authorJoshua Watt <JPEWhacker@gmail.com>2020-10-30 08:15:43 -0500
committerLennart Poettering <lennart@poettering.net>2021-02-16 20:24:53 +0100
commit7820a56ccb6b164699f25fc00cbe3c38fbc182a4 (patch)
tree588c2e78cf2143010a6bcecb0550c437cb381285 /src/login/logind-polkit.c
parentb8f762f2fe59c94323c95d2aadea68612dca2b04 (diff)
logind: Restore chvt as non-root user without polkit
4acf0cfd2f ("logind: check PolicyKit before allowing VT switch") broke the ability to write user sessions that run graphical sessions (e.g. weston/X11). This was partially amended in 19bb87fbfa ("login: allow non-console sessions to change vt") by changing the default PolicyKit policy so that non-root users with a session are again allowed to switch the VT. This makes the policy when PolKit is not enabled (as on many embedded systems) closer to the default PolKit policy and allows launching graphical sessions as a non-root user. Closes #17473 Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Diffstat (limited to 'src/login/logind-polkit.c')
-rw-r--r--src/login/logind-polkit.c24
1 files changed, 24 insertions, 0 deletions
diff --git a/src/login/logind-polkit.c b/src/login/logind-polkit.c
new file mode 100644
index 0000000000..d221bee8cd
--- /dev/null
+++ b/src/login/logind-polkit.c
@@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+
+#include "bus-polkit.h"
+#include "logind-polkit.h"
+#include "missing_capability.h"
+#include "user-util.h"
+
+int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error) {
+#if ENABLE_POLKIT
+ return bus_verify_polkit_async(
+ message,
+ CAP_SYS_ADMIN,
+ "org.freedesktop.login1.chvt",
+ NULL,
+ false,
+ UID_INVALID,
+ &manager->polkit_registry,
+ error);
+#else
+ /* Allow chvt when polkit is not present. This allows a service to start a graphical session as a
+ * non-root user when polkit is not compiled in, more closely matching the default polkit policy */
+ return 1;
+#endif
+}
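Review bot: The `#else` branch of `check_polkit_chvt()` returns 1 for every caller, so on builds without polkit nothing in this function ties the request to the sender's uid or session. That is wider than the "non-root users with a session" policy the description compares it to. The call sites are not visible in this hunk; if they do not already verify that the sender owns the session or seat being switched, any local client that can reach logind on the bus would be authorized on such builds. Consider confirming the sender's session before returning 1, or at least record the requirement in the comment, e.g. `/* No authorization is performed here without polkit; callers must verify that the sender owns a session. */`.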