dns: specify a temporary file name when writing no-stub-resolv.conf

Using g_file_set_contents() makes it impossible to write a proper SELinux policy because the function creates a file with a random suffix, and SELinux file transitions can't match on wildcards. Use a fixed temporary file name. In this case it's fine because /run/NetworkManager is only writable by root and NetworkManager is the only process writing into it.
2025-12-20 03:30:09 +01:00 · 2025-10-14 10:42:53 +02:00 · 2025-10-14 10:42:53 +02:00 · 2d438ebef8
commit 2d438ebef8
parent c312390932
1 changed files with 11 additions and 2 deletions
--- a/src/core/dns/nm-dns-manager.c
+++ b/src/core/dns/nm-dns-manager.c
@ -26,6 +26,7 @@

 #include "libnm-core-intern/nm-core-internal.h"
 #include "libnm-glib-aux/nm-str-buf.h"
+#include "libnm-glib-aux/nm-io-utils.h"

 #include "NetworkManagerUtils.h"
 #include "devices/nm-device.h"
@ -1007,6 +1008,7 @@ _read_link_cached(const char *path, gboolean *is_cached, char **cached)
 #define RESOLV_CONF_TMP    "/etc/.resolv.conf.NetworkManager"

 #define NO_STUB_RESOLV_CONF     NMRUNDIR "/no-stub-resolv.conf"
+#define NO_STUB_RESOLV_CONF_TMP NMRUNDIR "/no-stub-resolv.conf.tmp"

 static void
 update_resolv_conf_no_stub(NMDnsManager      *self,
@ -1019,7 +1021,14 @@ update_resolv_conf_no_stub(NMDnsManager      *self,

    content = create_resolv_conf(searches, nameservers, options);

-    if (!g_file_set_contents(NO_STUB_RESOLV_CONF, content, -1, &local)) {
+    if (!nm_utils_file_set_contents(NO_STUB_RESOLV_CONF,
+                                    content,
+                                    -1,
+                                    0644,
+                                    NULL,
+                                    NO_STUB_RESOLV_CONF_TMP,
+                                    NULL,
+                                    &local)) {
        _LOGD("update-resolv-no-stub: failure to write file: %s", local->message);
        g_error_free(local);
        return;