author | Dan Williams <dcbw@redhat.com> | 2014-01-23 16:49:05 -0600 |
---|---|---|
committer | Dan Williams <dcbw@redhat.com> | 2014-01-23 16:49:05 -0600 |
commit | 4b39267b9df394f8fb802073206899004cc84c69 (patch) | |
tree | ce92593c4af1a6c4f8c2462a5b7a8e19f18a7634 | |
parent | 32a001f526c182fa70ede92ffc360112eb7fe9c6 (diff) | |
parent | d000d1223fe33141d3df6dc49d9880ed0f29f729 (diff) | |
download | NetworkManager-4b39267b9df394f8fb802073206899004cc84c69.tar.gz |
merge: remove at_console from D-Bus permissions (bgo #707983) (rh #979416)
Remove at_console, ensuring that all necessary calls are protected by
PolicyKit authorization (which at_console is redundant with). Allows
sessions that are not necessarily local (like SSH or remote desktop)
to talk to NetworkManager, subject to administrator PolicyKit rules.
-rw-r--r-- | introspection/nm-ip4-config.xml | 8 | ||||
-rw-r--r-- | introspection/nm-ip6-config.xml | 8 | ||||
-rw-r--r-- | introspection/nm-manager.xml | 1 | ||||
-rw-r--r-- | introspection/nm-settings.xml | 1 | ||||
-rw-r--r-- | policy/org.freedesktop.NetworkManager.policy.in.in | 9 | ||||
-rw-r--r-- | src/nm-ip4-config.c | 4 | ||||
-rw-r--r-- | src/nm-ip6-config.c | 5 | ||||
-rw-r--r-- | src/nm-manager.c | 39 | ||||
-rw-r--r-- | src/nm-session-monitor-systemd.c | 22 | ||||
-rw-r--r-- | src/org.freedesktop.NetworkManager.conf | 114 | ||||
-rw-r--r-- | src/settings/nm-settings.c | 56 |
11 files changed, 171 insertions, 96 deletions
diff --git a/introspection/nm-ip4-config.xml b/introspection/nm-ip4-config.xml index f21a2e4a0e..6a8750b7f6 100644 --- a/introspection/nm-ip4-config.xml +++ b/introspection/nm-ip4-config.xml @@ -30,6 +30,14 @@ <property name="WinsServers" type="au" access="read"> <tp:docstring>The Windows Internet Name Service servers associated with the connection. Each address is in network byte order.</tp:docstring> </property> + + <signal name="PropertiesChanged"> + <arg name="properties" type="a{sv}" tp:type="String_Variant_Map"> + <tp:docstring> + A dictionary mapping property names to variant boxed values + </tp:docstring> + </arg> + </signal> </interface> </node> diff --git a/introspection/nm-ip6-config.xml b/introspection/nm-ip6-config.xml index dcec871391..55c519e701 100644 --- a/introspection/nm-ip6-config.xml +++ b/introspection/nm-ip6-config.xml @@ -20,6 +20,14 @@ <property name="Searches" type="as" access="read"> <tp:docstring>A list of dns searches.</tp:docstring> </property> + + <signal name="PropertiesChanged"> + <arg name="properties" type="a{sv}" tp:type="String_Variant_Map"> + <tp:docstring> + A dictionary mapping property names to variant boxed values + </tp:docstring> + </arg> + </signal> </interface> </node> diff --git a/introspection/nm-manager.xml b/introspection/nm-manager.xml index 2d4cbf8269..27610cfc9b 100644 --- a/introspection/nm-manager.xml +++ b/introspection/nm-manager.xml @@ -209,6 +209,7 @@ <method name="SetLogging"> <annotation name="org.freedesktop.DBus.GLib.CSymbol" value="impl_manager_set_logging"/> + <annotation name="org.freedesktop.DBus.GLib.Async" value=""/> <tp:docstring> Set logging verbosity and which operations are logged. </tp:docstring> diff --git a/introspection/nm-settings.xml b/introspection/nm-settings.xml index 7e02db7216..e36f206db9 100644 --- a/introspection/nm-settings.xml +++ b/introspection/nm-settings.xml 
@@ -23,6 +23,7 @@ Retrieve the object path of a connection, given that connection's UUID. </tp:docstring> <annotation name="org.freedesktop.DBus.GLib.CSymbol" value="impl_settings_get_connection_by_uuid"/> + <annotation name="org.freedesktop.DBus.GLib.Async" value=""/> <arg name="uuid" type="s" direction="in"> <tp:docstring> The UUID to find the connection object path for. diff --git a/policy/org.freedesktop.NetworkManager.policy.in.in b/policy/org.freedesktop.NetworkManager.policy.in.in index ea3777a470..2de066c1e0 100644 --- a/policy/org.freedesktop.NetworkManager.policy.in.in +++ b/policy/org.freedesktop.NetworkManager.policy.in.in @@ -85,8 +85,7 @@ <_description>Modify personal network connections</_description> <_message>System policy prevents modification of personal network settings</_message> <defaults> - <allow_inactive>no</allow_inactive> - <allow_active>yes</allow_active> + <allow_any>yes</allow_any> </defaults> </action> @@ -94,8 +93,7 @@ <_description>Modify network connections for all users</_description> <_message>System policy prevents modification of network settings for all users</_message> <defaults> - <allow_inactive>no</allow_inactive> - <allow_active>@NM_MODIFY_SYSTEM_POLICY@</allow_active> + <allow_any>@NM_MODIFY_SYSTEM_POLICY@</allow_any> </defaults> </action> @@ -103,8 +101,7 @@ <_description>Modify persistent system hostname</_description> <_message>System policy prevents modification of the persistent system hostname</_message> <defaults> - <allow_inactive>no</allow_inactive> - <allow_active>auth_admin_keep</allow_active> + <allow_any>auth_admin_keep</allow_any> </defaults> </action> diff --git a/src/nm-ip4-config.c b/src/nm-ip4-config.c index c7c00a41d7..b9ce0cbadb 100644 --- a/src/nm-ip4-config.c +++ b/src/nm-ip4-config.c 
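Review bot: In the three `<defaults>` blocks of policy/org.freedesktop.NetworkManager.policy.in.in ("Modify personal network connections" and the two actions after it), the new side keeps only `<allow_any>` and drops `<allow_inactive>` and `<allow_active>`, so what a local session gets now depends on how polkit treats the omitted elements. As far as I know polkit does not fall back to `allow_any` for them, which should be confirmed before relying on it. Spelling all three out keeps the intent visible: `<allow_any>yes</allow_any>`, `<allow_inactive>yes</allow_inactive>`, `<allow_active>yes</allow_active>`. Separately, `yes` under `allow_any` for "Modify personal network connections" means an SSH or remote-desktop session can change its own connections with no authentication prompt by default. A stricter non-local default such as `auth_self_keep` would leave that relaxation to explicit administrator rules.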
@@ -1688,5 +1688,7 @@ nm_ip4_config_class_init (NMIP4ConfigClass *config_class) g_object_class_install_properties (object_class, LAST_PROP, obj_properties); - dbus_g_object_type_install_info (G_TYPE_FROM_CLASS (config_class), &dbus_glib_nm_ip4_config_object_info); + nm_dbus_manager_register_exported_type (nm_dbus_manager_get (), + G_TYPE_FROM_CLASS (config_class), + &dbus_glib_nm_ip4_config_object_info); } diff --git a/src/nm-ip6-config.c b/src/nm-ip6-config.c index 6e9f1f2558..178f0b51b1 100644 --- a/src/nm-ip6-config.c +++ b/src/nm-ip6-config.c @@ -1509,6 +1509,7 @@ nm_ip6_config_class_init (NMIP6ConfigClass *config_class) g_object_class_install_properties (object_class, LAST_PROP, obj_properties); - dbus_g_object_type_install_info (G_TYPE_FROM_CLASS (config_class), - &dbus_glib_nm_ip6_config_object_info); + nm_dbus_manager_register_exported_type (nm_dbus_manager_get (), + G_TYPE_FROM_CLASS (config_class), + &dbus_glib_nm_ip6_config_object_info); } diff --git a/src/nm-manager.c b/src/nm-manager.c index 4fa1991225..e5a9702966 100644 --- a/src/nm-manager.c +++ b/src/nm-manager.c @@ -123,10 +123,10 @@ static gboolean impl_manager_get_state (NMManager *manager, guint32 *state, GError **error); -static gboolean impl_manager_set_logging (NMManager *manager, - const char *level, - const char *domains, - GError **error); +static void impl_manager_set_logging (NMManager *manager, + const char *level, + const char *domains, + DBusGMethodInvocation *context); static void impl_manager_get_logging (NMManager *manager, char **level, 
@@ -4002,13 +4002,31 @@ impl_manager_get_state (NMManager *manager, guint32 *state, GError **error) return TRUE; } -static gboolean +static void impl_manager_set_logging (NMManager *manager, const char *level, const char *domains, - GError **error) + DBusGMethodInvocation *context) { - if (nm_logging_setup (level, domains, NULL, error)) { + NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (manager); + GError *error = NULL; + gulong caller_uid = G_MAXULONG; + + if (!nm_dbus_manager_get_caller_info (priv->dbus_mgr, context, NULL, &caller_uid, NULL)) { + error = g_error_new_literal (NM_MANAGER_ERROR, + NM_MANAGER_ERROR_PERMISSION_DENIED, + "Failed to get request UID."); + goto done; + } + + if (0 != caller_uid) { + error = g_error_new_literal (NM_MANAGER_ERROR, + NM_MANAGER_ERROR_PERMISSION_DENIED, + "Permission denied"); + goto done; + } + + if (nm_logging_setup (level, domains, NULL, &error)) { char *new_level = nm_logging_level_to_string (); char *new_domains = nm_logging_domains_to_string (); @@ -4016,9 +4034,12 @@ impl_manager_set_logging (NMManager *manager, new_level, new_domains); g_free (new_level); g_free (new_domains); - return TRUE; } - return FALSE; + +done: + if (error) + dbus_g_method_return_error (context, error); + g_clear_error (&error); } static void diff --git a/src/nm-session-monitor-systemd.c b/src/nm-session-monitor-systemd.c index 4d8edab2d2..f195c1e775 100644 --- a/src/nm-session-monitor-systemd.c +++ b/src/nm-session-monitor-systemd.c 
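Review bot: The success path of the now-asynchronous `impl_manager_set_logging` never replies to the caller: the `done:` label calls `dbus_g_method_return_error (context, error)` only when `error` is set, and nothing in the two visible hunks calls `dbus_g_method_return`. With the `Async` annotation added to SetLogging in nm-manager.xml, a successful call would leave the D-Bus client waiting until its timeout. Suggested change at `done:`: `if (error) dbus_g_method_return_error (context, error); else dbus_g_method_return (context);`. About one line of the function between the two hunks is not shown, so confirm the reply is not already sent there.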
@@ -234,18 +234,19 @@ nm_session_monitor_uid_has_session (NMSessionMonitor *monitor, const char **out_user, GError **error) { - int ret; + int num_sessions; if (!nm_session_uid_to_user (uid, out_user, error)) return FALSE; - ret = sd_uid_get_sessions (uid, FALSE, NULL) > 0; - if (ret < 0) { + /* Get all sessions (including inactive ones) for the user */ + num_sessions = sd_uid_get_sessions (uid, 0, NULL); + if (num_sessions < 0) { nm_log_warn (LOGD_CORE, "Failed to get systemd sessions for uid %d: %d", - uid, ret); + uid, num_sessions); return FALSE; } - return ret > 0 ? TRUE : FALSE; + return num_sessions > 0; } gboolean @@ -253,13 +254,14 @@ nm_session_monitor_uid_active (NMSessionMonitor *monitor, uid_t uid, GError **error) { - int ret; + int num_sessions; - ret = sd_uid_get_sessions (uid, TRUE, NULL) > 0; - if (ret < 0) { + /* Get active sessions for the user */ + num_sessions = sd_uid_get_sessions (uid, 1, NULL); + if (num_sessions < 0) { nm_log_warn (LOGD_CORE, "Failed to get active systemd sessions for uid %d: %d", - uid, ret); + uid, num_sessions); return FALSE; } - return ret > 0 ? TRUE : FALSE; + return num_sessions > 0; } diff --git a/src/org.freedesktop.NetworkManager.conf b/src/org.freedesktop.NetworkManager.conf index db68374cc8..bdfe3e6773 100644 --- a/src/org.freedesktop.NetworkManager.conf +++ b/src/org.freedesktop.NetworkManager.conf 
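Review bot: When `sd_uid_get_sessions` fails, `nm_session_monitor_uid_has_session` returns FALSE without filling the `error` argument it takes, and `nm_session_monitor_uid_active` in the second hunk does the same, so a caller cannot tell a systemd failure from "no session". The result fails closed, which is the right direction for an authorization input, but the cause is visible only in the log. Consider setting `error` in the `num_sessions < 0` branch, for example with `g_set_error` and `g_strerror (-num_sessions)`. The warning also prints `uid` with `%d`; since `uid_t` is not guaranteed to be `int`, pass `(int) uid` or switch to `%u` with an unsigned cast. Both function signatures begin outside the hunks.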
@@ -26,93 +26,99 @@ <allow send_destination="org.freedesktop.NetworkManager.ssh"/> <allow send_destination="org.freedesktop.NetworkManager.iodine"/> </policy> - <policy at_console="true"> - <allow send_destination="org.freedesktop.NetworkManager"/> + <policy context="default"> + <deny own="org.freedesktop.NetworkManager"/> + <deny send_destination="org.freedesktop.NetworkManager"/> + + <!-- Basic D-Bus API stuff --> <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.DBus.Introspectable"/> - <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.DBus.Properties"/> + <!-- Devices (read-only properties, no methods) --> <allow send_destination="org.freedesktop.NetworkManager" - send_interface="org.freedesktop.NetworkManager"/> - + send_interface="org.freedesktop.NetworkManager.Device.Adsl"/> <allow send_destination="org.freedesktop.NetworkManager" - send_interface="org.freedesktop.NetworkManager.AccessPoint"/> - + send_interface="org.freedesktop.NetworkManager.Device.Bond"/> <allow send_destination="org.freedesktop.NetworkManager" - send_interface="org.freedesktop.NetworkManager.Connection.Active"/> - + send_interface="org.freedesktop.NetworkManager.Device.Bridge"/> <allow send_destination="org.freedesktop.NetworkManager" - send_interface="org.freedesktop.NetworkManager.Device.Modem"/> - + send_interface="org.freedesktop.NetworkManager.Device.Bluetooth"/> <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.Wired"/> + <allow send_destination="org.freedesktop.NetworkManager" + send_interface="org.freedesktop.NetworkManager.Device.Generic"/> + <allow send_destination="org.freedesktop.NetworkManager" + send_interface="org.freedesktop.NetworkManager.Device.Gre"/> + <allow send_destination="org.freedesktop.NetworkManager" + send_interface="org.freedesktop.NetworkManager.Device.Infiniband"/> + <allow 
send_destination="org.freedesktop.NetworkManager" + send_interface="org.freedesktop.NetworkManager.Device.Macvlan"/> + <allow send_destination="org.freedesktop.NetworkManager" + send_interface="org.freedesktop.NetworkManager.Device.Modem"/> + <allow send_destination="org.freedesktop.NetworkManager" + send_interface="org.freedesktop.NetworkManager.Device.OlpcMesh"/> + <allow send_destination="org.freedesktop.NetworkManager" + send_interface="org.freedesktop.NetworkManager.Device.Team"/> + <allow send_destination="org.freedesktop.NetworkManager" + send_interface="org.freedesktop.NetworkManager.Device.Tun"/> + <allow send_destination="org.freedesktop.NetworkManager" + send_interface="org.freedesktop.NetworkManager.Device.Veth"/> + <allow send_destination="org.freedesktop.NetworkManager" + send_interface="org.freedesktop.NetworkManager.Device.Vlan"/> + <allow send_destination="org.freedesktop.NetworkManager" + send_interface="org.freedesktop.NetworkManager.WiMax.Nsp"/> + <allow send_destination="org.freedesktop.NetworkManager" + send_interface="org.freedesktop.NetworkManager.AccessPoint"/> + <!-- Devices (read-only, no security required) --> <allow send_destination="org.freedesktop.NetworkManager" - send_interface="org.freedesktop.NetworkManager.Device.Serial"/> + send_interface="org.freedesktop.NetworkManager.Device.WiMax"/> + <!-- Devices (read/write, secured with PolicyKit) --> <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device.Wireless"/> - <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device"/> + <!-- Core stuff (read-only properties, no methods) --> + <allow send_destination="org.freedesktop.NetworkManager" + send_interface="org.freedesktop.NetworkManager.Connection.Active"/> <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.DHCP4Config"/> - + <allow 
send_destination="org.freedesktop.NetworkManager" + send_interface="org.freedesktop.NetworkManager.DHCP6Config"/> <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.IP4Config"/> - + <allow send_destination="org.freedesktop.NetworkManager" + send_interface="org.freedesktop.NetworkManager.IP6Config"/> <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.VPN.Connection"/> + <!-- Core stuff (read/write, secured with PolicyKit) --> <allow send_destination="org.freedesktop.NetworkManager" - send_interface="org.freedesktop.NetworkManager.AgentManager"/> - - <deny send_destination="org.freedesktop.NetworkManager" - send_interface="org.freedesktop.NetworkManager" - send_member="SetLogging"/> - - <deny send_destination="org.freedesktop.NetworkManager" - send_interface="org.freedesktop.NetworkManager" - send_member="Sleep"/> - - <deny send_destination="org.freedesktop.NetworkManager" - send_interface="org.freedesktop.NetworkManager" - send_member="sleep"/> - - <deny send_destination="org.freedesktop.NetworkManager" - send_interface="org.freedesktop.NetworkManager" - send_member="wake"/> - </policy> - <policy context="default"> - <deny own="org.freedesktop.NetworkManager"/> - - <deny send_destination="org.freedesktop.NetworkManager"/> - + send_interface="org.freedesktop.NetworkManager"/> <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Settings"/> + <allow send_destination="org.freedesktop.NetworkManager" + send_interface="org.freedesktop.NetworkManager.Settings.Connection"/> + <!-- Agents; secured with PolicyKit. Any process can talk to + the AgentManager API, but only NetworkManager can talk + to the agents themselves. 
--> <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.AgentManager"/> - - <deny send_destination="org.freedesktop.NetworkManager" - send_interface="org.freedesktop.NetworkManager" - send_member="SetLogging"/> - - <deny send_destination="org.freedesktop.NetworkManager" - send_interface="org.freedesktop.NetworkManager" - send_member="Sleep"/> - - <deny send_destination="org.freedesktop.NetworkManager" - send_interface="org.freedesktop.NetworkManager" - send_member="sleep"/> - - <deny send_destination="org.freedesktop.NetworkManager" - send_interface="org.freedesktop.NetworkManager" - send_member="wake"/> + <deny send_interface="org.freedesktop.NetworkManager.SecretAgent"/> + + <!-- Root-only functions --> + <deny send_interface="org.freedesktop.NetworkManager" send_member="SetLogging"/> + <deny send_interface="org.freedesktop.NetworkManager" send_member="Sleep"/> + <deny send_interface="org.freedesktop.NetworkManager.Settings" send_member="LoadConnections"/> + <deny send_interface="org.freedesktop.NetworkManager.Settings" send_member="ReloadConnections"/> + <deny send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/> + <deny send_interface="org.freedesktop.NetworkManager.PPP"/> </policy> </busconfig> diff --git a/src/settings/nm-settings.c b/src/settings/nm-settings.c index 42c8b95f68..a9bb90599a 100644 --- a/src/settings/nm-settings.c +++ b/src/settings/nm-settings.c @@ -91,10 +91,10 @@ static gboolean impl_settings_list_connections (NMSettings *self, GPtrArray **connections, GError **error); -static gboolean impl_settings_get_connection_by_uuid (NMSettings *self, - const char *uuid, - char **out_object_path, - GError **error); +static void impl_settings_get_connection_by_uuid (NMSettings *self, + const char *uuid, + char **out_object_path, + DBusGMethodInvocation *context); static void impl_settings_add_connection (NMSettings *self, GHashTable *settings, 
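Review bot: The new `<deny>` rules at the end of the `context="default"` policy omit `send_destination`, unlike the rules they replace. The dbus-daemon documentation warns against a `<deny send_interface="…"/>` rule with no destination: the interface field of a message is optional, so such a rule also matches interface-less messages, and it does so for every service on the bus rather than only NetworkManager. For the SetLogging, Sleep, LoadConnections and ReloadConnections rules, keep the destination, e.g. `<deny send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager" send_member="SetLogging"/>`. The SecretAgent, VPN.Plugin and PPP rules have no member filter at all, so they need explicit scoping to the services they are meant to protect.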
@@ -268,25 +268,53 @@ nm_settings_get_connection_by_uuid (NMSettings *self, const char *uuid) return NULL; } -static gboolean +static void impl_settings_get_connection_by_uuid (NMSettings *self, const char *uuid, char **out_object_path, - GError **error) + DBusGMethodInvocation *context) { NMSettingsConnection *connection = NULL; + NMAuthSubject *subject; + GError *error = NULL; + char *error_desc = NULL; connection = nm_settings_get_connection_by_uuid (self, uuid); - if (connection) - *out_object_path = g_strdup (nm_connection_get_path (NM_CONNECTION (connection))); - else { - g_set_error_literal (error, - NM_SETTINGS_ERROR, - NM_SETTINGS_ERROR_INVALID_CONNECTION, - "No connection with the UUID was found."); + if (!connection) { + error = g_error_new_literal (NM_SETTINGS_ERROR, + NM_SETTINGS_ERROR_INVALID_CONNECTION, + "No connection with the UUID was found."); + goto error; } - return !!connection; + subject = nm_auth_subject_new_from_context (context); + if (!subject) { + error = g_error_new_literal (NM_SETTINGS_ERROR, + NM_SETTINGS_ERROR_PERMISSION_DENIED, + "Unable to determine UID of request."); + goto error; + } + + if (!nm_auth_uid_in_acl (NM_CONNECTION (connection), + nm_session_monitor_get (), + nm_auth_subject_get_uid (subject), + &error_desc)) { + error = g_error_new_literal (NM_SETTINGS_ERROR, + NM_SETTINGS_ERROR_PERMISSION_DENIED, + error_desc); + g_free (error_desc); + goto error; + } + + g_clear_object (&subject); + dbus_g_method_return (context, nm_connection_get_path (NM_CONNECTION (connection))); + return; + +error: + g_assert (error); + dbus_g_method_return_error (context, error); + g_error_free (error); + g_clear_object (&subject); } static int |
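Review bot: `subject` is declared without an initializer in `impl_settings_get_connection_by_uuid`, yet the first `goto error` (no connection for the UUID) reaches `g_clear_object (&subject)` before it is assigned, which unrefs an indeterminate pointer; declare it as `NMAuthSubject *subject = NULL;`. The handler also keeps `char **out_object_path` ahead of `context`. As far as I know dbus-glib passes an `Async` handler only the in-arguments followed by the invocation, so that parameter should probably be dropped here and in the prototype; please confirm against the generated glue. Finally, returning "No connection with the UUID was found." before the ACL check lets a caller outside the ACL distinguish existing UUIDs from missing ones, and answering both cases with the same error would avoid that.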