merge: branch 'bg/secret-permissions'

Fix the handling of permissions for connection secrets https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2367
2026-05-06 07:58:00 +02:00 · 2026-02-25 08:24:10 +00:00 · 2026-02-25 08:24:10 +00:00 · 20f975abe3
commit 20f975abe3
parent 128b49fe21 024360bffa
3 changed files with 39 additions and 2 deletions
--- a/src/core/settings/nm-agent-manager.c
+++ b/src/core/settings/nm-agent-manager.c
@ -1083,6 +1083,39 @@ _con_get_request_start_validated(NMAuthChain           *chain,
    _con_get_request_start_proceed(req, req->con.current_has_modify);
 }

+static gboolean
+_req_has_existing_secrets(Request *req)
+{
+    GVariantIter iter;
+    const char  *setting_name;
+    GVariant    *setting_dict;
+    gboolean     has;
+
+    if (!req->con.get.existing_secrets)
+        return FALSE;
+
+    nm_assert(g_variant_is_of_type(req->con.get.existing_secrets, NM_VARIANT_TYPE_CONNECTION));
+
+    g_variant_iter_init(&iter, req->con.get.existing_secrets);
+    while (g_variant_iter_next(&iter, "{&s@a{sv}}", &setting_name, &setting_dict)) {
+        GVariantIter setting_iter;
+        GVariant    *val;
+
+        g_variant_iter_init(&setting_iter, setting_dict);
+        while (g_variant_iter_next(&setting_iter, "{&sv}", NULL, &val)) {
+            has = !g_variant_is_container(val) || g_variant_n_children(val) > 0;
+            g_variant_unref(val);
+            if (has) {
+                g_variant_unref(setting_dict);
+                return TRUE;
+            }
+        }
+        g_variant_unref(setting_dict);
+    }
+
+    return FALSE;
+}
+
 static void
 _con_get_request_start(Request *req)
 {
@ -1103,7 +1136,7 @@ _con_get_request_start(Request *req)
     * unprivileged users.
     */
    if ((req->con.get.flags != NM_SECRET_AGENT_GET_SECRETS_FLAG_NONE)
-        && (req->con.get.existing_secrets
+        && (_req_has_existing_secrets(req)
            || _nm_connection_aggregate(req->con.connection,
                                        NM_CONNECTION_AGGREGATE_ANY_SYSTEM_SECRET_FLAGS,
                                        NULL))) {
--- a/src/core/settings/nm-settings-connection.c
+++ b/src/core/settings/nm-settings-connection.c
@ -781,7 +781,8 @@ validate_secret_flags(NMConnection *connection, GVariant *secrets, ForEachSecret
 static gboolean
 secret_is_system_owned(NMSettingSecretFlags flags, gpointer user_data)
 {
-    return !NM_FLAGS_HAS(flags, NM_SETTING_SECRET_FLAG_AGENT_OWNED);
+    return !NM_FLAGS_ANY(flags,
+                         NM_SETTING_SECRET_FLAG_AGENT_OWNED | NM_SETTING_SECRET_FLAG_NOT_SAVED);
 }

 static void
--- a/src/libnm-core-impl/nm-setting-ip-config.c
+++ b/src/libnm-core-impl/nm-setting-ip-config.c
@ -5079,6 +5079,9 @@ routing_rules_to_dbus(_NM_SETT_INFO_PROP_TO_DBUS_FCN_ARGS _nm_nil)
    gboolean                  any = FALSE;
    guint                     i;

+    if (!_nm_connection_serialize_non_secret(flags))
+        return NULL;
+
    priv = NM_SETTING_IP_CONFIG_GET_PRIVATE(self);

    if (!priv->routing_rules || priv->routing_rules->len == 0)