colin/NetworkManager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e27ef709803f416698295422b1e614a3cf93df50
NetworkManager/data/org.freedesktop.NetworkManager.policy.in.in
Colin e27ef70980 polkit: add owner annotations to all actions 
this allows one to (optionally) run NetworkManager as a user named
"networkmanager" instead of root without breaking NM-initiated polkit
queries. dbus interactions for an operation like
`nmcli device wifi rescan` look like this:

```
nmcli device wifi rescan
(sent from pid=1234, uid=1000)
  |
  v
org.freedesktop.NetworkManager.Device.Wireless.RequestScan { }
(fielded by NetworkManager.service)
  |
  v
org.freedesktop.PolicyKit1.Authority.CheckAuthorization {
  pid = 1234
  start-time = ...;
  uid = 1000;
  "org.freedesktop.NetworkManager.wifi.scan"
}
(fielded by polkit.service)
```

ordinarily, polkit will check the details of whoever invoked `nmcli`
against its database and tell NetworkManager whether the request is
authorized or not. however if NetworkManager isn't running as root then
polkit will instead reply with:

> ErrorName=org.freedesktop.PolicyKit1.Error.NotAuthorized
> "Only trusted callers (e.g. uid 0 or an action owner) can use
> CheckAuthorization() for subjects belonging to other identities"

to solve this we encode the action owner into the policy so that when
polkit sees the CheckAuthorization message, it knows the caller is
allowed to ask for that.

running NetworkManager as root is unaffected by this patch.
2024-06-02 04:52:25 +00:00

192 lines
8.2 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
<vendor>NetworkManager</vendor>
<vendor_url>https://networkmanager.dev/</vendor_url>
<icon_name>nm-icon</icon_name>
<action id="org.freedesktop.NetworkManager.enable-disable-network">
<description>Enable or disable system networking</description>
<message>System policy prevents enabling or disabling system networking</message>
<defaults>
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.reload">
<description>Reload NetworkManager configuration</description>
<message>System policy prevents reloading NetworkManager</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.sleep-wake">
<description>Put NetworkManager to sleep or wake it up (should only be used by system power management)</description>
<message>System policy prevents putting NetworkManager to sleep or waking it up</message>
<defaults>
<allow_inactive>no</allow_inactive>
<allow_active>no</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.enable-disable-wifi">
<description>Enable or disable Wi-Fi devices</description>
<message>System policy prevents enabling or disabling Wi-Fi devices</message>
<defaults>
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.enable-disable-wwan">
<description>Enable or disable mobile broadband devices</description>
<message>System policy prevents enabling or disabling mobile broadband devices</message>
<defaults>
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.enable-disable-wimax">
<description>Enable or disable WiMAX mobile broadband devices</description>
<message>System policy prevents enabling or disabling WiMAX mobile broadband devices</message>
<defaults>
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.network-control">
<description>Allow control of network connections</description>
<message>System policy prevents control of network connections</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>yes</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.wifi.scan">
<description>Allow control of Wi-Fi scans</description>
<message>System policy prevents Wi-Fi scans</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>yes</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.wifi.share.protected">
<description>Connection sharing via a protected Wi-Fi network</description>
<message>System policy prevents sharing connections via a protected Wi-Fi network</message>
<defaults>
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.wifi.share.open">
<description>Connection sharing via an open Wi-Fi network</description>
<message>System policy prevents sharing connections via an open Wi-Fi network</message>
<defaults>
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.settings.modify.own">
<description>Modify personal network connections</description>
<message>System policy prevents modification of personal network settings</message>
<defaults>
<allow_any>auth_self_keep</allow_any>
<allow_inactive>yes</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.settings.modify.system">
<description>Modify network connections for all users</description>
<message>System policy prevents modification of network settings for all users</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>@NM_MODIFY_SYSTEM_POLICY@</allow_inactive>
<allow_active>@NM_MODIFY_SYSTEM_POLICY@</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.settings.modify.hostname">
<description>Modify persistent system hostname</description>
<message>System policy prevents modification of the persistent system hostname</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.settings.modify.global-dns">
<description>Modify persistent global DNS configuration</description>
<message>System policy prevents modification of the persistent global DNS configuration</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.checkpoint-rollback">
<description>Perform a checkpoint or rollback of interfaces configuration</description>
<message>System policy prevents the creation of a checkpoint or its rollback</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.enable-disable-statistics">
<description>Enable or disable device statistics</description>
<message>System policy prevents enabling or disabling device statistics</message>
<defaults>
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
<action id="org.freedesktop.NetworkManager.enable-disable-connectivity-check">
<description>Enable or disable connectivity checking</description>
<message>System policy prevents enabling or disabling connectivity checking</message>
<defaults>
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
</action>
</policyconfig>
Reference in New Issue View Git Blame Copy Permalink