Commit c7b018d1 authored by Cosimo Cecchi's avatar Cosimo Cecchi Committed by Cosimo Cecchi

Introduce an admin gvfs backend

The new admin backend is activated through pkexec and allows
applications to promote their I/O operations to be privileged.
Privilege checking is achieved through polkit.
parent 535f1e6b
......@@ -145,6 +145,24 @@ fi
AC_SEARCH_LIBS([login_tty], [util], [AC_DEFINE([HAVE_LOGIN_TTY],[],[Whether login_tty is available])])
dnl ***************************************************
dnl *** Check if we should build with admin backend ***
dnl ***************************************************
AC_ARG_ENABLE([admin], [AS_HELP_STRING([--disable-admin],[build without admin backend])])
msg_admin=no
if test "x$enable_admin" != "xno"; then
PKG_CHECK_MODULES([ADMIN], [polkit-gobject-1], [msg_admin=yes])
if test "x$msg_admin" = "xyes"; then
AC_DEFINE([HAVE_ADMIN], 1, [Define to 1 if admin backend is going to be built])
fi
fi
AC_SUBST(ADMIN_CFLAGS)
AC_SUBST(ADMIN_LIBS)
AM_CONDITIONAL([HAVE_ADMIN], [test "$msg_admin" = "yes"])
dnl **************************************************
dnl *** Check if we should build with http backend ***
dnl **************************************************
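Review bot: `PKG_CHECK_MODULES([ADMIN], [polkit-gobject-1], [msg_admin=yes])` has no action-if-not-found argument, so with the default (admin enabled) configure stops with an error when polkit-gobject-1 is missing instead of leaving `msg_admin=no`. The `if test "x$msg_admin" = "xyes"` that follows can then never be false. If a build without polkit is meant to work, pass the fourth argument: `PKG_CHECK_MODULES([ADMIN], [polkit-gobject-1], [msg_admin=yes], [msg_admin=no])`. Since this backend runs as root, it is also worth deciding explicitly whether it should be on by default.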
......
......@@ -55,6 +55,12 @@ libexec_PROGRAMS=gvfsd gvfsd-sftp gvfsd-trash gvfsd-computer gvfsd-burn gvfsd-lo
mount_in_files = sftp.mount.in ftp.mount.in ftps.mount.in trash.mount.in computer.mount.in burn.mount.in localtest.mount.in network.mount.in
mount_DATA = sftp.mount ftp.mount ftps.mount trash.mount computer.mount burn.mount localtest.mount network.mount
mount_in_files += admin.mount.in
if HAVE_ADMIN
mount_DATA += admin.mount
libexec_PROGRAMS += gvfsd-admin
endif
mount_in_files +=google.mount.in
if USE_GOOGLE
mount_DATA += google.mount
......@@ -147,6 +153,7 @@ EXTRA_DIST = \
$(gvfs_gschemas_dist) \
$(gvfs_gschemas_convert_dist) \
$(gsettings_ENUM_FILES) \
org.gtk.vfs.file-operations.policy.in.in \
$(NULL)
DISTCLEANFILES = $(mount_DATA) $(noinst_DATA)
......@@ -155,6 +162,8 @@ CLEANFILES = \
$(gsettings__enum_file) \
$(service_DATA) \
$(systemd_user_DATA) \
$(gvfs_polkit_actions_DATA) \
$(gvfs_polkit_actions_in_files) \
*.gschema.valid
noinst_PROGRAMS = \
......@@ -449,6 +458,20 @@ gvfsd_cdda_LDADD = $(libraries) $(CDDA_LIBS) $(HAL_LIBS) \
$(top_builddir)/common/libgvfscommon-hal.la
endif
gvfsd_admin_SOURCES = \
gvfsbackendadmin.c gvfsbackendadmin.h \
daemon-main.c daemon-main.h \
daemon-main-generic.c
gvfsd_admin_CPPFLAGS = \
$(flags) \
-DBACKEND_HEADER=gvfsbackendadmin.h \
-DDEFAULT_BACKEND_TYPE=admin \
-DBACKEND_TYPES='"admin", G_VFS_TYPE_BACKEND_ADMIN,' \
$(ADMIN_CFLAGS)
gvfsd_admin_LDADD = $(libraries) $(ADMIN_LIBS)
gvfsd_google_SOURCES = \
gvfsbackendgoogle.c gvfsbackendgoogle.h \
daemon-main.c daemon-main.h \
......@@ -628,7 +651,6 @@ gvfsd_nfs_CPPFLAGS = \
gvfsd_nfs_LDADD = $(libraries) $(NFS_LIBS)
# GSettings stuff
gsettings_ENUM_NAMESPACE = org.gnome.system.gvfs
gsettings_ENUM_FILES = $(top_srcdir)/daemon/gvfs-enums.h
......@@ -639,3 +661,14 @@ gsettings_SCHEMAS = $(gvfs_gschemas)
gvfs_gschemas_convertdir = $(datadir)/GConf/gsettings
gvfs_gschemas_convert_DATA = $(gvfs_gschemas_convert)
org.gtk.vfs.file-operations.policy.in: org.gtk.vfs.file-operations.policy.in.in Makefile
$(AM_V_GEN) sed -e "s|\@libexecdir\@|$(libexecdir)|" $< > $@
@INTLTOOL_POLICY_RULE@
gvfs_polkit_actionsdir = $(datadir)/polkit-1/actions
gvfs_polkit_actions_in_files = org.gtk.vfs.file-operations.policy.in
gvfs_polkit_actions_DATA = org.gtk.vfs.file-operations.policy
gvfs_polkit_rulesdir = $(datadir)/polkit-1/rules.d
dist_gvfs_polkit_rules_DATA = org.gtk.vfs.file-operations.rules
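Review bot: In the last hunk `gvfs_polkit_actions_DATA` and `dist_gvfs_polkit_rules_DATA` are set outside any `if HAVE_ADMIN`, while `gvfsd-admin` and `admin.mount` in the earlier hunk are conditional. As far as the visible lines show, a `--disable-admin` build would still install the polkit policy (whose `exec.path` names a gvfsd-admin that was not built) and the rules file under `$(datadir)/polkit-1`. Wrapping the two `_DATA` assignments in `if HAVE_ADMIN` / `endif` keeps the installed authorization files in step with the binary. The `_in_files` and `EXTRA_DIST` entries can stay unconditional so `make dist` still ships the sources.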
[Mount]
Type=admin
Exec=/bin/sh -c 'pkexec @libexecdir@/gvfsd-admin --address "$@" $DBUS_SESSION_BUS_ADDRESS'
AutoMount=true
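Review bot: `$DBUS_SESSION_BUS_ADDRESS` is expanded unquoted inside the `sh -c` string on the `Exec=` line, so the shell word-splits and glob-expands a value taken from the caller's environment before it becomes arguments of a helper that pkexec runs as root. Quoting it keeps the address as a single argument: `... --address "$@" "$DBUS_SESSION_BUS_ADDRESS"'`. The argument order also deserves a check: as written the positional parameters follow `--address` directly and the bus address comes last. The option parsing lives in gvfsbackendadmin.c, whose diff is collapsed on this page, so which value `--address` consumes cannot be confirmed from here.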
......@@ -32,6 +32,9 @@ main (int argc, char *argv[])
{
#ifndef BACKEND_USES_GVFS
g_setenv ("GIO_USE_VFS", "local", TRUE);
#endif
#ifdef BACKEND_PRE_SETUP_FUNC
BACKEND_PRE_SETUP_FUNC (&argc, &argv);
#endif
daemon_init ();
#ifdef BACKEND_SETUP_FUNC
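Review bot: The new `BACKEND_PRE_SETUP_FUNC` hook has no comment stating its contract, and it is the first backend code to see `argc`/`argv`, ahead of `daemon_init ()`. For the admin backend that means it runs in a process started through pkexec with arguments that originate in the unprivileged session, so the expectation should be written down above the `#ifdef`, e.g. `/* Optional hook run before daemon_init(); may rewrite argc/argv and must treat them as untrusted input. */`. `main` continues outside this hunk.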
......
This diff is collapsed.
/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
/* gvfs - extensions for gio
*
* Copyright (C) 2015 Cosimo Cecchi <cosimoc@gnome.org>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General
* Public License along with this library; if not, write to the
* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
* Boston, MA 02110-1301, USA.
*/
#ifndef __G_VFS_BACKEND_ADMIN_H__
#define __G_VFS_BACKEND_ADMIN_H__
#include <gvfsbackend.h>
G_BEGIN_DECLS
#define BACKEND_PRE_SETUP_FUNC g_vfs_backend_admin_pre_setup
#define G_VFS_TYPE_BACKEND_ADMIN (g_vfs_backend_admin_get_type())
#define G_VFS_BACKEND_ADMIN(o) \
(G_TYPE_CHECK_INSTANCE_CAST((o), \
G_VFS_TYPE_BACKEND_ADMIN, GVfsBackendAdmin))
#define G_VFS_BACKEND_ADMIN_CLASS(k) \
(G_TYPE_CHECK_CLASS_CAST((k), \
G_VFS_TYPE_BACKEND_ADMIN, GVfsBackendAdminClass))
#define G_VFS_IS_BACKEND_ADMIN(o) \
(G_TYPE_CHECK_INSTANCE_TYPE((o), \
G_VFS_TYPE_BACKEND_ADMIN))
#define G_VFS_IS_BACKEND_ADMIN_CLASS(k) \
(G_TYPE_CHECK_CLASS_TYPE((k), \
G_VFS_TYPE_BACKEND_ADMIN))
#define G_VFS_BACKEND_ADMIN_GET_CLASS(o) \
(G_TYPE_INSTANCE_GET_CLASS((o), \
G_VFS_TYPE_BACKEND_ADMIN, GVfsBackendAdminClass))
typedef struct _GVfsBackendAdmin GVfsBackendAdmin;
typedef struct _GVfsBackendAdminClass GVfsBackendAdminClass;
GType g_vfs_backend_admin_get_type (void) G_GNUC_CONST;
void g_vfs_backend_admin_pre_setup (int *argc, char **argv[]);
G_END_DECLS
#endif /* __G_VFS_BACKEND_ADMIN_H__ */
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
<vendor>GVfs</vendor>
<vendor_url>http://git.gnome.org/browse/gvfs</vendor_url>
<action id="org.gtk.vfs.file-operations-helper">
<_description>Perform file operations</_description>
<_message>Authentication is required to perform file operations</_message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">@libexecdir@/gvfsd-admin</annotate>
</action>
<action id="org.gtk.vfs.file-operations">
<_description>Perform file operations</_description>
<_message>Authentication is required to perform file operations</_message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
</policyconfig>
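Review bot: Both actions default to `auth_admin_keep`, and `org.gtk.vfs.file-operations` is a single action for every kind of operation, with the fixed message "Authentication is required to perform file operations". After one successful prompt polkit retains the authorization for a short period, so later reads, writes and deletes could pass without the user seeing which file or operation is being approved. How the backend scopes the check is in gvfsbackendadmin.c, which is collapsed on this page. Consider `<allow_active>auth_admin</allow_active>` for the per-operation action, or add a comment in the policy explaining why retention is acceptable.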
polkit.addRule(function(action, subject) {
if ((action.id == "org.gtk.vfs.file-operations-helper") &&
subject.local &&
subject.active &&
subject.isInGroup ("wheel")) {
return polkit.Result.YES;
}
});
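Review bot: This rule returns `polkit.Result.YES` for `org.gtk.vfs.file-operations-helper` to any local, active member of `wheel`, which overrides the `auth_admin_keep` default from the policy file and lets those users start the root helper through pkexec with no prompt. That leaves the per-operation `org.gtk.vfs.file-operations` check as the only authentication step, so the file should say so in a comment at the top, for example `// Starting the helper is unauthenticated for wheel; every file operation must still pass org.gtk.vfs.file-operations.` The group name is also hard-coded, so on distributions whose administrator group is not `wheel` the rule would not match and the policy default would apply.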