udisks2/0001-udiskslinuxblock-Add-missing-polkit-check-for-Restor.patch

From baa7b9820e4dfc5ba813eee03b3ae37acb31e570 Mon Sep 17 00:00:00 2001
From: Tomas Bzatek <tbzatek@redhat.com>
Date: Fri, 13 Feb 2026 16:11:54 +0100
Subject: [PATCH] udiskslinuxblock: Add missing polkit check for
 RestoreEncryptedHeader()

The handle_restore_encrypted_header() method call handler was missing
a polkit authorization check, allowing unprivileged local users to freely
invoke this D-Bus method.

CVE-ID: CVE-2026-26103

Reported-by: Asim Viladi Oglu Manizada <manizada@pm.me>
---
 src/udiskslinuxblock.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/src/udiskslinuxblock.c b/src/udiskslinuxblock.c
index 174efe2a..55703f92 100644
--- a/src/udiskslinuxblock.c
+++ b/src/udiskslinuxblock.c
@@ -4244,6 +4244,7 @@ handle_restore_encrypted_header (UDisksBlock           *encrypted,
     UDisksBlock *block;
     UDisksDaemon *daemon;
     UDisksState *state = NULL;
+    const gchar *action_id;
     uid_t caller_uid;
     GError *error = NULL;
     UDisksBaseJob *job = NULL;
@@ -4268,6 +4269,33 @@ handle_restore_encrypted_header (UDisksBlock           *encrypted,
         goto out;
       }
 
+    action_id = "org.freedesktop.udisks2.modify-device";
+    if (!udisks_daemon_util_setup_by_user (daemon, object, caller_uid))
+      {
+        if (udisks_block_get_hint_system (block))
+          {
+            action_id = "org.freedesktop.udisks2.modify-device-system";
+          }
+        else if (!udisks_daemon_util_on_user_seat (daemon, object, caller_uid))
+          {
+            action_id = "org.freedesktop.udisks2.modify-device-other-seat";
+          }
+      }
+
+    if (!udisks_daemon_util_check_authorization_sync (daemon,
+                                                      object,
+                                                      action_id,
+                                                      options,
+                                                      /* Translators: Shown in authentication dialog when restoring
+                                                       * a LUKS header on a device.
+                                                       *
+                                                       * Do not translate $(device.name), it's a placeholder and will
+                                                       * be replaced by the name of the drive/device in question
+                                                       */
+                                                      N_("Authentication is required to restore the encrypted header on $(device.name)"),
+                                                      invocation))
+      goto out;
+
     job = udisks_daemon_launch_simple_job (daemon,
                                            UDISKS_OBJECT (object),
                                            "block-restore-encrypted-header",
-- 
2.53.0