From 0060b63782b9d8ff5fbc11c4ecbdf6ff45401989 Mon Sep 17 00:00:00 2001
From: Andrew Zaborowski
Date: Sun, 16 Sep 2018 03:42:47 +0200
Subject: [PATCH] wifi/iwd: don't save secrets in mirror NM connections
When creating the mirror 802.1x connections for IWD 802.1x profiles set the NM_SETTING_SECRET_FLAG_NOT_SAVED flag on the secrets that may at some point be requested from our agent. The saved secrets could not be used anyway because of our use of NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW in nm_device_iwd_agent_query. But also try to respect whatever secret caching policy has been configured in the IWD profile for those secrets, IWD would be responsible for storing them if it was allowed in the profile.
(cherry picked from commit e3aba12d14b5514dc3f6ddc9f3e58bc6ad57e03f)
---
 src/devices/wifi/nm-iwd-manager.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/devices/wifi/nm-iwd-manager.c b/src/devices/wifi/nm-iwd-manager.c
index 407d0c7ab5..a3da9791ce 100644
--- a/src/devices/wifi/nm-iwd-manager.c
+++ b/src/devices/wifi/nm-iwd-manager.c
@@ -430,7 +430,16 @@ mirror_8021x_connection (NMIwdManager *self,
 NULL));
 nm_connection_add_setting (connection, setting);
- setting = NM_SETTING (g_object_new (NM_TYPE_SETTING_802_1X, NULL));
+ /* "password" and "private-key-password" may be requested by the IWD agent
+ * from NM and IWD will implement a specific secret cache policy so by
+ * default respect that policy and don't save copies of those secrets in
+ * NM settings. The saved values can not be used anyway because of our
+ * use of NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW.
+ */
+ setting = NM_SETTING (g_object_new (NM_TYPE_SETTING_802_1X,
+ NM_SETTING_802_1X_PASSWORD_FLAGS, NM_SETTING_SECRET_FLAG_NOT_SAVED,
+ NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS, NM_SETTING_SECRET_FLAG_NOT_SAVED,
+ NULL));
 nm_setting_802_1x_add_eap_method (NM_SETTING_802_1X (setting), "external");
 nm_connection_add_setting (connection, setting);
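Review bot: The comment added above the `g_object_new (NM_TYPE_SETTING_802_1X, ...)` call names the two secrets but not the code that decides which secrets the agent asks for, so the list here can drift from it unnoticed. Only `password` and `private-key-password` get `NM_SETTING_SECRET_FLAG_NOT_SAVED`; every other 802.1x secret on the mirror connection keeps its default flags, and if the agent query is later extended to request one of them, NM would presumably keep a stored copy again. I would end the comment with a line such as `Keep this list in sync with the secrets requested in nm_device_iwd_agent_query.` The commit message also speaks of respecting the caching policy configured in the IWD profile, while the visible code sets the flag unconditionally, so the comment could say plainly that NM never saves these and leaves caching entirely to IWD. mirror_8021x_connection starts and ends outside the hunk.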