colin/NetworkManager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: colin:main
Branches Tags
colin:main colin:dev-sane-1.48.0 colin:dev-sane-1.46.0 colin:dev-sane
...
pull from: colin:dev-sane-1.46.0
Branches Tags
colin:main colin:dev-sane-1.48.0 colin:dev-sane-1.46.0 colin:dev-sane

1 Commits
main ... dev-sane-1

Author SHA1 Message Date
Colin
e27ef70980 polkit: add owner annotations to all actions 
this allows one to (optionally) run NetworkManager as a user named
"networkmanager" instead of root without breaking NM-initiated polkit
queries. dbus interactions for an operation like
`nmcli device wifi rescan` look like this:

```
nmcli device wifi rescan
(sent from pid=1234, uid=1000)
  |
  v
org.freedesktop.NetworkManager.Device.Wireless.RequestScan { }
(fielded by NetworkManager.service)
  |
  v
org.freedesktop.PolicyKit1.Authority.CheckAuthorization {
  pid = 1234
  start-time = ...;
  uid = 1000;
  "org.freedesktop.NetworkManager.wifi.scan"
}
(fielded by polkit.service)
```

ordinarily, polkit will check the details of whoever invoked `nmcli`
against its database and tell NetworkManager whether the request is
authorized or not. however if NetworkManager isn't running as root then
polkit will instead reply with:

> ErrorName=org.freedesktop.PolicyKit1.Error.NotAuthorized
> "Only trusted callers (e.g. uid 0 or an action owner) can use
> CheckAuthorization() for subjects belonging to other identities"

to solve this we encode the action owner into the policy so that when
polkit sees the CheckAuthorization message, it knows the caller is
allowed to ask for that.

running NetworkManager as root is unaffected by this patch.
 2024-06-02 04:52:25 +00:00
1 changed files with 17 additions and 0 deletions
Expand all files Collapse all files

17
data/org.freedesktop.NetworkManager.policy.in.in
View File

@@ -16,6 +16,7 @@
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.reload">
@@ -26,6 +27,7 @@
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.sleep-wake">
@@ -35,6 +37,7 @@
<allow_inactive>no</allow_inactive>
<allow_active>no</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.enable-disable-wifi">
@@ -44,6 +47,7 @@
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.enable-disable-wwan">
@@ -53,6 +57,7 @@
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.enable-disable-wimax">
@@ -62,6 +67,7 @@
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.network-control">
@@ -72,6 +78,7 @@
<allow_inactive>yes</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.wifi.scan">
@@ -82,6 +89,7 @@
<allow_inactive>yes</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.wifi.share.protected">
@@ -91,6 +99,7 @@
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.wifi.share.open">
@@ -100,6 +109,7 @@
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.settings.modify.own">
@@ -110,6 +120,7 @@
<allow_inactive>yes</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.settings.modify.system">
@@ -120,6 +131,7 @@
<allow_inactive>@NM_MODIFY_SYSTEM_POLICY@</allow_inactive>
<allow_active>@NM_MODIFY_SYSTEM_POLICY@</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.settings.modify.hostname">
@@ -130,6 +142,7 @@
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.settings.modify.global-dns">
@@ -140,6 +153,7 @@
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.checkpoint-rollback">
@@ -150,6 +164,7 @@
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.enable-disable-statistics">
@@ -159,6 +174,7 @@
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.enable-disable-connectivity-check">
@@ -168,6 +184,7 @@
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
</policyconfig>