab669628c
commit 7ab669628c
parent 2f91e45edb
2 changed files with 79 additions and 1 deletions
--- a/loglevel_property_root_only.patch
+++ b/loglevel_property_root_only.patch
@ -0,0 +1,72 @@
+commit 5a4ba7dfdcc3f71e28b5921e71b1685886b46343
+Author: Luca Boccassi <luca.boccassi@gmail.com>
+Date:   Tue Oct 29 13:34:39 2024 +0000
+
+    polkit: explicitly restrict setting D-Bus property to root
+    
+    Unlike sd-bus in libsystemd, gdbus in glib does not automatically
+    restrict changing properties to the root user. Check the credential
+    of the caller manually so that changes are restricted as expected.
+    Also add more user-friendly error messages to other error conditions
+    for a better user experience.
+
+diff --git a/src/polkitbackend/polkitbackendauthority.c b/src/polkitbackend/polkitbackendauthority.c
+index 223dc4a..86ca632 100644
+--- a/src/polkitbackend/polkitbackendauthority.c
+++ b/src/polkitbackend/polkitbackendauthority.c
+@@ -1439,18 +1439,48 @@ server_handle_set_property (GDBusConnection  *connection,
+                             GError          **error,
+                             gpointer          user_data)
+ {
+  PolkitSubject *caller_subject;
+  PolkitUnixUser *caller_user;
+  const gchar *level;
+
+   if (g_strcmp0 (interface_name, "org.freedesktop.LogControl1") != 0)
+-    return FALSE;
+    {
+      g_set_error (error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT, "Only properties of org.freedesktop.LogControl1 can be modified");
+      return FALSE;
+    }
+ 
+-  if (g_strcmp0 (property_name, "LogLevel") == 0)
+  if (g_strcmp0 (property_name, "LogLevel") != 0)
+     {
+-      const gchar *level;
+      g_set_error (error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT, "Only LogLevel can be modified");
+      return FALSE;
+    }
+ 
+-      g_variant_get (value, "&s", &level);
+-      polkit_backend_authority_set_log_level (level);
+  caller_subject = polkit_system_bus_name_new (sender);
+  if (!caller_subject)
+    {
+      g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, "Could not obtain caller's credentials");
+      return FALSE;
+     }
+-  else
+-    return FALSE;
+  caller_user = polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (caller_subject), NULL, error);
+  if (!caller_user)
+    {
+      g_object_unref (caller_subject);
+      g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, "Could not obtain caller's credentials");
+      return FALSE;
+    }
+  if ((uid_t)polkit_unix_user_get_uid (caller_user) != 0)
+    {
+      g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED, "Only root can change the log level");
+      g_object_unref (caller_user);
+      g_object_unref (caller_subject);
+      return FALSE;
+    }
+
+  g_variant_get (value, "&s", &level);
+  polkit_backend_authority_set_log_level (level);
+
+  g_object_unref (caller_user);
+  g_object_unref (caller_subject);
+ 
+   return TRUE;
+ }
--- a/polkit.spec
+++ b/polkit.spec
@ -4,13 +4,14 @@
 Summary: An authorization framework
 Name: polkit
 Version: 125
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: LGPL-2.0-or-later
 URL: https://github.com/polkit-org/polkit
 Source0: https://github.com/polkit-org/polkit/archive/refs/tags/%{version}.tar.gz
 Source1: polkit.sysusers

 Patch1: pthread_condattr_loglevel.patch
+Patch2: loglevel_property_root_only.patch

 BuildRequires: gcc-c++
 BuildRequires: glib2-devel >= 2.30.0
@ -163,6 +164,11 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 %{_libdir}/girepository-1.0/*.typelib

 %changelog
+* Tue Aug 12 2025 Jan Rybar <jrybar@redhat.com> - 125-4
+- changing log level via dbus is now restricted to root
+- backport of https://github.com/polkit-org/polkit/commit/5a4ba7dfdcc3f
+- Resolves: RHEL-90807
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 125-3
 - Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018