core: also return unknown permission check result

For example with

  mount -o remount,rw,hidepid=1 /proc/

all permission checks will fail with an error. Internally, we map the
failure to NM_AUTH_CALL_RESULT_UNKNOWN.

    <trace> [1575645672.5958] auth: call[1069]: CheckAuthorization(org.freedesktop.NetworkManager.enable-disable-connectivity-check), subject=unix-process[pid=468316, uid=1000, start=1912881]
    <trace> [1575645672.6295] auth: call[1069]: completed: failed: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file “/proc/468316/status”: No such file or directory
    <debug> [1575645672.6296] manager: unknown auth chain result 0

First of all, we should not log a debug message about that (we already log the
result of permission checks separately).

Also, we should include the unknown result in the response. The permission was
checked, and omitting it from GetPermissions() result seems wrong (even if we
failed to get the result).

Note that "unknown" is now a new possible return value on D-Bus. But
see how nm_permission_result_to_client() would map such a value to
"unknown" as well. So, it's probably a fine extension of the D-Bus API.

Note that NMClient API is currently quite limited. The user won't know
whether permissions were received (and if they were received, they
could not distinguish between UNKNOWN and absent). Hence, returning
all permissions as unknown (or not at all) causes `nmcli general permissions`
to hang. The solution here is to improve NMClient API to allow the user
to know when the permissions are received. But this patch doesn't
fix the hanging of nmcli nor the limitation of NMClient's API.
Thomas Haller 2019-12-05 13:54:27 +01:00
parent b650d1d181
commit 50a12ce2d5
2 changed files with 8 additions and 4 deletions


@ -582,7 +582,10 @@ got_permissions (NmCli *nmc)
NMClientPermission perm;
/* The server returns all the permissions at once, so if at least one is there
* we already received the reply. */
* we already received the reply.
*
* FIXME: this is wrong, because all permissions could be unknown. We should instead
* have a signal in NMClient to indicate when permissions are received. */
for (perm = NM_CLIENT_PERMISSION_NONE + 1; perm <= NM_CLIENT_PERMISSION_LAST; perm++) {
if (nm_client_get_permission_result (nmc->client, perm) != NM_CLIENT_PERMISSION_RESULT_UNKNOWN)
return TRUE;
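Review bot: The FIXME added above the loop in got_permissions() records that the check is wrong but leaves the behaviour as it was: when every permission reads back as NM_CLIENT_PERMISSION_RESULT_UNKNOWN, the loop finds nothing to return TRUE on and the caller cannot tell "reply received, all unknown" from "no reply yet". The commit message says this makes `nmcli general permissions` hang, and the daemon-side change makes an all-unknown reply the expected outcome whenever the authorization backend fails (the hidepid=1 case). Suggest naming that user-visible symptom in the comment so the FIXME is searchable, and bounding the wait with a timeout until NMClient can signal that permissions were received.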


@ -6210,9 +6210,10 @@ get_perm_add_result (NMManager *self, NMAuthChain *chain, GVariantBuilder *resul
g_variant_builder_add (results, "{ss}", permission, "no");
else if (result == NM_AUTH_CALL_RESULT_AUTH)
g_variant_builder_add (results, "{ss}", permission, "auth");
else {
_LOGD (LOGD_CORE, "unknown auth chain result %d", result);
}
else if (result == NM_AUTH_CALL_RESULT_UNKNOWN)
g_variant_builder_add (results, "{ss}", permission, "unknown");
else
nm_assert_not_reached ();
}
static void
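Review bot: The final else in get_perm_add_result() now depends on nm_assert_not_reached() alone, so in any build where that assertion is compiled out an unexpected result value adds nothing to the results builder and the permission is silently missing from the reply, which is the omission this commit sets out to avoid. Consider asserting and then still adding the "unknown" entry in that branch, so a client always gets one entry per permission that was checked. Separately, the commit message states that "unknown" is a new possible value on D-Bus, but nothing in the visible hunks documents it; the GetPermissions() API documentation should list it next to "no" and "auth" so clients that match on the string know to expect it.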