mirror of
https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git
synced 2025-12-28 00:30:09 +01:00
7e0f94f0f5
at_console permissions as implemented by D-Bus have some problems: 1) it is now fully redundant with PolicyKit and session tracking via systemd/ConsoleKit 2) it uses a different mechanism than PolicyKit or systemd to determine sessions and whether the user is on local or not (pam_console) 3) it was never widely implemented across so removing it harmonizes D-Bus permissions on all supported distros To that end, remove the at_console section of the D-Bus permissions, and rely on session-tracking and PolicyKit to ensure operations are locked down. No changes are being made to PolicyKit or session-tracking, so any operations denied by those mechanisms are still denied, and no permissions are being relaxed. Instead, this should allow remote users who log in via remote desktop or SSH to inspect network state, change connection parameters, and start/stop interfaces. Obviously if you are remote, you should not touch the interface which your connection is using, but that concern shouldn't prevent all the other nice stuff that you can do with NM. https://bugzilla.gnome.org/show_bug.cgi?id=707983 https://bugzilla.redhat.com/show_bug.cgi?id=979416
124 lines
7.9 KiB
Text
124 lines
7.9 KiB
Text
<!DOCTYPE busconfig PUBLIC
|
|
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
|
|
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
|
|
<busconfig>
|
|
<policy user="root">
|
|
<allow own="org.freedesktop.NetworkManager"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"/>
|
|
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.PPP"/>
|
|
|
|
<allow send_interface="org.freedesktop.NetworkManager.SecretAgent"/>
|
|
|
|
<!-- Allow NM to talk to known VPN plugins; due to a bug in
|
|
the D-Bus daemon, when a plugin is installed and the user
|
|
immediately tries to use it, the VPN plugin's rules aren't
|
|
always loaded into dbus-daemon. Those rules allow NM to
|
|
talk to the plugin. Oops. Work around that by explicitly
|
|
allowing NM to talk to VPN plugins here.
|
|
-->
|
|
<allow send_destination="org.freedesktop.NetworkManager.openconnect"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager.openswan"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager.openvpn"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager.pptp"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager.vpnc"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager.ssh"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager.iodine"/>
|
|
</policy>
|
|
<policy context="default">
|
|
<deny own="org.freedesktop.NetworkManager"/>
|
|
|
|
<deny send_destination="org.freedesktop.NetworkManager"/>
|
|
|
|
<!-- Basic D-Bus API stuff -->
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.DBus.Introspectable"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.DBus.Properties"/>
|
|
|
|
<!-- Devices (read-only properties, no methods) -->
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device.Adsl"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device.Bond"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device.Bridge"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device.Bluetooth"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device.Wired"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device.Generic"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device.Gre"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device.Infiniband"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device.Macvlan"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device.Modem"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device.OlpcMesh"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device.Team"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device.Tun"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device.Veth"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device.Vlan"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.WiMax.Nsp"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.AccessPoint"/>
|
|
|
|
<!-- Devices (read-only, no security required) -->
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device.WiMax"/>
|
|
|
|
<!-- Devices (read/write, secured with PolicyKit) -->
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device.Wireless"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Device"/>
|
|
|
|
<!-- Core stuff (read-only properties, no methods) -->
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.DHCP4Config"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.DHCP6Config"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.IP4Config"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.IP6Config"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.VPN.Connection"/>
|
|
|
|
<!-- Core stuff (read/write, secured with PolicyKit) -->
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Settings"/>
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.Settings.Connection"/>
|
|
|
|
<!-- Agents; secured with PolicyKit. Any process can talk to
|
|
the AgentManager API, but only NetworkManager can talk
|
|
to the agents themselves. -->
|
|
<allow send_destination="org.freedesktop.NetworkManager"
|
|
send_interface="org.freedesktop.NetworkManager.AgentManager"/>
|
|
<deny send_interface="org.freedesktop.NetworkManager.SecretAgent"/>
|
|
|
|
<!-- Root-only functions -->
|
|
<deny send_interface="org.freedesktop.NetworkManager" send_member="SetLogging"/>
|
|
<deny send_interface="org.freedesktop.NetworkManager" send_member="Sleep"/>
|
|
<deny send_interface="org.freedesktop.NetworkManager.Settings" send_member="LoadConnections"/>
|
|
<deny send_interface="org.freedesktop.NetworkManager.Settings" send_member="ReloadConnections"/>
|
|
<deny send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/>
|
|
<deny send_interface="org.freedesktop.NetworkManager.PPP"/>
|
|
</policy>
|
|
</busconfig>
|
|
|