Add polkit action for Wi-Fi scans

Previously, Wi-Fi scans uses polkit action "org.freedesktop.NetworkManager.network-control". This is introduced in commit 5e3e19d0. But in a system with restrict polkit rules, for example "org.freedesktop.NetworkManager.network-control" was set as auth_admin. When you open the network panel of GNOME Control Center, a polkit dialog will keep showing up asking for admin password, as GNOME Control Center scans the Wi-Fi list every 15 seconds. Fix that by adding a new polkit action "org.freedesktop.NetworkManager.wifi.scan" so that distributions can add specific rule to allow Wi-Fi scans. [thaller@redhat.com: fix macro in "shared/nm-common-macros.h"] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/merge_requests/68
2024-07-08 19:55:47 +00:00 · 2019-01-25 14:33:11 +08:00 · 2019-01-25 14:33:11 +08:00 · 243af16c5b
commit 243af16c5b
parent 696cf38f45
7 changed files with 20 additions and 3 deletions
--- a/clients/cli/general.c
+++ b/clients/cli/general.c
@ -124,6 +124,8 @@ permission_to_string (NMClientPermission perm)
 		return NM_AUTH_PERMISSION_ENABLE_DISABLE_STATISTICS;
 	case NM_CLIENT_PERMISSION_ENABLE_DISABLE_CONNECTIVITY_CHECK:
 		return NM_AUTH_PERMISSION_ENABLE_DISABLE_CONNECTIVITY_CHECK;
+	case NM_CLIENT_PERMISSION_WIFI_SCAN:
+		return NM_AUTH_PERMISSION_WIFI_SCAN;
 	default:
 		return _("unknown");
 	}
--- a/data/org.freedesktop.NetworkManager.policy.in.in
+++ b/data/org.freedesktop.NetworkManager.policy.in.in
@ -74,6 +74,16 @@
    </defaults>
  </action>

+  <action id="org.freedesktop.NetworkManager.wifi.scan">
+    <_description>Allow control of Wi-Fi scans</_description>
+    <_message>System policy prevents Wi-Fi scans</_message>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>yes</allow_inactive>
+      <allow_active>yes</allow_active>
+    </defaults>
+  </action>
+
  <action id="org.freedesktop.NetworkManager.wifi.share.protected">
    <_description>Connection sharing via a protected Wi-Fi network</_description>
    <_message>System policy prevents sharing connections via a protected Wi-Fi network</_message>
--- a/libnm/nm-client.h
+++ b/libnm/nm-client.h
@ -107,6 +107,7 @@ G_BEGIN_DECLS
 *  statistics can be globally enabled or disabled
 * @NM_CLIENT_PERMISSION_ENABLE_DISABLE_CONNECTIVITY_CHECK: controls whether
 *  connectivity check can be enabled or disabled
+ * @NM_CLIENT_PERMISSION_WIFI_SCAN: controls whether wifi scans can be performed
 * @NM_CLIENT_PERMISSION_LAST: a reserved boundary value
 *
 * #NMClientPermission values indicate various permissions that NetworkManager
@ -130,8 +131,9 @@ typedef enum {
 	NM_CLIENT_PERMISSION_CHECKPOINT_ROLLBACK = 14,
 	NM_CLIENT_PERMISSION_ENABLE_DISABLE_STATISTICS = 15,
 	NM_CLIENT_PERMISSION_ENABLE_DISABLE_CONNECTIVITY_CHECK = 16,
+	NM_CLIENT_PERMISSION_WIFI_SCAN = 17,

-	NM_CLIENT_PERMISSION_LAST = 16,
+	NM_CLIENT_PERMISSION_LAST = 17,
 } NMClientPermission;

 /**
--- a/libnm/nm-manager.c
+++ b/libnm/nm-manager.c
@ -310,6 +310,8 @@ nm_permission_to_client (const char *nm)
 		return NM_CLIENT_PERMISSION_ENABLE_DISABLE_STATISTICS;
 	else if (!strcmp (nm, NM_AUTH_PERMISSION_ENABLE_DISABLE_CONNECTIVITY_CHECK))
 		return NM_CLIENT_PERMISSION_ENABLE_DISABLE_CONNECTIVITY_CHECK;
+	else if (!strcmp (nm, NM_AUTH_PERMISSION_WIFI_SCAN))
+		return NM_CLIENT_PERMISSION_WIFI_SCAN;

 	return NM_CLIENT_PERMISSION_NONE;
 }
--- a/shared/nm-common-macros.h
+++ b/shared/nm-common-macros.h
@ -40,6 +40,7 @@
 #define NM_AUTH_PERMISSION_CHECKPOINT_ROLLBACK        "org.freedesktop.NetworkManager.checkpoint-rollback"
 #define NM_AUTH_PERMISSION_ENABLE_DISABLE_STATISTICS  "org.freedesktop.NetworkManager.enable-disable-statistics"
 #define NM_AUTH_PERMISSION_ENABLE_DISABLE_CONNECTIVITY_CHECK "org.freedesktop.NetworkManager.enable-disable-connectivity-check"
+#define NM_AUTH_PERMISSION_WIFI_SCAN                  "org.freedesktop.NetworkManager.wifi.scan"

 #define NM_CLONED_MAC_PRESERVE                          "preserve"
 #define NM_CLONED_MAC_PERMANENT                         "permanent"
--- a/src/devices/wifi/nm-device-iwd.c
+++ b/src/devices/wifi/nm-device-iwd.c
@ -1130,7 +1130,7 @@ _nm_device_iwd_request_scan (NMDeviceIwd *self,
 	                       NM_DEVICE_AUTH_REQUEST,
 	                       invocation,
 	                       NULL,
-	                       NM_AUTH_PERMISSION_NETWORK_CONTROL,
+	                       NM_AUTH_PERMISSION_WIFI_SCAN,
 	                       TRUE,
 	                       dbus_request_scan_cb,
 	                       options ? g_variant_ref (options) : NULL);
--- a/src/devices/wifi/nm-device-wifi.c
+++ b/src/devices/wifi/nm-device-wifi.c
@ -1202,7 +1202,7 @@ _nm_device_wifi_request_scan (NMDeviceWifi *self,
 	                       NM_DEVICE_AUTH_REQUEST,
 	                       invocation,
 	                       NULL,
-	                       NM_AUTH_PERMISSION_NETWORK_CONTROL,
+	                       NM_AUTH_PERMISSION_WIFI_SCAN,
 	                       TRUE,
 	                       dbus_request_scan_cb,
 	                       options ? g_variant_ref (options) : NULL);