fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2026-05-19 16:48:10 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
NetworkManager/src/core/nm-sudo-call.h

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

16 lines
507 B
C
Raw Normal View History

sudo: introduce nm-sudo D-Bus service NetworkManager runs as root and has lots of capabilities. We want to reduce the attach surface by dropping capabilities, but there is a genuine need to do certain things. For example, we currently require dac_override capability, to open the unix socket of ovsdb. Most users wouldn't use OVS, so we should find a way to not require that dac_override capability. The solution is to have a separate, D-Bus activate service (nm-sudo), which has the capability to open and provide the file descriptor. For authentication, we only rely on D-Bus. We watch the name owner of NetworkManager, and only accept requests from that service. We trust D-Bus to get it right a request from that name owner is really coming from NetworkManager. If we couldn't trust that, how could PolicyKit or any authentication via D-Bus work? For testing, the user can set NM_SUDO_NO_AUTH_FOR_TESTING=1. https://bugzilla.redhat.com/show_bug.cgi?id=1921826
2021-07-18 08:53:43 +02:00
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#ifndef __NM_SUDO_CALL_H__
#define __NM_SUDO_CALL_H__
core: get file descriptor to ovsdb unix socket from nm-sudo To talk to ovsdb, we use the unix socket at /var/run/openvswitch/db.sock. But that socket is owned by another user and NetworkManager would need dac_override capability to open it. We want to drop dac_override, but we still need to talk to ovsdb. Add a GetFD() method to nm-sudo. We still first try to open the socket directly. Maybe it just works. Note that SELinux may block passing file descriptors from nm-sudo. If it doesn't work for you, test with SELinux permissive mode and wait for an SELinux update.
2021-07-21 16:31:48 +02:00
#include "libnm-base/nm-sudo-utils.h"
typedef void (*NMSudoCallGetFDCallback)(int fd_take, GError *error, gpointer user_data);
void nm_sudo_call_get_fd(NMSudoGetFDType fd_type,
GCancellable * cancellable,
NMSudoCallGetFDCallback callback,
gpointer user_data);
sudo: introduce nm-sudo D-Bus service NetworkManager runs as root and has lots of capabilities. We want to reduce the attach surface by dropping capabilities, but there is a genuine need to do certain things. For example, we currently require dac_override capability, to open the unix socket of ovsdb. Most users wouldn't use OVS, so we should find a way to not require that dac_override capability. The solution is to have a separate, D-Bus activate service (nm-sudo), which has the capability to open and provide the file descriptor. For authentication, we only rely on D-Bus. We watch the name owner of NetworkManager, and only accept requests from that service. We trust D-Bus to get it right a request from that name owner is really coming from NetworkManager. If we couldn't trust that, how could PolicyKit or any authentication via D-Bus work? For testing, the user can set NM_SUDO_NO_AUTH_FOR_TESTING=1. https://bugzilla.redhat.com/show_bug.cgi?id=1921826
2021-07-18 08:53:43 +02:00
#endif /* __NM_SUDO_CALL_H__ */
Reference in a new issue Copy permalink