clients,shared: merge branch 'ac/polkit_agent'

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/merge_requests/365
Antonio Cardace 2019-12-24 11:17:57 +01:00
commit d6509baf1f
35 changed files with 1251 additions and 677 deletions


@ -476,6 +476,8 @@ shared_nm_libnm_core_intern_libnm_libnm_core_intern_la_SOURCES = \
shared/nm-libnm-core-intern/nm-ethtool-utils.h \
shared/nm-libnm-core-intern/nm-libnm-core-utils.c \
shared/nm-libnm-core-intern/nm-libnm-core-utils.h \
shared/nm-libnm-core-intern/nm-auth-subject.c \
shared/nm-libnm-core-intern/nm-auth-subject.h \
$(NULL)
shared_nm_libnm_core_intern_libnm_libnm_core_intern_la_LDFLAGS = \
@ -2244,8 +2246,6 @@ src_libNetworkManager_la_SOURCES = \
src/nm-proxy-config.h \
src/nm-auth-manager.c \
src/nm-auth-manager.h \
src/nm-auth-subject.c \
src/nm-auth-subject.h \
src/nm-auth-utils.c \
src/nm-auth-utils.h \
src/nm-manager.c \
@ -4255,6 +4255,8 @@ clients_common_libnmc_base_la_SOURCES = \
clients/common/nm-vpn-helpers.h \
clients/common/nm-client-utils.c \
clients/common/nm-client-utils.h \
clients/common/nm-polkit-listener.c \
clients/common/nm-polkit-listener.h \
$(NULL)
EXTRA_DIST += \
@ -4446,14 +4448,6 @@ clients_cli_nmcli_LDADD = \
$(GLIB_LIBS) \
$(READLINE_LIBS)
if WITH_POLKIT_AGENT
clients_cli_nmcli_CPPFLAGS += $(POLKIT_CFLAGS)
clients_cli_nmcli_SOURCES += \
clients/common/nm-polkit-listener.c \
clients/common/nm-polkit-listener.h
clients_cli_nmcli_LDADD += $(POLKIT_LIBS)
endif
clients_cli_nmcli_LDFLAGS = \
-Wl,--version-script="$(srcdir)/linker-script-binary.ver" \
$(SANITIZER_EXEC_LDFLAGS)


@ -16,6 +16,7 @@
#include "utils.h"
#include "nm-secret-agent-simple.h"
#include "polkit-agent.h"
#include "nm-polkit-listener.h"
static void
usage (void)
@ -149,27 +150,50 @@ do_agent_secret (NmCli *nmc, int argc, char **argv)
return nmc->return_value;
}
static void
polkit_registered (gpointer instance,
gpointer user_data)
{
g_print (_("nmcli successfully registered as a polkit agent.\n"));
}
static void
polkit_error (gpointer instance,
const char *error,
gpointer user_data)
{
g_main_loop_quit (loop);
}
static NMCResultCode
do_agent_polkit (NmCli *nmc, int argc, char **argv)
{
GError *error = NULL;
gs_free_error GError *error = NULL;
next_arg (nmc, &argc, &argv, NULL);
if (nmc->complete)
return nmc->return_value;
/* Initialize polkit agent */
if (!nmc_polkit_agent_init (nmc, TRUE, &error)) {
g_dbus_error_strip_remote_error (error);
g_string_printf (nmc->return_text, _("Error: polkit agent initialization failed: %s"),
g_string_printf (nmc->return_text,
_("Error: polkit agent initialization failed: %s"),
error->message);
nmc->return_value = NMC_RESULT_ERROR_UNKNOWN;
g_error_free (error);
} else {
/* We keep running */
nmc->should_wait++;
g_signal_connect (nmc->pk_listener,
NM_POLKIT_LISTENER_SIGNAL_ERROR,
G_CALLBACK (polkit_error),
NULL);
g_signal_connect (nmc->pk_listener,
NM_POLKIT_LISTENER_SIGNAL_REGISTERED,
G_CALLBACK (polkit_registered),
NULL);
g_print (_("nmcli successfully registered as a polkit agent.\n"));
/* keep running */
nmc->should_wait++;
}
return nmc->return_value;
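Review bot: The `polkit_error` handler added in this file only calls `g_main_loop_quit (loop)`, so when the listener reports a failure `nmcli agent polkit` presumably exits with whatever `nmc->return_value` already holds, which on the success branch has not been changed. Connect the handler with `nmc` as user data instead of `NULL` and record the failure, e.g. `nmc->return_value = NMC_RESULT_ERROR_UNKNOWN;`, before quitting the loop, so that scripts supervising the agent can tell a clean exit from a failed registration. do_agent_polkit's body continues past the end of the hunk.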


@ -6,18 +6,6 @@ install_data(
install_dir: join_paths(nm_datadir, 'bash-completion', 'completions'),
)
sources = files(
'agent.c',
'common.c',
'connections.c',
'devices.c',
'general.c',
'nmcli.c',
'polkit-agent.c',
'settings.c',
'utils.c',
)
deps = [
libnmc_base_dep,
libnmc_dep,
@ -25,14 +13,19 @@ deps = [
libnm_libnm_aux_dep,
]
if enable_polkit_agent
sources += nm_polkit_listener
deps += polkit_agent_dep
endif
executable(
name,
sources,
files(
'agent.c',
'common.c',
'connections.c',
'devices.c',
'general.c',
'nmcli.c',
'polkit-agent.c',
'settings.c',
'utils.c',
),
dependencies: deps,
c_args: clients_c_flags + ['-DG_LOG_DOMAIN="@0@"'.format(name)],
link_args: ldflags_linker_script_binary,


@ -14,16 +14,12 @@
#include "nm-polkit-listener.h"
#include "common.h"
#if WITH_POLKIT_AGENT
static char *
polkit_request (NMPolkitListener *listener,
const char *request,
const char *action_id,
const char *message,
const char *icon_name,
const char *user,
gboolean echo_on,
gpointer user_data)
polkit_read_passwd (gpointer instance,
const char *action_id,
const char *message,
const char *user,
gpointer user_data)
{
NmCli *nmc = user_data;
@ -32,87 +28,68 @@ polkit_request (NMPolkitListener *listener,
/* Ask user for polkit authorization password */
if (user) {
gs_free char *tmp = NULL;
char *p;
/* chop of ": " if present */
tmp = g_strdup (request);
p = strrchr (tmp, ':');
if (p && nm_streq (p, ": "))
*p = '\0';
return nmc_readline_echo (&nmc->nmc_config, echo_on, "%s (%s): ", tmp, user);
return nmc_readline_echo (&nmc->nmc_config, FALSE, "password (%s): ", user);
}
return nmc_readline_echo (&nmc->nmc_config, echo_on, "%s", request);
return nmc_readline_echo (&nmc->nmc_config, FALSE, "password: ");
}
static void
polkit_show_info (NMPolkitListener *listener,
const char *text,
gpointer user_data)
polkit_error (gpointer instance,
const char *error,
gpointer user_data)
{
g_print (_("Authentication message: %s\n"), text);
g_printerr (_("Error: polkit agent failed: %s\n"), error);
}
static void
polkit_show_error (NMPolkitListener *listener,
const char *text,
gpointer user_data)
{
g_print (_("Authentication error: %s\n"), text);
}
static void
polkit_completed (NMPolkitListener *listener,
gboolean gained_authorization,
gpointer user_data)
{
/* We don't print anything here. The outcome will be evident from
* the operation result anyway. */
}
#endif
gboolean
nmc_polkit_agent_init (NmCli* nmc, gboolean for_session, GError **error)
{
#if WITH_POLKIT_AGENT
static const NMPolkitListenVtable vtable = {
.on_request = polkit_request,
.on_show_info = polkit_show_info,
.on_show_error = polkit_show_error,
.on_completed = polkit_completed,
};
NMPolkitListener *listener;
GDBusConnection *dbus_connection = NULL;
g_return_val_if_fail (error == NULL || *error == NULL, FALSE);
listener = nm_polkit_listener_new (for_session, error);
if (!listener)
return FALSE;
if (nmc->client && nm_client_get_dbus_connection (nmc->client)) {
dbus_connection = nm_client_get_dbus_connection (nmc->client);
listener = nm_polkit_listener_new (dbus_connection, for_session);
} else {
dbus_connection = g_bus_get_sync (G_BUS_TYPE_SYSTEM,
NULL,
error);
nm_polkit_listener_set_vtable (listener, &vtable, nmc);
if (!dbus_connection) {
return FALSE;
}
listener = nm_polkit_listener_new (dbus_connection, for_session);
g_object_unref (dbus_connection);
}
g_signal_connect (listener,
NM_POLKIT_LISTENER_SIGNAL_REQUEST,
G_CALLBACK (polkit_read_passwd),
nmc);
g_signal_connect (listener,
NM_POLKIT_LISTENER_SIGNAL_ERROR,
G_CALLBACK (polkit_error),
NULL);
nmc->pk_listener = listener;
#endif
return TRUE;
}
void
nmc_polkit_agent_fini (NmCli* nmc)
{
#if WITH_POLKIT_AGENT
if (nmc->pk_listener) {
nm_polkit_listener_set_vtable (nmc->pk_listener, NULL, NULL);
g_clear_object (&nmc->pk_listener);
}
#endif
}
gboolean
nmc_start_polkit_agent_start_try (NmCli *nmc)
{
#if WITH_POLKIT_AGENT
GError *error = NULL;
gs_free_error GError *error = NULL;
/* We don't register polkit agent at all when running non-interactively */
if (!nmc->ask)
@ -121,9 +98,7 @@ nmc_start_polkit_agent_start_try (NmCli *nmc)
if (!nmc_polkit_agent_init (nmc, FALSE, &error)) {
g_printerr (_("Warning: polkit agent initialization failed: %s\n"),
error->message);
g_error_free (error);
return FALSE;
}
#endif
return TRUE;
}
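Review bot: `polkit_read_passwd` hands back the string from `nmc_readline_echo`, which is the user's password, but nothing in this file says who owns that buffer after the "secret-request" handler returns or whether it is cleared before being freed. Document the contract on the handler, e.g. `/* Returns: the password typed by the user; presumably owned by the listener, which must free it and should overwrite it first. */`, and confirm that the listener, whose diff is not shown on this page, actually does so. The two prompt strings `"password (%s): "` and `"password: "` are also the only user-visible strings in the visible hunks that are not wrapped in `_()`.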


@ -1,7 +1,5 @@
common_inc = include_directories('.')
nm_polkit_listener = files('nm-polkit-listener.c')
common_deps = [
libnm_dep,
libnm_nm_default_dep,
@ -13,6 +11,7 @@ sources = files(
'nm-client-utils.c',
'nm-secret-agent-simple.c',
'nm-vpn-helpers.c',
'nm-polkit-listener.c',
)
libnmc_base = static_library(



@ -6,133 +6,16 @@
#ifndef __NM_POLKIT_LISTENER_H__
#define __NM_POLKIT_LISTENER_H__
#if WITH_POLKIT_AGENT
typedef struct _NMPolkitListener NMPolkitListener;
typedef struct _NMPolkitListenerClass NMPolkitListenerClass;
typedef struct {
/*
* @request: the request asked by polkit agent
* @action_id: the action_id of the polkit request
* @message: the message of the polkit request
* @icon_name: the icon name of the polkit request
* @user: user name
* @echo_on: whether the response to the request should be echoed to the screen
* @user_data: user data for the callback
*
* Called as a result of a request by polkit. The function should obtain response
* to the request from user, i.e. get the password required.
*/
char *(*on_request) (NMPolkitListener *self,
const char *request,
const char *action_id,
const char *message,
const char *icon_name,
const char *user,
gboolean echo_on,
gpointer user_data);
/*
* @text: the info text from polkit
*
* Called as a result of show-info signal by polkit.
*/
void (*on_show_info) (NMPolkitListener *self,
const char *text,
gpointer user_data);
/*
* @text: the error text from polkit
*
* Called as a result of show-error signal by polkit.
*/
void (*on_show_error) (NMPolkitListener *self,
const char *text,
gpointer user_data);
/*
* @gained_authorization: whether the authorization was successful
*
* Called as a result of completed signal by polkit.
*/
void (*on_completed) (NMPolkitListener *self,
gboolean gained_authorization,
gpointer user_data);
} NMPolkitListenVtable;
/*****************************************************************************/
#define POLKIT_AGENT_I_KNOW_API_IS_SUBJECT_TO_CHANGE
#include <polkitagent/polkitagent.h>
#define NM_TYPE_POLKIT_LISTENER (nm_polkit_listener_get_type ())
#define NM_POLKIT_LISTENER(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_POLKIT_LISTENER, NMPolkitListener))
#define NM_POLKIT_LISTENER_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_POLKIT_LISTENER, NMPolkitListenerClass))
#define NM_IS_POLKIT_LISTENER(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), NM_TYPE_POLKIT_LISTENER))
#define NM_IS_POLKIT_LISTENER_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass), NM_TYPE_POLKIT_LISTENER))
#define NM_POLKIT_LISTENER_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), NM_TYPE_POLKIT_LISTENER, NMPolkitListenerClass))
G_DECLARE_FINAL_TYPE (NMPolkitListener, nm_polkit_listener, NM, POLKIT_LISTENER, GObject)
/**
* NMPolkitListenerOnRequestFunc:
* @request: the request asked by polkit agent
* @action_id: the action_id of the polkit request
* @message: the message of the polkit request
* @icon_name: the icon name of the polkit request
* @user: user name
* @echo_on: whether the response to the request should be echoed to the screen
* @user_data: user data for the callback
*
* Called as a result of a request by polkit. The function should obtain response
* to the request from user, i.e. get the password required.
*/
typedef char * (*NMPolkitListenerOnRequestFunc) (const char *request,
const char *action_id,
const char *message,
const char *icon_name,
const char *user,
gboolean echo_on,
gpointer user_data);
/**
* NMPolkitListenerOnShowInfoFunc:
* @text: the info text from polkit
*
* Called as a result of show-info signal by polkit.
*/
typedef void (*NMPolkitListenerOnShowInfoFunc) (const char *text);
/**
* NMPolkitListenerOnShowErrorFunc:
* @text: the error text from polkit
*
* Called as a result of show-error signal by polkit.
*/
typedef void (*NMPolkitListenerOnShowErrorFunc) (const char *text);
/**
* NMPolkitListenerCompletedFunc:
* @gained_authorization: whether the authorization was successful
*
* Called as a result of completed signal by polkit.
*/
typedef void (*NMPolkitListenerOnCompletedFunc) (gboolean gained_authorization);
NMPolkitListener *nm_polkit_listener_new (GDBusConnection *dbus_connection, gboolean session_agent);
struct _NMPolkitListener {
PolkitAgentListener parent;
};
struct _NMPolkitListenerClass {
PolkitAgentListenerClass parent;
};
GType nm_polkit_listener_get_type (void);
NMPolkitListener *nm_polkit_listener_new (gboolean for_session,
GError **error);
void nm_polkit_listener_set_vtable (NMPolkitListener *self,
const NMPolkitListenVtable *vtable,
gpointer user_data);
#endif
/* Signals */
#define NM_POLKIT_LISTENER_SIGNAL_REGISTERED "registered"
#define NM_POLKIT_LISTENER_SIGNAL_REQUEST "secret-request"
#define NM_POLKIT_LISTENER_SIGNAL_AUTH_SUCCESS "auth-success"
#define NM_POLKIT_LISTENER_SIGNAL_AUTH_FAILURE "auth-failure"
#define NM_POLKIT_LISTENER_SIGNAL_ERROR "error"
#endif /* __NM_POLKIT_LISTENER_H__ */
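Review bot: The five signal-name macros under `/* Signals */` carry no description of the handler prototype each signal expects, while the vtable and callback-typedef comments that held this information appear to be removed from the header. A caller now has to read the listener source to learn that, for instance, a "secret-request" handler returns a `char *` and receives `action_id`, `message` and `user`, as `polkit_read_passwd` does in polkit-agent.c. Add a short comment per macro giving the callback signature and, for "secret-request", stating who frees the returned secret.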


@ -221,8 +221,8 @@
/* Define if you have oFono support (experimental) */
#mesondefine WITH_OFONO
/* Define if you have polkit agent */
#mesondefine WITH_POLKIT_AGENT
/* Define the polkit agent package prefix */
#mesondefine POLKIT_PACKAGE_PREFIX
/* Define if you have PPP support */
#mesondefine WITH_PPP


@ -655,18 +655,13 @@ AC_DEFINE_UNQUOTED(NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT, "$enable_polkit", [The de
AC_SUBST(NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT_TEXT, "$enable_polkit")
PKG_CHECK_MODULES(POLKIT, [polkit-agent-1 >= 0.97], [have_pk_agent=yes],[have_pk_agent=no])
AC_ARG_ENABLE(polkit-agent,
AS_HELP_STRING([--enable-polkit-agent], [enable polkit agent for clients]),
[enable_polkit_agent=${enableval}], [enable_polkit_agent=${have_pk_agent}])
if (test "${enable_polkit_agent}" = "yes"); then
if test x"$have_pk_agent" = x"no"; then
AC_MSG_ERROR(Polkit agent is required)
fi
AC_DEFINE(WITH_POLKIT_AGENT, 1, [Define if you have polkit agent])
else
AC_DEFINE(WITH_POLKIT_AGENT, 0, [Define if you have polkit agent])
if test x"$have_pk_agent" = x"no"; then
AC_MSG_ERROR(Polkit agent is required)
fi
AM_CONDITIONAL(WITH_POLKIT_AGENT, test "${enable_polkit_agent}" = "yes")
POLKIT_PACKAGE_PREFIX=`$PKG_CONFIG --variable=prefix polkit-agent-1`
AC_DEFINE_UNQUOTED([POLKIT_PACKAGE_PREFIX],
["$POLKIT_PACKAGE_PREFIX"],
[polkit-agent package prefix])
AC_ARG_ENABLE(modify-system, AS_HELP_STRING([--enable-modify-system], [Allow users to modify system connections]))
if test "${enable_modify_system}" = "yes"; then
@ -1323,7 +1318,6 @@ if test "${enable_modify_system}" = "yes"; then
else
echo " policykit: main.auth-polkit=${enable_polkit} (restrictive modify.system)"
fi
echo " polkit agent: ${enable_polkit_agent}"
echo " selinux: $have_selinux"
echo " systemd-journald: $have_systemd_journal (default: logging.backend=${nm_config_logging_backend_default})"
echo " hostname persist: ${hostname_persist}"


@ -586,7 +586,6 @@ This tool is still experimental.
-Dselinux=true \
-Dpolkit=true \
-Dconfig_auth_polkit_default=true \
-Dpolkit_agent=true \
-Dmodify_system=true \
-Dconcheck=true \
%if 0%{?fedora}
@ -717,7 +716,6 @@ intltoolize --automake --copy --force
%endif
--with-selinux=yes \
--enable-polkit=yes \
--enable-polkit-agent \
--enable-modify-system=yes \
--enable-concheck \
%if 0%{?fedora}


@ -85,7 +85,7 @@ libnm_core_enum_sources = gnome.mkenums_simple(
libnm_libnm_core_intern = static_library(
'nm-libnm-core-intern',
sources: nm_ethtool_utils_source + nm_libnm_core_utils_source + [libnm_core_enum_sources[1]],
sources: nm_ethtool_utils_source + nm_libnm_core_utils_source + nm_auth_subject_source + [libnm_core_enum_sources[1]],
dependencies: libnm_core_nm_default_dep,
c_args: common_c_flags,
)


@ -494,11 +494,12 @@ config_h.set_quoted('NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT', config_auth_polkit_def
enable_modify_system = get_option('modify_system')
enable_polkit_agent = get_option('polkit_agent')
if enable_polkit_agent
polkit_agent_dep = dependency('polkit-agent-1', version: '>= 0.97')
polkit_agent_dep = dependency('polkit-agent-1', version: '>= 0.97', required : false)
if polkit_agent_dep.found()
config_h.set_quoted('POLKIT_PACKAGE_PREFIX', polkit_agent_dep.get_pkgconfig_variable('prefix'))
else
config_h.set_quoted('POLKIT_PACKAGE_PREFIX', '/usr')
endif
config_h.set10('WITH_POLKIT_AGENT', enable_polkit_agent)
crypto = get_option('crypto')
@ -971,7 +972,6 @@ if enable_polkit
output += ' modify.system)'
endif
output += '\n'
output += ' polkit agent: ' + enable_polkit_agent.to_string() + '\n'
output += ' selinux: ' + enable_selinux.to_string() + '\n'
output += ' systemd-journald: ' + enable_systemd_journal.to_string() + ' (default: logging.backend=' + config_logging_backend_default + ')\n'
output += ' hostname persist: ' + hostname_persist + '\n'
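Review bot: When `polkit-agent-1` is not found, the build silently defines `POLKIT_PACKAGE_PREFIX` as `'/usr'`, a guess that is compiled into the binaries. If this prefix is used to locate a polkit helper executable (the consumer is not visible in this hunk), a wrong guess makes the client look for it at a path the packager never chose. Either keep the dependency required, or emit `warning('polkit-agent-1 not found, assuming prefix /usr')` and expose the prefix as a build option. configure.ac in the same commit appears to keep `AC_MSG_ERROR(Polkit agent is required)`, so the two build systems would behave differently on the same host.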


@ -119,6 +119,8 @@ nm_test_utils_impl_source = files('nm-test-utils-impl.c')
nm_vpn_plugin_utils_source = files('nm-utils/nm-vpn-plugin-utils.c')
nm_auth_subject_source = files('nm-libnm-core-intern/nm-auth-subject.c')
c_flags = [
'-DG_LOG_DOMAIN="@0@"'.format(libnm_name),
'-DNETWORKMANAGER_COMPILATION=0',


@ -438,3 +438,35 @@ nm_utils_file_stat (const char *filename, struct stat *out_st)
return -NM_ERRNO_NATIVE (errno);
return 0;
}
/**
* nm_utils_fd_read:
* @fd: the fd to read from.
* @out_string: (out): output string where read bytes will be stored.
*
* Returns: <0 on failure, which is -(errno)
* 0 on EOF or if the call would block (if the fd is nonblocking),
* >0 on success, which is the number of bytes read */
ssize_t
nm_utils_fd_read (int fd, GString *out_string)
{
size_t start_len;
ssize_t n_read;
g_return_val_if_fail (fd >= 0, -1);
g_return_val_if_fail (out_string, -1);
start_len = out_string->len;
g_string_set_size (out_string, start_len + 1024);
n_read = read (fd, &out_string->str[start_len], 1024);
if (n_read < 0) {
if (errno != EAGAIN) {
return -NM_ERRNO_NATIVE (errno);
}
n_read = 0;
} else {
g_string_set_size (out_string, start_len + n_read);
}
return n_read;
}


@ -47,6 +47,8 @@ gboolean nm_utils_file_set_contents (const char *filename,
int *out_errsv,
GError **error);
ssize_t nm_utils_fd_read (int fd, GString *out_string);
struct stat;
int nm_utils_file_stat (const char *filename, struct stat *out_st);


@ -17,14 +17,13 @@
#include <stdlib.h>
#include "nm-dbus-manager.h"
enum {
PROP_0,
PROP_SUBJECT_TYPE,
PROP_UNIX_PROCESS_DBUS_SENDER,
PROP_UNIX_PROCESS_PID,
PROP_UNIX_PROCESS_UID,
PROP_UNIX_SESSION_ID,
PROP_LAST,
};
@ -37,6 +36,10 @@ typedef struct {
guint64 start_time;
char *dbus_sender;
} unix_process;
struct {
char *id;
} unix_session;
} NMAuthSubjectPrivate;
struct _NMAuthSubject {
@ -78,6 +81,10 @@ nm_auth_subject_to_string (NMAuthSubject *self, char *buf, gsize buf_len)
case NM_AUTH_SUBJECT_TYPE_INTERNAL:
g_strlcpy (buf, "internal", buf_len);
break;
case NM_AUTH_SUBJECT_TYPE_UNIX_SESSION:
g_snprintf (buf, buf_len, "unix-session[id=%s]",
priv->unix_session.id);
break;
default:
g_strlcpy (buf, "invalid", buf_len);
break;
@ -87,23 +94,32 @@ nm_auth_subject_to_string (NMAuthSubject *self, char *buf, gsize buf_len)
/* returns a floating variant */
GVariant *
nm_auth_subject_unix_process_to_polkit_gvariant (NMAuthSubject *self)
nm_auth_subject_unix_to_polkit_gvariant (NMAuthSubject *self)
{
GVariantBuilder builder;
GVariant *dict;
GVariant *ret;
CHECK_SUBJECT_TYPED (self, NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS, NULL);
CHECK_SUBJECT (self, NULL);
g_variant_builder_init (&builder, G_VARIANT_TYPE ("a{sv}"));
g_variant_builder_add (&builder, "{sv}", "pid",
g_variant_new_uint32 (priv->unix_process.pid));
g_variant_builder_add (&builder, "{sv}", "start-time",
g_variant_new_uint64 (priv->unix_process.start_time));
g_variant_builder_add (&builder, "{sv}", "uid",
g_variant_new_int32 (priv->unix_process.uid));
dict = g_variant_builder_end (&builder);
ret = g_variant_new ("(s@a{sv})", "unix-process", dict);
return ret;
switch (priv->subject_type) {
case NM_AUTH_SUBJECT_TYPE_UNIX_SESSION:
g_variant_builder_init (&builder, G_VARIANT_TYPE ("a{sv}"));
g_variant_builder_add (&builder, "{sv}", "session-id",
g_variant_new_string (priv->unix_session.id));
return g_variant_new ("(sa{sv})", "unix-session", &builder);
case NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS:
g_variant_builder_init (&builder, G_VARIANT_TYPE ("a{sv}"));
g_variant_builder_add (&builder, "{sv}", "pid",
g_variant_new_uint32 (priv->unix_process.pid));
g_variant_builder_add (&builder, "{sv}", "start-time",
g_variant_new_uint64 (priv->unix_process.start_time));
g_variant_builder_add (&builder, "{sv}", "uid",
g_variant_new_int32 (priv->unix_process.uid));
return g_variant_new ("(sa{sv})", "unix-process", &builder);
default:
g_return_val_if_reached (NULL);
}
}
NMAuthSubjectType
@ -114,18 +130,6 @@ nm_auth_subject_get_subject_type (NMAuthSubject *subject)
return priv->subject_type;
}
gboolean
nm_auth_subject_is_internal (NMAuthSubject *subject)
{
return nm_auth_subject_get_subject_type (subject) == NM_AUTH_SUBJECT_TYPE_INTERNAL;
}
gboolean
nm_auth_subject_is_unix_process (NMAuthSubject *subject)
{
return nm_auth_subject_get_subject_type (subject) == NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS;
}
gulong
nm_auth_subject_get_unix_process_pid (NMAuthSubject *subject)
{
@ -150,76 +154,16 @@ nm_auth_subject_get_unix_process_dbus_sender (NMAuthSubject *subject)
return priv->unix_process.dbus_sender;
}
const char *
nm_auth_subject_get_unix_session_id (NMAuthSubject *subject)
{
CHECK_SUBJECT_TYPED (subject, NM_AUTH_SUBJECT_TYPE_UNIX_SESSION, NULL);
return priv->unix_session.id;
}
/*****************************************************************************/
static NMAuthSubject *
_new_unix_process (GDBusMethodInvocation *context,
GDBusConnection *connection,
GDBusMessage *message)
{
NMAuthSubject *self;
const char *dbus_sender = NULL;
gulong uid = 0;
gulong pid = 0;
gboolean success;
g_return_val_if_fail (context || (connection && message), NULL);
if (context) {
success = nm_dbus_manager_get_caller_info (nm_dbus_manager_get (),
context,
&dbus_sender,
&uid,
&pid);
} else {
nm_assert (message);
success = nm_dbus_manager_get_caller_info_from_message (nm_dbus_manager_get (),
connection,
message,
&dbus_sender,
&uid,
&pid);
}
if (!success)
return NULL;
g_return_val_if_fail (dbus_sender && *dbus_sender, NULL);
/* polkit glib library stores uid and pid as int. There might be some
* pitfalls if the id ever happens to be larger then that. Just assert against
* it here. */
g_return_val_if_fail (uid <= MIN (G_MAXINT, G_MAXINT32), NULL);
g_return_val_if_fail (pid > 0 && pid <= MIN (G_MAXINT, G_MAXINT32), NULL);
self = NM_AUTH_SUBJECT (g_object_new (NM_TYPE_AUTH_SUBJECT,
NM_AUTH_SUBJECT_SUBJECT_TYPE, (int) NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS,
NM_AUTH_SUBJECT_UNIX_PROCESS_DBUS_SENDER, dbus_sender,
NM_AUTH_SUBJECT_UNIX_PROCESS_PID, (gulong) pid,
NM_AUTH_SUBJECT_UNIX_PROCESS_UID, (gulong) uid,
NULL));
if (NM_AUTH_SUBJECT_GET_PRIVATE (self)->subject_type != NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS) {
/* this most likely happened because the process is gone (start_time==0).
* Either that is not assert-worthy, or constructed() already asserted.
* Just return NULL. */
g_clear_object (&self);
}
return self;
}
NMAuthSubject *
nm_auth_subject_new_unix_process_from_context (GDBusMethodInvocation *context)
{
return _new_unix_process (context, NULL, NULL);
}
NMAuthSubject *
nm_auth_subject_new_unix_process_from_message (GDBusConnection *connection,
GDBusMessage *message)
{
return _new_unix_process (NULL, connection, message);
}
/**
* nm_auth_subject_new_internal():
*
@ -231,10 +175,57 @@ NMAuthSubject *
nm_auth_subject_new_internal (void)
{
return NM_AUTH_SUBJECT (g_object_new (NM_TYPE_AUTH_SUBJECT,
NM_AUTH_SUBJECT_SUBJECT_TYPE, (int) NM_AUTH_SUBJECT_TYPE_INTERNAL,
NM_AUTH_SUBJECT_SUBJECT_TYPE, (int) NM_AUTH_SUBJECT_TYPE_INTERNAL,
NULL));
}
/**
* nm_auth_subject_new_unix_session():
*
* Creates a new auth subject representing a given unix session.
*
* Returns: the new #NMAuthSubject
*/
NMAuthSubject *
nm_auth_subject_new_unix_session (const char *session_id)
{
return NM_AUTH_SUBJECT (g_object_new (NM_TYPE_AUTH_SUBJECT,
NM_AUTH_SUBJECT_SUBJECT_TYPE, (int) NM_AUTH_SUBJECT_TYPE_UNIX_SESSION,
NM_AUTH_SUBJECT_UNIX_SESSION_ID, session_id,
NULL));
}
/**
* nm_auth_subject_new_unix_process():
*
* Creates a new auth subject representing a given unix process.
*
* Returns: the new #NMAuthSubject
*/
NMAuthSubject *
nm_auth_subject_new_unix_process (const char *dbus_sender, gulong pid, gulong uid)
{
return NM_AUTH_SUBJECT (g_object_new (NM_TYPE_AUTH_SUBJECT,
NM_AUTH_SUBJECT_SUBJECT_TYPE, (int) NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS,
NM_AUTH_SUBJECT_UNIX_PROCESS_DBUS_SENDER, dbus_sender,
NM_AUTH_SUBJECT_UNIX_PROCESS_PID, pid,
NM_AUTH_SUBJECT_UNIX_PROCESS_UID, uid,
NULL));
}
/**
* nm_auth_subject_new_unix_process_self():
*
* Creates a new auth subject representing the current executing process.
*
* Returns: the new #NMAuthSubject
*/
NMAuthSubject *
nm_auth_subject_new_unix_process_self (void)
{
return nm_auth_subject_new_unix_process (NULL, getpid(), getuid());
}
/*****************************************************************************/
static void
@ -255,6 +246,9 @@ get_property (GObject *object, guint prop_id, GValue *value, GParamSpec *pspec)
case PROP_UNIX_PROCESS_UID:
g_value_set_ulong (value, priv->unix_process.uid);
break;
case PROP_UNIX_SESSION_ID:
g_value_set_string (value, priv->unix_session.id);
break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
break;
@ -274,7 +268,10 @@ set_property (GObject *object, guint prop_id, const GValue *value, GParamSpec *p
case PROP_SUBJECT_TYPE:
/* construct-only */
i = g_value_get_int (value);
g_return_if_fail (NM_IN_SET (i, (int) NM_AUTH_SUBJECT_TYPE_INTERNAL, (int) NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS));
g_return_if_fail (NM_IN_SET (i,
(int) NM_AUTH_SUBJECT_TYPE_INTERNAL,
(int) NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS,
(int) NM_AUTH_SUBJECT_TYPE_UNIX_SESSION));
subject_type = i;
priv->subject_type |= subject_type;
g_return_if_fail (priv->subject_type == subject_type);
@ -303,6 +300,14 @@ set_property (GObject *object, guint prop_id, const GValue *value, GParamSpec *p
priv->unix_process.uid = id;
}
break;
case PROP_UNIX_SESSION_ID:
/* construct-only */
if ((str = g_value_get_string (value))) {
priv->subject_type |= NM_AUTH_SUBJECT_TYPE_UNIX_SESSION;
g_return_if_fail (priv->subject_type == NM_AUTH_SUBJECT_TYPE_UNIX_SESSION);
priv->unix_session.id = g_strdup (str);
}
break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
break;
@ -317,7 +322,9 @@ _clear_private (NMAuthSubject *self)
priv->subject_type = NM_AUTH_SUBJECT_TYPE_INVALID;
priv->unix_process.pid = G_MAXULONG;
priv->unix_process.uid = G_MAXULONG;
g_clear_pointer (&priv->unix_process.dbus_sender, g_free);
nm_clear_g_free (&priv->unix_process.dbus_sender);
nm_clear_g_free (&priv->unix_session.id);
}
static void
@ -349,8 +356,6 @@ constructed (GObject *object)
* Don't bother and require the user id as parameter. */
break;
}
if (!priv->unix_process.dbus_sender || !*priv->unix_process.dbus_sender)
break;
priv->unix_process.start_time = nm_utils_get_start_time_for_pid (priv->unix_process.pid, NULL, NULL);
@ -369,6 +374,8 @@ constructed (GObject *object)
* start-time, but polkit is not. */
}
return;
case NM_AUTH_SUBJECT_TYPE_UNIX_SESSION:
return;
default:
break;
}
@ -399,7 +406,7 @@ nm_auth_subject_class_init (NMAuthSubjectClass *config_class)
(object_class, PROP_SUBJECT_TYPE,
g_param_spec_int (NM_AUTH_SUBJECT_SUBJECT_TYPE, "", "",
NM_AUTH_SUBJECT_TYPE_INVALID,
NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS,
NM_AUTH_SUBJECT_TYPE_UNIX_SESSION,
NM_AUTH_SUBJECT_TYPE_INVALID,
G_PARAM_READWRITE |
G_PARAM_CONSTRUCT_ONLY |
@ -429,4 +436,11 @@ nm_auth_subject_class_init (NMAuthSubjectClass *config_class)
G_PARAM_CONSTRUCT_ONLY |
G_PARAM_STATIC_STRINGS));
g_object_class_install_property
(object_class, PROP_UNIX_SESSION_ID,
g_param_spec_string (NM_AUTH_SUBJECT_UNIX_SESSION_ID, "", "",
NULL,
G_PARAM_READWRITE |
G_PARAM_CONSTRUCT_ONLY |
G_PARAM_STATIC_STRINGS));
}
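Review bot: In `constructed()` the new `NM_AUTH_SUBJECT_TYPE_UNIX_SESSION` case returns without checking `priv->unix_session.id`, so `nm_auth_subject_new_unix_session (NULL)` yields a subject that passes as valid. `set_property` skips a NULL id, and `nm_auth_subject_unix_to_polkit_gvariant` and `nm_auth_subject_to_string` then pass that NULL to `g_variant_new_string` and to a `%s` format. Reject it the way the unix-process case rejects bad input, e.g. `if (!priv->unix_session.id || !priv->unix_session.id[0]) break;` before the `return`, assuming `break` reaches the invalidation path after the switch, which lies outside the hunk.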


@ -17,37 +17,40 @@ typedef enum {
NM_AUTH_SUBJECT_TYPE_INVALID = 0,
NM_AUTH_SUBJECT_TYPE_INTERNAL = 1,
NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS = 2,
NM_AUTH_SUBJECT_TYPE_UNIX_SESSION = 4,
} NMAuthSubjectType;
#define NM_AUTH_SUBJECT_SUBJECT_TYPE "subject-type"
#define NM_AUTH_SUBJECT_UNIX_PROCESS_DBUS_SENDER "unix-process-dbus-sender"
#define NM_AUTH_SUBJECT_UNIX_PROCESS_PID "unix-process-pid"
#define NM_AUTH_SUBJECT_UNIX_PROCESS_UID "unix-process-uid"
#define NM_AUTH_SUBJECT_SUBJECT_TYPE "subject-type"
#define NM_AUTH_SUBJECT_UNIX_PROCESS_DBUS_SENDER "unix-process-dbus-sender"
#define NM_AUTH_SUBJECT_UNIX_PROCESS_PID "unix-process-pid"
#define NM_AUTH_SUBJECT_UNIX_PROCESS_UID "unix-process-uid"
#define NM_AUTH_SUBJECT_UNIX_SESSION_ID "unix-session-id"
typedef struct _NMAuthSubjectClass NMAuthSubjectClass;
typedef struct _NMAuthSubject NMAuthSubject;
GType nm_auth_subject_get_type (void);
NMAuthSubject *nm_auth_subject_new_internal (void);
NMAuthSubject *nm_auth_subject_new_unix_process_from_context (GDBusMethodInvocation *context);
NMAuthSubject *nm_auth_subject_new_unix_session (const char *session_id);
NMAuthSubject *nm_auth_subject_new_unix_process_from_message (GDBusConnection *connection, GDBusMessage *message);
NMAuthSubject *nm_auth_subject_new_unix_process (const char *dbus_sender, gulong pid, gulong uid);
NMAuthSubject *nm_auth_subject_new_unix_process_self (void);
NMAuthSubjectType nm_auth_subject_get_subject_type (NMAuthSubject *subject);
gboolean nm_auth_subject_is_internal (NMAuthSubject *subject);
gboolean nm_auth_subject_is_unix_process (NMAuthSubject *subject);
gulong nm_auth_subject_get_unix_process_pid (NMAuthSubject *subject);
const char *nm_auth_subject_get_unix_process_dbus_sender (NMAuthSubject *subject);
gulong nm_auth_subject_get_unix_process_uid (NMAuthSubject *subject);
const char *nm_auth_subject_get_unix_session_id (NMAuthSubject *subject);
const char *nm_auth_subject_to_string (NMAuthSubject *self, char *buf, gsize buf_len);
GVariant * nm_auth_subject_unix_process_to_polkit_gvariant (NMAuthSubject *self);
GVariant *nm_auth_subject_unix_to_polkit_gvariant (NMAuthSubject *self);
#endif /* __NETWORKMANAGER_AUTH_SUBJECT_H__ */


@ -125,7 +125,6 @@ sources = files(
'nm-act-request.c',
'nm-audit-manager.c',
'nm-auth-manager.c',
'nm-auth-subject.c',
'nm-auth-utils.c',
'nm-dbus-manager.c',
'nm-checkpoint.c',


@ -19,7 +19,7 @@
#include "devices/nm-device.h"
#include "nm-active-connection.h"
#include "settings/nm-settings-connection.h"
#include "nm-auth-subject.h"
#include "nm-libnm-core-intern/nm-auth-subject.h"
typedef struct {
char *table;


@ -14,7 +14,7 @@
#include "nm-simple-connection.h"
#include "nm-auth-utils.h"
#include "nm-auth-manager.h"
#include "nm-auth-subject.h"
#include "nm-libnm-core-intern/nm-auth-subject.h"
#include "nm-keep-alive.h"
#include "NetworkManagerUtils.h"
#include "nm-core-internal.h"
@ -598,7 +598,9 @@ nm_active_connection_get_user_requested (NMActiveConnection *self)
{
g_return_val_if_fail (NM_IS_ACTIVE_CONNECTION (self), FALSE);
return nm_auth_subject_is_unix_process (NM_ACTIVE_CONNECTION_GET_PRIVATE (self)->subject);
return nm_auth_subject_get_subject_type (
NM_ACTIVE_CONNECTION_GET_PRIVATE (self)->subject
) == NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS;
}
NMDevice *


@ -11,8 +11,9 @@
#include <libaudit.h>
#endif
#include "nm-auth-subject.h"
#include "nm-libnm-core-intern/nm-auth-subject.h"
#include "nm-config.h"
#include "nm-dbus-manager.h"
#include "settings/nm-settings-connection.h"
/*****************************************************************************/
@ -195,11 +196,12 @@ _audit_log_helper (NMAuditManager *self,
else if (G_IS_DBUS_METHOD_INVOCATION (subject_context)) {
GDBusMethodInvocation *context = subject_context;
subject = subject_free = nm_auth_subject_new_unix_process_from_context (context);
subject = subject_free = nm_dbus_manager_new_auth_subject_from_context (context);
} else
g_warn_if_reached ();
}
if (subject && nm_auth_subject_is_unix_process (subject)) {
if (subject &&
nm_auth_subject_get_subject_type (subject) == NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS) {
pid = nm_auth_subject_get_unix_process_pid (subject);
uid = nm_auth_subject_get_unix_process_uid (subject);
if (pid != G_MAXULONG) {


@ -322,7 +322,7 @@ nm_auth_manager_check_authorization (NMAuthManager *self,
};
c_list_link_tail (&priv->calls_lst_head, &call_id->calls_lst);
if (nm_auth_subject_is_internal (subject)) {
if (nm_auth_subject_get_subject_type (subject) == NM_AUTH_SUBJECT_TYPE_INTERNAL) {
_LOG2T (call_id, "CheckAuthorization(%s), subject=%s (succeeding for internal request)", action_id, nm_auth_subject_to_string (subject, subject_buf, sizeof (subject_buf)));
call_id->idle_id = g_idle_add (_call_on_idle, call_id);
} else if (nm_auth_subject_get_unix_process_uid (subject) == 0) {
@ -339,7 +339,7 @@ nm_auth_manager_check_authorization (NMAuthManager *self,
GVariant *subject_value;
GVariant *details_value;
subject_value = nm_auth_subject_unix_process_to_polkit_gvariant (subject);
subject_value = nm_auth_subject_unix_to_polkit_gvariant (subject);
nm_assert (g_variant_is_floating (subject_value));
/* ((PolkitDetails *)NULL) */
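Review bot: The root shortcut in nm_auth_manager_check_authorization, `} else if (nm_auth_subject_get_unix_process_uid (subject) == 0) {`, still assumes that every non-internal subject is a unix process, even though the subject kind is now an enum. The rename to `nm_auth_subject_unix_to_polkit_gvariant` suggests more than one unix subject kind may exist, so the branch would be safer stating its assumption: `} else if (nm_auth_subject_get_subject_type (subject) == NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS && nm_auth_subject_get_unix_process_uid (subject) == 0) {`. What the uid getter returns for another kind is not visible here, so this is a hardening suggestion rather than a confirmed bypass. The same "not internal, so read the uid" pattern appears in nm_auth_is_subject_in_acl and _activation_bind_lifetime_to_profile_visibility; the function body continues outside both hunks of this section.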


@ -6,7 +6,7 @@
#ifndef NM_AUTH_MANAGER_H
#define NM_AUTH_MANAGER_H
#include "nm-auth-subject.h"
#include "nm-libnm-core-intern/nm-auth-subject.h"
#include "nm-config-data.h"
/*****************************************************************************/


@ -9,9 +9,10 @@
#include "nm-glib-aux/nm-c-list.h"
#include "nm-setting-connection.h"
#include "nm-auth-subject.h"
#include "nm-libnm-core-intern/nm-auth-subject.h"
#include "nm-auth-manager.h"
#include "nm-session-monitor.h"
#include "nm-dbus-manager.h"
/*****************************************************************************/
@ -341,8 +342,10 @@ nm_auth_chain_add_call_unsafe (NMAuthChain *self,
g_return_if_fail (!self->is_finishing);
g_return_if_fail (!self->is_destroyed);
g_return_if_fail (permission && *permission);
nm_assert ( nm_auth_subject_is_unix_process (self->subject)
|| nm_auth_subject_is_internal (self->subject));
nm_assert ( nm_auth_subject_get_subject_type (self->subject)
== NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS
|| nm_auth_subject_get_subject_type (self->subject)
== NM_AUTH_SUBJECT_TYPE_INTERNAL);
/* duplicate permissions are not supported, also because nm_auth_chain_get_result()
* can only return one-permission. */
@ -395,7 +398,7 @@ nm_auth_chain_new_context (GDBusMethodInvocation *context,
g_return_val_if_fail (context, NULL);
nm_assert (done_func);
subject = nm_auth_subject_new_unix_process_from_context (context);
subject = nm_dbus_manager_new_auth_subject_from_context (context);
if (!subject)
return NULL;
@ -416,8 +419,10 @@ nm_auth_chain_new_subject (NMAuthSubject *subject,
NMAuthChain *self;
g_return_val_if_fail (NM_IS_AUTH_SUBJECT (subject), NULL);
nm_assert ( nm_auth_subject_is_unix_process (subject)
|| nm_auth_subject_is_internal (subject));
nm_assert ( nm_auth_subject_get_subject_type (subject)
== NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS
|| nm_auth_subject_get_subject_type (subject)
== NM_AUTH_SUBJECT_TYPE_INTERNAL);
nm_assert (done_func);
self = g_slice_new (NMAuthChain);
@ -504,10 +509,12 @@ nm_auth_is_subject_in_acl (NMConnection *connection,
g_return_val_if_fail (connection, FALSE);
g_return_val_if_fail (NM_IS_AUTH_SUBJECT (subject), FALSE);
nm_assert ( nm_auth_subject_is_internal (subject)
|| nm_auth_subject_is_unix_process (subject));
nm_assert ( nm_auth_subject_get_subject_type (subject)
== NM_AUTH_SUBJECT_TYPE_INTERNAL
|| nm_auth_subject_get_subject_type (subject)
== NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS);
if (nm_auth_subject_is_internal (subject))
if (nm_auth_subject_get_subject_type (subject) == NM_AUTH_SUBJECT_TYPE_INTERNAL)
return TRUE;
uid = nm_auth_subject_get_unix_process_uid (subject);
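Review bot: The "process or internal" precondition is now written as a four-line nm_assert in nm_auth_chain_add_call_unsafe, nm_auth_chain_new_subject and nm_auth_is_subject_in_acl, with the operand order flipped in the last one. A single line per site reads more easily and evaluates the getter once: `nm_assert (NM_IN_SET (nm_auth_subject_get_subject_type (subject), NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS, NM_AUTH_SUBJECT_TYPE_INTERNAL));`. As far as I know nm_assert is only active in builds with extra assertions enabled, so these lines document the precondition rather than enforce it. All three function bodies continue outside their hunks.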


@ -9,7 +9,7 @@
#include "nm-active-connection.h"
#include "nm-act-request.h"
#include "nm-auth-subject.h"
#include "nm-libnm-core-intern/nm-auth-subject.h"
#include "nm-core-utils.h"
#include "nm-dbus-interface.h"
#include "devices/nm-device.h"


@ -19,6 +19,7 @@
#include "nm-std-aux/nm-dbus-compat.h"
#include "nm-dbus-object.h"
#include "NetworkManagerUtils.h"
#include "nm-libnm-core-intern/nm-auth-subject.h"
/* The base path for our GDBusObjectManagerServers. They do not contain
* "NetworkManager" because GDBusObjectManagerServer requires that all
@ -1669,3 +1670,66 @@ nm_dbus_manager_class_init (NMDBusManagerClass *klass)
0, NULL, NULL, NULL,
G_TYPE_NONE, 1, G_TYPE_POINTER);
}
static NMAuthSubject *
_new_unix_process (GDBusMethodInvocation *context,
GDBusConnection *connection,
GDBusMessage *message)
{
NMAuthSubject *self;
const char *dbus_sender = NULL;
gulong uid = 0;
gulong pid = 0;
gboolean success;
g_return_val_if_fail (context || (connection && message), NULL);
if (context) {
success = nm_dbus_manager_get_caller_info (nm_dbus_manager_get (),
context,
&dbus_sender,
&uid,
&pid);
} else {
nm_assert (message);
success = nm_dbus_manager_get_caller_info_from_message (nm_dbus_manager_get (),
connection,
message,
&dbus_sender,
&uid,
&pid);
}
if (!success)
return NULL;
g_return_val_if_fail (dbus_sender && *dbus_sender, NULL);
/* polkit glib library stores uid and pid as int. There might be some
* pitfalls if the id ever happens to be larger then that. Just assert against
* it here. */
g_return_val_if_fail (uid <= MIN (G_MAXINT, G_MAXINT32), NULL);
g_return_val_if_fail (pid > 0 && pid <= MIN (G_MAXINT, G_MAXINT32), NULL);
self = nm_auth_subject_new_unix_process (dbus_sender, pid, uid);
if (nm_auth_subject_get_subject_type (self) != NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS) {
/* this most likely happened because the process is gone (start_time==0).
* Either that is not assert-worthy, or constructed() already asserted.
* Just return NULL. */
g_clear_object (&self);
}
return self;
}
NMAuthSubject *
nm_dbus_manager_new_auth_subject_from_context (GDBusMethodInvocation *context)
{
return _new_unix_process (context, NULL, NULL);
}
NMAuthSubject *
nm_dbus_manager_new_auth_subject_from_message (GDBusConnection *connection,
GDBusMessage *message)
{
return _new_unix_process (NULL, connection, message);
}
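Review bot: `gulong uid = 0;` in _new_unix_process makes root the default identity if a caller-info lookup ever reports success without writing the uid, and uid 0 is exactly what the root shortcuts elsewhere in this commit compare against. Initialising it to the invalid sentinel, `gulong uid = G_MAXULONG;`, fails closed, because the existing range check `uid <= MIN (G_MAXINT, G_MAXINT32)` then rejects it; `pid = 0` is already rejected by `pid > 0`. Separately, the sender, uid and pid checks validate runtime data with g_return_val_if_fail, which logs a critical and is compiled out under G_DISABLE_CHECKS. A plain `if (...) return NULL;` would keep that validation in every build.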


@ -88,4 +88,9 @@ void nm_dbus_manager_private_server_register (NMDBusManager *self,
const char *path,
const char *tag);
NMAuthSubject *nm_dbus_manager_new_auth_subject_from_context (GDBusMethodInvocation *context);
NMAuthSubject *nm_dbus_manager_new_auth_subject_from_message (GDBusConnection *connection,
GDBusMessage *message);
#endif /* __NM_DBUS_MANAGER_H__ */
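Review bot: The two new prototypes carry no comment saying that NULL is a normal result, which most converted call sites in this commit turn into a permission-denied error. Suggest adding above them: `/* Returns a new NMAuthSubject for the D-Bus caller, or NULL if the caller's sender, uid or pid cannot be determined or the process is already gone; treat NULL as permission denied. */`. Judging by `gs_unref_object` and `subject_free` at the call sites, the caller owns the returned reference, which is worth stating in the same comment.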


@ -2437,7 +2437,7 @@ device_auth_request_cb (NMDevice *device,
char *permission_dup;
/* Validate the caller */
subject = nm_auth_subject_new_unix_process_from_context (context);
subject = nm_dbus_manager_new_auth_subject_from_context (context);
if (!subject) {
error = g_error_new_literal (NM_MANAGER_ERROR,
NM_MANAGER_ERROR_PERMISSION_DENIED,
@ -4514,7 +4514,7 @@ unmanaged_to_disconnected (NMDevice *device)
static NMActivationStateFlags
_activation_bind_lifetime_to_profile_visibility (NMAuthSubject *subject)
{
if ( nm_auth_subject_is_internal (subject)
if ( nm_auth_subject_get_subject_type (subject) == NM_AUTH_SUBJECT_TYPE_INTERNAL
|| nm_auth_subject_get_unix_process_uid (subject) == 0) {
/* internal requests and requests from root are always unbound. */
return NM_ACTIVATION_STATE_FLAG_NONE;
@ -5098,8 +5098,10 @@ nm_manager_activate_connection (NMManager *self,
if ( sett_conn == nm_active_connection_get_settings_connection (active)
&& nm_streq0 (nm_active_connection_get_specific_object (active), specific_object)
&& (!device || nm_active_connection_get_device (active) == device)
&& nm_auth_subject_is_internal (nm_active_connection_get_subject (active))
&& nm_auth_subject_is_internal (subject)
&& nm_auth_subject_get_subject_type (nm_active_connection_get_subject (active))
== NM_AUTH_SUBJECT_TYPE_INTERNAL
&& nm_auth_subject_get_subject_type (subject)
== NM_AUTH_SUBJECT_TYPE_INTERNAL
&& nm_active_connection_get_activation_reason (active) == activation_reason)
return active;
}
@ -5174,7 +5176,7 @@ validate_activation_request (NMManager *self,
connection = nm_settings_connection_get_connection (sett_conn);
/* Validate the caller */
subject = nm_auth_subject_new_unix_process_from_context (context);
subject = nm_dbus_manager_new_auth_subject_from_context (context);
if (!subject) {
g_set_error_literal (error,
NM_MANAGER_ERROR,
@ -5824,7 +5826,7 @@ impl_manager_deactivate_connection (NMDBusObject *obj,
}
/* Validate the caller */
subject = nm_auth_subject_new_unix_process_from_context (invocation);
subject = nm_dbus_manager_new_auth_subject_from_context (invocation);
if (!subject) {
error = g_error_new_literal (NM_MANAGER_ERROR,
NM_MANAGER_ERROR_PERMISSION_DENIED,
@ -6108,7 +6110,7 @@ impl_manager_sleep (NMDBusObject *obj,
g_variant_get (parameters, "(b)", &do_sleep);
subject = nm_auth_subject_new_unix_process_from_context (invocation);
subject = nm_dbus_manager_new_auth_subject_from_context (invocation);
if (priv->sleeping == do_sleep) {
error = g_error_new (NM_MANAGER_ERROR,
@ -6935,7 +6937,7 @@ nm_manager_dbus_set_property_handle (NMDBusObject *obj,
gs_unref_object NMAuthSubject *subject = NULL;
DBusSetPropertyHandle *handle_data;
subject = nm_auth_subject_new_unix_process_from_context (invocation);
subject = nm_dbus_manager_new_auth_subject_from_context (invocation);
if (!subject) {
error_message = NM_UTILS_ERROR_MSG_REQ_UID_UKNOWN;
goto err;
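Review bot: In impl_manager_sleep the result of `nm_dbus_manager_new_auth_subject_from_context (invocation)` is used without the `if (!subject)` check that the other converted call sites in this file have (device_auth_request_cb, validate_activation_request, impl_manager_deactivate_connection, nm_manager_dbus_set_property_handle). The rest of the function is outside the hunk, so subject may only feed audit logging, whose helper in this commit guards with `if (subject && ...)`. If so, a comment would make the intent explicit: `/* subject may be NULL here; it is only used for audit logging */`. If it reaches an authorization call instead, it needs the same NM_MANAGER_ERROR_PERMISSION_DENIED early return as the other handlers.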


@ -1633,7 +1633,8 @@ activate_slave_connections (NMPolicy *self, NMDevice *device)
}
subject = nm_active_connection_get_subject (NM_ACTIVE_CONNECTION (req));
internal_activation = subject && nm_auth_subject_is_internal (subject);
internal_activation = subject
&& (nm_auth_subject_get_subject_type (subject) == NM_AUTH_SUBJECT_TYPE_INTERNAL);
}
changed = FALSE;


@ -374,7 +374,7 @@ agent_manager_register_with_capabilities (NMAgentManager *self,
NMSecretAgent *agent;
NMAuthChain *chain;
subject = nm_auth_subject_new_unix_process_from_context (context);
subject = nm_dbus_manager_new_auth_subject_from_context (context);
if (!subject) {
error = g_error_new_literal (NM_AGENT_MANAGER_ERROR,
NM_AGENT_MANAGER_ERROR_PERMISSION_DENIED,
@ -626,7 +626,7 @@ agent_compare_func (gconstpointer aa, gconstpointer bb, gpointer user_data)
b_pid = nm_secret_agent_get_pid (b);
/* Prefer agents in the process the request came from */
if (nm_auth_subject_is_unix_process (req->subject)) {
if (nm_auth_subject_get_subject_type (req->subject) == NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS) {
requester = nm_auth_subject_get_unix_process_pid (req->subject);
if (a_pid != b_pid) {
@ -682,7 +682,7 @@ request_add_agent (Request *req, NMSecretAgent *agent)
}
/* If the request should filter agents by UID, do that now */
if (nm_auth_subject_is_unix_process (req->subject)) {
if (nm_auth_subject_get_subject_type (req->subject) == NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS) {
uid_t agent_uid, subject_uid;
agent_uid = nm_secret_agent_get_owner_uid (agent);
@ -1409,8 +1409,8 @@ nm_agent_manager_all_agents_have_capability (NMAgentManager *manager,
NMAgentManagerPrivate *priv = NM_AGENT_MANAGER_GET_PRIVATE (manager);
GHashTableIter iter;
NMSecretAgent *agent;
gboolean subject_is_unix_process = nm_auth_subject_is_unix_process (subject);
gulong subject_uid = subject_is_unix_process ? nm_auth_subject_get_unix_process_uid (subject) : 0;
gboolean subject_is_unix_process = (nm_auth_subject_get_subject_type (subject) == NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS);
gulong subject_uid = subject_is_unix_process ? nm_auth_subject_get_unix_process_uid (subject) : 0u;
g_hash_table_iter_init (&iter, priv->agents);
while (g_hash_table_iter_next (&iter, NULL, (gpointer) &agent)) {


@ -14,7 +14,7 @@
#include "nm-glib-aux/nm-dbus-aux.h"
#include "nm-dbus-interface.h"
#include "nm-core-internal.h"
#include "nm-auth-subject.h"
#include "nm-libnm-core-intern/nm-auth-subject.h"
#include "nm-simple-connection.h"
#include "NetworkManagerUtils.h"
#include "c-list/src/c-list.h"
@ -709,7 +709,8 @@ nm_secret_agent_new (GDBusMethodInvocation *context,
g_return_val_if_fail (context != NULL, NULL);
g_return_val_if_fail (NM_IS_AUTH_SUBJECT (subject), NULL);
g_return_val_if_fail (nm_auth_subject_is_unix_process (subject), NULL);
g_return_val_if_fail (nm_auth_subject_get_subject_type (subject)
== NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS, NULL);
g_return_val_if_fail (identifier != NULL, NULL);
dbus_connection = g_dbus_method_invocation_get_connection (context);


@ -18,12 +18,12 @@
#include "nm-session-monitor.h"
#include "nm-auth-manager.h"
#include "nm-auth-utils.h"
#include "nm-auth-subject.h"
#include "nm-agent-manager.h"
#include "NetworkManagerUtils.h"
#include "nm-core-internal.h"
#include "nm-audit-manager.h"
#include "nm-settings.h"
#include "nm-dbus-manager.h"
#include "settings/plugins/keyfile/nms-keyfile-storage.h"
#define AUTOCONNECT_RETRIES_UNSET -2
@ -1249,7 +1249,7 @@ _new_auth_subject (GDBusMethodInvocation *context, GError **error)
{
NMAuthSubject *subject;
subject = nm_auth_subject_new_unix_process_from_context (context);
subject = nm_dbus_manager_new_auth_subject_from_context (context);
if (!subject) {
g_set_error_literal (error,
NM_SETTINGS_ERROR,


@ -54,7 +54,7 @@
#include "nm-settings-plugin.h"
#include "nm-dbus-manager.h"
#include "nm-auth-utils.h"
#include "nm-auth-subject.h"
#include "nm-libnm-core-intern/nm-auth-subject.h"
#include "nm-session-monitor.h"
#include "plugins/keyfile/nms-keyfile-plugin.h"
#include "plugins/keyfile/nms-keyfile-storage.h"
@ -2574,7 +2574,7 @@ settings_add_connection_helper (NMSettings *self,
return;
}
subject = nm_auth_subject_new_unix_process_from_context (context);
subject = nm_dbus_manager_new_auth_subject_from_context (context);
if (!subject) {
g_dbus_method_invocation_return_error_literal (context,
NM_SETTINGS_ERROR,
@ -2918,7 +2918,7 @@ impl_settings_get_connection_by_uuid (NMDBusObject *obj,
goto error;
}
subject = nm_auth_subject_new_unix_process_from_context (invocation);
subject = nm_dbus_manager_new_auth_subject_from_context (invocation);
if (!subject) {
error = g_error_new_literal (NM_SETTINGS_ERROR,
NM_SETTINGS_ERROR_PERMISSION_DENIED,


@ -14,7 +14,7 @@
#include "nm-supplicant-settings-verify.h"
#include "nm-setting.h"
#include "nm-auth-subject.h"
#include "nm-libnm-core-intern/nm-auth-subject.h"
#include "NetworkManagerUtils.h"
#include "nm-utils.h"
#include "nm-setting-ip4-config.h"


@ -9,7 +9,7 @@
#include "nm-vpn-dbus-interface.h"
#include "devices/nm-device.h"
#include "nm-auth-subject.h"
#include "nm-libnm-core-intern/nm-auth-subject.h"
#include "nm-active-connection.h"
#include "nm-vpn-plugin-info.h"