feat: add polkit support

As title.

Log: enhance security
Task: https://pms.uniontech.com/task-view-355353.html

.reuse/dep5

@@ -33,8 +33,8 @@ Files: .gitignore
 Copyright: None
 License: CC0-1.0
 
-# xml toml json conf yaml
-Files: *.xml *.toml *.json *conf *.yaml
+# xml toml json conf yaml policy
+Files: *.xml *.toml *.json *conf *.yaml *.policy
 Copyright: None
 License: CC0-1.0
 

debian/control

@@ -6,7 +6,8 @@ Build-Depends:
  cmake,
  debhelper (>= 9), dh-dkms | dkms, qtbase5-dev,
  pkg-config, libudisks2-qt5-dev, libmount-dev,
- libglib2.0-dev, libpcre3-dev, libnl-genl-3-dev
+ libglib2.0-dev, libpcre3-dev, libnl-genl-3-dev,
+ libpolkit-qt5-1-dev
 Standards-Version: 3.9.8
 Homepage: http://github.com/linuxdeepin/deepin-anything
 

debian/deepin-anything-server.install

@@ -2,3 +2,4 @@ usr/bin/deepin-anything-server
 usr/lib/*/libdeepin-anything-server-lib.*
 usr/share/dbus-1/interfaces
 etc/dbus-1/system.d
+usr/share/polkit-1/actions

rpm/deepin-anything.spec

@@ -21,6 +21,7 @@ BuildRequires: udisks2-qt5-devel
 BuildRequires: libmount
 BuildRequires: libmount-devel
 BuildRequires: pcre-devel libnl3-devel
+BuildRequires: libpolkit-qt5-1-devel
 
 
 %description
@@ -68,6 +69,7 @@ mkdir -p %{?buildroot}/usr/lib/modules-load.d/
 %{_libdir}/libdeepin-anything-server-lib.so.*
 %{_datadir}/dbus-1/interfaces/com.deepin.anything.xml
 %{_sysconfdir}/dbus-1/system.d/com.deepin.anything.conf
+%{_datadir}/polkit-1/actions/com.deepin.anything.policy
 
 %files devel
 %{_libdir}/libanything.so

src/server/backend/CMakeLists.txt

@@ -27,6 +27,7 @@ find_package(Qt5 COMPONENTS Core REQUIRED)
 find_package(Qt5 COMPONENTS Concurrent REQUIRED)
 find_package(Qt5 COMPONENTS DBus REQUIRED)
 find_package(PkgConfig REQUIRED)
+find_package(PolkitQt5-1)
 
 pkg_check_modules(GLIB REQUIRED glib-2.0)
 pkg_check_modules(MOUNT REQUIRED mount IMPORTED_TARGET)
@@ -84,6 +85,7 @@ target_link_libraries(${PROJECT_NAME} PUBLIC
     ${MOUNT_LIBRARIES}
     ${GLIB_LIBRARIES}
     ${GNL_LIBRARIES}
+    PolkitQt5-1::Agent
 )
 
 target_include_directories(${PROJECT_NAME} PUBLIC
@@ -103,6 +105,9 @@ FILE (GLOB DBUS_INSTALL
 FILE (GLOB DBUS_CONFIG_INSTALL
     "dbusservice/com.deepin.anything.conf"
 )
+FILE (GLOB DBUS_POLICY_INSTALL
+    "dbusservice/com.deepin.anything.policy"
+)
 
 include(GNUInstallDirs)
 
@@ -115,6 +120,9 @@ install (FILES ${DBUS_INSTALL}
 install (FILES ${DBUS_CONFIG_INSTALL}
     DESTINATION /etc/dbus-1/system.d
 )
+install (FILES ${DBUS_POLICY_INSTALL}
+    DESTINATION share/polkit-1/actions
+)
 
 install_targets ("/${CMAKE_INSTALL_LIBDIR}" ${PROJECT_NAME})
 

src/server/backend/dbusservice/com.deepin.anything.policy

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+"http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
+<policyconfig>
+	<action id="com.deepin.anything">
+		<description>Access The File Index</description>
+		<message>Authentication is required to access the file index</message>
+		<defaults>
+			<allow_any>no</allow_any>
+			<allow_inactive>no</allow_inactive>
+			<allow_active>auth_admin_keep</allow_active>
+		</defaults>
+		<description xml:lang="zh_HK">Access The File Index</description>
+		<message xml:lang="zh_HK">存取檔案索引需要認證</message>
+		<description xml:lang="zh_CN">Access The File Index</description>
+		<message xml:lang="zh_CN">访问文件索引需要认证</message>
+		<description xml:lang="zh_TW">Access The File Index</description>
+		<message xml:lang="zh_TW">存取檔案索引需要認證</message>
+		<description xml:lang="bo">Access The File Index</description>
+		<message xml:lang="bo">ཡིག་ཆའི་དཀར་ཆག་ལ་འཛུལ་ཞུགས་བྱེད་པར་བདེན་དཔང་བྱེད་དགོས།</message>
+		<description xml:lang="ug">Access The File Index</description>
+		<message xml:lang="ug">ھۆججەت كۆرسەتكۈچىنى زىيارەت قىلىش ئۈچۈن دەلىللەش تەلەپ قىلىنىدۇ</message>
+	</action>
+</policyconfig>

src/server/backend/lib/lftmanager.cpp

@@ -1,5 +1,5 @@
 // Copyright (C) 2021 UOS Technology Co., Ltd.
-// SPDX-FileCopyrightText: 2022 - 2023 UnionTech Software Technology Co., Ltd.
+// SPDX-FileCopyrightText: 2022 - 2024 UnionTech Software Technology Co., Ltd.
 //
 // SPDX-License-Identifier: GPL-3.0-or-later
 
@@ -24,6 +24,8 @@ extern "C" {
 #include <QStandardPaths>
 #include <QRegularExpression>
 #include <QTimer>
+#include <polkit-qt5-1/PolkitQt1/Authority>
+#include <QDBusMessage>
 
 #include <unistd.h>
 #include <sys/time.h>
@@ -154,6 +156,9 @@ QString LFTManager::cacheDir()
 
 QByteArray LFTManager::setCodecNameForLocale(const QByteArray &codecName)
 {
+    if (!checkAuthorization())
+        return QByteArray();
+
     const QTextCodec *old_codec = QTextCodec::codecForLocale();
 
     if (codecName.isEmpty())
@@ -315,6 +320,9 @@ static void removeBuf(fs_buf *buf, bool &removeLFTFile)
 
 bool LFTManager::addPath(QString path, bool autoIndex)
 {
+    if (!checkAuthorization())
+        return false;
+
     nDebug() << path << autoIndex;
 
     if (!path.startsWith("/")) {
@@ -411,6 +419,9 @@ bool LFTManager::addPath(QString path, bool autoIndex)
 
 bool LFTManager::removePath(const QString &path)
 {
+    if (!checkAuthorization())
+        return false;
+
     nDebug() << path;
 
     if (fs_buf *buf = _global_fsBufMap->take(path)) {
@@ -493,6 +504,9 @@ bool LFTManager::lftBuinding(const QString &path) const
 
 bool LFTManager::cancelBuild(const QString &path)
 {
+    if (!checkAuthorization())
+        return false;
+
     nDebug() << path;
 
     if (QFutureWatcher<fs_buf*> *watcher = _global_fsWatcherMap->take(path)) {
@@ -545,6 +559,9 @@ QStringList LFTManager::hasLFTSubdirectories(QString path) const
 // 重新从磁盘加载lft文件
 QStringList LFTManager::refresh(const QByteArray &serialUriFilter)
 {
+    if (!checkAuthorization())
+        return QStringList();
+
     nDebug() << serialUriFilter;
 
     const QString &cache_path = cacheDir();
@@ -615,6 +632,9 @@ QStringList LFTManager::refresh(const QByteArray &serialUriFilter)
 
 QStringList LFTManager::sync(const QString &mountPoint)
 {
+    if (!checkAuthorization())
+        return QStringList();
+
     nDebug() << mountPoint;
 
     QStringList path_list;
@@ -709,6 +729,9 @@ enum SearchError
 
 QStringList LFTManager::insertFileToLFTBuf(const QByteArray &file)
 {
+    if (!checkAuthorization())
+        return QStringList();
+
     cDebug() << file;
 
     auto buff_pair = getFsBufByPath(QString::fromLocal8Bit(file));
@@ -763,6 +786,9 @@ QStringList LFTManager::insertFileToLFTBuf(const QByteArray &file)
 
 QStringList LFTManager::removeFileFromLFTBuf(const QByteArray &file)
 {
+    if (!checkAuthorization())
+        return QStringList();
+
     cDebug() << file;
 
     auto buff_pair = getFsBufByPath(QString::fromLocal8Bit(file));
@@ -812,6 +838,9 @@ QStringList LFTManager::removeFileFromLFTBuf(const QByteArray &file)
 
 QStringList LFTManager::renameFileOfLFTBuf(const QByteArray &oldFile, const QByteArray &newFile)
 {
+    if (!checkAuthorization())
+        return QStringList();
+
     cDebug() << oldFile << newFile;
 
     auto buff_pair = getFsBufByPath(QString::fromLocal8Bit(newFile));
@@ -869,6 +898,9 @@ QStringList LFTManager::renameFileOfLFTBuf(const QByteArray &oldFile, const QByt
 
 void LFTManager::quit()
 {
+    if (!checkAuthorization())
+        return;
+
     qApp->quit();
 }
 
@@ -912,6 +944,9 @@ QStringList LFTManager::parallelsearch(const QString &path, quint32 startOffset,
 
 void LFTManager::setAutoIndexExternal(bool autoIndexExternal)
 {
+    if (!checkAuthorization())
+        return;
+
     if (this->autoIndexExternal() == autoIndexExternal)
         return;
 
@@ -929,6 +964,9 @@ void LFTManager::setAutoIndexExternal(bool autoIndexExternal)
 
 void LFTManager::setAutoIndexInternal(bool autoIndexInternal)
 {
+    if (!checkAuthorization())
+        return;
+
     if (this->autoIndexInternal() == autoIndexInternal)
         return;
 
@@ -946,6 +984,9 @@ void LFTManager::setAutoIndexInternal(bool autoIndexInternal)
 
 void LFTManager::setLogLevel(int logLevel)
 {
+    if (!checkAuthorization())
+        return;
+
     nDebug() << "setLogLevel:" << logLevel;
 
     QString rules;
@@ -1639,3 +1680,23 @@ int LFTManager::_doSearch(void *vbuf, quint32 maxCount, const QString &path, con
 
     return total;
 }
+
+bool LFTManager::checkAuthorization(void)
+{
+    if (!calledFromDBus())
+        return true;
+
+    QString actionId("com.deepin.anything");
+    QString appBusName = message().service();
+    PolkitQt1::Authority::Result result;
+
+    result = PolkitQt1::Authority::instance()->checkAuthorizationSync(actionId,
+                                                                      PolkitQt1::SystemBusNameSubject(appBusName),
+                                                                      PolkitQt1::Authority::AllowUserInteraction);
+    if (result == PolkitQt1::Authority::Yes) {
+        return true;
+    }else {
+        sendErrorReply(QDBusError::AccessDenied);
+        return false;
+    }
+}

src/server/backend/lib/lftmanager.h

@@ -25,7 +25,7 @@ class LFTManager : public QObject, protected QDBusContext
 
     static LFTManager *instance();
     static QString cacheDir();
-    static QByteArray setCodecNameForLocale(const QByteArray &codecName);
+    QByteArray setCodecNameForLocale(const QByteArray &codecName);
     static void onFileChanged(QList<QPair<QByteArray, QByteArray>> &actionList);
 
     bool addPath(QString path, bool autoIndex = false);
@@ -107,6 +107,8 @@ public Q_SLOTS:
     QStringList _setRulesByDefault(const QStringList &rules, quint32 startOffset, quint32 endOffset) const;
     QStringList _enterSearch(const QString &path, const QString &keyword, const QStringList &rules, quint32 &startOffsetReturn, quint32 &endOffsetReturn) const;
     int _doSearch(void *vbuf, quint32 maxCount, const QString &path, const QString &keyword, quint32 *startOffset, quint32 *endOffset, QList<uint32_t> &results, const QStringList &rules = {}) const;
+
+    bool checkAuthorization(void);
 };
 
 #endif // LFTMANAGER_H