core: 802.1x: pass pac-file as blob for private connections

This is also a file containing secret, so it need to be checked for
user's permissions in private connections too.

Closes: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1899
Fixes: e85cc46d0b ('core: pass certificates as blobs to supplicant for private connections')

src/core/supplicant/nm-supplicant-config.c

@@ -1597,8 +1597,14 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
     g_string_free(phase2, TRUE);
 
     /* PAC file */
-    path = nm_setting_802_1x_get_pac_file(setting);
-    if (path) {
+    path  = nm_setting_802_1x_get_pac_file(setting);
+    bytes = priv->private_user && path ? nm_g_hash_table_lookup(files, path) : NULL;
+    if (bytes) {
+        if (!nm_supplicant_config_add_blob_for_connection(self, bytes, "pac_file", con_uuid, error))
+            return FALSE;
+    } else if (path) {
+        /* Private connections cannot use paths */
+        g_return_val_if_fail(!priv->private_user, FALSE);
         if (!add_string_val(self, path, "pac_file", FALSE, NULL, error))
             return FALSE;
     } else {

src/libnm-core-impl/nm-setting-8021x.c

@@ -3133,6 +3133,12 @@ need_secrets(NMSetting *setting, gboolean check_rerequest)
 
 /*****************************************************************************/
 
+static NMSetting8021xCKScheme
+_force_private_key_scheme_path(NMSetting8021x *_sett)
+{
+    return NM_SETTING_802_1X_CK_SCHEME_PATH;
+}
+
 static void
 get_private_files(NMSetting *setting, GPtrArray *files)
 {
@@ -3159,6 +3165,9 @@ get_private_files(NMSetting *setting, GPtrArray *files)
         {NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
          nm_setting_802_1x_get_phase2_private_key_scheme,
          nm_setting_802_1x_get_phase2_private_key_path},
+        {NM_SETTING_802_1X_PAC_FILE,
+         _force_private_key_scheme_path,
+         nm_setting_802_1x_get_pac_file},
     };
     NMSetting8021x *s_8021x = NM_SETTING_802_1X(setting);
     const char     *path;
@@ -3390,7 +3399,7 @@ nm_setting_802_1x_class_init(NMSetting8021xClass *klass)
                                               obj_properties,
                                               NM_SETTING_802_1X_PAC_FILE,
                                               PROP_PAC_FILE,
-                                              NM_SETTING_PARAM_NONE,
+                                              NM_SETTING_PARAM_CERT_KEY_FILE,
                                               NMSetting8021xPrivate,
                                               pac_file,
                                               .direct_string_allow_empty = TRUE);

src/libnm-core-impl/nm-setting-private.h

@@ -809,7 +809,8 @@ _nm_properties_override(GArray *properties_override, const NMSettInfoProperty *p
         G_STATIC_ASSERT(!NM_FLAGS_ANY((param_flags),                                              \
                                       ~(NM_SETTING_PARAM_SECRET | NM_SETTING_PARAM_FUZZY_IGNORE   \
                                         | NM_SETTING_PARAM_INFERRABLE | NM_SETTING_PARAM_REQUIRED \
-                                        | NM_SETTING_PARAM_REAPPLY_IMMEDIATELY)));                \
+                                        | NM_SETTING_PARAM_REAPPLY_IMMEDIATELY                    \
+                                        | NM_SETTING_PARAM_CERT_KEY_FILE)));                      \
                                                                                                   \
         nm_assert(_property_type);                                                                \
         nm_assert(g_variant_type_equal(_property_type->dbus_type, "s"));                          \