From 09153c6825e5b5157fba7600cefabb762d887891 Mon Sep 17 00:00:00 2001
From: Robert Ancell <robert.ancell@ubuntu.com>
Date: Thu, 6 Aug 2009 15:57:15 +0100
Subject: [PATCH 1/2] Add PolicyKit support to GDM settings D-Bus interface
Ubuntu: https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/395299
Upstream: http://bugzilla.gnome.org/show_bug.cgi?id=587750

--- gdm-3.1.90/data/Makefile.am.wiget	2011-08-31 02:04:37.000000000 +0200
+++ gdm-3.1.90/data/Makefile.am	2011-09-05 21:46:13.070224232 +0200
@@ -45,6 +45,8 @@ schemasdir = $(pkgdatadir)
 schemas_in_files = gdm.schemas.in
 schemas_DATA = $(schemas_in_files:.schemas.in=.schemas)
 
+@INTLTOOL_POLICY_RULE@
+
 gdm.schemas.in: $(srcdir)/gdm.schemas.in.in
 	sed	-e 's,[@]GDMPREFETCHCMD[@],$(GDMPREFETCHCMD),g' \
 		-e 's,[@]GDM_CUSTOM_CONF[@],$(GDM_CUSTOM_CONF),g' \
@@ -84,11 +86,18 @@ localealias_DATA = locale.alias
 sessiondir = $(datadir)/gnome-session/sessions
 session_DATA = gdm-fallback.session gdm-shell.session
 
+polkitdir = $(datadir)/polkit-1/actions
+polkit_in_files = gdm.policy.in
+polkit_DATA = $(polkit_in_files:.policy.in=.policy)
+check:
+	$(POLKIT_POLICY_FILE_VALIDATE) $(polkit_DATA)
+
 EXTRA_DIST =			\
 	$(schemas_in_files)	\
 	$(schemas_DATA)		\
 	$(dbusconf_in_files)	\
 	$(localealias_DATA)	\
+	$(polkit_in_files)	\
 	gdm.schemas.in.in	\
 	gdm.conf-custom.in 	\
 	Xsession.in 		\
@@ -118,6 +127,7 @@ CLEANFILES = 				\
 
 DISTCLEANFILES =			\
 	$(dbusconf_DATA)		\
+	$(polkit_DATA)			\
 	gdm-shell.session		\
 	gdm.schemas			\
 	dconf-override-db		\
--- gdm-3.1.90/data/gdm.conf.in.wiget	2011-08-09 22:08:42.000000000 +0200
+++ gdm-3.1.90/data/gdm.conf.in	2011-09-05 21:44:39.831640332 +0200
@@ -34,8 +34,6 @@
     <deny send_destination="org.gnome.DisplayManager"
           send_interface="org.gnome.DisplayManager.LocalDisplayFactory"/>
     <deny send_destination="org.gnome.DisplayManager"
-          send_interface="org.gnome.DisplayManager.Settings"/>
-    <deny send_destination="org.gnome.DisplayManager"
           send_interface="org.gnome.DisplayManager.Slave"/>
     <deny send_destination="org.gnome.DisplayManager"
           send_interface="org.gnome.DisplayManager.Session"/>
@@ -44,6 +42,10 @@
     <allow send_destination="org.gnome.DisplayManager"
            send_interface="org.freedesktop.DBus.Introspectable"/>
 
+    <!-- Controlled by PolicyKit -->
+    <allow send_destination="org.gnome.DisplayManager"
+           send_interface="org.gnome.DisplayManager.Settings"/>
+
     <allow send_destination="org.gnome.DisplayManager"
            send_interface="org.gnome.DisplayManager.Display"
            send_member="GetId"/>
--- gdm-3.1.90/data/gdm.policy.in.wiget	2011-09-05 21:44:39.831640332 +0200
+++ gdm-3.1.90/data/gdm.policy.in	2011-09-05 21:44:39.831640332 +0200
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
+<policyconfig>
+  <vendor>The GNOME Project</vendor>
+  <vendor_url>http://www.gnome.org/</vendor_url>
+  <icon_name>gdm</icon_name>
+
+  <action id="org.gnome.displaymanager.settings.write">
+    <description>Change login screen configuration</description>
+    <message>Privileges are required to change the login screen configuration.</message>
+    <defaults>
+      <allow_inactive>no</allow_inactive>
+      <allow_active>auth_admin_keep</allow_active>
+    </defaults>
+  </action>
+</policyconfig>
--- gdm-3.1.90/common/Makefile.am.wiget	2011-08-09 22:08:42.000000000 +0200
+++ gdm-3.1.90/common/Makefile.am	2011-09-05 21:44:39.831640332 +0200
@@ -99,6 +99,7 @@ libgdmcommon_la_CFLAGS =		\
 	$(NULL)
 
 libgdmcommon_la_LIBADD =		\
+	$(COMMON_LIBS)			\
 	$(NULL)
 
 libgdmcommon_la_LDFLAGS = 	\
--- gdm-3.1.90/common/gdm-settings.c.wiget	2011-08-09 22:08:42.000000000 +0200
+++ gdm-3.1.90/common/gdm-settings.c	2011-09-05 21:44:39.831640332 +0200
@@ -36,6 +36,7 @@
 #define DBUS_API_SUBJECT_TO_CHANGE
 #include <dbus/dbus-glib.h>
 #include <dbus/dbus-glib-lowlevel.h>
+#include <polkit/polkit.h>
 
 #include "gdm-settings.h"
 #include "gdm-settings-glue.h"
@@ -108,6 +109,90 @@ gdm_settings_get_value (GdmSettings *set
         return res;
 }
 
+static void
+unlock_auth_cb (PolkitAuthority *authority,
+                GAsyncResult *result,
+                DBusGMethodInvocation *context)
+{
+        PolkitAuthorizationResult *auth_result;
+        GError  *error = NULL;
+
+        auth_result = polkit_authority_check_authorization_finish (authority, result, &error);
+
+        if (!auth_result)
+                dbus_g_method_return_error (context, error);
+        else {
+                dbus_g_method_return (context,
+                                      polkit_authorization_result_get_is_authorized (auth_result));
+        }
+    
+        if (auth_result)
+                g_object_unref (auth_result);
+        if (error)
+                g_error_free (error);
+}
+
+gboolean
+gdm_settings_unlock (GdmSettings *settings,
+                     DBusGMethodInvocation *context)
+{
+        polkit_authority_check_authorization (polkit_authority_get (),
+                                              polkit_system_bus_name_new (dbus_g_method_get_sender (context)),
+                                              "org.gnome.displaymanager.settings.write",
+                                              NULL,
+                                              POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
+                                              NULL,
+                                              (GAsyncReadyCallback) unlock_auth_cb,
+                                              context);
+}
+
+typedef struct
+{
+        GdmSettings *settings;
+        DBusGMethodInvocation *context;
+        gchar *key, *value;
+} SetValueData;
+
+static void
+set_value_auth_cb (PolkitAuthority *authority,
+                   GAsyncResult *result,
+                   SetValueData *data)
+{
+        PolkitAuthorizationResult *auth_result;
+        GError  *error = NULL;
+
+        auth_result = polkit_authority_check_authorization_finish (authority, result, &error);
+
+        if (!auth_result)
+                dbus_g_method_return_error (data->context, error);
+        else {
+                if (polkit_authorization_result_get_is_authorized (auth_result)) {
+                        gboolean result;
+                    
+                        result = gdm_settings_backend_set_value (data->settings->priv->backend,
+                                                                 data->key,
+                                                                 data->value,
+                                                                 &error);
+                        if (result)
+                                dbus_g_method_return (data->context);
+                        else
+                                dbus_g_method_return_error (data->context, error);
+                }
+                else {
+                        error = g_error_new (DBUS_GERROR_REMOTE_EXCEPTION, 0, "Not authorized");
+                        dbus_g_method_return_error (data->context, error);
+                }
+        }
+    
+        if (auth_result)
+                g_object_unref (auth_result);
+        if (error)
+                g_error_free (error);
+        g_free (data->key);
+        g_free (data->value);
+        g_free (data);
+}
+
 /*
 dbus-send --system --print-reply --dest=org.gnome.DisplayManager /org/gnome/DisplayManager/Settings org.gnome.DisplayManager.Settings.SetValue string:"xdmcp/Enable" string:"false"
 */
@@ -116,26 +201,30 @@ gboolean
 gdm_settings_set_value (GdmSettings *settings,
                         const char  *key,
                         const char  *value,
-                        GError     **error)
+                        DBusGMethodInvocation *context)
 {
-        GError  *local_error;
-        gboolean res;
-
+        SetValueData *data;
+    
         g_return_val_if_fail (GDM_IS_SETTINGS (settings), FALSE);
         g_return_val_if_fail (key != NULL, FALSE);
 
         g_debug ("Setting value %s", key);
-
-        local_error = NULL;
-        res = gdm_settings_backend_set_value (settings->priv->backend,
-                                              key,
-                                              value,
-                                              &local_error);
-        if (! res) {
-                g_propagate_error (error, local_error);
-        }
-
-        return res;
+    
+        /* Authorize with PolicyKit */
+        data = g_malloc (sizeof(SetValueData));
+        data->settings = settings;
+        data->context = context;
+        data->key = g_strdup(key);
+        data->value = g_strdup(value);    
+        polkit_authority_check_authorization (polkit_authority_get (),
+                                              polkit_system_bus_name_new (dbus_g_method_get_sender (context)),
+                                              "org.gnome.displaymanager.settings.write",
+                                              NULL,
+                                              POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
+                                              NULL,
+                                              (GAsyncReadyCallback) set_value_auth_cb,
+                                              data);
+        return TRUE;
 }
 
 static gboolean
--- gdm-3.1.90/common/gdm-settings.xml.wiget	2011-04-25 17:55:04.000000000 +0200
+++ gdm-3.1.90/common/gdm-settings.xml	2011-09-05 21:44:39.831640332 +0200
@@ -5,7 +5,12 @@
       <arg name="key" direction="in" type="s"/>
       <arg name="value" direction="out" type="s"/>
     </method>
+    <method name="Unlock">
+      <annotation name="org.freedesktop.DBus.GLib.Async" value=""/>
+      <arg name="is_unlocked" direction="out" type="b"/>
+    </method>
     <method name="SetValue">
+      <annotation name="org.freedesktop.DBus.GLib.Async" value=""/>
       <arg name="key" direction="in" type="s"/>
       <arg name="value" direction="in" type="s"/>
     </method>
--- gdm-3.1.90/common/gdm-settings.h.wiget	2011-04-25 17:55:04.000000000 +0200
+++ gdm-3.1.90/common/gdm-settings.h	2011-09-05 21:44:39.831640332 +0200
@@ -23,6 +23,7 @@
 #define __GDM_SETTINGS_H
 
 #include <glib-object.h>
+#include <dbus/dbus-glib.h>
 
 G_BEGIN_DECLS
 
@@ -70,10 +71,12 @@ gboolean            gdm_settings_get_val
                                                                  const char  *key,
                                                                  char       **value,
                                                                  GError     **error);
+gboolean            gdm_settings_unlock                         (GdmSettings *settings,
+                                                                 DBusGMethodInvocation *context);
 gboolean            gdm_settings_set_value                      (GdmSettings *settings,
                                                                  const char  *key,
                                                                  const char  *value,
-                                                                 GError     **error);
+                                                                 DBusGMethodInvocation *context);
 
 G_END_DECLS
 
--- gdm-3.1.90/configure.ac.wiget	2011-08-30 20:24:43.000000000 +0200
+++ gdm-3.1.90/configure.ac	2011-09-05 21:45:16.999745584 +0200
@@ -56,6 +56,7 @@ dnl - Dependencies
 dnl ---------------------------------------------------------------------------
 
 DBUS_GLIB_REQUIRED_VERSION=0.74
+POLKIT_GOBJECT_REQUIRED_VERSION=0.92
 GLIB_REQUIRED_VERSION=2.29.3
 GTK_REQUIRED_VERSION=2.91.1
 PANGO_REQUIRED_VERSION=1.3.0
@@ -78,6 +79,7 @@ AC_SUBST(GTHREAD_LIBS)
 
 PKG_CHECK_MODULES(COMMON,
         dbus-glib-1 >= $DBUS_GLIB_REQUIRED_VERSION
+        polkit-gobject-1 >= $POLKIT_GOBJECT_REQUIRED_VERSION
         gobject-2.0 >= $GLIB_REQUIRED_VERSION
         gio-2.0 >= $GLIB_REQUIRED_VERSION
 )
@@ -86,6 +88,7 @@ AC_SUBST(COMMON_LIBS)
 
 PKG_CHECK_MODULES(DAEMON,
         dbus-glib-1 >= $DBUS_GLIB_REQUIRED_VERSION
+        polkit-gobject-1 >= $POLKIT_GOBJECT_REQUIRED_VERSION
         gobject-2.0 >= $GLIB_REQUIRED_VERSION
         gio-2.0 >= $GLIB_REQUIRED_VERSION
         accountsservice >= $ACCOUNTS_SERVICE_REQUIRED_VERSION