colin/ModemManager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

build: new strict & permissive polkit policies in '--with-polkit'

Browse Source 
The '--with-polkit' configure switch now supports more options than just yes
or no:

 * strict: Active user needs to explicitly authenticate when peforming an
   operation defined in the Device.Control, Messaging, Location or Contacts
   interfaces. Polkit policy is set to 'auth_self_keep'.

 * permissive: Active user doesn't need to explicitly authenticate when
   peforming an operation defined in the Device.Control, Messaging, Location or
   Contacts interfaces. Polkit policy is set to 'yes'.

 * none: don't use polkit.

If '--with-polkit' is not given, usage will be automatically decided based on
the presence of the Polkit headers in the system (if headers found, strict
policy will be applied, otherwise none).

Also:
 * '--with-polkit' is equivalent to '--with-polkit=strict'
 * '--with-polkit=yes' is equivalent to '--with-polkit=strict'
 * '--with-polkit=no' is equivalent to '--with-polkit=none'
 * '--without-polkit' is equivalent to '--with-polkit=none'

By default, ModemManager will always apply the strict policy, in order to
protect the user from unwanted operations in the modem (e.g. getting the PIN
locked forever after wrong PIN/PUK unlock attempts).

https://bugzilla.gnome.org/show_bug.cgi?id=701740
This commit is contained in:
Aleksander Morgado
2013-06-10 18:30:12 +02:00
parent dc81556914
commit 0c7265de29
6 changed files with 57 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -57,6 +57,7 @@ libwmc/tests/test-wmc
data/org.freedesktop.ModemManager1.conf data/org.freedesktop.ModemManager1.conf
data/org.freedesktop.ModemManager1.service data/org.freedesktop.ModemManager1.service
data/org.freedesktop.ModemManager1.policy data/org.freedesktop.ModemManager1.policy
data/org.freedesktop.ModemManager1.policy.in
data/ModemManager.service data/ModemManager.service
data/ModemManager.pc data/ModemManager.pc
data/mm-common.pc data/mm-common.pc

61
configure.ac
View File

@@ -99,22 +99,51 @@ fi
AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$SYSTEMD_UNIT_DIR" -a "$SYSTEMD_UNIT_DIR" != xno ]) AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$SYSTEMD_UNIT_DIR" -a "$SYSTEMD_UNIT_DIR" != xno ])
# PolicyKit # PolicyKit
AC_ARG_WITH(polkit, AS_HELP_STRING([--with-polkit], [Build with PolicyKit support])) PKG_CHECK_MODULES(POLKIT, [polkit-gobject-1 >= 0.97], [have_polkit=yes],[have_polkit=no])
AM_CONDITIONAL(WITH_POLKIT, test "x$with_polkit" = "xyes") AC_ARG_WITH(polkit,
case $with_polkit in AS_HELP_STRING([--with-polkit=(strict|permissive|none)],
yes) [Enable PolicyKit support [[default=auto]]]),,
with_polkit=yes [with_polkit=auto])
PKG_CHECK_MODULES(POLKIT, polkit-gobject-1 >= 0.97) # Handle 'auto' ('strict' if polkit found, 'none' otherwise),
AC_DEFINE(WITH_POLKIT, 1, [Define if you want to use PolicyKit]) # 'yes' ('strict') and 'no' ('none')
AC_SUBST(POLKIT_CFLAGS) if test "x$with_polkit" = "xauto"; then
AC_SUBST(POLKIT_LIBS) if test "x$have_polkit" = "xno"; then
with_polkit="none"
else
with_polkit="strict"
fi
elif test "x$with_polkit" = "xno"; then
with_polkit=none
elif test "x$with_polkit" = "xyes"; then
with_polkit=strict
fi
# Build policies context
if test "x$with_polkit" = "xnone"; then
AC_DEFINE(WITH_POLKIT, 0, [Define if you have PolicyKit support])
else
if test "x$have_polkit" = "xno"; then
AC_MSG_ERROR(PolicyKit development headers are required)
fi
AM_GLIB_GNU_GETTEXT case "x$with_polkit" in
;; "xpermissive")
*) MM_DEFAULT_USER_POLICY="yes"
with_polkit=no ;;
;; "xstrict")
esac MM_DEFAULT_USER_POLICY="auth_self_keep"
;;
*)
AC_MSG_ERROR([Wrong value for --with-polkit: $with_polkit])
;;
esac
AC_DEFINE(WITH_POLKIT, 1, [Define if you have PolicyKit support])
AC_SUBST(POLKIT_CFLAGS)
AC_SUBST(POLKIT_LIBS)
AC_SUBST(MM_DEFAULT_USER_POLICY)
fi
AM_CONDITIONAL(WITH_POLKIT, [test "x$with_polkit" != "xnone" ])
# PPPD # PPPD
AC_CHECK_HEADERS(pppd/pppd.h, have_pppd_headers="yes", have_pppd_headers="no") AC_CHECK_HEADERS(pppd/pppd.h, have_pppd_headers="yes", have_pppd_headers="no")
@@ -234,7 +263,7 @@ Makefile
data/Makefile data/Makefile
data/ModemManager.pc data/ModemManager.pc
data/mm-glib.pc data/mm-glib.pc
data/org.freedesktop.ModemManager1.policy data/org.freedesktop.ModemManager1.policy.in
include/Makefile include/Makefile
build-aux/Makefile build-aux/Makefile
libqcdm/Makefile libqcdm/Makefile

9
data/Makefile.am
View File

@@ -58,10 +58,10 @@ diagrams = \
# Polkit # Polkit
dist_polkit_policy_in_files = org.freedesktop.ModemManager1.policy.in polkit_policy_in_in_files = org.freedesktop.ModemManager1.policy.in.in
if WITH_POLKIT if WITH_POLKIT
polkit_policydir = $(datadir)/polkit-1/actions polkit_policydir = $(datadir)/polkit-1/actions
dist_polkit_policy_DATA = $(dist_polkit_policy_in_files:.policy.in=.policy) polkit_policy_DATA = $(polkit_policy_in_in_files:.policy.in.in=.policy)
@INTLTOOL_POLICY_RULE@ @INTLTOOL_POLICY_RULE@
endif endif
@@ -75,7 +75,8 @@ pkgconfig_DATA = \
DISTCLEANFILES = \ DISTCLEANFILES = \
$(dbusactivation_DATA) \ $(dbusactivation_DATA) \
$(dbusservice_DATA) $(dbusservice_DATA) \
$(polkit_policy_DATA)
if HAVE_SYSTEMD if HAVE_SYSTEMD
DISTCLEANFILES += $(systemdsystemunit_DATA) DISTCLEANFILES += $(systemdsystemunit_DATA)
@@ -88,6 +89,6 @@ EXTRA_DIST = \
$(dbusservice_file_polkit) \ $(dbusservice_file_polkit) \
$(dbusservice_file_nopolkit) \ $(dbusservice_file_nopolkit) \
$(icon_DATA) \ $(icon_DATA) \
$(dist_polkit_policy_in_files) \ $(polkit_policy_in_in_files) \
$(logos) \ $(logos) \
$(diagrams) $(diagrams)

8
data/org.freedesktop.ModemManager1.policy.in → data/org.freedesktop.ModemManager1.policy.in.in
View File

@@ -23,7 +23,7 @@
<_message>System policy prevents unlocking or controlling the mobile broadband device.</_message> <_message>System policy prevents unlocking or controlling the mobile broadband device.</_message>
<defaults> <defaults>
<allow_inactive>no</allow_inactive> <allow_inactive>no</allow_inactive>
<allow_active>auth_self_keep</allow_active> <allow_active>@MM_DEFAULT_USER_POLICY@</allow_active>
</defaults> </defaults>
</action> </action>
@@ -32,7 +32,7 @@
<_message>System policy prevents adding, modifying, or deleting this device's contacts.</_message> <_message>System policy prevents adding, modifying, or deleting this device's contacts.</_message>
<defaults> <defaults>
<allow_inactive>no</allow_inactive> <allow_inactive>no</allow_inactive>
<allow_active>auth_self_keep</allow_active> <allow_active>@MM_DEFAULT_USER_POLICY@</allow_active>
</defaults> </defaults>
</action> </action>
@@ -41,7 +41,7 @@
<_message>System policy prevents sending or maniuplating this device's text messages.</_message> <_message>System policy prevents sending or maniuplating this device's text messages.</_message>
<defaults> <defaults>
<allow_inactive>no</allow_inactive> <allow_inactive>no</allow_inactive>
<allow_active>auth_self_keep</allow_active> <allow_active>@MM_DEFAULT_USER_POLICY@</allow_active>
</defaults> </defaults>
</action> </action>
@@ -50,7 +50,7 @@
<_message>System policy prevents enabling or viewing geographic location information.</_message> <_message>System policy prevents enabling or viewing geographic location information.</_message>
<defaults> <defaults>
<allow_inactive>no</allow_inactive> <allow_inactive>no</allow_inactive>
<allow_active>auth_self_keep</allow_active> <allow_active>@MM_DEFAULT_USER_POLICY@</allow_active>
</defaults> </defaults>
</action> </action>

2
po/POTFILES.in
View File

@@ -1,4 +1,4 @@
[encoding: UTF-8] [encoding: UTF-8]
# List of source files containing translatable strings. # List of source files containing translatable strings.
# Please keep this file sorted alphabetically. # Please keep this file sorted alphabetically.
data/org.freedesktop.ModemManager1.policy.in data/org.freedesktop.ModemManager1.policy.in.in

1
po/POTFILES.skip Normal file
View File

@@ -0,0 +1 @@
data/org.freedesktop.ModemManager1.policy.in