mirror of
https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git
synced 2025-12-30 03:50:10 +01:00
Remove at_console, ensuring that all necessary calls are protected by PolicyKit authorization (which at_console is redundant with). Allows sessions that are not necessarily local (like SSH or remote desktop) to talk to NetworkManager, subject to administrator PolicyKit rules.
This commit is contained in:
Dan Williams
commit
4b39267b9d
11 changed files with 193 additions and 118 deletions
|
|
@ -30,6 +30,14 @@
|
|||
<property name="WinsServers" type="au" access="read">
|
||||
<tp:docstring>The Windows Internet Name Service servers associated with the connection. Each address is in network byte order.</tp:docstring>
|
||||
</property>
|
||||
|
||||
<signal name="PropertiesChanged">
|
||||
<arg name="properties" type="a{sv}" tp:type="String_Variant_Map">
|
||||
<tp:docstring>
|
||||
A dictionary mapping property names to variant boxed values
|
||||
</tp:docstring>
|
||||
</arg>
|
||||
</signal>
|
||||
</interface>
|
||||
</node>
|
||||
|
||||
|
|
|
|||
|
|
@ -20,6 +20,14 @@
|
|||
<property name="Searches" type="as" access="read">
|
||||
<tp:docstring>A list of dns searches.</tp:docstring>
|
||||
</property>
|
||||
|
||||
<signal name="PropertiesChanged">
|
||||
<arg name="properties" type="a{sv}" tp:type="String_Variant_Map">
|
||||
<tp:docstring>
|
||||
A dictionary mapping property names to variant boxed values
|
||||
</tp:docstring>
|
||||
</arg>
|
||||
</signal>
|
||||
</interface>
|
||||
</node>
|
||||
|
||||
|
|
|
|||
|
|
@ -209,6 +209,7 @@
|
|||
|
||||
<method name="SetLogging">
|
||||
<annotation name="org.freedesktop.DBus.GLib.CSymbol" value="impl_manager_set_logging"/>
|
||||
<annotation name="org.freedesktop.DBus.GLib.Async" value=""/>
|
||||
<tp:docstring>
|
||||
Set logging verbosity and which operations are logged.
|
||||
</tp:docstring>
|
||||
|
|
|
|||
|
|
@ -23,6 +23,7 @@
|
|||
Retrieve the object path of a connection, given that connection's UUID.
|
||||
</tp:docstring>
|
||||
<annotation name="org.freedesktop.DBus.GLib.CSymbol" value="impl_settings_get_connection_by_uuid"/>
|
||||
<annotation name="org.freedesktop.DBus.GLib.Async" value=""/>
|
||||
<arg name="uuid" type="s" direction="in">
|
||||
<tp:docstring>
|
||||
The UUID to find the connection object path for.
|
||||
|
|
|
|||
|
|
@ -85,8 +85,7 @@
|
|||
<_description>Modify personal network connections</_description>
|
||||
<_message>System policy prevents modification of personal network settings</_message>
|
||||
<defaults>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
<allow_active>yes</allow_active>
|
||||
<allow_any>yes</allow_any>
|
||||
</defaults>
|
||||
</action>
|
||||
|
||||
|
|
@ -94,8 +93,7 @@
|
|||
<_description>Modify network connections for all users</_description>
|
||||
<_message>System policy prevents modification of network settings for all users</_message>
|
||||
<defaults>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
<allow_active>@NM_MODIFY_SYSTEM_POLICY@</allow_active>
|
||||
<allow_any>@NM_MODIFY_SYSTEM_POLICY@</allow_any>
|
||||
</defaults>
|
||||
</action>
|
||||
|
||||
|
|
@ -103,8 +101,7 @@
|
|||
<_description>Modify persistent system hostname</_description>
|
||||
<_message>System policy prevents modification of the persistent system hostname</_message>
|
||||
<defaults>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
<allow_any>auth_admin_keep</allow_any>
|
||||
</defaults>
|
||||
</action>
|
||||
|
||||
|
|
|
|||
|
|
@ -1688,5 +1688,7 @@ nm_ip4_config_class_init (NMIP4ConfigClass *config_class)
|
|||
|
||||
g_object_class_install_properties (object_class, LAST_PROP, obj_properties);
|
||||
|
||||
dbus_g_object_type_install_info (G_TYPE_FROM_CLASS (config_class), &dbus_glib_nm_ip4_config_object_info);
|
||||
nm_dbus_manager_register_exported_type (nm_dbus_manager_get (),
|
||||
G_TYPE_FROM_CLASS (config_class),
|
||||
&dbus_glib_nm_ip4_config_object_info);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1509,6 +1509,7 @@ nm_ip6_config_class_init (NMIP6ConfigClass *config_class)
|
|||
|
||||
g_object_class_install_properties (object_class, LAST_PROP, obj_properties);
|
||||
|
||||
dbus_g_object_type_install_info (G_TYPE_FROM_CLASS (config_class),
|
||||
&dbus_glib_nm_ip6_config_object_info);
|
||||
nm_dbus_manager_register_exported_type (nm_dbus_manager_get (),
|
||||
G_TYPE_FROM_CLASS (config_class),
|
||||
&dbus_glib_nm_ip6_config_object_info);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -123,10 +123,10 @@ static gboolean impl_manager_get_state (NMManager *manager,
|
|||
guint32 *state,
|
||||
GError **error);
|
||||
|
||||
static gboolean impl_manager_set_logging (NMManager *manager,
|
||||
const char *level,
|
||||
const char *domains,
|
||||
GError **error);
|
||||
static void impl_manager_set_logging (NMManager *manager,
|
||||
const char *level,
|
||||
const char *domains,
|
||||
DBusGMethodInvocation *context);
|
||||
|
||||
static void impl_manager_get_logging (NMManager *manager,
|
||||
char **level,
|
||||
|
|
@ -4002,13 +4002,31 @@ impl_manager_get_state (NMManager *manager, guint32 *state, GError **error)
|
|||
return TRUE;
|
||||
}
|
||||
|
||||
static gboolean
|
||||
static void
|
||||
impl_manager_set_logging (NMManager *manager,
|
||||
const char *level,
|
||||
const char *domains,
|
||||
GError **error)
|
||||
DBusGMethodInvocation *context)
|
||||
{
|
||||
if (nm_logging_setup (level, domains, NULL, error)) {
|
||||
NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (manager);
|
||||
GError *error = NULL;
|
||||
gulong caller_uid = G_MAXULONG;
|
||||
|
||||
if (!nm_dbus_manager_get_caller_info (priv->dbus_mgr, context, NULL, &caller_uid, NULL)) {
|
||||
error = g_error_new_literal (NM_MANAGER_ERROR,
|
||||
NM_MANAGER_ERROR_PERMISSION_DENIED,
|
||||
"Failed to get request UID.");
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (0 != caller_uid) {
|
||||
error = g_error_new_literal (NM_MANAGER_ERROR,
|
||||
NM_MANAGER_ERROR_PERMISSION_DENIED,
|
||||
"Permission denied");
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (nm_logging_setup (level, domains, NULL, &error)) {
|
||||
char *new_level = nm_logging_level_to_string ();
|
||||
char *new_domains = nm_logging_domains_to_string ();
|
||||
|
||||
|
|
@ -4016,9 +4034,12 @@ impl_manager_set_logging (NMManager *manager,
|
|||
new_level, new_domains);
|
||||
g_free (new_level);
|
||||
g_free (new_domains);
|
||||
return TRUE;
|
||||
}
|
||||
return FALSE;
|
||||
|
||||
done:
|
||||
if (error)
|
||||
dbus_g_method_return_error (context, error);
|
||||
g_clear_error (&error);
|
||||
}
|
||||
|
||||
static void
|
||||
|
|
|
|||
|
|
@ -234,18 +234,19 @@ nm_session_monitor_uid_has_session (NMSessionMonitor *monitor,
|
|||
const char **out_user,
|
||||
GError **error)
|
||||
{
|
||||
int ret;
|
||||
int num_sessions;
|
||||
|
||||
if (!nm_session_uid_to_user (uid, out_user, error))
|
||||
return FALSE;
|
||||
|
||||
ret = sd_uid_get_sessions (uid, FALSE, NULL) > 0;
|
||||
if (ret < 0) {
|
||||
/* Get all sessions (including inactive ones) for the user */
|
||||
num_sessions = sd_uid_get_sessions (uid, 0, NULL);
|
||||
if (num_sessions < 0) {
|
||||
nm_log_warn (LOGD_CORE, "Failed to get systemd sessions for uid %d: %d",
|
||||
uid, ret);
|
||||
uid, num_sessions);
|
||||
return FALSE;
|
||||
}
|
||||
return ret > 0 ? TRUE : FALSE;
|
||||
return num_sessions > 0;
|
||||
}
|
||||
|
||||
gboolean
|
||||
|
|
@ -253,13 +254,14 @@ nm_session_monitor_uid_active (NMSessionMonitor *monitor,
|
|||
uid_t uid,
|
||||
GError **error)
|
||||
{
|
||||
int ret;
|
||||
int num_sessions;
|
||||
|
||||
ret = sd_uid_get_sessions (uid, TRUE, NULL) > 0;
|
||||
if (ret < 0) {
|
||||
/* Get active sessions for the user */
|
||||
num_sessions = sd_uid_get_sessions (uid, 1, NULL);
|
||||
if (num_sessions < 0) {
|
||||
nm_log_warn (LOGD_CORE, "Failed to get active systemd sessions for uid %d: %d",
|
||||
uid, ret);
|
||||
uid, num_sessions);
|
||||
return FALSE;
|
||||
}
|
||||
return ret > 0 ? TRUE : FALSE;
|
||||
return num_sessions > 0;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -26,93 +26,99 @@
|
|||
<allow send_destination="org.freedesktop.NetworkManager.ssh"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager.iodine"/>
|
||||
</policy>
|
||||
<policy at_console="true">
|
||||
<allow send_destination="org.freedesktop.NetworkManager"/>
|
||||
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.DBus.Introspectable"/>
|
||||
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.DBus.Properties"/>
|
||||
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager"/>
|
||||
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.AccessPoint"/>
|
||||
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
|
||||
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Modem"/>
|
||||
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Wired"/>
|
||||
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Serial"/>
|
||||
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Wireless"/>
|
||||
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device"/>
|
||||
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.DHCP4Config"/>
|
||||
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.IP4Config"/>
|
||||
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.VPN.Connection"/>
|
||||
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.AgentManager"/>
|
||||
|
||||
<deny send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager"
|
||||
send_member="SetLogging"/>
|
||||
|
||||
<deny send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager"
|
||||
send_member="Sleep"/>
|
||||
|
||||
<deny send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager"
|
||||
send_member="sleep"/>
|
||||
|
||||
<deny send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager"
|
||||
send_member="wake"/>
|
||||
</policy>
|
||||
<policy context="default">
|
||||
<deny own="org.freedesktop.NetworkManager"/>
|
||||
|
||||
<deny send_destination="org.freedesktop.NetworkManager"/>
|
||||
|
||||
<!-- Basic D-Bus API stuff -->
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.DBus.Introspectable"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.DBus.Properties"/>
|
||||
|
||||
<!-- Devices (read-only properties, no methods) -->
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Adsl"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Bond"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Bridge"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Bluetooth"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Wired"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Generic"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Gre"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Infiniband"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Macvlan"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Modem"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.OlpcMesh"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Team"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Tun"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Veth"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Vlan"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.WiMax.Nsp"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.AccessPoint"/>
|
||||
|
||||
<!-- Devices (read-only, no security required) -->
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.WiMax"/>
|
||||
|
||||
<!-- Devices (read/write, secured with PolicyKit) -->
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device.Wireless"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Device"/>
|
||||
|
||||
<!-- Core stuff (read-only properties, no methods) -->
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.DHCP4Config"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.DHCP6Config"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.IP4Config"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.IP6Config"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.VPN.Connection"/>
|
||||
|
||||
<!-- Core stuff (read/write, secured with PolicyKit) -->
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Settings"/>
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.Settings.Connection"/>
|
||||
|
||||
<!-- Agents; secured with PolicyKit. Any process can talk to
|
||||
the AgentManager API, but only NetworkManager can talk
|
||||
to the agents themselves. -->
|
||||
<allow send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager.AgentManager"/>
|
||||
<deny send_interface="org.freedesktop.NetworkManager.SecretAgent"/>
|
||||
|
||||
<deny send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager"
|
||||
send_member="SetLogging"/>
|
||||
|
||||
<deny send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager"
|
||||
send_member="Sleep"/>
|
||||
|
||||
<deny send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager"
|
||||
send_member="sleep"/>
|
||||
|
||||
<deny send_destination="org.freedesktop.NetworkManager"
|
||||
send_interface="org.freedesktop.NetworkManager"
|
||||
send_member="wake"/>
|
||||
<!-- Root-only functions -->
|
||||
<deny send_interface="org.freedesktop.NetworkManager" send_member="SetLogging"/>
|
||||
<deny send_interface="org.freedesktop.NetworkManager" send_member="Sleep"/>
|
||||
<deny send_interface="org.freedesktop.NetworkManager.Settings" send_member="LoadConnections"/>
|
||||
<deny send_interface="org.freedesktop.NetworkManager.Settings" send_member="ReloadConnections"/>
|
||||
<deny send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/>
|
||||
<deny send_interface="org.freedesktop.NetworkManager.PPP"/>
|
||||
</policy>
|
||||
</busconfig>
|
||||
|
||||
|
|
|
|||
|
|
@ -91,10 +91,10 @@ static gboolean impl_settings_list_connections (NMSettings *self,
|
|||
GPtrArray **connections,
|
||||
GError **error);
|
||||
|
||||
static gboolean impl_settings_get_connection_by_uuid (NMSettings *self,
|
||||
const char *uuid,
|
||||
char **out_object_path,
|
||||
GError **error);
|
||||
static void impl_settings_get_connection_by_uuid (NMSettings *self,
|
||||
const char *uuid,
|
||||
char **out_object_path,
|
||||
DBusGMethodInvocation *context);
|
||||
|
||||
static void impl_settings_add_connection (NMSettings *self,
|
||||
GHashTable *settings,
|
||||
|
|
@ -268,25 +268,53 @@ nm_settings_get_connection_by_uuid (NMSettings *self, const char *uuid)
|
|||
return NULL;
|
||||
}
|
||||
|
||||
static gboolean
|
||||
static void
|
||||
impl_settings_get_connection_by_uuid (NMSettings *self,
|
||||
const char *uuid,
|
||||
char **out_object_path,
|
||||
GError **error)
|
||||
DBusGMethodInvocation *context)
|
||||
{
|
||||
NMSettingsConnection *connection = NULL;
|
||||
NMAuthSubject *subject;
|
||||
GError *error = NULL;
|
||||
char *error_desc = NULL;
|
||||
|
||||
connection = nm_settings_get_connection_by_uuid (self, uuid);
|
||||
if (connection)
|
||||
*out_object_path = g_strdup (nm_connection_get_path (NM_CONNECTION (connection)));
|
||||
else {
|
||||
g_set_error_literal (error,
|
||||
NM_SETTINGS_ERROR,
|
||||
NM_SETTINGS_ERROR_INVALID_CONNECTION,
|
||||
"No connection with the UUID was found.");
|
||||
if (!connection) {
|
||||
error = g_error_new_literal (NM_SETTINGS_ERROR,
|
||||
NM_SETTINGS_ERROR_INVALID_CONNECTION,
|
||||
"No connection with the UUID was found.");
|
||||
goto error;
|
||||
}
|
||||
|
||||
return !!connection;
|
||||
subject = nm_auth_subject_new_from_context (context);
|
||||
if (!subject) {
|
||||
error = g_error_new_literal (NM_SETTINGS_ERROR,
|
||||
NM_SETTINGS_ERROR_PERMISSION_DENIED,
|
||||
"Unable to determine UID of request.");
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (!nm_auth_uid_in_acl (NM_CONNECTION (connection),
|
||||
nm_session_monitor_get (),
|
||||
nm_auth_subject_get_uid (subject),
|
||||
&error_desc)) {
|
||||
error = g_error_new_literal (NM_SETTINGS_ERROR,
|
||||
NM_SETTINGS_ERROR_PERMISSION_DENIED,
|
||||
error_desc);
|
||||
g_free (error_desc);
|
||||
goto error;
|
||||
}
|
||||
|
||||
g_clear_object (&subject);
|
||||
dbus_g_method_return (context, nm_connection_get_path (NM_CONNECTION (connection)));
|
||||
return;
|
||||
|
||||
error:
|
||||
g_assert (error);
|
||||
dbus_g_method_return_error (context, error);
|
||||
g_error_free (error);
|
||||
g_clear_object (&subject);
|
||||
}
|
||||
|
||||
static int
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue