fix(auth): unify caller authentication to isTrustedSender and remove binary path identification

Replace binary path-based caller identification (getExecutablePathAndCmdline,
mapMethodCaller, checkInvokePermission, checkSenderNsMntValid) with
isTrustedSender + polkit authentication across all protected interfaces
(InstallPackage, RemovePackage, DistUpgradePartly, PrepareDistUpgradePartly,
PrepareFullScreenUpgrade, PowerOff, SetUpdateSources, UpdateMode,
CheckUpdateModeWrite). Remove hardcoded executable path constants and
whitelists (allowInstallPackageExecPaths, allowRemovePackageExecPaths).

Introduce manager_auth.go with allow-caller registration, lightdm trusted
UID support, and persistent runtime state under /run/lastore. Export
SetAllowCaller D-Bus method for deepin-security-loader integration.
Add D-Bus access rules: deny SetAllowCaller/PowerOff for default policy,
allow deepin-daemon and lightdm groups. Configure RuntimeDirectoryMode
to 0700 with RuntimeDirectoryPreserve=yes. Add appstore_intranet.list
to trusted source list. Remove deprecated deny-exec-whitelist and
install-package-support-auth config items. Add isInstallLikeJobType
helper. Refactor PrepareFullScreenUpgrade to use terminate() closure
and add dde-update fallback path.

Add unit tests for manager_auth (isTrustedSender, SetAllowCaller
persistence, runtime state load/remove, bus restart cleanup) and
isInstallLikeJobType. Fix appinfo_test to use t.TempDir() instead
of hardcoded /tmp path.

Author: Fire-dtx

lib/systemd/system/lastore-daemon.service

@@ -23,7 +23,8 @@ ExecStart=/usr/libexec/lastore-daemon/lastore-daemon
 NoNewPrivileges=true
 ProtectClock=true
 RuntimeDirectory=lastore
-RuntimeDirectoryMode=0750
+RuntimeDirectoryMode=0700
+RuntimeDirectoryPreserve=yes
 StandardError=null
 StandardOutput=null
 Type=dbus

src/lastore-daemon/common.go

@@ -9,7 +9,6 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -23,16 +22,13 @@ import (
 	"time"
 	"unicode/utf8"
 
-	"github.com/linuxdeepin/dde-api/polkit"
 	utils2 "github.com/linuxdeepin/go-lib/utils"
 	"github.com/linuxdeepin/lastore-daemon/src/internal/config"
 	"github.com/linuxdeepin/lastore-daemon/src/internal/system"
 	"github.com/linuxdeepin/lastore-daemon/src/internal/system/apt"
 
 	"github.com/godbus/dbus/v5"
-	"github.com/linuxdeepin/go-lib/dbusutil"
 	"github.com/linuxdeepin/go-lib/procfs"
-	"github.com/linuxdeepin/go-lib/strv"
 )
 
 var _urlReg = regexp.MustCompile(`^[ ]*deb .*((?:https?|ftp|file|p2p|delivery)://[^ ]+)`)
@@ -270,82 +266,6 @@ func parseAutoDownloadRange(idleDownloadConfig idleDownloadConfig, now time.Time
 	return NewTimeRange(beginTime, endTime), nil
 }
 
-const (
-	appStoreDaemonPath    = "/usr/bin/deepin-app-store-daemon"
-	oldAppStoreDaemonPath = "/usr/bin/deepin-appstore-daemon"
-	printerPath           = "/usr/bin/dde-printer"
-	printerHelperPath     = "/usr/bin/dde-printer-helper"
-	sessionDaemonPath     = "/usr/lib/deepin-daemon/dde-session-daemon"
-	langSelectorPath      = "/usr/lib/deepin-daemon/langselector"
-	controlCenterPath     = "/usr/bin/dde-control-center"
-	controlCenterCmdLine  = "/usr/share/applications/dde-control-center.deskto" // 缺个 p 是因为 deepin-turbo 修改命令的时候 buffer 不够用, 所以截断了.
-	oldControlCenterPath  = "/usr/lib/x86_64-linux-gnu/dde-control-center/dde-control-center-old"
-	dataTransferPath      = "/usr/bin/deepin-data-transfer"
-	amDaemonPath          = "/usr/bin/dde-application-manager"
-	launcherPath          = "/usr/bin/dde-launcher"
-	amDaemonCompatPath    = "/usr/libexec/dde-application-wizard-daemon-compat"
-)
-
-// TODO delete
-var (
-	allowInstallPackageExecPaths = strv.Strv{
-		appStoreDaemonPath,
-		oldAppStoreDaemonPath,
-		printerPath,
-		printerHelperPath,
-		langSelectorPath,
-		controlCenterPath,
-		oldControlCenterPath,
-		dataTransferPath,
-	}
-	allowRemovePackageExecPaths = strv.Strv{
-		appStoreDaemonPath,
-		oldAppStoreDaemonPath,
-		sessionDaemonPath,
-		langSelectorPath,
-		controlCenterPath,
-		oldControlCenterPath,
-		amDaemonPath,
-		launcherPath,
-		amDaemonCompatPath,
-	}
-)
-
-// execPath和cmdLine可以有一个为空,其中一个存在即可作为判断调用者的依据
-func getExecutablePathAndCmdline(service *dbusutil.Service, sender dbus.Sender) (string, string, error) {
-	pid, err := service.GetConnPID(string(sender))
-	if err != nil {
-		return "", "", err
-	}
-
-	proc := procfs.Process(pid)
-	execPath, err := proc.Exe()
-	if err != nil {
-		// 当调用者在使用过程中发生了更新,则在获取该进程的exe时,会出现lstat xxx (deleted)此类的error,如果发生的是覆盖,则该路径依旧存在,因此增加以下判断
-		var pErr *os.PathError
-		ok := errors.As(err, &pErr)
-		if ok {
-			if os.IsNotExist(pErr.Err) {
-				errExecPath := strings.Replace(pErr.Path, "(deleted)", "", -1)
-				oldExecPath := strings.TrimSpace(errExecPath)
-				if system.NormalFileExists(oldExecPath) {
-					execPath = oldExecPath
-					err = nil
-				}
-			}
-		}
-	}
-
-	cmdLine, err1 := proc.Cmdline()
-	if err != nil && err1 != nil {
-		return "", "", errors.New(strings.Join([]string{
-			err.Error(),
-			err1.Error(),
-		}, ";"))
-	}
-	return execPath, strings.Join(cmdLine, " "), nil
-}
-
 // 根据类型过滤数据
 func getFilterPackages(infosMap map[string][]string, updateType system.UpdateType) []string {
 	var r []string
@@ -556,62 +476,13 @@ func getCoreListOnline() []string {
 	return pkgs
 }
 
-var _initProcNsMnt string
-var _once sync.Once
-
-// 通过判断/proc/pid/ns/mnt 和 /proc/1/ns/mnt是否相同，如果不相同，则进程exe字段不可信
-func checkSenderNsMntValid(pid uint32) bool {
-	_once.Do(func() {
-		out, err := os.Readlink("/proc/1/ns/mnt")
-		if err != nil {
-			fmt.Println(err)
-			return
-		}
-		_initProcNsMnt = strings.TrimSpace(out)
-	})
-	c, err := os.Readlink(fmt.Sprintf("/proc/%v/ns/mnt", pid))
-	if err != nil {
-		fmt.Println(err)
-		return false
-	}
-	defer func() {
-		fmt.Printf("pid 1 mnt ns is %v,pid %v mnt ns is %v\n", _initProcNsMnt, pid, strings.TrimSpace(c))
-	}()
-	return strings.TrimSpace(c) == _initProcNsMnt
-}
-
 const (
 	polkitActionChangeOwnData          = "com.deepin.lastore.user-administration"
 	polkitActionChangeUpgradeDelivery  = "com.deepin.lastore.doUpgradeDelivery"
 	polkitActionEnableUpgradeDelivery  = "com.deepin.lastore.enableUpgradeDelivery"
 	polkitActionDisableUpgradeDelivery = "com.deepin.lastore.disableUpgradeDelivery"
 )
 
-func checkInvokePermission(service *dbusutil.Service, sender dbus.Sender) error {
-	uid, err := service.GetConnUID(string(sender))
-	if err != nil {
-		return fmt.Errorf("failed to get sender conn uid:%v", err)
-	}
-	if uid != 0 {
-		execPath, cmdLine, err := getExecutablePathAndCmdline(service, sender)
-		if err != nil {
-			logger.Warning(err)
-			return polkit.CheckAuth(polkitActionChangeOwnData, string(sender), nil)
-		}
-		caller := mapMethodCaller(execPath, cmdLine)
-		if methodCallerControlCenter == caller {
-			return nil
-		} else {
-			logger.Infof("not allow %v  call this method ,need check auth by polkit", caller)
-			return polkit.CheckAuth(polkitActionChangeOwnData, string(sender), nil)
-		}
-
-	} else {
-		logger.Info("caller's uid is 0,allow to call this method")
-		return nil
-	}
-}
-
 type UpdateSourceConfig map[config.RepoType]*RepoInfo
 type RepoInfo struct {
 	/*

src/lastore-daemon/exported_methods_auto.go

@@ -31,23 +31,6 @@ const (
 	methodCallerAppStore
 )
 
-func mapMethodCaller(execPath string, cmdLine string) methodCaller {
-	logger.Debug("execPath:", execPath, "cmdLine:", cmdLine)
-	switch execPath {
-	case appStoreDaemonPath, oldAppStoreDaemonPath:
-		return methodCallerAppStore
-	case controlCenterPath:
-		return methodCallerControlCenter
-	default:
-		switch cmdLine {
-		case controlCenterCmdLine:
-			return methodCallerControlCenter
-		default:
-			return methodCallerOtherCaller
-		}
-	}
-}
-
 func (m *Manager) updateSystemOnChanging(onChanging bool, caller methodCaller) {
 	if onChanging && m.inhibitFd == -1 {
 		var why string

src/lastore-daemon/inhibitor.go

@@ -254,6 +254,20 @@ func (jm *JobManager) CreateJob(jobName, jobType string, packages []string, envi
 	return false, job, jm.markReady(job)
 }
 
+func isInstallLikeJobType(jobType string) bool {
+	switch jobType {
+	case system.InstallJobType,
+		system.OnlyInstallJobType,
+		system.SystemUpgradeJobType,
+		system.SecurityUpgradeJobType,
+		system.UnknownUpgradeJobType,
+		system.AppStoreUpgradeJobType:
+		return true
+	default:
+		return false
+	}
+}
+
 func (jm *JobManager) markStart(job *Job) error {
 	jm.markDirty()
 

src/lastore-daemon/job_manager.go

@@ -86,8 +86,7 @@ func main() {
 
 	aptImpl := dut.NewSystem(config.NonUnknownList, config.OtherSourceList, config.UseIncrementalUpdate())
 	system.SetSystemUpdate(config.PlatformUpdate) // 设置是否通过平台更新
-	allowInstallPackageExecPaths = append(allowInstallPackageExecPaths, config.AllowInstallRemovePkgExecPaths...)
-	allowRemovePackageExecPaths = append(allowRemovePackageExecPaths, config.AllowInstallRemovePkgExecPaths...)
+	// 安装/卸载接口不再追加可执行路径白名单，改由 allow-caller、特殊 uid 和 polkit 共同鉴权。
 	manager := NewManager(service, aptImpl, config)
 	updater := NewUpdater(service, manager, config)
 

src/lastore-daemon/main.go

@@ -114,6 +114,9 @@ type Manager struct {
 	logTmpFile *os.File
 
 	isAutoCheckTimerFirstRun bool
+	allowCallServiceList    strv.Strv
+	// 特殊 uid 调用方直接放行，当前用于兼容 lightdm greeter 场景。
+	trustedCallerUIDs map[uint32]struct{}
 }
 
 /*
@@ -143,6 +146,7 @@ func NewManager(service *dbusutil.Service, updateApi system.System, c *config.Co
 		securitySourceConfig:    make(UpdateSourceConfig),
 		systemSourceConfig:      make(UpdateSourceConfig),
 		DownloadLimitOnChanging: false,
+		trustedCallerUIDs:       initTrustedCallerUIDs(),
 	}
 	m.reloadOemConfig(true)
 	m.signalLoop.Start()
@@ -206,6 +210,7 @@ func (m *Manager) initDbusSignalListen() {
 			if m.userAgents != nil {
 				m.userAgents.handleNameLost(name)
 			}
+			m.removeAllowCaller(name)
 		}
 	})
 	if err != nil {
@@ -384,12 +389,6 @@ func (m *Manager) delUpdatePackage(sender dbus.Sender, jobName string, packages
 		return nil, fmt.Errorf("invalid packages arguments %q : %v", packages, err)
 	}
 
-	execPath, cmdLine, err := getExecutablePathAndCmdline(m.service, sender)
-	if err != nil {
-		logger.Warning(err)
-		return nil, dbusutil.ToError(err)
-	}
-	caller := mapMethodCaller(execPath, cmdLine)
 	m.ensureUpdateSourceOnce()
 	environ, err := makeEnvironWithSender(m, sender)
 	if err != nil {
@@ -410,7 +409,6 @@ func (m *Manager) delUpdatePackage(sender dbus.Sender, jobName string, packages
 		return nil, err
 	}
 
-	job.caller = caller
 	return job, err
 }
 
@@ -696,7 +694,7 @@ func (m *Manager) delFixError(sender dbus.Sender, errType string) (*Job, error)
 
 func (m *Manager) updateModeWriteCallback(pw *dbusutil.PropertyWrite) *dbus.Error {
 	// 调用者判断
-	err := checkInvokePermission(m.service, pw.Sender)
+	err := m.checkInvokePermission(pw.Sender)
 	if err != nil {
 		logger.Warning(err)
 		return dbusutil.ToError(err)
@@ -757,7 +755,7 @@ func (m *Manager) syncThirdPartyDconfig() {
 
 func (m *Manager) checkUpdateModeWriteCallback(pw *dbusutil.PropertyWrite) *dbus.Error {
 	// 调用者判断
-	err := checkInvokePermission(m.service, pw.Sender)
+	err := m.checkInvokePermission(pw.Sender)
 	if err != nil {
 		logger.Warning(err)
 		return dbusutil.ToError(err)
@@ -1337,3 +1335,22 @@ func (m *Manager) processLogFds(message string) {
 	// 更新logFds，只保留有效的fd
 	m.logFds = validFds
 }
+
+func (m *Manager) checkInvokePermission(sender dbus.Sender) error {
+	uid, err := m.service.GetConnUID(string(sender))
+	if err != nil {
+		return fmt.Errorf("failed to get sender conn uid:%v", err)
+	}
+	m.PropsMu.RLock()
+	// 控制中心等前端可能经 deepin-security-loader 启动，先按 trusted sender 放行，其余调用方再走 polkit。
+	if !m.isTrustedSender(uid, sender) {
+		err = polkit.CheckAuth(polkitActionChangeOwnData, string(sender), nil)
+		if err != nil {
+			logger.Warning(err)
+			m.PropsMu.RUnlock()
+			return dbusutil.ToError(err)
+		}
+	}
+	m.PropsMu.RUnlock()
+	return nil
+}