[sysprof] sysprofd: require polkit authorization by the peer



commit ab2fdffa6d8df714ab3f13fdf47de7bdf744f961
Author: Christian Hergert <chergert redhat com>
Date:   Wed May 8 19:13:09 2019 -0700

    sysprofd: require polkit authorization by the peer

 src/sysprofd/ipc-service-impl.c           | 44 +++++++++++++++++++++++++++++++
 src/sysprofd/meson.build                  |  4 +--
 src/sysprofd/org.gnome.sysprof2.policy.in | 34 ------------------------
 src/sysprofd/org.gnome.sysprof3.policy.in | 20 ++++++++++++++
 4 files changed, 66 insertions(+), 36 deletions(-)
---
diff --git a/src/sysprofd/ipc-service-impl.c b/src/sysprofd/ipc-service-impl.c
index d8ef8d7..1733bd1 100644
--- a/src/sysprofd/ipc-service-impl.c
+++ b/src/sysprofd/ipc-service-impl.c
@@ -22,6 +22,8 @@
 
 #include "config.h"
 
+#include <polkit/polkit.h>
+
 #include "ipc-service-impl.h"
 
 struct _IpcServiceImpl
@@ -108,6 +110,43 @@ ipc_service_impl_handle_get_proc_file (IpcService            *service,
   return TRUE;
 }
 
+static gboolean
+ipc_service_impl_g_authorize_method (GDBusInterfaceSkeleton *skeleton,
+                                     GDBusMethodInvocation  *invocation)
+{
+  PolkitAuthority *authority = NULL;
+  PolkitSubject *subject = NULL;
+  const gchar *peer_name;
+  gboolean ret = TRUE;
+
+  g_assert (IPC_IS_SERVICE_IMPL (skeleton));
+  g_assert (G_IS_DBUS_METHOD_INVOCATION (invocation));
+
+  peer_name = g_dbus_method_invocation_get_sender (invocation);
+
+  if (!(authority = polkit_authority_get_sync (NULL, NULL)) ||
+      !(subject = polkit_system_bus_name_new (peer_name)) ||
+      !polkit_authority_check_authorization_sync (authority,
+                                                  POLKIT_SUBJECT (subject),
+                                                  "org.gnome.sysprof3.profile",
+                                                  NULL,
+                                                  POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
+                                                  NULL,
+                                                  NULL))
+    {
+      g_dbus_method_invocation_return_error (g_steal_pointer (&invocation),
+                                             G_DBUS_ERROR,
+                                             G_DBUS_ERROR_ACCESS_DENIED,
+                                             "Not authorized to make request");
+      ret = FALSE;
+    }
+
+  g_clear_object (&authority);
+  g_clear_object (&subject);
+
+  return ret;
+}
+
 static void
 init_service_iface (IpcServiceIface *iface)
 {
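Review bot: The authorization result is never inspected in `ipc_service_impl_g_authorize_method`. `polkit_authority_check_authorization_sync()` returns a `PolkitAuthorizationResult *`, which is non-NULL whenever the check completes, including when polkit answers "not authorized". The `!` test in the new `if` therefore rejects only callers for which the call itself failed, and a denied peer still gets `ret = TRUE`. The returned object is also never unreffed, so each method call leaks it. Store the result, additionally require `polkit_authorization_result_get_is_authorized()`, and release it with `g_clear_object()`; passing a `GError **` instead of the final `NULL` would also let the daemon log why a check failed.

```c
  PolkitAuthorizationResult *res = NULL;
  /* … unchanged: other locals, assertions, peer_name lookup … */

  if (!(authority = polkit_authority_get_sync (NULL, NULL)) ||
      !(subject = polkit_system_bus_name_new (peer_name)) ||
      !(res = polkit_authority_check_authorization_sync (authority,
                                                         /* … unchanged: subject, action id, details, flags, cancellable … */
                                                         NULL)) ||
      !polkit_authorization_result_get_is_authorized (res))
    {
      /* … unchanged: return G_DBUS_ERROR_ACCESS_DENIED, ret = FALSE … */
    }

  g_clear_object (&res);
  /* … unchanged: clear authority and subject, return ret … */
```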
@@ -121,11 +160,16 @@ G_DEFINE_TYPE_WITH_CODE (IpcServiceImpl, ipc_service_impl, IPC_TYPE_SERVICE_SKEL
 static void
 ipc_service_impl_class_init (IpcServiceImplClass *klass)
 {
+  GDBusInterfaceSkeletonClass *skeleton_class = G_DBUS_INTERFACE_SKELETON_CLASS (klass);
+
+  skeleton_class->g_authorize_method = ipc_service_impl_g_authorize_method;
 }
 
 static void
 ipc_service_impl_init (IpcServiceImpl *self)
 {
+  g_dbus_interface_skeleton_set_flags (G_DBUS_INTERFACE_SKELETON (self),
+                                       G_DBUS_INTERFACE_SKELETON_FLAGS_HANDLE_METHOD_INVOCATIONS_IN_THREAD);
 }
 
 IpcService *
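Review bot: Nothing in `ipc_service_impl_init` records why `G_DBUS_INTERFACE_SKELETON_FLAGS_HANDLE_METHOD_INVOCATIONS_IN_THREAD` is set, although it appears to exist for the blocking polkit call in the authorize hook. A comment above the call would keep it from being removed later, for example `/* g_authorize_method does a synchronous polkit check that may wait on user interaction; handle invocations in a worker thread so the main loop is not blocked. */`. With this flag the method handlers also run off the main thread, so any state they share would need to be thread-safe; the handlers lie outside this hunk, so that is worth confirming. `ipc_service_impl_new` continues past the end of the hunk.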
diff --git a/src/sysprofd/meson.build b/src/sysprofd/meson.build
index 2586788..fc9b344 100644
--- a/src/sysprofd/meson.build
+++ b/src/sysprofd/meson.build
@@ -58,8 +58,8 @@ configure_file(
 )
 
 i18n.merge_file(
-        input: 'org.gnome.sysprof2.policy.in',
-       output: 'org.gnome.sysprof2.policy',
+        input: 'org.gnome.sysprof3.policy.in',
+       output: 'org.gnome.sysprof3.policy',
        po_dir: podir,
       install: true,
   install_dir: join_paths(datadir, 'polkit-1/actions'),
diff --git a/src/sysprofd/org.gnome.sysprof3.policy.in b/src/sysprofd/org.gnome.sysprof3.policy.in
new file mode 100644
index 0000000..e29ed2a
--- /dev/null
+++ b/src/sysprofd/org.gnome.sysprof3.policy.in
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd";>
+
+<policyconfig>
+  <vendor>The sysprof Project</vendor>
+  <vendor_url>https://wiki.gnome.org/Apps/Sysprof</vendor_url>
+  <icon_name>org.gnome.Sysprof-symbolic</icon_name>
+  <action id="org.gnome.sysprof3.profile">
+    <description>Profile the system</description>
+    <message>Authentication is required to profile the system.</message>
+    <defaults>
+      <allow_any>auth_admin_keep</allow_any>
+      <allow_inactive>auth_admin_keep</allow_inactive>
+      <allow_active>auth_admin_keep</allow_active>
+    </defaults>
+  </action>
+</policyconfig>
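Review bot: The DOCTYPE declaration ends in `policyconfig.dtd";>`, and a `;` between the system identifier and `>` is not well-formed XML. This may only be an artefact of the mail archive, but the committed file should be checked to confirm it reads `policyconfig.dtd">`. Separately, a short XML comment above `<defaults>` explaining why `allow_any` and `allow_inactive` get the same `auth_admin_keep` as `allow_active` would document that granting profiling to non-active sessions after admin authentication is intentional.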

