Core API Reference - System Dependecies
Desktop Apps Training - Policy Kit

System Dependencies

System Dependencies — Various platform specific utility functions

 

Synopsis



polkit_uint64_t polkit_sysdeps_get_start_time_for_pid
(pid_t pid);
int polkit_sysdeps_get_exe_for_pid (pid_t pid,
char *out_buf,
size_t buf_size);
int polkit_sysdeps_get_exe_for_pid_with_helper
(pid_t pid,
char *out_buf,
size_t buf_size);

Description

Various platform specific utility functions.

 

Details

polkit_sysdeps_get_start_time_for_pid ()

polkit_uint64_t     polkit_sysdeps_get_start_time_for_pid
(pid_t pid);

Get when a process started.

 

pid :

process id

Returns :

start time for the process or 0 if an error occured and errno will be set

Since 0.7


polkit_sysdeps_get_exe_for_pid ()

int                 polkit_sysdeps_get_exe_for_pid      (pid_t pid,
char *out_buf,
size_t buf_size);

Get the name of the binary a given process was started from.

Note that this is not necessary reliable information and as such shouldn't be relied on 100% to make a security decision. In fact, this information is only trustworthy in situations where the given binary is securely locked down meaning that 1) it can't be ptrace(2)'d; 2) libc secure mode kicks in (e.g LD_PRELOAD won't work); 3) there are no other attack vectors (e.g. GTK_MODULES, X11, CORBA, D-Bus) to patch running code into the process.

In other words: the risk of relying on constraining an authorization to the output of this function is high. Suppose that the program /usr/bin/gullible obtains an authorization via authentication for the action org.example.foo. We add a constraint to say that the gained authorization only applies to processes for whom /proc/pid/exe points to /usr/bin/gullible. Now enter /usr/bin/evil. It knows that the program /usr/bin/gullible is not "securely locked down" (per the definition in the above paragraph). So /usr/bin/evil simply sets LD_PRELOAD and execs /usr/bin/gullible and it can now run code in a process where /proc/pid/exe points to /usr/bin/gullible. Thus, the recently gained authorization for org.example.foo applies. Also, /usr/bin/evil could use a host of other attack vectors to run it's own code under the disguise of pretending to be /usr/bin/gullible.

Specifically for interpreted languages like Python and Mono it is the case that /proc/pid/exe always points to /usr/bin/python resp. /usr/bin/mono. Thus, it's not very useful to rely on that the result for this function if you want to constrain an authorization to e.g. /usr/bin/tomboy or /usr/bin/banshee.

If the information could not be obtained, such as if the given process is owned by another user than the caller, -1 is returned and out_buf will be set to "(unknown)". See also the function polkit_sysdeps_get_exe_for_pid_with_helper().

 

pid :

process id

out_buf :

buffer to store the string representation in

buf_size :

size of buffer

Returns :

Number of characters written (not including trailing '\0'). If the output was truncated due to the buffer being too small, buf_size will be returned. Thus, a return value of buf_size or more indicates that the output was truncated (see snprintf(3)) or an error occured. If the name cannot be found, -1 will be returned.

Since 0.7


polkit_sysdeps_get_exe_for_pid_with_helper ()

int                 polkit_sysdeps_get_exe_for_pid_with_helper
(pid_t pid,
char *out_buf,
size_t buf_size);

Like polkit_sysdeps_get_exe_for_pid() but if the given process is owned by another user, a setuid root helper is used to obtain the information. This helper only works if 1) the caller is authorized for the org.freedesktop.policykit.read authorization; or 2) the calling user is polkituser; or 3) the calling user is setegid polkituser.

So -1 might still be returned (the process might also have exited).

 

pid :

process id

out_buf :

buffer to store the string representation in

buf_size :

size of buffer

Returns :

See polkit_sysdeps_get_exe_for_pid().

Since 0.8