settings: fix check on existing system secrets

The previous check was based only on the presence of a non-NULL "existing_secrets" GVariant. That GVariant is created via: nm_connection_to_dbus(nm_settings_connection_get_connection(self), NM_CONNECTION_SERIALIZE_WITH_SECRETS_SYSTEM_OWNED) The function returns a GVariant containing a first-level dictionary for each setting, even for those that doesn't contain any secrets. As a result, the check was requiring the system.modify permission even if there weren't any cached secrets to send to the agent. Fix the check to actually check for the presence of any secrets in the cached dictionary. Some connection types have a third-level dictionary that can be empty, for example VPNs have vpn.secrets. (cherry picked from commit 024360bffa)
2026-02-25 16:30:43 +01:00 · 2026-02-23 17:23:23 +01:00 · 2026-02-23 17:23:23 +01:00 · 375be1c1b0
commit 375be1c1b0
parent 480ba052f3
1 changed files with 34 additions and 1 deletions
--- a/src/core/settings/nm-agent-manager.c
+++ b/src/core/settings/nm-agent-manager.c
@ -1083,6 +1083,39 @@ _con_get_request_start_validated(NMAuthChain           *chain,
    _con_get_request_start_proceed(req, req->con.current_has_modify);
 }

+static gboolean
+_req_has_existing_secrets(Request *req)
+{
+    GVariantIter iter;
+    const char  *setting_name;
+    GVariant    *setting_dict;
+    gboolean     has;
+
+    if (!req->con.get.existing_secrets)
+        return FALSE;
+
+    nm_assert(g_variant_is_of_type(req->con.get.existing_secrets, NM_VARIANT_TYPE_CONNECTION));
+
+    g_variant_iter_init(&iter, req->con.get.existing_secrets);
+    while (g_variant_iter_next(&iter, "{&s@a{sv}}", &setting_name, &setting_dict)) {
+        GVariantIter setting_iter;
+        GVariant    *val;
+
+        g_variant_iter_init(&setting_iter, setting_dict);
+        while (g_variant_iter_next(&setting_iter, "{&sv}", NULL, &val)) {
+            has = !g_variant_is_container(val) || g_variant_n_children(val) > 0;
+            g_variant_unref(val);
+            if (has) {
+                g_variant_unref(setting_dict);
+                return TRUE;
+            }
+        }
+        g_variant_unref(setting_dict);
+    }
+
+    return FALSE;
+}
+
 static void
 _con_get_request_start(Request *req)
 {
@ -1103,7 +1136,7 @@ _con_get_request_start(Request *req)
     * unprivileged users.
     */
    if ((req->con.get.flags != NM_SECRET_AGENT_GET_SECRETS_FLAG_NONE)
-        && (req->con.get.existing_secrets
+        && (_req_has_existing_secrets(req)
            || _nm_connection_aggregate(req->con.connection,
                                        NM_CONNECTION_AGGREGATE_ANY_SYSTEM_SECRET_FLAGS,
                                        NULL))) {