feat: 修复dde-api-proxy安全漏洞

dde-api-proxy系统级的dbus接口，使用普通用户也可以使用，有安全问题，因此添加了polkit鉴权。

Log: 修复dde-api-proxy安全漏洞
pms: task-371895

Author: fly602

misc/CMakeLists.txt

@@ -13,3 +13,6 @@ install(FILES ${INSTALL_SYSTEMD_SYSTEM} DESTINATION lib/systemd/system/)
 
 file(GLOB_RECURSE INSTALL_SYSTEMD_USER ${CMAKE_CURRENT_SOURCE_DIR}/systemd/user/*.service)
 install(FILES ${INSTALL_SYSTEMD_USER} DESTINATION lib/systemd/user/)
+
+file(GLOB_RECURSE INSTALL_POLKIT_1 ${CMAKE_CURRENT_SOURCE_DIR}/polkit-1/actions/*.policy)
+install(FILES ${INSTALL_POLKIT_1} DESTINATION share/polkit-1/actions/)

misc/polkit-1/actions/org.deepin.dde.api.proxy.policy

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy 1.0//EN"
+    "http://www.freedesktop.org/standards/PolicyKit/1.0/policykit-policy.dtd">
+<policyconfig>
+    <action id="org.deepin.dde.api.proxy">
+        <message>Authentication is required to call the system proxy interface</message>
+        <message xml:lang="zh_CN">调用系统代理接口需要认证</message>
+        <defaults>
+            <allow_any>no</allow_any>
+            <allow_inactive>no</allow_inactive>
+            <allow_active>auth_admin_keep</allow_active>
+        </defaults>
+        <allow_users>
+            <user>root</user>
+        </allow_users>
+    </action>
+</policyconfig>

src/dbus-proxy/CMakeLists.txt

@@ -13,6 +13,7 @@ find_package(Qt${QT_VERSION_MAJOR} COMPONENTS Core DBus REQUIRED)
 find_package(PkgConfig REQUIRED)
 find_package(DtkCore REQUIRED)
 find_package(DtkTools REQUIRED)
+find_package(PolkitQt5-1 REQUIRED)
 
 macro(qt5_add_dbus_proxy_interface_fix srcs xml class file neednamespace)
     if(${neednamespace})

src/dbus-proxy/common/dbusproxybase.hpp

@@ -20,6 +20,7 @@
 #include <QtCore/QStringList>
 #include <QtCore/QVariant>
 #include <QtDBus/QtDBus>
+#include <PolkitQt1/Authority>
 
 DCORE_USE_NAMESPACE
 
@@ -89,6 +90,28 @@ class DBusProxyBase : public QDBusVirtualObject {
         m_filterMethods = list;
     }
 
+    // 不设置默认不检验，全部有权限；设置了后list中指定的才有权限
+    void InitCheckAuthorization(QMap<QString,QString> list) {
+        m_checkAuthentication = true;
+        m_methodActions = list;
+    }
+
+    bool checkAuthorization(const QString &actionId, const QString &service,const QDBusConnection &connection) const
+    {
+        auto pid = connection.interface()->servicePid(service).value();
+        auto authority = PolkitQt1::Authority::instance();
+        auto result = authority->checkAuthorizationSync(actionId,
+                                                        PolkitQt1::UnixProcessSubject(pid),
+                                                        PolkitQt1::Authority::AllowUserInteraction);
+        if (authority->hasError()) {
+            qWarning() << "checkAuthorizationSync failed:" << authority->lastError()
+                       << authority->errorDetails();
+            return false;
+        }
+
+        return result == PolkitQt1::Authority::Result::Yes;
+    }
+
     virtual bool handleMessage(const QDBusMessage &message, const QDBusConnection &connection)
     {
         qInfo() << "[statistics]";
@@ -110,6 +133,14 @@ class DBusProxyBase : public QDBusVirtualObject {
                 connection.send(message.createErrorReply("com.deepin.dde.error.NotAllowed", "is not allowed"));
                 return true;
             }
+            if (m_checkAuthentication && m_methodActions.contains(message.member())) {
+                if (!checkAuthorization(m_methodActions[message.member()], message.service(), connection)) {
+                    qInfo() << m_proxyDbusInterface << "method authentication:" << message.member() << "is not allowed.";
+                    connection.send(message.createErrorReply("com.deepin.dde.error.NotAllowed", "is not allowed"));
+                    return true;
+                }
+            }
+
             QDBusPendingCall call = m_proxy->asyncCallWithArgumentList(message.member(), message.arguments());
             call.waitForFinished();
             connection.send(message.createReply(call.reply().arguments()));
@@ -476,6 +507,8 @@ class DBusProxyBase : public QDBusVirtualObject {
     QStringList m_filterProperies;
     bool m_filterMethodsEnable;
     QStringList m_filterMethods;
+    bool m_checkAuthentication;
+    QMap<QString, QString> m_methodActions;
     // subpath
     QMap<QString, DBusProxyBase *> m_pathMap;
     QMap<QString, DBusProxySubPathInfo> m_pathInfoMap;

src/dbus-proxy/v1/CMakeLists.txt

@@ -78,6 +78,7 @@ target_link_libraries(${PRO_NAME}
     Qt${QT_VERSION_MAJOR}::Core
     Qt${QT_VERSION_MAJOR}::DBus
     ${DtkCore_LIBRARIES}
+    PolkitQt5-1::Core
  )
 target_include_directories(${PRO_NAME} PUBLIC
     ${CMAKE_CURRENT_SOURCE_DIR}

src/dbus-proxy/v1/system/org_deepin_dde_Accounts1.hpp

@@ -15,6 +15,17 @@ class SystemAccounts1Proxy : public DBusProxyBase {
         QDBusConnection::BusType dbusType, QObject *parent = nullptr) 
         : DBusProxyBase(dbusName, dbusPath, dbusInterface, proxyDbusName, proxyDbusPath, proxyDbusInterface, dbusType, parent)
     {
+        QMap<QString, QString> auth;
+        auth["AllowGuestAccount"] = "org.deepin.dde.api.proxy";
+        auth["CreateGroup"] = "org.deepin.dde.api.proxy";
+        auth["CreateGuestAccount"] = "org.deepin.dde.api.proxy";
+        auth["CreateUser"] = "org.deepin.dde.api.proxy";
+        auth["DeleteGroup"] = "org.deepin.dde.api.proxy";
+        auth["DeleteUser"] = "org.deepin.dde.api.proxy";
+        auth["EnablePasswdChangedHandler"] = "org.deepin.dde.api.proxy";
+        auth["ModifyGroup"] = "org.deepin.dde.api.proxy";
+        auth["SetTerminalLocked"] = "org.deepin.dde.api.proxy";
+        InitCheckAuthorization(auth);
         ServiceStart();
     }
     virtual DDBusExtendedAbstractInterface *initConnect()

src/dbus-proxy/v1/system/org_deepin_dde_Accounts1_User.hpp

@@ -13,6 +13,42 @@ class SystemAccounts1UserProxy : public DBusProxyBase {
         QDBusConnection::BusType dbusType, QObject *parent = nullptr) 
         : DBusProxyBase(dbusName, dbusPath, dbusInterface, proxyDbusName, proxyDbusPath, proxyDbusInterface, dbusType, parent)
     {
+        QMap<QString, QString> auth;
+        auth["AddGroup"] = "org.deepin.dde.api.proxy";
+        auth["DeleteGroup"] = "org.deepin.dde.api.proxy";
+        auth["DeleteIconFile"] = "org.deepin.dde.api.proxy";
+        auth["DeleteSecretKey"] = "org.deepin.dde.api.proxy";
+        auth["EnableNoPasswdLogin"] = "org.deepin.dde.api.proxy";
+        auth["EnableWechatAuth"] = "org.deepin.dde.api.proxy";
+        auth["SetAutomaticLogin"] = "org.deepin.dde.api.proxy";
+        auth["SetCurrentWorkspace"] = "org.deepin.dde.api.proxy";
+        auth["SetDesktopBackgrounds"] = "org.deepin.dde.api.proxy";
+        auth["SetFullName"] = "org.deepin.dde.api.proxy";
+        auth["SetGreeterBackground"] = "org.deepin.dde.api.proxy";
+        auth["SetGroups"] = "org.deepin.dde.api.proxy";
+        auth["SetHistoryLayout"] = "org.deepin.dde.api.proxy";
+        auth["SetHomeDir"] = "org.deepin.dde.api.proxy";
+        auth["SetIconFile"] = "org.deepin.dde.api.proxy";
+        auth["SetLayout"] = "org.deepin.dde.api.proxy";
+        auth["SetLocale"] = "org.deepin.dde.api.proxy";
+        auth["SetLocked"] = "org.deepin.dde.api.proxy";
+        auth["SetLongDateFormat"] = "org.deepin.dde.api.proxy";
+        auth["SetMaxPasswordAge"] = "org.deepin.dde.api.proxy";
+        auth["SetPassword"] = "org.deepin.dde.api.proxy";
+        auth["SetPasswordHint"] = "org.deepin.dde.api.proxy";
+        auth["SetQuickLogin"] = "org.deepin.dde.api.proxy";
+        auth["SetSecretKey"] = "org.deepin.dde.api.proxy";
+        auth["SetSecretQuestions"] = "org.deepin.dde.api.proxy";
+        auth["SetShell"] = "org.deepin.dde.api.proxy";
+        auth["SetShortDateFormat"] = "org.deepin.dde.api.proxy";
+        auth["SetShortTimeFormat"] = "org.deepin.dde.api.proxy";
+        auth["SetUse24HourFormat"] = "org.deepin.dde.api.proxy";
+        auth["SetWeekBegins"] = "org.deepin.dde.api.proxy";
+        auth["SetWeekdayFormat"] = "org.deepin.dde.api.proxy";
+        auth["UpdateWechatAuthState"] = "org.deepin.dde.api.proxy";
+        auth["VerifySecretQuestions"] = "org.deepin.dde.api.proxy";
+        auth["SetLongTimeFormat"] = "org.deepin.dde.api.proxy";
+        InitCheckAuthorization(auth);
         ServiceStart();
     }
     virtual DDBusExtendedAbstractInterface * initConnect() {

src/dbus-proxy/v1/system/org_deepin_dde_AirplaneMode1.hpp

@@ -13,6 +13,11 @@ class SystemAirplaneMode1Proxy : public DBusProxyBase {
         QDBusConnection::BusType dbusType, QObject *parent = nullptr) 
         : DBusProxyBase(dbusName, dbusPath, dbusInterface, proxyDbusName, proxyDbusPath, proxyDbusInterface, dbusType, parent)
     {
+        QMap<QString, QString> auth;
+        auth["Enable"] = "org.deepin.dde.api.proxy";
+        auth["EnableBluetooth"] = "org.deepin.dde.api.proxy";
+        auth["EnableWifi"] = "org.deepin.dde.api.proxy";
+        InitCheckAuthorization(auth);
         ServiceStart();
     }
     virtual DDBusExtendedAbstractInterface *initConnect()

src/dbus-proxy/v1/system/org_deepin_dde_Display1.hpp

@@ -15,6 +15,10 @@ class SystemDisplay1Proxy : public DBusProxyBase {
     {
         InitFilterProperies(QStringList({}));
         InitFilterMethods(QStringList({"GetConfig"}));
+        QMap<QString, QString> auth;
+        auth["SetBacklightBrightness"] = "org.deepin.dde.api.proxy";
+        auth["SetConfig"] = "org.deepin.dde.api.proxy";
+        InitCheckAuthorization(auth);
         ServiceStart();
     }
     virtual DDBusExtendedAbstractInterface *initConnect()

src/dbus-proxy/v1/system/org_deepin_dde_Gesture1.hpp

@@ -15,6 +15,11 @@ class SystemGesture1Proxy : public DBusProxyBase {
     {
         InitFilterProperies(QStringList({}));
         InitFilterMethods(QStringList({}));
+        QMap<QString, QString> auth;
+        auth["SetEdgeMoveStopDuration"] = "org.deepin.dde.api.proxy";
+        auth["SetInputIgnore"] = "org.deepin.dde.api.proxy";
+        auth["SetShortPressDuration"] = "org.deepin.dde.api.proxy";
+        InitCheckAuthorization(auth);
         ServiceStart();
     }
     virtual DDBusExtendedAbstractInterface *initConnect()