authorThomas Haller <thaller@redhat.com>2021-07-18 08:53:43 +0200
committerThomas Haller <thaller@redhat.com>2021-07-26 15:31:46 +0200
commitf137b32d31174e5226f4ab7d3657c90851e50000 (patch)
treef1e4cd3c0db0bebc8567afb156772f0d804de162 /Makefile.am
parent684f2acffea3ed5704330bff05b87acbf371ccdd (diff)
sudo: introduce nm-sudo D-Bus service
NetworkManager runs as root and has lots of capabilities. We want to reduce the attack surface by dropping capabilities, but there is a genuine need to do certain things. For example, we currently require the dac_override capability to open the unix socket of ovsdb. Most users wouldn't use OVS, so we should find a way to not require that dac_override capability. The solution is to have a separate, D-Bus activated service (nm-sudo), which has the capability to open and provide the file descriptor. For authentication, we only rely on D-Bus. We watch the name owner of NetworkManager, and only accept requests from that service. We trust D-Bus to get it right: that a request from that name owner is really coming from NetworkManager. If we couldn't trust that, how could PolicyKit or any authentication via D-Bus work? For testing, the user can set NM_SUDO_NO_AUTH_FOR_TESTING=1. https://bugzilla.redhat.com/show_bug.cgi?id=1921826
Diffstat (limited to 'Makefile.am')
-rw-r--r--Makefile.am62
1 files changed, 61 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index af327de094..7a6f56199a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -504,6 +504,8 @@ src_libnm_base_libnm_base_la_SOURCES = \
src/libnm-base/nm-ethtool-utils-base.h \
src/libnm-base/nm-net-aux.c \
src/libnm-base/nm-net-aux.h \
+ src/libnm-base/nm-sudo-utils.c \
+ src/libnm-base/nm-sudo-utils.h \
$(NULL)
src_libnm_base_libnm_base_la_LDFLAGS = \
@@ -2584,8 +2586,10 @@ src_core_libNetworkManager_la_SOURCES = \
src/core/nm-policy.h \
src/core/nm-rfkill-manager.c \
src/core/nm-rfkill-manager.h \
- src/core/nm-session-monitor.h \
src/core/nm-session-monitor.c \
+ src/core/nm-session-monitor.h \
+ src/core/nm-sudo-call.c \
+ src/core/nm-sudo-call.h \
src/core/nm-keep-alive.c \
src/core/nm-keep-alive.h \
src/core/nm-sleep-monitor.c \
@@ -4618,6 +4622,56 @@ EXTRA_DIST += \
$(NULL)
###############################################################################
+# src/nm-sudo
+###############################################################################
+
+libexec_PROGRAMS += src/nm-sudo/nm-sudo
+
+src_nm_sudo_nm_sudo_SOURCES = \
+ src/nm-sudo/nm-sudo.c \
+ $(NULL)
+
+src_nm_sudo_nm_sudo_CPPFLAGS = \
+ $(dflt_cppflags) \
+ -I$(builddir)/src/libnm-core-public \
+ -I$(srcdir)/src/libnm-core-public \
+ -I$(builddir)/src/libnm-client-public \
+ -I$(srcdir)/src/libnm-client-public \
+ -I$(srcdir)/src \
+ -I$(builddir)/src \
+ $(GLIB_CFLAGS) \
+ $(NULL)
+
+src_nm_sudo_nm_sudo_LDFLAGS = \
+ -Wl,--version-script="$(srcdir)/linker-script-binary.ver" \
+ $(SANITIZER_EXEC_LDFLAGS) \
+ $(NULL)
+
+src_nm_sudo_nm_sudo_LDADD = \
+ src/libnm-base/libnm-base.la \
+ src/libnm-glib-aux/libnm-glib-aux.la \
+ src/libnm-std-aux/libnm-std-aux.la \
+ src/c-siphash/libc-siphash.la \
+ $(GLIB_LIBS) \
+ $(NULL)
+
+src/nm-sudo/org.freedesktop.nm.sudo.service: $(srcdir)/src/nm-sudo/org.freedesktop.nm.sudo.service.in
+ @sed \
+ -e 's|@libexecdir[@]|$(libexecdir)|g' \
+ $< >$@
+
+dbusactivation_DATA += src/nm-sudo/org.freedesktop.nm.sudo.service
+CLEANFILES += src/nm-sudo/org.freedesktop.nm.sudo.service
+
+dbusservice_DATA += src/nm-sudo/nm-sudo.conf
+
+EXTRA_DIST += \
+ src/nm-sudo/nm-sudo.conf \
+ src/nm-sudo/org.freedesktop.nm.sudo.service.in \
+ src/nm-sudo/meson.build \
+ $(NULL)
+
+###############################################################################
# src/nm-daemon-helper
###############################################################################
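Review bot: The recipe for `src/nm-sudo/org.freedesktop.nm.sudo.service` writes straight into `$@` from a hidden `@sed`, so a sed failure leaves a truncated activation file that looks up to date, and the failing command is never echoed; the equivalent `data/nm-sudo.service` rule later in this commit uses `$(AM_V_GEN)` instead. Consider `$(AM_V_GEN) sed -e 's|@libexecdir[@]|$(libexecdir)|g' $< >$@.tmp && mv -f $@.tmp $@` so the target is only replaced on success and the command is visible under `V=1`. The substitution covers only `@libexecdir@`; if the template ever carries another `@…@` placeholder it would reach the installed D-Bus activation file unreplaced, so a one-line comment above the rule, `# only @libexecdir@ is substituted; keep the .in template to that token`, would make the contract explicit. Because this file tells the bus which executable to launch for the nm-sudo name, a stale or half-written copy is the first thing to rule out when activation fails.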
@@ -5299,6 +5353,7 @@ systemdsystemunit_DATA += \
data/NetworkManager.service \
data/NetworkManager-wait-online.service \
data/NetworkManager-dispatcher.service \
+ data/nm-sudo.service \
$(NULL)
data/NetworkManager.service: $(srcdir)/data/NetworkManager.service.in
@@ -5315,6 +5370,9 @@ endif
data/NetworkManager-dispatcher.service: $(srcdir)/data/NetworkManager-dispatcher.service.in
$(AM_V_GEN) $(data_edit) $< >$@
+data/nm-sudo.service: $(srcdir)/data/nm-sudo.service.in
+ $(AM_V_GEN) $(data_edit) $< >$@
+
endif
examples_DATA += data/server.conf
@@ -5344,6 +5402,7 @@ EXTRA_DIST += \
data/NetworkManager-wait-online-systemd-pre200.service.in \
data/NetworkManager-wait-online.service.in \
data/NetworkManager.service.in \
+ data/nm-sudo.service.in \
data/meson.build \
data/nm-shared.xml \
data/server.conf.in \
@@ -5353,6 +5412,7 @@ CLEANFILES += \
data/NetworkManager-dispatcher.service \
data/NetworkManager-wait-online.service \
data/NetworkManager.service \
+ data/nm-sudo.service \
data/server.conf \
$(NULL)