Add support for a new TrustedUids key
This key is used to specify that a dedicated user runs the fwupd client process and that sensitive strings such as the serial number should be shared with the calling process. (Fixes: #4524)
parent
f8f5cd1f25
commit
b3de9ffd21
@ -52,6 +52,9 @@ OnlyTrusted=true
|
|||||||
# Show private data like device serial numbers and instance IDs to clients
|
# Show private data like device serial numbers and instance IDs to clients
|
||||||
ShowDevicePrivate=true
|
ShowDevicePrivate=true
|
||||||
|
|
||||||
|
# UIDs that should marked as trusted
|
||||||
|
TrustedUids=
|
||||||
|
|
||||||
# A host best known configuration is used when using `fwupdmgr sync` which can
|
# A host best known configuration is used when using `fwupdmgr sync` which can
|
||||||
# downgrade firmware to factory versions or upgrade firmware to a supported
|
# downgrade firmware to factory versions or upgrade firmware to a supported
|
||||||
# config level. e.g. `vendor-factory-2021q1`
|
# config level. e.g. `vendor-factory-2021q1`
|
||||||
|
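Review bot: The new comment above `TrustedUids=` does not say what form the value takes or what being trusted grants, and it is missing a word ("should marked"). The daemon reads the key with g_key_file_get_string_list and converts each entry numerically, so user names will not work and entries are presumably split on GKeyFile's default `;` separator. I would write `# Numeric UIDs, separated by ';', of non-root users that are treated as trusted and can read private device data such as serial numbers`. Listing a UID here widens who can see that data, so the comment should state that consequence.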
@ -30,6 +30,7 @@ struct _FuConfig {
|
|||||||
GPtrArray *blocked_firmware; /* (element-type utf-8) */
|
GPtrArray *blocked_firmware; /* (element-type utf-8) */
|
||||||
GPtrArray *uri_schemes; /* (element-type utf-8) */
|
GPtrArray *uri_schemes; /* (element-type utf-8) */
|
||||||
GPtrArray *filenames; /* (element-type utf-8) */
|
GPtrArray *filenames; /* (element-type utf-8) */
|
||||||
|
GArray *trusted_uids; /* (elementy type guint64) */
|
||||||
guint64 archive_size_max;
|
guint64 archive_size_max;
|
||||||
guint idle_timeout;
|
guint idle_timeout;
|
||||||
gchar *host_bkc;
|
gchar *host_bkc;
|
||||||
@ -58,6 +59,7 @@ fu_config_reload(FuConfig *self, GError **error)
|
|||||||
g_auto(GStrv) blocked_firmware = NULL;
|
g_auto(GStrv) blocked_firmware = NULL;
|
||||||
g_auto(GStrv) uri_schemes = NULL;
|
g_auto(GStrv) uri_schemes = NULL;
|
||||||
g_auto(GStrv) devices = NULL;
|
g_auto(GStrv) devices = NULL;
|
||||||
|
g_auto(GStrv) uids = NULL;
|
||||||
g_auto(GStrv) plugins = NULL;
|
g_auto(GStrv) plugins = NULL;
|
||||||
g_autofree gchar *domains = NULL;
|
g_autofree gchar *domains = NULL;
|
||||||
g_autofree gchar *host_bkc = NULL;
|
g_autofree gchar *host_bkc = NULL;
|
||||||
@ -241,6 +243,20 @@ fu_config_reload(FuConfig *self, GError **error)
|
|||||||
if (host_bkc != NULL && host_bkc[0] != '\0')
|
if (host_bkc != NULL && host_bkc[0] != '\0')
|
||||||
self->host_bkc = g_steal_pointer(&host_bkc);
|
self->host_bkc = g_steal_pointer(&host_bkc);
|
||||||
|
|
||||||
|
/* get trusted uids */
|
||||||
|
g_array_set_size(self->trusted_uids, 0);
|
||||||
|
uids = g_key_file_get_string_list(keyfile,
|
||||||
|
"fwupd",
|
||||||
|
"TrustedUids",
|
||||||
|
NULL, /* length */
|
||||||
|
NULL);
|
||||||
|
if (uids != NULL) {
|
||||||
|
for (guint i = 0; uids[i] != NULL; i++) {
|
||||||
|
guint64 val = fu_common_strtoull(uids[i]);
|
||||||
|
g_array_append_val(self->trusted_uids, val);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -332,6 +348,13 @@ fu_config_get_disabled_devices(FuConfig *self)
|
|||||||
return self->disabled_devices;
|
return self->disabled_devices;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
GArray *
|
||||||
|
fu_config_get_trusted_uids(FuConfig *self)
|
||||||
|
{
|
||||||
|
g_return_val_if_fail(FU_IS_CONFIG(self), NULL);
|
||||||
|
return self->trusted_uids;
|
||||||
|
}
|
||||||
|
|
||||||
GPtrArray *
|
GPtrArray *
|
||||||
fu_config_get_blocked_firmware(FuConfig *self)
|
fu_config_get_blocked_firmware(FuConfig *self)
|
||||||
{
|
{
|
||||||
@ -451,6 +474,7 @@ fu_config_init(FuConfig *self)
|
|||||||
self->disabled_plugins = g_ptr_array_new_with_free_func(g_free);
|
self->disabled_plugins = g_ptr_array_new_with_free_func(g_free);
|
||||||
self->approved_firmware = g_ptr_array_new_with_free_func(g_free);
|
self->approved_firmware = g_ptr_array_new_with_free_func(g_free);
|
||||||
self->blocked_firmware = g_ptr_array_new_with_free_func(g_free);
|
self->blocked_firmware = g_ptr_array_new_with_free_func(g_free);
|
||||||
|
self->trusted_uids = g_array_new(FALSE, FALSE, sizeof(guint64));
|
||||||
self->uri_schemes = g_ptr_array_new_with_free_func(g_free);
|
self->uri_schemes = g_ptr_array_new_with_free_func(g_free);
|
||||||
self->monitors = g_ptr_array_new_with_free_func((GDestroyNotify)g_object_unref);
|
self->monitors = g_ptr_array_new_with_free_func((GDestroyNotify)g_object_unref);
|
||||||
}
|
}
|
||||||
@ -471,6 +495,7 @@ fu_config_finalize(GObject *obj)
|
|||||||
g_ptr_array_unref(self->approved_firmware);
|
g_ptr_array_unref(self->approved_firmware);
|
||||||
g_ptr_array_unref(self->blocked_firmware);
|
g_ptr_array_unref(self->blocked_firmware);
|
||||||
g_ptr_array_unref(self->uri_schemes);
|
g_ptr_array_unref(self->uri_schemes);
|
||||||
|
g_array_unref(self->trusted_uids);
|
||||||
g_free(self->host_bkc);
|
g_free(self->host_bkc);
|
||||||
|
|
||||||
G_OBJECT_CLASS(fu_config_parent_class)->finalize(obj);
|
G_OBJECT_CLASS(fu_config_parent_class)->finalize(obj);
|
||||||
|
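Review bot: In fu_config_reload the loop appends whatever `fu_common_strtoull(uids[i])` returns, so a mistyped or non-numeric TrustedUids entry is never reported. If that helper returns 0 for text it cannot parse, as it appears to, a bad entry silently becomes UID 0 and the administrator gets no hint that the intended user is not trusted. Values above the 32-bit range that the D-Bus caller UID can carry are also stored, although they can never match. I would parse strictly and warn on rejects, as below, provided the project's minimum GLib has g_ascii_string_to_unsigned. The function body starts outside this hunk.

```c
/* ... unchanged: g_array_set_size() and g_key_file_get_string_list() ... */
for (guint i = 0; uids[i] != NULL; i++) {
	guint64 val = 0;
	g_autoptr(GError) error_local = NULL;
	if (!g_ascii_string_to_unsigned(uids[i], 10, 0, G_MAXUINT32, &val, &error_local)) {
		g_warning("ignoring invalid TrustedUids entry '%s': %s",
			  uids[i],
			  error_local->message);
		continue;
	}
	g_array_append_val(self->trusted_uids, val);
}
```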
@ -28,6 +28,8 @@ GPtrArray *
|
|||||||
fu_config_get_disabled_devices(FuConfig *self);
|
fu_config_get_disabled_devices(FuConfig *self);
|
||||||
GPtrArray *
|
GPtrArray *
|
||||||
fu_config_get_disabled_plugins(FuConfig *self);
|
fu_config_get_disabled_plugins(FuConfig *self);
|
||||||
|
GArray *
|
||||||
|
fu_config_get_trusted_uids(FuConfig *self);
|
||||||
GPtrArray *
|
GPtrArray *
|
||||||
fu_config_get_approved_firmware(FuConfig *self);
|
fu_config_get_approved_firmware(FuConfig *self);
|
||||||
GPtrArray *
|
GPtrArray *
|
||||||
|
@ -5770,6 +5770,23 @@ fu_engine_add_plugin(FuEngine *self, FuPlugin *plugin)
|
|||||||
fu_plugin_list_add(self->plugin_list, plugin);
|
fu_plugin_list_add(self->plugin_list, plugin);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
gboolean
|
||||||
|
fu_engine_is_uid_trusted(FuEngine *self, guint64 calling_uid)
|
||||||
|
{
|
||||||
|
GArray *trusted;
|
||||||
|
|
||||||
|
/* root is always trusted */
|
||||||
|
if (calling_uid == 0)
|
||||||
|
return TRUE;
|
||||||
|
|
||||||
|
trusted = fu_config_get_trusted_uids(self->config);
|
||||||
|
for (guint i = 0; i < trusted->len; i++) {
|
||||||
|
if (calling_uid == g_array_index(trusted, guint64, i))
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
static gboolean
|
static gboolean
|
||||||
fu_engine_is_plugin_name_disabled(FuEngine *self, const gchar *name)
|
fu_engine_is_plugin_name_disabled(FuEngine *self, const gchar *name)
|
||||||
{
|
{
|
||||||
|
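Review bot: fu_engine_is_uid_trusted reads `trusted->len` without checking the result of fu_config_get_trusted_uids, which returns NULL when its FU_IS_CONFIG precondition fails. The new public function also has no precondition check or doc comment of its own. I would add `g_return_val_if_fail(FU_IS_ENGINE(self), FALSE);` at the top and `if (trusted == NULL) return FALSE;` after the lookup, so that the trust decision fails closed. A short doc comment saying that UID 0 is always trusted and that other UIDs come from the TrustedUids config key would tell callers what a TRUE result means.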
@ -68,6 +68,8 @@ const gchar *
|
|||||||
fu_engine_get_host_machine_id(FuEngine *self);
|
fu_engine_get_host_machine_id(FuEngine *self);
|
||||||
const gchar *
|
const gchar *
|
||||||
fu_engine_get_host_bkc(FuEngine *self);
|
fu_engine_get_host_bkc(FuEngine *self);
|
||||||
|
gboolean
|
||||||
|
fu_engine_is_uid_trusted(FuEngine *self, guint64 calling_uid);
|
||||||
const gchar *
|
const gchar *
|
||||||
fu_engine_get_host_security_id(FuEngine *self);
|
fu_engine_get_host_security_id(FuEngine *self);
|
||||||
FwupdStatus
|
FwupdStatus
|
||||||
|
@ -284,7 +284,7 @@ fu_main_create_request(FuMainPrivate *priv, const gchar *sender, GError **error)
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
g_variant_get(value, "(u)", &calling_uid);
|
g_variant_get(value, "(u)", &calling_uid);
|
||||||
if (calling_uid == 0)
|
if (fu_engine_is_uid_trusted(priv->engine, calling_uid))
|
||||||
device_flags |= FWUPD_DEVICE_FLAG_TRUSTED;
|
device_flags |= FWUPD_DEVICE_FLAG_TRUSTED;
|
||||||
fu_engine_request_set_device_flags(request, device_flags);
|
fu_engine_request_set_device_flags(request, device_flags);
|
||||||
|
|
||||||
|
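Review bot: The condition in fu_main_create_request now sets FWUPD_DEVICE_FLAG_TRUSTED for every UID listed in TrustedUids, where it used to mean the caller is root. Any other consumer of that flag which relied on the old meaning is widened as well. Those consumers are not visible in this hunk, so they need checking against the rest of the daemon. A comment at the call, such as `/* root or a UID from TrustedUids: may see private device data */`, would record the new meaning. The function body starts and ends outside the hunk.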