From a01293861fa24201ffaeb84c07f1c71136c49759 Mon Sep 17 00:00:00 2001
From: Colin <colin@uninsane.org>
Date: Sun, 2 Jun 2024 03:59:54 +0000
Subject: [PATCH] polkit: add owner annotations to all actions

this allows one to (optionally) run NetworkManager as a user named
"networkmanager" instead of root without breaking NM-initiated polkit
queries. dbus interactions for an operation like
`nmcli device wifi rescan` look like this:

```
nmcli device wifi rescan
(sent from pid=1234, uid=1000)
  |
  v
org.freedesktop.NetworkManager.Device.Wireless.RequestScan { }
(fielded by NetworkManager.service)
  |
  v
org.freedesktop.PolicyKit1.Authority.CheckAuthorization {
  pid = 1234
  start-time = ...;
  uid = 1000;
  "org.freedesktop.NetworkManager.wifi.scan"
}
(fielded by polkit.service)
```

ordinarily, polkit will check the details of whoever invoked `nmcli`
against its database and tell NetworkManager whether the request is
authorized or not. however if NetworkManager isn't running as root then
polkit will instead reply with:

> ErrorName=org.freedesktop.PolicyKit1.Error.NotAuthorized
> "Only trusted callers (e.g. uid 0 or an action owner) can use
> CheckAuthorization() for subjects belonging to other identities"

to solve this we encode the action owner into the policy so that when
polkit sees the CheckAuthorization message, it knows the caller is
allowed to ask for that.

running NetworkManager as root is unaffected by this patch.
---
 .../org.freedesktop.NetworkManager.policy.in.in | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/data/org.freedesktop.NetworkManager.policy.in.in b/data/org.freedesktop.NetworkManager.policy.in.in
index 13a0a5b50..636b3c8aa 100644
--- a/data/org.freedesktop.NetworkManager.policy.in.in
+++ b/data/org.freedesktop.NetworkManager.policy.in.in
@@ -16,6 +16,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.reload">
@@ -26,6 +27,7 @@
       <allow_inactive>auth_admin_keep</allow_inactive>
       <allow_active>auth_admin_keep</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.sleep-wake">
@@ -35,6 +37,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>no</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.enable-disable-wifi">
@@ -44,6 +47,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.enable-disable-wwan">
@@ -53,6 +57,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.enable-disable-wimax">
@@ -62,6 +67,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.network-control">
@@ -72,6 +78,7 @@
       <allow_inactive>yes</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.wifi.scan">
@@ -82,6 +89,7 @@
       <allow_inactive>yes</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.wifi.share.protected">
@@ -91,6 +99,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.wifi.share.open">
@@ -100,6 +109,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.settings.modify.own">
@@ -110,6 +120,7 @@
       <allow_inactive>yes</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.settings.modify.system">
@@ -120,6 +131,7 @@
       <allow_inactive>@NM_MODIFY_SYSTEM_POLICY@</allow_inactive>
       <allow_active>@NM_MODIFY_SYSTEM_POLICY@</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.settings.modify.hostname">
@@ -130,6 +142,7 @@
       <allow_inactive>auth_admin_keep</allow_inactive>
       <allow_active>auth_admin_keep</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.settings.modify.global-dns">
@@ -140,6 +153,7 @@
       <allow_inactive>auth_admin_keep</allow_inactive>
       <allow_active>auth_admin_keep</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.checkpoint-rollback">
@@ -150,6 +164,7 @@
       <allow_inactive>auth_admin_keep</allow_inactive>
       <allow_active>auth_admin_keep</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.enable-disable-statistics">
@@ -159,6 +174,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.enable-disable-connectivity-check">
@@ -168,6 +184,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
 </policyconfig>