The error case was as follows. When using 'ifupdown,keyfile' plugins
and 'eth0' present in /etc/network/interfaces on a Debian-based system,
'ifupdown' plugin, in unmanaged mode, load_connections() prematurely
and thus effectively blocked reading connections from 'keyfile' plugin.
Patch by Dan and tested by me.
The errors weren't registered with dbus-glib yet for some reason, so
errors returned when adding invalid connections or updating or whatever
weren't meaningful at all. We register them in the system settings
service (and not libnm-util) becuase libnm-util doesn't really have
anything to do wtih D-Bus, so we put the error registration with the
code that exports the connections over the bus.
Having the original hostname checks in the settings-service code
didn't allow the policy enough granularity to differentiate between
a plugin-provided hostname and the original hostname. We want to
fall back to the original hostname if there isn't a persistent
hostname (from a plugin) and if there isn't a DHCP-provided
hostname. Moving the original hostname checks to the policy
makes that possible. Clarify the precedence order at the same
time, and minimally validate the DHCP hostname as well.
3rd patch in a series with:
0bbdc6b0fcb135fa3265
With NM 0.8 the system settings service was integrated into NM and
thus nm_connection_clear_secrets() acts directly on the system
settings plugins' NMConnection objects. So when NM cleared secrets
(for example after determining that they might be bad in a device's
stage2 handler), we completely lost the secrets forever.
With this commit, the secrets are now cached and updated whenever
the connection is updated, and thus are again available to send to
NetworkManager when needed.
nm_connection_replace_settings() replaces the connection's settings
but doesn't allow interception of the new settings. Plugins would then
send out the update signal, but secrets are scrubbed out of them to
ensure secrets aren't leaked out into D-Bus signals.
With NM 0.8 the system settings service was integrated into NM and
thus nm_connection_clear_secrets() acts directly on the system
settings plugins' NMConnection objects. So when NM cleared secrets
(for example after determining that they might be bad in a device's
stage2 handler), we completely lost the secrets forever.
Adding this function allows the system settings service to hook into
the connection updates when the plugin connection's backing storage
(like config files or whatever) changes and cache the secrets for
use in NMSettingsConnectionInterface get_secrets() requestes.
It's a singleton, but PolicyKit didn't increment the reference count
when returning from polkit_authority_get() like we expected (which has
since been fixed upstream). So for now, just don't unref the authority
at all.
Since we don't do that, there's a chance that some PolicyKit calls could
be outstanding when either the NMSysconfigSettings object or one of the
NMSysconfigConnection objects are around, so we make sure we cancel any
PolicyKit calls when the object gets disposed. This is tricky, because
canceling them from the dispose may mean that the callback gets called
after the object is actually destroyed, so we have to be careful not to
access any private object data from the callbacks in that situation.
The error object passed to the plugin's add-connection handler wasn't
getting properly cleared if an earlier plugin had failed to write
the connection and fell back to the current plugin.
Fix up refcounting, plus it turns out that we already have the MAC address
lying around as a GObject data item, so we don't need to go grab it
from the connection itself.
Since the new PolicyKit does away with easy checking of authorizations,
we get to implement it by ourselves, but that's OK since we can actually
use it for a lot more stuff. So add the GetPermissions call which returns
the permissions the caller actually has, and a signal informing callers
that their permissions might have changed. Hook this all up to
PolicyKit so it's useful.
instead of an NMSettingsConnectionInterface, because we won't always have an
object that implements NMSettingsConnectionInterface. Plus, since NMConnection
is a prerequisite of NMSettingsConnectionInterface, the NMConnection will
always be there anyway.
Make NMSettingsService implement most of the NMSettingsInterface
API to make subclasses simpler, and consolidate exporting of
NMExportedConnection subclasses in NMSettingsService instead of
in 3 places. Make NMSysconfigSettings a subclass of
NMSettingsService and save a ton of code.
The old NMExportedConnection was used for both client and server-side classes,
which was a mistake and made the code very complicated to follow. Additionally,
all PolicyKit operations were synchronous, and PK operations can block for a
long time (ie for user input) before returning, so they need to be async. But
NMExportedConnection and NMSysconfigConnection didn't allow for async PK ops
at all.
Use this opportunity to clean up the mess and create GInterfaces that both
server and client objects implement, so that the connection editor and applet
can operate on generic objects like they did before (using the interfaces) but
can perform specific operations (like async PK verification of callers) depending
on whether they are local or remote or whatever.
PK < 1.0 doesn't work with UID 0 processes that aren't spawned via a
session-manager, and thus don't have the XDG_SESSION_COOKIE in their
environment (which ConsoleKit uses to figure out what session the
caller is in). But since root could just scribble over the config
files anyway, bypassing PK for UID 0 doesn't meaningfully decrease
security.
The only thing that doesn't work yet is the system-settings service's
"auto eth" connections for ethernet devices that don't have an existing
connection. Might also have issues with unmanaged devices that can't
provide a MAC address until they are brought up, but we'll see.
