settings: fix check on existing system secrets

The previous check was based only on the presence of a non-NULL "existing_secrets" GVariant. That GVariant is created via: nm_connection_to_dbus(nm_settings_connection_get_connection(self), NM_CONNECTION_SERIALIZE_WITH_SECRETS_SYSTEM_OWNED) The function returns a GVariant containing a first-level dictionary for each setting, even for those that doesn't contain any secrets. As a result, the check was requiring the system.modify permission even if there weren't any cached secrets to send to the agent. Fix the check to actually check for the presence of any secrets in the cached dictionary. Some connection types have a third-level dictionary that can be empty, for example VPNs have vpn.secrets.
2026-02-25 13:00:28 +01:00 · 2026-02-23 17:23:23 +01:00 · 2026-02-23 17:23:23 +01:00 · 024360bffa
commit 024360bffa
parent db0825a110
1 changed files with 34 additions and 1 deletions
--- a/src/core/settings/nm-agent-manager.c
+++ b/src/core/settings/nm-agent-manager.c
@ -1083,6 +1083,39 @@ _con_get_request_start_validated(NMAuthChain           *chain,
    _con_get_request_start_proceed(req, req->con.current_has_modify);
 }

+static gboolean
+_req_has_existing_secrets(Request *req)
+{
+    GVariantIter iter;
+    const char  *setting_name;
+    GVariant    *setting_dict;
+    gboolean     has;
+
+    if (!req->con.get.existing_secrets)
+        return FALSE;
+
+    nm_assert(g_variant_is_of_type(req->con.get.existing_secrets, NM_VARIANT_TYPE_CONNECTION));
+
+    g_variant_iter_init(&iter, req->con.get.existing_secrets);
+    while (g_variant_iter_next(&iter, "{&s@a{sv}}", &setting_name, &setting_dict)) {
+        GVariantIter setting_iter;
+        GVariant    *val;
+
+        g_variant_iter_init(&setting_iter, setting_dict);
+        while (g_variant_iter_next(&setting_iter, "{&sv}", NULL, &val)) {
+            has = !g_variant_is_container(val) || g_variant_n_children(val) > 0;
+            g_variant_unref(val);
+            if (has) {
+                g_variant_unref(setting_dict);
+                return TRUE;
+            }
+        }
+        g_variant_unref(setting_dict);
+    }
+
+    return FALSE;
+}
+
 static void
 _con_get_request_start(Request *req)
 {
@ -1103,7 +1136,7 @@ _con_get_request_start(Request *req)
     * unprivileged users.
     */
    if ((req->con.get.flags != NM_SECRET_AGENT_GET_SECRETS_FLAG_NONE)
-        && (req->con.get.existing_secrets
+        && (_req_has_existing_secrets(req)
            || _nm_connection_aggregate(req->con.connection,
                                        NM_CONNECTION_AGGREGATE_ANY_SYSTEM_SECRET_FLAGS,
                                        NULL))) {