From 3945f75bda13961519f038be47b94f12e23cffc4 Mon Sep 17 00:00:00 2001 From: Dan Williams Date: Thu, 26 Aug 2010 14:26:12 -0500 Subject: [PATCH] core: consolidate all permissions checking into main D-Bus interface Moves the system settings permissions checking into the core service's permissions checking, which at the same time enables 3-way permission reporting (yes, no, auth) instead of the old yes/no that we had for system settings permissions before. This allows UI to show a lock icon or such when the user could authenticate to gain the permission. It also moves the wifi-create permissions' namespace to the main namespace (not .settings) since they really should be checked before starting a shared wifi connection, rather than having anything to do with the settings service. --- introspection/nm-settings.xml | 37 ---- libnm-glib/nm-client.c | 31 ++- libnm-glib/nm-client.h | 8 +- libnm-glib/nm-remote-settings.c | 101 ---------- libnm-glib/nm-remote-settings.h | 21 -- .../org.freedesktop.NetworkManager.policy.in | 36 ++-- src/nm-manager-auth.h | 14 +- src/nm-manager.c | 8 + src/system-settings/nm-polkit-helpers.h | 5 - src/system-settings/nm-sysconfig-connection.c | 15 +- src/system-settings/nm-sysconfig-settings.c | 184 +----------------- src/system-settings/nm-sysconfig-settings.h | 10 - 12 files changed, 79 insertions(+), 391 deletions(-) diff --git a/introspection/nm-settings.xml b/introspection/nm-settings.xml index d907cf7bcd..f10a6e1c63 100644 --- a/introspection/nm-settings.xml +++ b/introspection/nm-settings.xml @@ -44,19 +44,6 @@ - - - Returns a bitfield indicating certain operations the caller is permitted to perform. Some of these operations may require authorization by the user. - - - - - - A bitfield of permitted operations. Some of these operations may require the user to authorize via password entry or other means. - - - - The machine hostname stored in persistent configuration. @@ -77,12 +64,6 @@ - - - Emitted when system authorization details change, indicating that clients may wish to recheck permissions with GetPermissions. - - - Emitted when a new connection has been added. @@ -94,24 +75,6 @@ - - - No permissions. - - - Can modify/add/delete connections. - - - Can share connections via a encrypted user-created WiFi network. - - - Can share connections via a open/unencrypted user-created WiFi network. - - - Can modify the persistent system hostname. - - - diff --git a/libnm-glib/nm-client.c b/libnm-glib/nm-client.c index 88f71af2a2..e7770df64e 100644 --- a/libnm-glib/nm-client.c +++ b/libnm-glib/nm-client.c @@ -290,9 +290,15 @@ register_for_property_changed (NMClient *client) property_changed_info); } -#define NM_AUTH_PERMISSION_ENABLE_DISABLE_NETWORK "org.freedesktop.NetworkManager.enable-disable-network" -#define NM_AUTH_PERMISSION_ENABLE_DISABLE_WIFI "org.freedesktop.NetworkManager.enable-disable-wifi" -#define NM_AUTH_PERMISSION_ENABLE_DISABLE_WWAN "org.freedesktop.NetworkManager.enable-disable-wwan" +#define NM_AUTH_PERMISSION_ENABLE_DISABLE_NETWORK "org.freedesktop.NetworkManager.enable-disable-network" +#define NM_AUTH_PERMISSION_ENABLE_DISABLE_WIFI "org.freedesktop.NetworkManager.enable-disable-wifi" +#define NM_AUTH_PERMISSION_ENABLE_DISABLE_WWAN "org.freedesktop.NetworkManager.enable-disable-wwan" +#define NM_AUTH_PERMISSION_SLEEP_WAKE "org.freedesktop.NetworkManager.sleep-wake" +#define NM_AUTH_PERMISSION_NETWORK_CONTROL "org.freedesktop.NetworkManager.network-control" +#define NM_AUTH_PERMISSION_WIFI_SHARE_PROTECTED "org.freedesktop.NetworkManager.wifi.share.protected" +#define NM_AUTH_PERMISSION_WIFI_SHARE_OPEN "org.freedesktop.NetworkManager.wifi.share.open" +#define NM_AUTH_PERMISSION_SETTINGS_CONNECTION_MODIFY "org.freedesktop.NetworkManager.settings.modify" +#define NM_AUTH_PERMISSION_SETTINGS_HOSTNAME_MODIFY "org.freedesktop.NetworkManager.settings.hostname.modify" static NMClientPermission nm_permission_to_client (const char *nm) @@ -303,6 +309,19 @@ nm_permission_to_client (const char *nm) return NM_CLIENT_PERMISSION_ENABLE_DISABLE_WIFI; else if (!strcmp (nm, NM_AUTH_PERMISSION_ENABLE_DISABLE_WWAN)) return NM_CLIENT_PERMISSION_ENABLE_DISABLE_WWAN; + else if (!strcmp (nm, NM_AUTH_PERMISSION_SLEEP_WAKE)) + return NM_CLIENT_PERMISSION_SLEEP_WAKE; + else if (!strcmp (nm, NM_AUTH_PERMISSION_NETWORK_CONTROL)) + return NM_CLIENT_PERMISSION_NETWORK_CONTROL; + else if (!strcmp (nm, NM_AUTH_PERMISSION_WIFI_SHARE_PROTECTED)) + return NM_CLIENT_PERMISSION_WIFI_SHARE_PROTECTED; + else if (!strcmp (nm, NM_AUTH_PERMISSION_WIFI_SHARE_OPEN)) + return NM_CLIENT_PERMISSION_WIFI_SHARE_OPEN; + else if (!strcmp (nm, NM_AUTH_PERMISSION_SETTINGS_CONNECTION_MODIFY)) + return NM_CLIENT_PERMISSION_SETTINGS_CONNECTION_MODIFY; + else if (!strcmp (nm, NM_AUTH_PERMISSION_SETTINGS_HOSTNAME_MODIFY)) + return NM_CLIENT_PERMISSION_SETTINGS_HOSTNAME_MODIFY; + return NM_CLIENT_PERMISSION_NONE; } @@ -461,9 +480,9 @@ constructor (GType type, get_permissions_sync (NM_CLIENT (object)); priv->bus_proxy = dbus_g_proxy_new_for_name (connection, - "org.freedesktop.DBus", - "/org/freedesktop/DBus", - "org.freedesktop.DBus"); + DBUS_SERVICE_DBUS, + DBUS_PATH_DBUS, + DBUS_INTERFACE_DBUS); dbus_g_proxy_add_signal (priv->bus_proxy, "NameOwnerChanged", G_TYPE_STRING, G_TYPE_STRING, G_TYPE_STRING, diff --git a/libnm-glib/nm-client.h b/libnm-glib/nm-client.h index e863161160..69847fdcc6 100644 --- a/libnm-glib/nm-client.h +++ b/libnm-glib/nm-client.h @@ -56,8 +56,14 @@ typedef enum { NM_CLIENT_PERMISSION_ENABLE_DISABLE_NETWORK = 1, NM_CLIENT_PERMISSION_ENABLE_DISABLE_WIFI = 2, NM_CLIENT_PERMISSION_ENABLE_DISABLE_WWAN = 3, + NM_CLIENT_PERMISSION_SLEEP_WAKE = 4, + NM_CLIENT_PERMISSION_NETWORK_CONTROL = 5, + NM_CLIENT_PERMISSION_WIFI_SHARE_PROTECTED = 6, + NM_CLIENT_PERMISSION_WIFI_SHARE_OPEN = 7, + NM_CLIENT_PERMISSION_SETTINGS_CONNECTION_MODIFY = 8, + NM_CLIENT_PERMISSION_SETTINGS_HOSTNAME_MODIFY = 9, - NM_CLIENT_PERMISSION_LAST = NM_CLIENT_PERMISSION_ENABLE_DISABLE_WWAN + NM_CLIENT_PERMISSION_LAST = NM_CLIENT_PERMISSION_SETTINGS_HOSTNAME_MODIFY } NMClientPermission; typedef enum { diff --git a/libnm-glib/nm-remote-settings.c b/libnm-glib/nm-remote-settings.c index eb3288d117..f263df29fa 100644 --- a/libnm-glib/nm-remote-settings.c +++ b/libnm-glib/nm-remote-settings.c @@ -44,8 +44,6 @@ typedef struct { gboolean service_running; DBusGProxy *props_proxy; - NMSettingsPermissions permissions; - gboolean have_permissions; char *hostname; gboolean can_modify; @@ -70,7 +68,6 @@ enum { enum { NEW_CONNECTION, CONNECTIONS_READ, - CHECK_PERMISSIONS, LAST_SIGNAL }; @@ -412,77 +409,6 @@ nm_remote_settings_save_hostname (NMRemoteSettings *settings, return TRUE; } -typedef struct { - NMRemoteSettings *settings; - NMRemoteSettingsGetPermissionsFunc callback; - gpointer callback_data; -} GetPermissionsInfo; - -static void -get_permissions_cb (DBusGProxy *proxy, - DBusGProxyCall *call, - gpointer user_data) -{ - GetPermissionsInfo *info = user_data; - NMRemoteSettings *self = NM_REMOTE_SETTINGS (info->settings); - NMRemoteSettingsPrivate *priv = NM_REMOTE_SETTINGS_GET_PRIVATE (self); - NMSettingsPermissions permissions = NM_SETTINGS_PERMISSION_NONE; - GError *error = NULL; - - dbus_g_proxy_end_call (proxy, call, &error, - G_TYPE_UINT, &permissions, - G_TYPE_INVALID); - priv->permissions = permissions; - priv->have_permissions = !error; - info->callback (info->settings, permissions, error, info->callback_data); - g_clear_error (&error); -} - -/** - * nm_remote_settings_get_permissions: - * @settings: the %NMRemoteSettings - * @callback: callback to be called when the permissions operation completes - * @user_data: caller-specific data passed to @callback - * - * Requests an indication of the operations the caller is permitted to perform - * including those that may require authorization. - * - * Returns: TRUE if the request was successful, FALSE if it failed - **/ -gboolean -nm_remote_settings_get_permissions (NMRemoteSettings *settings, - NMRemoteSettingsGetPermissionsFunc callback, - gpointer user_data) -{ - NMRemoteSettingsPrivate *priv; - GetPermissionsInfo *info; - - g_return_val_if_fail (settings != NULL, FALSE); - g_return_val_if_fail (NM_IS_REMOTE_SETTINGS (settings), FALSE); - g_return_val_if_fail (callback != NULL, FALSE); - - priv = NM_REMOTE_SETTINGS_GET_PRIVATE (settings); - - /* Skip D-Bus if we already have permissions */ - if (priv->have_permissions) { - callback (settings, priv->permissions, NULL, user_data); - return TRUE; - } - - /* Otherwise fetch them from NM */ - info = g_malloc0 (sizeof (GetPermissionsInfo)); - info->settings = settings; - info->callback = callback; - info->callback_data = user_data; - - dbus_g_proxy_begin_call (priv->proxy, "GetPermissions", - get_permissions_cb, - info, - g_free, - G_TYPE_INVALID); - return TRUE; -} - static void name_owner_changed (DBusGProxy *proxy, const char *name, @@ -509,17 +435,6 @@ name_owner_changed (DBusGProxy *proxy, } } -static void -check_permissions_cb (DBusGProxy *proxy, gpointer user_data) -{ - NMRemoteSettings *self = NM_REMOTE_SETTINGS (user_data); - NMRemoteSettingsPrivate *priv = NM_REMOTE_SETTINGS_GET_PRIVATE (self); - - /* Permissions need to be re-fetched */ - priv->have_permissions = FALSE; - g_signal_emit (self, signals[CHECK_PERMISSIONS], 0); -} - static void properties_changed_cb (DBusGProxy *proxy, GHashTable *properties, @@ -690,13 +605,6 @@ constructor (GType type, object, NULL); - /* Monitor for permissions changes */ - dbus_g_proxy_add_signal (priv->proxy, "CheckPermissions", G_TYPE_INVALID); - dbus_g_proxy_connect_signal (priv->proxy, "CheckPermissions", - G_CALLBACK (check_permissions_cb), - object, - NULL); - /* Get properties */ dbus_g_proxy_begin_call (priv->props_proxy, "GetAll", get_all_cb, @@ -843,14 +751,5 @@ nm_remote_settings_class_init (NMRemoteSettingsClass *class) NULL, NULL, g_cclosure_marshal_VOID__VOID, G_TYPE_NONE, 0); - - signals[CHECK_PERMISSIONS] = - g_signal_new (NM_REMOTE_SETTINGS_CHECK_PERMISSIONS, - G_OBJECT_CLASS_TYPE (object_class), - G_SIGNAL_RUN_FIRST, - G_STRUCT_OFFSET (NMRemoteSettingsClass, check_permissions), - NULL, NULL, - g_cclosure_marshal_VOID__VOID, - G_TYPE_NONE, 0); } diff --git a/libnm-glib/nm-remote-settings.h b/libnm-glib/nm-remote-settings.h index 77b172c12d..a1d3cee838 100644 --- a/libnm-glib/nm-remote-settings.h +++ b/libnm-glib/nm-remote-settings.h @@ -31,15 +31,6 @@ G_BEGIN_DECLS -// FIXME this is temporary, permissions format to be improved -typedef enum { - NM_SETTINGS_PERMISSION_NONE = 0x0, - NM_SETTINGS_PERMISSION_CONNECTION_MODIFY = 0x1, - NM_SETTINGS_PERMISSION_WIFI_SHARE_PROTECTED = 0x2, - NM_SETTINGS_PERMISSION_WIFI_SHARE_OPEN = 0x4, - NM_SETTINGS_PERMISSION_HOSTNAME_MODIFY = 0x8 -} NMSettingsPermissions; - #define NM_TYPE_REMOTE_SETTINGS (nm_remote_settings_get_type ()) #define NM_REMOTE_SETTINGS(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_REMOTE_SETTINGS, NMRemoteSettings)) #define NM_REMOTE_SETTINGS_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_REMOTE_SETTINGS, NMRemoteSettingsClass)) @@ -54,7 +45,6 @@ typedef enum { #define NM_REMOTE_SETTINGS_NEW_CONNECTION "new-connection" #define NM_REMOTE_SETTINGS_CONNECTIONS_READ "connections-read" -#define NM_REMOTE_SETTINGS_CHECK_PERMISSIONS "check-permissions" typedef struct _NMRemoteSettings NMRemoteSettings; typedef struct _NMRemoteSettingsClass NMRemoteSettingsClass; @@ -68,11 +58,6 @@ typedef void (*NMRemoteSettingsSaveHostnameFunc) (NMRemoteSettings *settings, GError *error, gpointer user_data); -typedef void (*NMRemoteSettingsGetPermissionsFunc) (NMRemoteSettings *settings, - NMSettingsPermissions permissions, - GError *error, - gpointer user_data); - struct _NMRemoteSettings { GObject parent; @@ -87,8 +72,6 @@ struct _NMRemoteSettingsClass { void (*connections_read) (NMRemoteSettings *settings); - void (*check_permissions) (NMRemoteSettings *settings); - /* Padding for future expansion */ void (*_reserved1) (void); void (*_reserved2) (void); @@ -117,10 +100,6 @@ gboolean nm_remote_settings_save_hostname (NMRemoteSettings *settings, NMRemoteSettingsSaveHostnameFunc callback, gpointer user_data); -gboolean nm_remote_settings_get_permissions (NMRemoteSettings *settings, - NMRemoteSettingsGetPermissionsFunc callback, - gpointer user_data); - G_END_DECLS #endif /* NM_REMOTE_SETTINGS_H */ diff --git a/policy/org.freedesktop.NetworkManager.policy.in b/policy/org.freedesktop.NetworkManager.policy.in index 32b8ab00b9..af4b9a15b4 100644 --- a/policy/org.freedesktop.NetworkManager.policy.in +++ b/policy/org.freedesktop.NetworkManager.policy.in @@ -54,6 +54,24 @@ + + <_description>Connection sharing via a protected WiFi network + <_message>System policy prevents sharing connections via a protected WiFi network + + no + yes + + + + + <_description>Connection sharing via an open WiFi network + <_message>System policy prevents sharing connections via an open WiFi network + + no + yes + + + <_description>Modify system connections <_message>System policy prevents modification of system settings @@ -72,23 +90,5 @@ - - <_description>Connection sharing via a protected WiFi network - <_message>System policy prevents sharing connections via a protected WiFi network - - no - yes - - - - - <_description>Connection sharing via an open WiFi network - <_message>System policy prevents sharing connections via an open WiFi network - - no - yes - - - diff --git a/src/nm-manager-auth.h b/src/nm-manager-auth.h index 13489f39db..9fae64c5fb 100644 --- a/src/nm-manager-auth.h +++ b/src/nm-manager-auth.h @@ -27,11 +27,15 @@ #include "nm-dbus-manager.h" -#define NM_AUTH_PERMISSION_ENABLE_DISABLE_NETWORK "org.freedesktop.NetworkManager.enable-disable-network" -#define NM_AUTH_PERMISSION_SLEEP_WAKE "org.freedesktop.NetworkManager.sleep-wake" -#define NM_AUTH_PERMISSION_ENABLE_DISABLE_WIFI "org.freedesktop.NetworkManager.enable-disable-wifi" -#define NM_AUTH_PERMISSION_ENABLE_DISABLE_WWAN "org.freedesktop.NetworkManager.enable-disable-wwan" -#define NM_AUTH_PERMISSION_NETWORK_CONTROL "org.freedesktop.NetworkManager.network-control" +#define NM_AUTH_PERMISSION_ENABLE_DISABLE_NETWORK "org.freedesktop.NetworkManager.enable-disable-network" +#define NM_AUTH_PERMISSION_SLEEP_WAKE "org.freedesktop.NetworkManager.sleep-wake" +#define NM_AUTH_PERMISSION_ENABLE_DISABLE_WIFI "org.freedesktop.NetworkManager.enable-disable-wifi" +#define NM_AUTH_PERMISSION_ENABLE_DISABLE_WWAN "org.freedesktop.NetworkManager.enable-disable-wwan" +#define NM_AUTH_PERMISSION_NETWORK_CONTROL "org.freedesktop.NetworkManager.network-control" +#define NM_AUTH_PERMISSION_WIFI_SHARE_PROTECTED "org.freedesktop.NetworkManager.wifi.share.protected" +#define NM_AUTH_PERMISSION_WIFI_SHARE_OPEN "org.freedesktop.NetworkManager.wifi.share.open" +#define NM_AUTH_PERMISSION_SETTINGS_CONNECTION_MODIFY "org.freedesktop.NetworkManager.settings.modify" +#define NM_AUTH_PERMISSION_SETTINGS_HOSTNAME_MODIFY "org.freedesktop.NetworkManager.settings.hostname.modify" typedef struct NMAuthChain NMAuthChain; diff --git a/src/nm-manager.c b/src/nm-manager.c index 5cef1fe6f0..2368eeef03 100644 --- a/src/nm-manager.c +++ b/src/nm-manager.c @@ -2735,6 +2735,10 @@ get_permissions_done_cb (NMAuthChain *chain, get_perm_add_result (chain, results, NM_AUTH_PERMISSION_ENABLE_DISABLE_WIFI); get_perm_add_result (chain, results, NM_AUTH_PERMISSION_ENABLE_DISABLE_WWAN); get_perm_add_result (chain, results, NM_AUTH_PERMISSION_NETWORK_CONTROL); + get_perm_add_result (chain, results, NM_AUTH_PERMISSION_WIFI_SHARE_PROTECTED); + get_perm_add_result (chain, results, NM_AUTH_PERMISSION_WIFI_SHARE_OPEN); + get_perm_add_result (chain, results, NM_AUTH_PERMISSION_SETTINGS_CONNECTION_MODIFY); + get_perm_add_result (chain, results, NM_AUTH_PERMISSION_SETTINGS_HOSTNAME_MODIFY); dbus_g_method_return (context, results); g_hash_table_destroy (results); } @@ -2761,6 +2765,10 @@ impl_manager_get_permissions (NMManager *self, nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_ENABLE_DISABLE_WIFI, FALSE); nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_ENABLE_DISABLE_WWAN, FALSE); nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_NETWORK_CONTROL, FALSE); + nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_WIFI_SHARE_PROTECTED, FALSE); + nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_WIFI_SHARE_OPEN, FALSE); + nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_SETTINGS_CONNECTION_MODIFY, FALSE); + nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_SETTINGS_HOSTNAME_MODIFY, FALSE); } /* Legacy 0.6 compatibility interface */ diff --git a/src/system-settings/nm-polkit-helpers.h b/src/system-settings/nm-polkit-helpers.h index 48841486c2..dfe9ecefc3 100644 --- a/src/system-settings/nm-polkit-helpers.h +++ b/src/system-settings/nm-polkit-helpers.h @@ -25,11 +25,6 @@ #include #include -#define NM_SYSCONFIG_POLICY_ACTION_CONNECTION_MODIFY "org.freedesktop.NetworkManager.settings.modify" -#define NM_SYSCONFIG_POLICY_ACTION_WIFI_SHARE_PROTECTED "org.freedesktop.NetworkManager.settings.wifi.share.protected" -#define NM_SYSCONFIG_POLICY_ACTION_WIFI_SHARE_OPEN "org.freedesktop.NetworkManager.settings.wifi.share.open" -#define NM_SYSCONFIG_POLICY_ACTION_HOSTNAME_MODIFY "org.freedesktop.NetworkManager.settings.hostname.modify" - /* Fix for polkit 0.97 and later */ #if !HAVE_POLKIT_AUTHORITY_GET_SYNC static inline PolkitAuthority * diff --git a/src/system-settings/nm-sysconfig-connection.c b/src/system-settings/nm-sysconfig-connection.c index 62e776ee12..b42c8e3ec8 100644 --- a/src/system-settings/nm-sysconfig-connection.c +++ b/src/system-settings/nm-sysconfig-connection.c @@ -31,6 +31,7 @@ #include "nm-dbus-glib-types.h" #include "nm-polkit-helpers.h" #include "nm-logging.h" +#include "nm-manager-auth.h" static void impl_sysconfig_connection_get_settings (NMSysconfigConnection *connection, DBusGMethodInvocation *context); @@ -717,13 +718,13 @@ auth_get_session_cb (NMSessionInfo *session, g_free (sender); polkit_authority_check_authorization (priv->authority, - info->subject, - NM_SYSCONFIG_POLICY_ACTION_CONNECTION_MODIFY, - NULL, - POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION, - info->cancellable, - auth_pk_cb, - info); + info->subject, + NM_AUTH_PERMISSION_SETTINGS_CONNECTION_MODIFY, + NULL, + POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION, + info->cancellable, + auth_pk_cb, + info); } } diff --git a/src/system-settings/nm-sysconfig-settings.c b/src/system-settings/nm-sysconfig-settings.c index 67355258d8..197c01584a 100644 --- a/src/system-settings/nm-sysconfig-settings.c +++ b/src/system-settings/nm-sysconfig-settings.c @@ -59,6 +59,7 @@ #include "nm-default-wired-connection.h" #include "nm-logging.h" #include "nm-dbus-manager.h" +#include "nm-manager-auth.h" #define CONFIG_KEY_NO_AUTO_DEFAULT "no-auto-default" @@ -92,9 +93,6 @@ static void impl_settings_save_hostname (NMSysconfigSettings *self, const char *hostname, DBusGMethodInvocation *context); -static void impl_settings_get_permissions (NMSysconfigSettings *self, - DBusGMethodInvocation *context); - #include "nm-settings-glue.h" static void unmanaged_specs_changed (NMSystemConfigInterface *config, gpointer user_data); @@ -108,7 +106,6 @@ typedef struct { char *config_file; GSList *pk_calls; - GSList *permissions_calls; GSList *plugins; gboolean connections_loaded; @@ -124,7 +121,6 @@ G_DEFINE_TYPE (NMSysconfigSettings, nm_sysconfig_settings, G_TYPE_OBJECT) enum { PROPERTIES_CHANGED, NEW_CONNECTION, - CHECK_PERMISSIONS, LAST_SIGNAL }; @@ -627,9 +623,6 @@ typedef struct { gpointer callback_data; char *hostname; - - NMSettingsPermissions permissions; - guint32 permissions_calls; } PolkitCall; #include "nm-dbus-manager.h" @@ -799,7 +792,7 @@ impl_settings_add_connection (NMSysconfigSettings *self, g_assert (call); polkit_authority_check_authorization (priv->authority, call->subject, - NM_SYSCONFIG_POLICY_ACTION_CONNECTION_MODIFY, + NM_AUTH_PERMISSION_SETTINGS_CONNECTION_MODIFY, NULL, POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION, call->cancellable, @@ -904,7 +897,7 @@ impl_settings_save_hostname (NMSysconfigSettings *self, g_assert (call); polkit_authority_check_authorization (priv->authority, call->subject, - NM_SYSCONFIG_POLICY_ACTION_HOSTNAME_MODIFY, + NM_AUTH_PERMISSION_SETTINGS_HOSTNAME_MODIFY, NULL, POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION, call->cancellable, @@ -913,151 +906,6 @@ impl_settings_save_hostname (NMSysconfigSettings *self, priv->pk_calls = g_slist_append (priv->pk_calls, call); } -static void -pk_authority_changed_cb (GObject *object, gpointer user_data) -{ - /* Let clients know they should re-check their authorization */ - g_signal_emit (NM_SYSCONFIG_SETTINGS (user_data), signals[CHECK_PERMISSIONS], 0); -} - -typedef struct { - PolkitCall *pk_call; - const char *pk_action; - GCancellable *cancellable; - NMSettingsPermissions permission; - gboolean disposed; -} PermissionsCall; - -static void -permission_call_done (GObject *object, GAsyncResult *result, gpointer user_data) -{ - PermissionsCall *call = user_data; - PolkitCall *pk_call = call->pk_call; - NMSysconfigSettings *self = pk_call->self; - NMSysconfigSettingsPrivate *priv; - PolkitAuthorizationResult *pk_result; - GError *error = NULL; - - /* If NMSysconfigSettings is gone, just skip to the end */ - if (call->disposed) - goto done; - - priv = NM_SYSCONFIG_SETTINGS_GET_PRIVATE (self); - - priv->permissions_calls = g_slist_remove (priv->permissions_calls, call); - - pk_result = polkit_authority_check_authorization_finish (priv->authority, - result, - &error); - /* Some random error happened */ - if (error) { - nm_log_err (LOGD_SYS_SET, "error checking '%s' permission: (%d) %s", - __FILE__, __LINE__, __func__, - call->pk_action, - error ? error->code : -1, - error && error->message ? error->message : "(unknown)"); - if (error) - g_error_free (error); - } else { - /* If the caller is authorized, or the caller could authorize via a - * challenge, then authorization is possible. Otherwise, caller is out of - * luck. - */ - if ( polkit_authorization_result_get_is_authorized (pk_result) - || polkit_authorization_result_get_is_challenge (pk_result)) - pk_call->permissions |= call->permission; - } - - g_object_unref (pk_result); - -done: - pk_call->permissions_calls--; - if (pk_call->permissions_calls == 0) { - if (call->disposed) { - error = g_error_new_literal (NM_SYSCONFIG_SETTINGS_ERROR, - NM_SYSCONFIG_SETTINGS_ERROR_GENERAL, - "Request was canceled."); - dbus_g_method_return_error (pk_call->context, error); - g_error_free (error); - } else { - /* All the permissions calls are done, return the full permissions - * bitfield back to the user. - */ - dbus_g_method_return (pk_call->context, pk_call->permissions); - } - - polkit_call_free (pk_call); - } - memset (call, 0, sizeof (PermissionsCall)); - g_free (call); -} - -static void -start_permission_check (NMSysconfigSettings *self, - PolkitCall *pk_call, - const char *pk_action, - NMSettingsPermissions permission) -{ - NMSysconfigSettingsPrivate *priv = NM_SYSCONFIG_SETTINGS_GET_PRIVATE (self); - PermissionsCall *call; - - g_return_if_fail (pk_call != NULL); - g_return_if_fail (pk_action != NULL); - g_return_if_fail (permission != NM_SETTINGS_PERMISSION_NONE); - - call = g_malloc0 (sizeof (PermissionsCall)); - call->pk_call = pk_call; - call->pk_action = pk_action; - call->permission = permission; - call->cancellable = g_cancellable_new (); - - pk_call->permissions_calls++; - - polkit_authority_check_authorization (priv->authority, - pk_call->subject, - pk_action, - NULL, - 0, - call->cancellable, - permission_call_done, - call); - priv->permissions_calls = g_slist_append (priv->permissions_calls, call); -} - -static void -impl_settings_get_permissions (NMSysconfigSettings *self, - DBusGMethodInvocation *context) -{ - PolkitCall *call; - - call = polkit_call_new (self, context, NULL, FALSE); - g_assert (call); - - /* Start checks for the various permissions */ - - /* Only check for connection-modify if one of our plugins supports it. */ - if (get_plugin (self, NM_SYSTEM_CONFIG_INTERFACE_CAP_MODIFY_CONNECTIONS)) { - start_permission_check (self, call, - NM_SYSCONFIG_POLICY_ACTION_CONNECTION_MODIFY, - NM_SETTINGS_PERMISSION_CONNECTION_MODIFY); - } - - /* Only check for hostname-modify if one of our plugins supports it. */ - if (get_plugin (self, NM_SYSTEM_CONFIG_INTERFACE_CAP_MODIFY_HOSTNAME)) { - start_permission_check (self, call, - NM_SYSCONFIG_POLICY_ACTION_HOSTNAME_MODIFY, - NM_SETTINGS_PERMISSION_HOSTNAME_MODIFY); - } - - // FIXME: hook these into plugin permissions like the modify permissions */ - start_permission_check (self, call, - NM_SYSCONFIG_POLICY_ACTION_WIFI_SHARE_OPEN, - NM_SETTINGS_PERMISSION_WIFI_SHARE_OPEN); - start_permission_check (self, call, - NM_SYSCONFIG_POLICY_ACTION_WIFI_SHARE_PROTECTED, - NM_SETTINGS_PERMISSION_WIFI_SHARE_PROTECTED); -} - static gboolean have_connection_for_device (NMSysconfigSettings *self, GByteArray *mac) { @@ -1440,16 +1288,6 @@ dispose (GObject *object) g_slist_free (priv->pk_calls); priv->pk_calls = NULL; - /* Cancel PolicyKit permissions requests */ - for (iter = priv->permissions_calls; iter; iter = g_slist_next (iter)) { - PermissionsCall *call = iter->data; - - call->disposed = TRUE; - g_cancellable_cancel (call->cancellable); - } - g_slist_free (priv->permissions_calls); - priv->permissions_calls = NULL; - G_OBJECT_CLASS (nm_sysconfig_settings_parent_class)->dispose (object); } @@ -1560,15 +1398,6 @@ nm_sysconfig_settings_class_init (NMSysconfigSettingsClass *class) g_cclosure_marshal_VOID__OBJECT, G_TYPE_NONE, 1, G_TYPE_OBJECT); - signals[CHECK_PERMISSIONS] = - g_signal_new (NM_SYSCONFIG_SETTINGS_CHECK_PERMISSIONS, - G_OBJECT_CLASS_TYPE (object_class), - G_SIGNAL_RUN_FIRST, - 0, - NULL, NULL, - g_cclosure_marshal_VOID__VOID, - G_TYPE_NONE, 0); - dbus_g_error_domain_register (NM_SYSCONFIG_SETTINGS_ERROR, NM_DBUS_IFACE_SETTINGS, NM_TYPE_SYSCONFIG_SETTINGS_ERROR); @@ -1607,12 +1436,7 @@ nm_sysconfig_settings_init (NMSysconfigSettings *self) priv->all_connections = g_hash_table_new_full (g_direct_hash, g_direct_equal, g_object_unref, NULL); priv->authority = polkit_authority_get_sync (NULL, &error); - if (priv->authority) { - priv->auth_changed_id = g_signal_connect (priv->authority, - "changed", - G_CALLBACK (pk_authority_changed_cb), - self); - } else { + if (!priv->authority) { nm_log_warn (LOGD_SYS_SET, "failed to create PolicyKit authority: (%d) %s", error ? error->code : -1, error && error->message ? error->message : "(unknown)"); diff --git a/src/system-settings/nm-sysconfig-settings.h b/src/system-settings/nm-sysconfig-settings.h index 7a7f7db508..d4e58a6964 100644 --- a/src/system-settings/nm-sysconfig-settings.h +++ b/src/system-settings/nm-sysconfig-settings.h @@ -32,15 +32,6 @@ #include "nm-system-config-interface.h" #include "nm-device.h" -// FIXME this is temporary, permissions format to be improved -typedef enum { - NM_SETTINGS_PERMISSION_NONE = 0x0, - NM_SETTINGS_PERMISSION_CONNECTION_MODIFY = 0x1, - NM_SETTINGS_PERMISSION_WIFI_SHARE_PROTECTED = 0x2, - NM_SETTINGS_PERMISSION_WIFI_SHARE_OPEN = 0x4, - NM_SETTINGS_PERMISSION_HOSTNAME_MODIFY = 0x8 -} NMSettingsPermissions; - #define NM_TYPE_SYSCONFIG_SETTINGS (nm_sysconfig_settings_get_type ()) #define NM_SYSCONFIG_SETTINGS(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_SYSCONFIG_SETTINGS, NMSysconfigSettings)) #define NM_SYSCONFIG_SETTINGS_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_SYSCONFIG_SETTINGS, NMSysconfigSettingsClass)) @@ -53,7 +44,6 @@ typedef enum { #define NM_SYSCONFIG_SETTINGS_CAN_MODIFY "can-modify" #define NM_SYSCONFIG_SETTINGS_NEW_CONNECTION "new-connection" -#define NM_SYSCONFIG_SETTINGS_CHECK_PERMISSIONS "check-permissions" typedef struct { GObject parent_instance;