From 255bd0dbc129b0c1a95ff34eddf808cc3ed10c2d Mon Sep 17 00:00:00 2001
From: wangrong <wangrong@uniontech.com>
Date: Thu, 11 Jun 2026 14:34:18 +0800
Subject: [PATCH] fix(auth): add polkit authorization check for Start
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add Polkit authentication to the `Start` interface in the service, and
perform Polkit authentication in advance when the application starts.

在服务中为 `Start` 接口添加 Polkit 身份验证，并在应用启动时预先进行 Polkit 身份验证。

Log: 在服务中为 Start 接口添加 Polkit 身份验证
PMS: BUG-364715
Influence: 应用启动时会先进行Polkit身份验证，验证失败则直接退出。
---
 src/app/main.cpp                 | 41 ++++++++++++++++++++++++++++++++
 src/service/bootmakerservice.cpp |  8 ++++++-
 2 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/src/app/main.cpp b/src/app/main.cpp
index 58feae15..1b95da17 100644
--- a/src/app/main.cpp
+++ b/src/app/main.cpp
@@ -14,11 +14,26 @@
 #include <DApplication>
 #include <DWidgetUtil>
 #include <DGuiApplicationHelper>
+#include <QDBusConnection>
 
 #if QT_VERSION < QT_VERSION_CHECK(6, 0, 0)
 #include <DApplicationSettings>
 #endif
 
+#if QT_VERSION < QT_VERSION_CHECK(6, 0, 0)
+#if defined (Q_OS_LINUX)
+#include <polkit-qt5-1/PolkitQt1/Authority>
+#include <polkit-qt5-1/PolkitQt1/Subject>
+#endif
+#else
+#if defined (Q_OS_LINUX)
+#include <polkit-qt6-1/PolkitQt1/Authority>
+#include <polkit-qt6-1/PolkitQt1/Subject>
+#endif
+#endif
+
+const QString s_PolkitActionCreate = "com.deepin.bootmaker.create";
+
 
 DCORE_USE_NAMESPACE
 DWIDGET_USE_NAMESPACE
@@ -53,6 +68,27 @@ static bool switchToRoot(QApplication &app)
 
 #endif
 
+// 在前端中预先进行身份验证, 便于流程控制
+static bool checkAuthorization()
+{
+#if defined (Q_OS_LINUX)
+    QString busName = QDBusConnection::systemBus().baseService();
+    auto authority = PolkitQt1::Authority::instance();
+    if (!authority) {
+        qWarning() << "Failed to get Polkit authority instance";
+        return false;
+    }
+    PolkitQt1::Authority::Result ret = authority->checkAuthorizationSync(
+        s_PolkitActionCreate,
+        PolkitQt1::SystemBusNameSubject(busName),
+        PolkitQt1::Authority::AllowUserInteraction);
+
+    return PolkitQt1::Authority::Yes == ret;
+#else
+    return true;
+#endif
+}
+
 int main(int argc, char **argv)
 {
     qInfo() << "Starting Boot Maker application";
@@ -78,6 +114,11 @@ int main(int argc, char **argv)
 //    app.setApplicationVersion(DApplication::buildVersion(VERSION));
 //    app.setTheme("light");
 
+    if (!checkAuthorization()) {
+        qInfo() << "Authorization failed, exiting";
+        exit(0);
+    }
+
 #ifdef Q_OS_MAC
     qDebug() << "Checking root privileges on macOS";
     if (switchToRoot(app)) {
diff --git a/src/service/bootmakerservice.cpp b/src/service/bootmakerservice.cpp
index 0b81f2ce..8052d2cc 100644
--- a/src/service/bootmakerservice.cpp
+++ b/src/service/bootmakerservice.cpp
@@ -128,7 +128,13 @@ void BootMakerService::Reboot()
 
 void BootMakerService::Start()
 {
-    // 启动服务, 不会修改系统, 不需要鉴权
+    Q_D(BootMakerService);
+    qInfo() << "Start requested";
+    if (!d->checkAuthorization(s_PolkitActionCreate)) {
+        qWarning() << "Start request denied - Authorization failed";
+        return;
+    }
+
     qDebug() << "Starting Boot Maker";
     emit s_StartBootMarker();
 }