auth: support disabling POLKIT authentication entirely at compile time

Let the user completly disable polkit authentication by
building NM with configure option  '--enable-polkit=disabled'.

In that case, configuring 'main.auth-polkit=yes' will fail all
authentication requests (except root-requests, which are always granted).

This reduces the size of the NetworkManager binary by some 26KB (16KB
stripped).

Signed-off-by: Thomas Haller <thaller@redhat.com>
This commit is contained in:
Thomas Haller
2014-08-19 18:56:23 +02:00
parent eabe7d856c
commit 53e244bef6
6 changed files with 58 additions and 5 deletions

View File

@@ -457,9 +457,14 @@ else
fi
AM_CONDITIONAL(WITH_TEAMDCTL, test "${enable_teamdctl}" = "yes")
AC_ARG_ENABLE(polkit, AS_HELP_STRING([--enable-polkit], [set default value for auth-polkit configuration option]),
# we usually compile with polkit support. --enable-polkit=yes|no only sets the
# default configuration for main.auth-polkit. User can always enable/disable polkit
# autorization via config. Only when specifying --enable-polkit=disabled, we do
# not compile support. In this case, the user cannot enable polkit authorization via
# configuration.
AC_ARG_ENABLE(polkit, AS_HELP_STRING([--enable-polkit=yes|no|disabled], [set default value for auth-polkit configuration option. This value can be overwritten by NM configuration. 'disabled' compiles NM without any support]),
[enable_polkit=${enableval}], [enable_polkit=yes])
if (test "${enable_polkit}" != "no"); then
if (test "${enable_polkit}" != "no" -a "${enable_polkit}" != "disabled"); then
enable_polkit=yes
AC_DEFINE(NM_CONFIG_DEFAULT_AUTH_POLKIT, TRUE, [The default value of the auth-polkit configuration option])
NM_CONFIG_DEFAULT_AUTH_POLKIT_TEXT='true'
@@ -467,6 +472,11 @@ else
AC_DEFINE(NM_CONFIG_DEFAULT_AUTH_POLKIT, FALSE, [The default value of the auth-polkit configuration option])
NM_CONFIG_DEFAULT_AUTH_POLKIT_TEXT='false'
fi
if (test "${enable_polkit}" != "disabled"); then
AC_DEFINE(WITH_POLKIT, 1, [whether to compile polkit support])
else
AC_DEFINE(WITH_POLKIT, 0, [whether to compile polkit support])
fi
AC_SUBST(NM_CONFIG_DEFAULT_AUTH_POLKIT_TEXT)
AC_ARG_ENABLE(modify-system,
@@ -961,11 +971,15 @@ echo
echo "Platform:"
echo " session tracking: $with_session_tracking"
echo " suspend/resume: $with_suspend_resume"
if test "${enable_polkit}" = "yes"; then
if test "${enable_modify_system}" = "yes"; then
echo " policykit: yes (permissive modify.system) (default=${enable_polkit})"
else
echo " policykit: yes (restrictive modify.system) (default=${enable_polkit})"
fi
else
echo " policykit: no"
fi
echo " selinux: $have_selinux"
echo

View File

@@ -66,10 +66,12 @@ static guint signals[LAST_SIGNAL] = {0};
typedef struct {
gboolean polkit_enabled;
#if WITH_POLKIT
guint call_id_counter;
GCancellable *new_proxy_cancellable;
GSList *queued_calls;
GDBusProxy *proxy;
#endif
} NMAuthManagerPrivate;
static NMAuthManager *_instance = NULL;
@@ -100,6 +102,8 @@ nm_auth_manager_get_polkit_enabled (NMAuthManager *self)
/*****************************************************************************/
#if WITH_POLKIT
typedef enum {
POLKIT_CHECK_AUTHORIZATION_FLAGS_NONE = 0,
POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION = (1<<0),
@@ -477,6 +481,8 @@ _dbus_new_proxy_cb (GObject *source_object,
_emit_changed_signal (self);
}
#endif
/*****************************************************************************/
NMAuthManager *
@@ -548,6 +554,7 @@ constructed (GObject *object)
G_OBJECT_CLASS (nm_auth_manager_parent_class)->constructed (object);
#if WITH_POLKIT
_LOGD ("create auth-manager: polkit %s", priv->polkit_enabled ? "enabled" : "disabled");
if (priv->polkit_enabled) {
@@ -567,6 +574,12 @@ constructed (GObject *object)
_dbus_new_proxy_cb,
p_self);
}
#else
if (priv->polkit_enabled)
_LOGW ("create auth-manager: polkit disabled at compile time. All authentication requests will fail");
else
_LOGD ("create auth-manager: polkit disabled at compile time");
#endif
}
@@ -574,10 +587,13 @@ static void
dispose (GObject *object)
{
NMAuthManager* self = NM_AUTH_MANAGER (object);
#if WITH_POLKIT
NMAuthManagerPrivate *priv = NM_AUTH_MANAGER_GET_PRIVATE (self);
#endif
_LOGD ("dispose");
#if WITH_POLKIT
/* since we take a reference for each queued call, we don't expect to have any queued calls in dispose() */
g_assert (!priv->queued_calls);
@@ -591,6 +607,7 @@ dispose (GObject *object)
g_signal_handlers_disconnect_by_func (priv->proxy, _dbus_on_g_signal_cb, self);
g_clear_object (&priv->proxy);
}
#endif
G_OBJECT_CLASS (nm_auth_manager_parent_class)->dispose (object);
}

View File

@@ -62,6 +62,8 @@ NMAuthManager *nm_auth_manager_get (void);
gboolean nm_auth_manager_get_polkit_enabled (NMAuthManager *self);
#if WITH_POLKIT
void nm_auth_manager_polkit_authority_check_authorization (NMAuthManager *self,
NMAuthSubject *subject,
const char *action_id,
@@ -75,6 +77,7 @@ gboolean nm_auth_manager_polkit_authority_check_authorization_finish (NMAuthMana
gboolean *out_is_challenge,
GError **error);
#endif
G_END_DECLS

View File

@@ -150,6 +150,8 @@ nm_auth_subject_to_string (NMAuthSubject *self, char *buf, gsize buf_len)
return buf;
}
#if WITH_POLKIT
/* returns a floating variant */
GVariant *
nm_auth_subject_unix_process_to_polkit_gvariant (NMAuthSubject *self)
@@ -171,6 +173,8 @@ nm_auth_subject_unix_process_to_polkit_gvariant (NMAuthSubject *self)
return ret;
}
#endif
NMAuthSubjectType
nm_auth_subject_get_subject_type (NMAuthSubject *subject)
{

View File

@@ -82,6 +82,10 @@ gulong nm_auth_subject_get_unix_process_uid (NMAuthSubject *subject);
const char *nm_auth_subject_to_string (NMAuthSubject *self, char *buf, gsize buf_len);
#if WITH_POLKIT
GVariant * nm_auth_subject_unix_process_to_polkit_gvariant (NMAuthSubject *self);
#endif
#endif /* __NETWORKMANAGER_AUTH_SUBJECT_H__ */

View File

@@ -298,6 +298,7 @@ auth_call_cancel (gpointer user_data)
}
}
#if WITH_POLKIT
static void
pk_call_cb (GObject *object, GAsyncResult *result, gpointer user_data)
{
@@ -345,6 +346,7 @@ pk_call_cb (GObject *object, GAsyncResult *result, gpointer user_data)
auth_call_complete (call);
}
#endif
void
nm_auth_chain_add_call (NMAuthChain *self,
@@ -369,6 +371,7 @@ nm_auth_chain_add_call (NMAuthChain *self,
call->call_idle_id = g_idle_add ((GSourceFunc) auth_call_complete, call);
} else {
/* Non-root always gets authenticated when using polkit */
#if WITH_POLKIT
call->cancellable = g_cancellable_new ();
nm_auth_manager_polkit_authority_check_authorization (auth_manager,
self->subject,
@@ -377,6 +380,14 @@ nm_auth_chain_add_call (NMAuthChain *self,
call->cancellable,
pk_call_cb,
call);
#else
if (!call->chain->error) {
call->chain->error = g_error_new_literal (DBUS_GERROR,
DBUS_GERROR_FAILED,
"Polkit support is disabled at compile time");
}
call->call_idle_id = g_idle_add ((GSourceFunc) auth_call_complete, call);
#endif
}
}