accounts-service: Add accounts service vendor extension for app filter
Use accounts service’s vendor extension support for storing the app filter per user, in a way that persists and which access to is controlled by polkit (so writes can be restricted to administrators). Signed-off-by: Philip Withnall <withnall@endlessm.com> https://phabricator.endlessm.com/T23858
This commit is contained in:
parent
311e9d1c08
commit
79a4c41eee
|
@ -0,0 +1,35 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
|
||||
"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
|
||||
<node>
|
||||
<interface name="com.endlessm.ParentalControls.AppFilter">
|
||||
|
||||
<annotation name="org.freedesktop.Accounts.VendorExtension" value="true"/>
|
||||
|
||||
<annotation name="org.freedesktop.Accounts.Authentication.ChangeOwn"
|
||||
value="com.endlessm.ParentalControls.AppFilter.ChangeOwn"/>
|
||||
<annotation name="org.freedesktop.Accounts.Authentication.ReadOwn"
|
||||
value="com.endlessm.ParentalControls.AppFilter.ReadOwn"/>
|
||||
<annotation name="org.freedesktop.Accounts.Authentication.ChangeAny"
|
||||
value="com.endlessm.ParentalControls.AppFilter.ChangeAny"/>
|
||||
<annotation name="org.freedesktop.Accounts.Authentication.ReadAny"
|
||||
value="com.endlessm.ParentalControls.AppFilter.ReadAny"/>
|
||||
|
||||
<!--
|
||||
app-filter:
|
||||
|
||||
A filter for which applications and binaries the user can run. This is
|
||||
intended to be set by administrators and read by users, rather than being
|
||||
editable by the user themselves.
|
||||
|
||||
The string list contains flatpak application IDs (containing at least one
|
||||
dot and no leading slash) and absolute binary paths (containing a leading
|
||||
slash). The boolean value indicates whether this is a whitelist (true) or
|
||||
blacklist (false).
|
||||
-->
|
||||
<property name="app-filter" type="(bas)" access="readwrite">
|
||||
<annotation name="org.freedesktop.Accounts.DefaultValue"
|
||||
value="(false, [])"/>
|
||||
</property>
|
||||
</interface>
|
||||
</node>
|
|
@ -0,0 +1,42 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<policyconfig>
|
||||
<action id="com.endlessm.ParentalControls.AppFilter.ChangeOwn">
|
||||
<description>Change your own app filter</description>
|
||||
<message>Authentication is required to change your app filter.</message>
|
||||
<defaults>
|
||||
<allow_any>auth_admin_keep</allow_any>
|
||||
<allow_inactive>auth_admin_keep</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
</defaults>
|
||||
</action>
|
||||
|
||||
<action id="com.endlessm.ParentalControls.AppFilter.ReadOwn">
|
||||
<description>Read your own app filter</description>
|
||||
<message>Authentication is required to read your app filter.</message>
|
||||
<defaults>
|
||||
<allow_any>yes</allow_any>
|
||||
<allow_inactive>yes</allow_inactive>
|
||||
<allow_active>yes</allow_active>
|
||||
</defaults>
|
||||
</action>
|
||||
|
||||
<action id="com.endlessm.ParentalControls.AppFilter.ChangeAny">
|
||||
<description>Change another user’s app filter</description>
|
||||
<message>Authentication is required to change another user’s app filter.</message>
|
||||
<defaults>
|
||||
<allow_any>auth_admin_keep</allow_any>
|
||||
<allow_inactive>auth_admin_keep</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
</defaults>
|
||||
</action>
|
||||
|
||||
<action id="com.endlessm.ParentalControls.AppFilter.ReadAny">
|
||||
<description>Read another user’s app filter</description>
|
||||
<message>Authentication is required to read another user’s app filter.</message>
|
||||
<defaults>
|
||||
<allow_any>auth_admin_keep</allow_any>
|
||||
<allow_inactive>auth_admin_keep</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
</defaults>
|
||||
</action>
|
||||
</policyconfig>
|
|
@ -0,0 +1,8 @@
|
|||
install_data('com.endlessm.ParentalControls.policy',
|
||||
install_dir: polkitpolicydir)
|
||||
|
||||
install_data('com.endlessm.ParentalControls.AppFilter.xml',
|
||||
install_dir: dbusinterfacesdir)
|
||||
meson.add_install_script(meson_make_symlink,
|
||||
join_paths(dbusinterfacesdir, 'com.endlessm.ParentalControls.AppFilter.xml'),
|
||||
join_paths(accountsserviceinterfacesdir, 'com.endlessm.ParentalControls.AppFilter.xml'))
|
|
@ -0,0 +1,30 @@
|
|||
project('eos-parental-controls', 'c',
|
||||
version : '0.1.0',
|
||||
meson_version : '>= 0.47.0',
|
||||
license: 'LGPLv2.1+',
|
||||
default_options : [
|
||||
'buildtype=debugoptimized',
|
||||
'warning_level=2',
|
||||
'c_std=gnu11',
|
||||
]
|
||||
)
|
||||
|
||||
pkgconfig = import('pkgconfig')
|
||||
|
||||
meson_make_symlink = join_paths(meson.source_root(), 'tools', 'meson-make-symlink.sh')
|
||||
|
||||
prefix = get_option('prefix')
|
||||
datadir = join_paths(prefix, get_option('datadir'))
|
||||
|
||||
# FIXME: This isn’t exposed in accountsservice.pc
|
||||
accountsserviceinterfacesdir = join_paths(datadir, 'accountsservice', 'interfaces')
|
||||
|
||||
dbus = dependency('dbus-1')
|
||||
dbusinterfacesdir = dbus.get_pkgconfig_variable('interfaces_dir',
|
||||
define_variable: ['datadir', datadir])
|
||||
|
||||
polkit_gobject = dependency('polkit-gobject-1')
|
||||
polkitpolicydir = polkit_gobject.get_pkgconfig_variable('policydir',
|
||||
define_variable: ['prefix', prefix])
|
||||
|
||||
subdir('accounts-service')
|
|
@ -0,0 +1,12 @@
|
|||
#!/bin/sh
|
||||
set -eu
|
||||
|
||||
# this is needed mostly because $DESTDIR is provided as a variable,
|
||||
# and we need to create the target directory...
|
||||
|
||||
mkdir -vp "$(dirname "${DESTDIR:-}$2")"
|
||||
if [ "$(dirname $1)" = . ]; then
|
||||
ln -vfs -T "$1" "${DESTDIR:-}$2"
|
||||
else
|
||||
ln -vfs -T --relative "${DESTDIR:-}$1" "${DESTDIR:-}$2"
|
||||
fi
|
Loading…
Reference in New Issue