Commit 3638c6c1 authored by David Zeuthen's avatar David Zeuthen

add module loading to PolicyKit

This paves the way for writing

 1. A module that tracks temporary (look in /var/run) and permanent (look
    in /var/lib) privilege grants
 2. A D-Bus service to authenticate a client to obtain a privilege
    grant and then writing the grant in temporary or permanent storage

Also, this feature lets people very easily lock down the system; just
edit /etc/PolicyKit/PolicyKit.conf; add pam-module-deny-all / -allow-all
stanzas with various privilege=<regexp> and user=<username> options.
parent a1b5a12b
## Process this file with automake to produce Makefile.in
SUBDIRS = libpolkit doc tools privileges
SUBDIRS = libpolkit modules doc tools privileges
pkgconfigdir = $(libdir)/pkgconfig
pkgconfig_DATA = libpolkit.pc
......
......@@ -174,6 +174,10 @@ doc/spec/Makefile
doc/spec/polkit-spec.xml.in
doc/man/Makefile
privileges/Makefile
modules/Makefile
modules/default/Makefile
modules/allow-all/Makefile
modules/deny-all/Makefile
])
dnl ==========================================================================
......
......@@ -64,7 +64,6 @@
PolicyKit library.
</para>
</partintro>
<xi:include href="xml/libpolkit.xml"/>
<xi:include href="xml/libpolkit-error.xml"/>
<xi:include href="xml/libpolkit-result.xml"/>
<xi:include href="xml/libpolkit-context.xml"/>
......@@ -77,6 +76,7 @@
<xi:include href="xml/libpolkit-seat.xml"/>
<xi:include href="xml/libpolkit-session.xml"/>
<xi:include href="xml/libpolkit-caller.xml"/>
<xi:include href="xml/libpolkit-module.xml"/>
</reference>
<index>
......
if MAN_PAGES_ENABLED
MAN_IN_FILES = polkit-check-caller.1.in polkit-check-session.1.in polkit-privilege-file-validate.1.in
MAN_IN_FILES = polkit-check-caller.1.in polkit-check-session.1.in polkit-privilege-file-validate.1.in PolicyKit.8.in polkit-module-default.8.in polkit-module-allow-all.8.in polkit-module-deny-all.8.in
man_MANS = $(MAN_IN_FILES:.in=)
......@@ -10,7 +10,7 @@ endif # MAN_PAGES_ENABLED
EXTRA_DIST=$(man_MANS) $(MAN_IN_FILES)
clean-local:
rm -f *~ *.1
rm -f *~ *.1 *.8
%: %.in Makefile
$(edit) $< >$@
......
.\"
.\" PolicyKit manual page.
.\" Copyright (C) 2007 David Zeuthen <david@fubar.dk>
.\"
.TH POLICYKIT 8
.SH NAME
PolicyKit \- centralized policy management
.SH DESCRIPTION
.PP
For more information about the big picture refer to the \fIPolicyKit
spec\fP which can be found in
.I "@docdir@/spec/polkit-spec.html"
depending on the distribution.
.SH BUGS
.PP
Please send bug reports to either the distribution or the HAL
mailing list, see
.I "http://lists.freedesktop.org/mailman/listinfo/hal"
on how to subscribe.
.SH SEE ALSO
.PP
\&\fIpolkit-module-default\fR\|(8),
\&\fIpolkit-module-allow-all\fR\|(8),
\&\fIpolkit-module-deny-all\fR\|(8),
\&\fIpolkit-check-caller\fR\|(1),
\&\fIpolkit-check-session\fR\|(1),
\&\fIpolkit-privilege-file-validate\fR\|(1),
\&\fIdbus-daemon\fR\|(1),
\&\fIhald\fR\|(8)
.SH AUTHOR
Written by David Zeuthen <david@fubar.dk> with a lot of help from many
others.
......@@ -56,6 +56,7 @@ on how to subscribe.
.SH SEE ALSO
.PP
\&\fIPolicyKit\fR\|(8),
\&\fIdbus-daemon\fR\|(1),
\&\fIpolkit-check-session\fR\|(1)
......
......@@ -56,6 +56,7 @@ on how to subscribe.
.SH SEE ALSO
.PP
\&\fIPolicyKit\fR\|(8),
\&\fIdbus-daemon\fR\|(1),
\&\fIpolkit-check-caller\fR\|(1)
......
.\"
.\" polkit-module-allow-all manual page.
.\" Copyright (C) 2007 David Zeuthen <david@fubar.dk>
.\"
.TH POLKIT-MODULE-ALLOW-ALL 8
.SH NAME
polkit-module-allow-all \- grant access to all privileges
.SH SYNOPSIS
.PP
.B polkit-module-allow-all.so [privilege=<regexp>] [user=<username>]
.SH DESCRIPTION
.PP
This PolicyKit module will allow access to any privilege regardless of
the entity requesting it, what the requested privilege is and what
resource is involved.
For more information about the big picture refer to the \fIPolicyKit
spec\fP which can be found in
.I "@docdir@/spec/polkit-spec.html"
depending on the distribution.
.SH OPTIONS
.TP 3n
.B privilege=<regexp>
Only consider requests where the privilege name matches the given
regular expression. Example:
.B privilege=hal-storage-mount*
.TP 3n
.B user=<username>
Only consider requests matching the given username. May be both a
numerical
.B uid
value or a username. Example:
.B user=davidz
.SH NOTES
.PP
Never use this module unless you
.B COMPLETELY
trust anyone with either remote or local access to the system.
.SH BUGS
.PP
Please send bug reports to either the distribution or the HAL
mailing list, see
.I "http://lists.freedesktop.org/mailman/listinfo/hal"
on how to subscribe.
.SH SEE ALSO
.PP
\&\fIPolicyKit\fR\|(8),
\&\fIpolkit-module-default\fR\|(8),
\&\fIpolkit-module-deny-all\fR\|(8),
\&\fI@sysconfdir@/PolicyKit/privileges\fR\|,
\&\fI@sysconfdir@/PolicyKit/PolicyKit.conf\fR\|
.SH AUTHOR
Written by David Zeuthen <david@fubar.dk> with a lot of help from many
others.
.\"
.\" polkit-module-default manual page.
.\" Copyright (C) 2007 David Zeuthen <david@fubar.dk>
.\"
.TH POLKIT-MODULE-DEFAULT 8
.SH NAME
polkit-module-default \- use default policy for privileges
.SH SYNOPSIS
.PP
.B standard polkit-module-default.so
.SH DESCRIPTION
.PP
This PolicyKit module uses the default policy as specified (and
required) for by the privilege definition file for a given privilege.
For more information about the big picture refer to the \fIPolicyKit
spec\fP which can be found in
.I "@docdir@/spec/polkit-spec.html"
depending on the distribution.
.SH BUGS
.PP
Please send bug reports to either the distribution or the HAL
mailing list, see
.I "http://lists.freedesktop.org/mailman/listinfo/hal"
on how to subscribe.
.SH SEE ALSO
.PP
\&\fIPolicyKit\fR\|(8),
\&\fIpolkit-module-allow-all\fR\|(8),
\&\fIpolkit-module-deny-all\fR\|(8),
\&\fI@sysconfdir@/PolicyKit/privileges\fR\|,
\&\fI@sysconfdir@/PolicyKit/PolicyKit.conf\fR\|
.SH AUTHOR
Written by David Zeuthen <david@fubar.dk> with a lot of help from many
others.
.\"
.\" polkit-module-deny-all manual page.
.\" Copyright (C) 2007 David Zeuthen <david@fubar.dk>
.\"
.TH POLKIT-MODULE-DENY-ALL 8
.SH NAME
polkit-module-deny-all \- grant access to all privileges
.SH SYNOPSIS
.PP
.B polkit-module-deny-all.so [privilege=<regexp>] [user=<username>]
.SH DESCRIPTION
.PP
This PolicyKit module will deny access to any privilege regardless of
the entity requesting it, what the requested privilege is and what
resource is involved.
For more information about the big picture refer to the \fIPolicyKit
spec\fP which can be found in
.I "@docdir@/spec/polkit-spec.html"
depending on the distribution.
.SH OPTIONS
.TP 3n
.B privilege=<regexp>
Only consider requests where the privilege name matches the given
regular expression. Example:
.B privilege=hal-storage-mount*
.TP 3n
.B user=<username>
Only consider requests matching the given username. May be both a
numerical
.B uid
value or a username. Example:
.B user=davidz
.SH NOTES
.PP
This module is mostly useful in situations where it's desirable to
lock down the system so it's unusable by normal unprivileged users.
.SH BUGS
.PP
Please send bug reports to either the distribution or the HAL
mailing list, see
.I "http://lists.freedesktop.org/mailman/listinfo/hal"
on how to subscribe.
.SH SEE ALSO
.PP
\&\fIPolicyKit\fR\|(8),
\&\fIpolkit-module-default\fR\|(8),
\&\fIpolkit-module-allow-all\fR\|(8),
\&\fI@sysconfdir@/PolicyKit/privileges\fR\|,
\&\fI@sysconfdir@/PolicyKit/PolicyKit.conf\fR\|
.SH AUTHOR
Written by David Zeuthen <david@fubar.dk> with a lot of help from many
others.
......@@ -43,6 +43,7 @@ on how to subscribe.
.SH SEE ALSO
.PP
\&\fIPolicyKit\fR\|(8),
\&\fIpolkit-check-caller\fR\|(1),
\&\fIpolkit-check-session\fR\|(1)
......
......@@ -8,6 +8,7 @@ INCLUDES = \
-DPACKAGE_BIN_DIR=\""$(bindir)"\" \
-DPACKAGE_LOCALSTATEDIR=\""$(localstatedir)"\" \
-DPACKAGE_LOCALE_DIR=\""$(localedir)"\" \
-DPACKAGE_LIB_DIR=\""$(libdir)"\" \
-D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT \
@GLIB_CFLAGS@ @DBUS_CFLAGS@
......@@ -28,10 +29,11 @@ libpolkitinclude_HEADERS = \
libpolkit-privilege-file-entry.h \
libpolkit-privilege-file.h \
libpolkit-privilege-cache.h \
libpolkit-privilege-default.h
libpolkit-privilege-default.h \
libpolkit-module.h
libpolkit_la_SOURCES = \
libpolkit.h libpolkit.c \
libpolkit.h \
libpolkit-error.h libpolkit-error.c \
libpolkit-result.h libpolkit-result.c \
libpolkit-context.h libpolkit-context.c \
......@@ -44,9 +46,10 @@ libpolkit_la_SOURCES = \
libpolkit-privilege-file.h libpolkit-privilege-file.c \
libpolkit-privilege-cache.h libpolkit-privilege-cache.c \
libpolkit-privilege-default.h libpolkit-privilege-default.c \
libpolkit-debug.h libpolkit-debug.c
libpolkit-debug.h libpolkit-debug.c \
libpolkit-module.h libpolkit-module.c
libpolkit_la_LIBADD = @GLIB_LIBS@ @DBUS_LIBS@
libpolkit_la_LIBADD = @GLIB_LIBS@ @DBUS_LIBS@ -ldl
libpolkit_la_LDFLAGS = -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE)
......
......@@ -31,6 +31,14 @@
#include <sys/types.h>
#include <glib.h>
#include <libpolkit/libpolkit-error.h>
#include <libpolkit/libpolkit-result.h>
#include <libpolkit/libpolkit-context.h>
#include <libpolkit/libpolkit-privilege.h>
#include <libpolkit/libpolkit-resource.h>
#include <libpolkit/libpolkit-seat.h>
#include <libpolkit/libpolkit-session.h>
#include <libpolkit/libpolkit-caller.h>
#include <libpolkit/libpolkit-privilege-cache.h>
struct PolKitContext;
......@@ -126,19 +134,53 @@ typedef void (*PolKitContextFileMonitorRemoveWatch) (PolKitContext
PolKitContext *libpolkit_context_new (void);
gboolean libpolkit_context_init (PolKitContext *pk_context,
GError **error);
PolKitContext *libpolkit_context_ref (PolKitContext *pk_context);
void libpolkit_context_unref (PolKitContext *pk_context);
void libpolkit_context_set_config_changed (PolKitContext *pk_context,
PolKitContextConfigChangedCB cb,
gpointer user_data);
void libpolkit_context_set_file_monitor (PolKitContext *pk_context,
PolKitContextFileMonitorAddWatch add_watch_func,
PolKitContextFileMonitorRemoveWatch remove_watch_func);
gboolean libpolkit_context_init (PolKitContext *pk_context,
GError **error);
PolKitContext *libpolkit_context_ref (PolKitContext *pk_context);
void libpolkit_context_unref (PolKitContext *pk_context);
PolKitPrivilegeCache *libpolkit_context_get_privilege_cache (PolKitContext *pk_context);
/**
* PolKitSeatVisitorCB:
* @seat: the seat
* @resources_associated_with_seat: A NULL terminated array of resources associated with the seat
* @user_data: user data
*
* Visitor function for libpolkit_get_seat_resource_association(). The caller should _not_ unref the passed objects.
*/
typedef void (*PolKitSeatVisitorCB) (PolKitSeat *seat,
PolKitResource **resources_associated_with_seat,
gpointer user_data);
PolKitResult
libpolkit_context_get_seat_resource_association (PolKitContext *pk_context,
PolKitSeatVisitorCB visitor,
gpointer *user_data);
PolKitResult
libpolkit_context_is_resource_associated_with_seat (PolKitContext *pk_context,
PolKitResource *resource,
PolKitSeat *seat);
PolKitResult
libpolkit_context_can_session_access_resource (PolKitContext *pk_context,
PolKitPrivilege *privilege,
PolKitResource *resource,
PolKitSession *session);
PolKitResult
libpolkit_context_can_caller_access_resource (PolKitContext *pk_context,
PolKitPrivilege *privilege,
PolKitResource *resource,
PolKitCaller *caller);
#endif /* LIBPOLKIT_CONTEXT_H */
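Review bot: `libpolkit_context_get_seat_resource_association()` declares its last parameter as `gpointer *user_data`, while the `PolKitSeatVisitorCB` typedef directly above it takes `gpointer user_data`. Unless the extra indirection is deliberate, the prototype should end `gpointer user_data);` so callers do not have to cast when passing their closure through. The gtk-doc block on `PolKitSeatVisitorCB` also refers to `libpolkit_get_seat_resource_association()`, which is not the name declared in this header. The query prototypes in this section carry no doc blocks here; if the .c file (not shown on this page) does not document them, each should state which `PolKitResult` comes back for a NULL or invalid argument, since callers base an authorization decision on that value.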
......@@ -37,6 +37,7 @@
#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <sys/time.h>
#include "libpolkit-debug.h"
......@@ -61,6 +62,15 @@ _pk_debug (const char *format, ...)
}
if (show_debug) {
struct timeval tnow;
struct tm *tlocaltime;
struct timezone tzone;
char tbuf[256];
gettimeofday (&tnow, &tzone);
tlocaltime = localtime ((time_t *) &tnow.tv_sec);
strftime (tbuf, sizeof (tbuf), "%H:%M:%S", tlocaltime);
fprintf (stdout, "%s.%03d: ", tbuf, (int)(tnow.tv_usec/1000));
va_start (args, format);
vfprintf (stdout, format, args);
va_end (args);
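Review bot: The new timestamp code passes the result of `localtime()` straight to `strftime()`, but `localtime()` can return NULL and hands back a pointer to static storage, while the libpolkit build flags shown on this page include `-D_REENTRANT`. I would use the re-entrant form: `time_t tsec = tnow.tv_sec; struct tm tbroken;` then `if (localtime_r (&tsec, &tbroken) != NULL) strftime (tbuf, sizeof (tbuf), "%H:%M:%S", &tbroken);`, with `tbuf` initialised to an empty string first. That also drops the `(time_t *)` cast, which would hide a type mismatch on `tv_sec`. `tzone` is never read, so `gettimeofday (&tnow, NULL)` is enough. The body of `_pk_debug` starts and ends outside this hunk.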
......
/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
/***************************************************************************
*
* libpolkit-module.h : PolicyKit loadable module interface
*
* Copyright (C) 2007 David Zeuthen, <david@fubar.dk>
*
* Licensed under the Academic Free License version 2.1
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
**************************************************************************/
#ifndef LIBPOLKIT_MODULE_H
#define LIBPOLKIT_MODULE_H
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <glib.h>
#include <libpolkit/libpolkit.h>
struct PolKitModuleInterface;
typedef struct PolKitModuleInterface PolKitModuleInterface;
/**
* PolKitModuleInitialize:
* @module_interface: the module interface
* @argc: number of arguments to pass to module
* @argv: arguments passed to module; the first argument is the filename/path to the module
*
* Type of PolicyKit module function to initialize the module.
*
* Returns: Whether the module was initialized.
**/
typedef gboolean (*PolKitModuleInitialize) (PolKitModuleInterface *module_interface,
int argc,
char *argv[]);
/**
* PolKitModuleShutdown:
* @module_interface: the module interface
*
* Type of PolicyKit module function to shutdown the module.
**/
typedef void (*PolKitModuleShutdown) (PolKitModuleInterface *module_interface);
/**
* PolKitModuleGetSeatResourceAssociation:
* @module_interface: the module interface
* @pk_context: the PolicyKit context
* @visitor: visitor function
* @user_data: user data
*
* Type of PolicyKit module function to implement libpolkit_get_seat_resource_association().
*
* Returns: the #PolKitResult
**/
typedef PolKitResult (*PolKitModuleGetSeatResourceAssociation) (PolKitModuleInterface *module_interface,
PolKitContext *pk_context,
PolKitSeatVisitorCB visitor,
gpointer *user_data);
/**
* PolKitModuleIsResourceAssociatedWithSeat:
* @module_interface: the module interface
* @pk_context: the PolicyKit context
* @resource: the resource in question
* @seat: the seat
*
* Type of PolicyKit module function to implement libpolkit_is_resource_associated_with_seat().
*
* Returns: the #PolKitResult
**/
typedef PolKitResult (*PolKitModuleIsResourceAssociatedWithSeat) (PolKitModuleInterface *module_interface,
PolKitContext *pk_context,
PolKitResource *resource,
PolKitSeat *seat);
/**
* PolKitModuleCanSessionAccessResource:
* @module_interface: the module interface
* @pk_context: the PolicyKit context
* @privilege: the type of access to check for
* @resource: the resource in question
* @session: the session in question
*
* Type of PolicyKit module function to implement libpolkit_can_session_access_resource().
*
* Returns: the #PolKitResult
**/
typedef PolKitResult (*PolKitModuleCanSessionAccessResource) (PolKitModuleInterface *module_interface,
PolKitContext *pk_context,
PolKitPrivilege *privilege,
PolKitResource *resource,
PolKitSession *session);
/**
* PolKitModuleCanCallerAccessResource:
* @module_interface: the module interface
* @pk_context: the PolicyKit context
* @privilege: the type of access to check for
* @resource: the resource in question
* @caller: the resource in question
*
* Type of PolicyKit module function to implement libpolkit_can_caller_access_resource().
*
* Returns: the #PolKitResult
**/
typedef PolKitResult (*PolKitModuleCanCallerAccessResource) (PolKitModuleInterface *module_interface,
PolKitContext *pk_context,
PolKitPrivilege *privilege,
PolKitResource *resource,
PolKitCaller *caller);
PolKitModuleInterface *libpolkit_module_interface_new (void);
PolKitModuleInterface *libpolkit_module_interface_ref (PolKitModuleInterface *module_interface);
void libpolkit_module_interface_unref (PolKitModuleInterface *module_interface);
const char *libpolkit_module_get_name (PolKitModuleInterface *module_interface);
void libpolkit_module_set_user_data (PolKitModuleInterface *module_interface, gpointer user_data);
gpointer libpolkit_module_get_user_data (PolKitModuleInterface *module_interface);
void libpolkit_module_set_func_initialize (PolKitModuleInterface *module_interface,
PolKitModuleInitialize func);
void libpolkit_module_set_func_shutdown (PolKitModuleInterface *module_interface,
PolKitModuleShutdown func);
void libpolkit_module_set_func_get_seat_resource_association (PolKitModuleInterface *module_interface,
PolKitModuleGetSeatResourceAssociation func);
void libpolkit_module_set_func_is_resource_associated_with_seat (PolKitModuleInterface *module_interface,
PolKitModuleIsResourceAssociatedWithSeat func);
void libpolkit_module_set_func_can_session_access_resource (PolKitModuleInterface *module_interface,
PolKitModuleCanSessionAccessResource func);
void libpolkit_module_set_func_can_caller_access_resource (PolKitModuleInterface *module_interface,
PolKitModuleCanCallerAccessResource func);
PolKitModuleInitialize libpolkit_module_get_func_initialize (PolKitModuleInterface *module_interface);
PolKitModuleShutdown libpolkit_module_get_func_shutdown (PolKitModuleInterface *module_interface);
PolKitModuleGetSeatResourceAssociation libpolkit_module_get_func_get_seat_resource_association (PolKitModuleInterface *module_interface);
PolKitModuleIsResourceAssociatedWithSeat libpolkit_module_get_func_is_resource_associated_with_seat (PolKitModuleInterface *module_interface);
PolKitModuleCanSessionAccessResource libpolkit_module_get_func_can_session_access_resource (PolKitModuleInterface *module_interface);
PolKitModuleCanCallerAccessResource libpolkit_module_get_func_can_caller_access_resource (PolKitModuleInterface *module_interface);
/**
* PolKitModuleControl:
* @LIBPOLKIT_MODULE_CONTROL_ADVISE: Allow modules, marked with #LIBPOLKIT_MODULE_CONTROL_MANDATORY, down the
* stack to override results from this module. Modules down the stack that are also marked with
* the #LIBPOLKIT_MODULE_CONTROL_ADVISE control will only take effect it they change the result to be "less strict".
* @LIBPOLKIT_MODULE_CONTROL_MANDATORY: Always use results (unless it returns
* #LIBPOLKIT_RESULT_UNKNOWN_PRIVILEGE for a given request) from this module, even if it changes whether the
* result to be "more strict". . If a later module also uses this control, results from that module will override it.
* @LIBPOLKIT_MODULE_CONTROL_N_CONTROLS: Number of control stanzas
*
* The control stanza for a PolicyKit module. This is read from the
* PolicyKit configuration file (/etc/PolicyKit/PolicyKit.conf) that
* defines the stacked order of the modules and is chosen by the
* system administrator. See the definition of #PolKitResult for
* the definition of "strict" with respect to result values.
**/
typedef enum
{
LIBPOLKIT_MODULE_CONTROL_ADVISE,
LIBPOLKIT_MODULE_CONTROL_MANDATORY,
LIBPOLKIT_MODULE_CONTROL_N_CONTROLS
} PolKitModuleControl;
const char *
libpolkit_module_control_to_string_representation (PolKitModuleControl module_control);
gboolean
libpolkit_module_control_from_string_representation (const char *string, PolKitModuleControl *out_module_control);
PolKitModuleInterface *libpolkit_module_interface_load_module (const char *name,
PolKitModuleControl module_control,
int argc, char *argv[]);
PolKitModuleControl libpolkit_module_interface_get_control (PolKitModuleInterface *module_interface);
#endif /* LIBPOLKIT_MODULE_H */
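Review bot: `libpolkit_module_interface_load_module()` is the entry point that brings loadable code into the process making authorization decisions, yet it has no doc block in this header. Its comment should say how `name` is resolved (the commit adds `-DPACKAGE_LIB_DIR` and `-ldl`, so presumably a directory under libdir is searched and the file is dlopen()ed; the implementation is not shown on this page), whether a `name` containing `/` is accepted, and what is returned when loading or the module's `PolKitModuleInitialize` fails. The same comment should state that PolicyKit.conf and the module directory must be writable only by root, because any module named there runs inside every process that uses the library. Separately, `@caller: the resource in question` in the `PolKitModuleCanCallerAccessResource` block looks like a copy-paste slip for `@caller: the caller in question`, and `gpointer *user_data` in `PolKitModuleGetSeatResourceAssociation` does not match the `gpointer user_data` of the visitor it forwards to.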
......@@ -54,7 +54,6 @@ static const struct {
{
{LIBPOLKIT_RESULT_UNKNOWN_PRIVILEGE, "unknown"},
{LIBPOLKIT_RESULT_NOT_AUTHORIZED_TO_KNOW, "not_authorized"},
{LIBPOLKIT_RESULT_YES, "yes"},
{LIBPOLKIT_RESULT_NO, "no"},
{LIBPOLKIT_RESULT_ONLY_VIA_ROOT_AUTH, "auth_root"},
{LIBPOLKIT_RESULT_ONLY_VIA_ROOT_AUTH_KEEP_SESSION, "auth_root_keep_session"},
......@@ -62,6 +61,7 @@ static const struct {
{LIBPOLKIT_RESULT_ONLY_VIA_SELF_AUTH, "auth_self"},
{LIBPOLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_SESSION, "auth_self_keep_session"},
{LIBPOLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_ALWAYS, "auth_self_keep_always"},
{LIBPOLKIT_RESULT_YES, "yes"},
{0, NULL}
};
......@@ -111,8 +111,6 @@ libpolkit_result_from_string_representation (const char *string, PolKitResult *o
}
return FALSE;
found:
return TRUE;
}
......@@ -32,7 +32,6 @@
* PolKitResult:
* @LIBPOLKIT_RESULT_UNKNOWN_PRIVILEGE: The passed privilege is unknown.
* @LIBPOLKIT_RESULT_NOT_AUTHORIZED_TO_KNOW: The caller of libpolkit is not sufficiently privilege to know the answer.
* @LIBPOLKIT_RESULT_YES: Access granted.
* @LIBPOLKIT_RESULT_NO: Access denied.
* @LIBPOLKIT_RESULT_ONLY_VIA_ROOT_AUTH: Access denied, but authentication of the caller as
* root will grant access to only that caller.
......@@ -46,15 +45,18 @@
* his user will grant access for the remainder of the session the caller stems from.
* @LIBPOLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_ALWAYS: Access denied, but authentication of the caller as
* his user will grant access to the user of the caller in the future.
* @LIBPOLKIT_RESULT_YES: Access granted.
* @LIBPOLKIT_RESULT_N_RESULTS: Number of result codes
*
* Result codes from queries to PolicyKit.
* Result codes from queries to PolicyKit. These are ordered and we
* say that a result A is "more strict" than a result B, if A has a
* lower numerical value. (e.g. #LIBPOLKIT_RESULT_NO is more strict
* than #LIBPOLKIT_RESULT_YES).
*/
typedef enum
{
LIBPOLKIT_RESULT_UNKNOWN_PRIVILEGE,
LIBPOLKIT_RESULT_NOT_AUTHORIZED_TO_KNOW,
LIBPOLKIT_RESULT_YES,
LIBPOLKIT_RESULT_NO,
LIBPOLKIT_RESULT_ONLY_VIA_ROOT_AUTH,
LIBPOLKIT_RESULT_ONLY_VIA_ROOT_AUTH_KEEP_SESSION,
......@@ -62,6 +64,7 @@ typedef enum
LIBPOLKIT_RESULT_ONLY_VIA_SELF_AUTH,
LIBPOLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_SESSION,
LIBPOLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_ALWAYS,
LIBPOLKIT_RESULT_YES,
LIBPOLKIT_RESULT_N_RESULTS
} PolKitResult;
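Review bot: Moving `LIBPOLKIT_RESULT_YES` to the end of the enum renumbers every member after `LIBPOLKIT_RESULT_NOT_AUTHORIZED_TO_KNOW`, so the value that used to mean YES now means `LIBPOLKIT_RESULT_NO`. A client compiled against the old header and run against the new library would therefore read a denial as a grant. This change needs an `LT_CURRENT` bump for the `-version-info` line in the library's Makefile.am (none is visible on this page), and any place that stores or transmits the numeric value should be checked. Because numeric order now carries policy meaning, I would add a comment inside the enum such as `/* ORDER MATTERS: lower value = more strict; do not insert or reorder without an ABI bump */`. The doc block should also say how `UNKNOWN_PRIVILEGE` and `NOT_AUTHORIZED_TO_KNOW` are meant to rank, since by the "lower value is more strict" rule they sit above `LIBPOLKIT_RESULT_NO`.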
......
/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
/***************************************************************************
*
* libpolkit.c : library for querying system-wide policy
*
* Copyright (C) 2007 David Zeuthen, <david@fubar.dk>
*
* Licensed under the Academic Free License version 2.1
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
**************************************************************************/
/**
* SECTION:libpolkit
* @short_description: Policy functions.