auth: support disabling POLKIT authentication entirely at compile time

Let the user completly disable polkit authentication by
building NM with configure option  '--enable-polkit=disabled'.

In that case, configuring 'main.auth-polkit=yes' will fail all
authentication requests (except root-requests, which are always granted).

This reduces the size of the NetworkManager binary by some 26KB (16KB
stripped).

Signed-off-by: Thomas Haller <thaller@redhat.com>

configure.ac

@@ -457,9 +457,14 @@ else
 fi
 AM_CONDITIONAL(WITH_TEAMDCTL, test "${enable_teamdctl}" = "yes")
 
-AC_ARG_ENABLE(polkit, AS_HELP_STRING([--enable-polkit], [set default value for auth-polkit configuration option]),
+# we usually compile with polkit support. --enable-polkit=yes|no only sets the
+# default configuration for main.auth-polkit. User can always enable/disable polkit
+# autorization via config. Only when specifying --enable-polkit=disabled, we do
+# not compile support. In this case, the user cannot enable polkit authorization via
+# configuration.
+AC_ARG_ENABLE(polkit, AS_HELP_STRING([--enable-polkit=yes|no|disabled], [set default value for auth-polkit configuration option. This value can be overwritten by NM configuration. 'disabled' compiles NM without any support]),
                      [enable_polkit=${enableval}], [enable_polkit=yes])
-if (test "${enable_polkit}" != "no"); then
+if (test "${enable_polkit}" != "no" -a "${enable_polkit}" != "disabled"); then
 	enable_polkit=yes
 	AC_DEFINE(NM_CONFIG_DEFAULT_AUTH_POLKIT, TRUE, [The default value of the auth-polkit configuration option])
 	NM_CONFIG_DEFAULT_AUTH_POLKIT_TEXT='true'
@@ -467,6 +472,11 @@ else
 	AC_DEFINE(NM_CONFIG_DEFAULT_AUTH_POLKIT, FALSE, [The default value of the auth-polkit configuration option])
 	NM_CONFIG_DEFAULT_AUTH_POLKIT_TEXT='false'
 fi
+if (test "${enable_polkit}" != "disabled"); then
+	AC_DEFINE(WITH_POLKIT, 1, [whether to compile polkit support])
+else
+	AC_DEFINE(WITH_POLKIT, 0, [whether to compile polkit support])
+fi
 AC_SUBST(NM_CONFIG_DEFAULT_AUTH_POLKIT_TEXT)
 
 AC_ARG_ENABLE(modify-system,
@@ -961,10 +971,14 @@ echo
 echo "Platform:"
 echo "  session tracking: $with_session_tracking"
 echo "  suspend/resume: $with_suspend_resume"
-if test "${enable_modify_system}" = "yes"; then
-	echo "  policykit: yes (permissive modify.system) (default=${enable_polkit})"
+if test "${enable_polkit}" = "yes"; then
+	if test "${enable_modify_system}" = "yes"; then
+		echo "  policykit: yes (permissive modify.system) (default=${enable_polkit})"
+	else
+		echo "  policykit: yes (restrictive modify.system) (default=${enable_polkit})"
+	fi
 else
-	echo "  policykit: yes (restrictive modify.system) (default=${enable_polkit})"
+	echo  "  policykit: no"
 fi
 echo "  selinux: $have_selinux"
 echo

src/nm-auth-manager.c

@@ -66,10 +66,12 @@ static guint signals[LAST_SIGNAL] = {0};
 
 typedef struct {
 	gboolean polkit_enabled;
+#if WITH_POLKIT
 	guint call_id_counter;
 	GCancellable *new_proxy_cancellable;
 	GSList *queued_calls;
 	GDBusProxy *proxy;
+#endif
 } NMAuthManagerPrivate;
 
 static NMAuthManager *_instance = NULL;
@@ -100,6 +102,8 @@ nm_auth_manager_get_polkit_enabled (NMAuthManager *self)
 
 /*****************************************************************************/
 
+#if WITH_POLKIT
+
 typedef enum {
 	POLKIT_CHECK_AUTHORIZATION_FLAGS_NONE                   = 0,
 	POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION = (1<<0),
@@ -477,6 +481,8 @@ _dbus_new_proxy_cb (GObject *source_object,
 	_emit_changed_signal (self);
 }
 
+#endif
+
 /*****************************************************************************/
 
 NMAuthManager *
@@ -548,6 +554,7 @@ constructed (GObject *object)
 
 	G_OBJECT_CLASS (nm_auth_manager_parent_class)->constructed (object);
 
+#if WITH_POLKIT
 	_LOGD ("create auth-manager: polkit %s", priv->polkit_enabled ? "enabled" : "disabled");
 
 	if (priv->polkit_enabled) {
@@ -567,6 +574,12 @@ constructed (GObject *object)
 		                          _dbus_new_proxy_cb,
 		                          p_self);
 	}
+#else
+	if (priv->polkit_enabled)
+		_LOGW ("create auth-manager: polkit disabled at compile time. All authentication requests will fail");
+	else
+		_LOGD ("create auth-manager: polkit disabled at compile time");
+#endif
 }
 
 
@@ -574,10 +587,13 @@ static void
 dispose (GObject *object)
 {
 	NMAuthManager* self = NM_AUTH_MANAGER (object);
+#if WITH_POLKIT
 	NMAuthManagerPrivate *priv = NM_AUTH_MANAGER_GET_PRIVATE (self);
+#endif
 
 	_LOGD ("dispose");
 
+#if WITH_POLKIT
 	/* since we take a reference for each queued call, we don't expect to have any queued calls in dispose() */
 	g_assert (!priv->queued_calls);
 
@@ -591,6 +607,7 @@ dispose (GObject *object)
 		g_signal_handlers_disconnect_by_func (priv->proxy, _dbus_on_g_signal_cb, self);
 		g_clear_object (&priv->proxy);
 	}
+#endif
 
 	G_OBJECT_CLASS (nm_auth_manager_parent_class)->dispose (object);
 }

src/nm-auth-manager.h

@@ -62,6 +62,8 @@ NMAuthManager *nm_auth_manager_get (void);
 
 gboolean nm_auth_manager_get_polkit_enabled (NMAuthManager *self);
 
+#if WITH_POLKIT
+
 void nm_auth_manager_polkit_authority_check_authorization (NMAuthManager *self,
                                                            NMAuthSubject *subject,
                                                            const char *action_id,
@@ -75,6 +77,7 @@ gboolean nm_auth_manager_polkit_authority_check_authorization_finish (NMAuthMana
                                                                       gboolean *out_is_challenge,
                                                                       GError **error);
 
+#endif
 
 G_END_DECLS
 

src/nm-auth-subject.c

@@ -150,6 +150,8 @@ nm_auth_subject_to_string (NMAuthSubject *self, char *buf, gsize buf_len)
 	return buf;
 }
 
+#if WITH_POLKIT
+
 /* returns a floating variant */
 GVariant *
 nm_auth_subject_unix_process_to_polkit_gvariant (NMAuthSubject *self)
@@ -171,6 +173,8 @@ nm_auth_subject_unix_process_to_polkit_gvariant (NMAuthSubject *self)
 	return ret;
 }
 
+#endif
+
 NMAuthSubjectType
 nm_auth_subject_get_subject_type (NMAuthSubject *subject)
 {

src/nm-auth-subject.h

@@ -82,6 +82,10 @@ gulong nm_auth_subject_get_unix_process_uid (NMAuthSubject *subject);
 
 const char *nm_auth_subject_to_string (NMAuthSubject *self, char *buf, gsize buf_len);
 
+#if WITH_POLKIT
+
 GVariant *  nm_auth_subject_unix_process_to_polkit_gvariant (NMAuthSubject *self);
 
+#endif
+
 #endif /* __NETWORKMANAGER_AUTH_SUBJECT_H__ */

src/nm-auth-utils.c

@@ -298,6 +298,7 @@ auth_call_cancel (gpointer user_data)
 	}
 }
 
+#if WITH_POLKIT
 static void
 pk_call_cb (GObject *object, GAsyncResult *result, gpointer user_data)
 {
@@ -345,6 +346,7 @@ pk_call_cb (GObject *object, GAsyncResult *result, gpointer user_data)
 
 	auth_call_complete (call);
 }
+#endif
 
 void
 nm_auth_chain_add_call (NMAuthChain *self,
@@ -369,6 +371,7 @@ nm_auth_chain_add_call (NMAuthChain *self,
 		call->call_idle_id = g_idle_add ((GSourceFunc) auth_call_complete, call);
 	} else {
 		/* Non-root always gets authenticated when using polkit */
+#if WITH_POLKIT
 		call->cancellable = g_cancellable_new ();
 		nm_auth_manager_polkit_authority_check_authorization (auth_manager,
 		                                                      self->subject,
@@ -377,6 +380,14 @@ nm_auth_chain_add_call (NMAuthChain *self,
 		                                                      call->cancellable,
 		                                                      pk_call_cb,
 		                                                      call);
+#else
+		if (!call->chain->error) {
+			call->chain->error = g_error_new_literal (DBUS_GERROR,
+			                                          DBUS_GERROR_FAILED,
+			                                          "Polkit support is disabled at compile time");
+		}
+		call->call_idle_id = g_idle_add ((GSourceFunc) auth_call_complete, call);
+#endif
 	}
 }