From 243af16c5b213b7722877d7e86281f4f6c921847 Mon Sep 17 00:00:00 2001 From: Jonathan Kang Date: Fri, 25 Jan 2019 14:33:11 +0800 Subject: [PATCH] Add polkit action for Wi-Fi scans Previously, Wi-Fi scans uses polkit action "org.freedesktop.NetworkManager.network-control". This is introduced in commit 5e3e19d0. But in a system with restrict polkit rules, for example "org.freedesktop.NetworkManager.network-control" was set as auth_admin. When you open the network panel of GNOME Control Center, a polkit dialog will keep showing up asking for admin password, as GNOME Control Center scans the Wi-Fi list every 15 seconds. Fix that by adding a new polkit action "org.freedesktop.NetworkManager.wifi.scan" so that distributions can add specific rule to allow Wi-Fi scans. [thaller@redhat.com: fix macro in "shared/nm-common-macros.h"] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/merge_requests/68 --- clients/cli/general.c | 2 ++ data/org.freedesktop.NetworkManager.policy.in.in | 10 ++++++++++ libnm/nm-client.h | 4 +++- libnm/nm-manager.c | 2 ++ shared/nm-common-macros.h | 1 + src/devices/wifi/nm-device-iwd.c | 2 +- src/devices/wifi/nm-device-wifi.c | 2 +- 7 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/clients/cli/general.c b/clients/cli/general.c
index d0cfc844aa..2c22bdc944 100644
--- a/clients/cli/general.c
+++ b/clients/cli/general.c
@@ -124,6 +124,8 @@ permission_to_string (NMClientPermission perm)
 return NM_AUTH_PERMISSION_ENABLE_DISABLE_STATISTICS;
 case NM_CLIENT_PERMISSION_ENABLE_DISABLE_CONNECTIVITY_CHECK:
 return NM_AUTH_PERMISSION_ENABLE_DISABLE_CONNECTIVITY_CHECK;
+ case NM_CLIENT_PERMISSION_WIFI_SCAN:
+ return NM_AUTH_PERMISSION_WIFI_SCAN;
 default:
 return _("unknown");
 }
diff --git a/data/org.freedesktop.NetworkManager.policy.in.in b/data/org.freedesktop.NetworkManager.policy.in.in
index d1460c2cc4..8b6ea5155e 100644
--- a/data/org.freedesktop.NetworkManager.policy.in.in
+++ b/data/org.freedesktop.NetworkManager.policy.in.in
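Review bot: The `default:` arm in permission_to_string (clients/cli/general.c hunk) means -Wswitch will not report an NMClientPermission value that has no case, so this switch and the strcmp chain in nm_permission_to_client (libnm/nm-manager.c hunk) stay complete only if each new permission is added to both by hand. A missed entry would surface quietly as "unknown" in the CLI output or as NM_CLIENT_PERMISSION_NONE in libnm rather than as a build warning. I would add a comment above the switch, `/* Keep in sync with nm_permission_to_client() in libnm/nm-manager.c. */`, and the mirror-image comment above the strcmp chain. The function body starts outside the hunk.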
@@ -74,6 +74,16 @@ + + <_description>Allow control of Wi-Fi scans + <_message>System policy prevents Wi-Fi scans + + auth_admin + yes + yes + + + <_description>Connection sharing via a protected Wi-Fi network <_message>System policy prevents sharing connections via a protected Wi-Fi network
diff --git a/libnm/nm-client.h b/libnm/nm-client.h
index 97363ef759..edb3ed7848 100644
--- a/libnm/nm-client.h
+++ b/libnm/nm-client.h
@@ -107,6 +107,7 @@ G_BEGIN_DECLS
 * statistics can be globally enabled or disabled
 * @NM_CLIENT_PERMISSION_ENABLE_DISABLE_CONNECTIVITY_CHECK: controls whether
 * connectivity check can be enabled or disabled
+ * @NM_CLIENT_PERMISSION_WIFI_SCAN: controls whether wifi scans can be performed
 * @NM_CLIENT_PERMISSION_LAST: a reserved boundary value
 *
 * #NMClientPermission values indicate various permissions that NetworkManager
@@ -130,8 +131,9 @@ typedef enum {
 NM_CLIENT_PERMISSION_CHECKPOINT_ROLLBACK = 14,
 NM_CLIENT_PERMISSION_ENABLE_DISABLE_STATISTICS = 15,
 NM_CLIENT_PERMISSION_ENABLE_DISABLE_CONNECTIVITY_CHECK = 16,
+ NM_CLIENT_PERMISSION_WIFI_SCAN = 17,
- NM_CLIENT_PERMISSION_LAST = 16,
+ NM_CLIENT_PERMISSION_LAST = 17,
 } NMClientPermission;
 /**
diff --git a/libnm/nm-manager.c b/libnm/nm-manager.c
index 0b47c6abeb..7b57c46ece 100644
--- a/libnm/nm-manager.c
+++ b/libnm/nm-manager.c
@@ -310,6 +310,8 @@ nm_permission_to_client (const char *nm)
 return NM_CLIENT_PERMISSION_ENABLE_DISABLE_STATISTICS;
 else if (!strcmp (nm, NM_AUTH_PERMISSION_ENABLE_DISABLE_CONNECTIVITY_CHECK))
 return NM_CLIENT_PERMISSION_ENABLE_DISABLE_CONNECTIVITY_CHECK;
+ else if (!strcmp (nm, NM_AUTH_PERMISSION_WIFI_SCAN))
+ return NM_CLIENT_PERMISSION_WIFI_SCAN;
 return NM_CLIENT_PERMISSION_NONE;
 }
diff --git a/shared/nm-common-macros.h b/shared/nm-common-macros.h
index 2edb97285b..f5aa3a1eaf 100644
--- a/shared/nm-common-macros.h
+++ b/shared/nm-common-macros.h
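Review bot: The new action's description, "Allow control of Wi-Fi scans", gives an administrator no hint that scan requests were previously authorized under org.freedesktop.NetworkManager.network-control, which only the commit message states. A site whose local rules tighten network-control will, after this change, have scan requests decided by this action's defaults instead (the values `auth_admin`, `yes`, `yes` are visible in the hunk, though the element names are missing from this rendering), so the existing rule no longer gates scans. I would add an XML comment above the action, `<!-- Split out of network-control: rules restricting network-control no longer apply to scan requests; add a rule for wifi.scan if scans must stay gated. -->`, and repeat the point in the release notes.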
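Review bot: The doc line added for NM_CLIENT_PERMISSION_WIFI_SCAN in libnm/nm-client.h does not record which release introduced the value, while the second hunk moves NM_CLIENT_PERMISSION_LAST from 16 to 17 in the same public enum. Code that bounds-checks against the LAST it was compiled with would treat 17 as out of range, so consumers need to know from which version they can rely on the new permission. I would extend the line to `* @NM_CLIENT_PERMISSION_WIFI_SCAN: controls whether Wi-Fi scans can be performed (Since: <release>)`, which also matches the "Wi-Fi" spelling used in the policy file. The comment block and the enum both start outside their hunks.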
@@ -40,6 +40,7 @@
 #define NM_AUTH_PERMISSION_CHECKPOINT_ROLLBACK "org.freedesktop.NetworkManager.checkpoint-rollback"
 #define NM_AUTH_PERMISSION_ENABLE_DISABLE_STATISTICS "org.freedesktop.NetworkManager.enable-disable-statistics"
 #define NM_AUTH_PERMISSION_ENABLE_DISABLE_CONNECTIVITY_CHECK "org.freedesktop.NetworkManager.enable-disable-connectivity-check"
+#define NM_AUTH_PERMISSION_WIFI_SCAN "org.freedesktop.NetworkManager.wifi.scan"
 #define NM_CLONED_MAC_PRESERVE "preserve"
 #define NM_CLONED_MAC_PERMANENT "permanent"
diff --git a/src/devices/wifi/nm-device-iwd.c b/src/devices/wifi/nm-device-iwd.c
index 0420f8bcce..dcc161d28f 100644
--- a/src/devices/wifi/nm-device-iwd.c
+++ b/src/devices/wifi/nm-device-iwd.c
@@ -1130,7 +1130,7 @@ _nm_device_iwd_request_scan (NMDeviceIwd *self,
 NM_DEVICE_AUTH_REQUEST,
 invocation,
 NULL,
- NM_AUTH_PERMISSION_NETWORK_CONTROL,
+ NM_AUTH_PERMISSION_WIFI_SCAN,
 TRUE,
 dbus_request_scan_cb,
 options ? g_variant_ref (options) : NULL);
diff --git a/src/devices/wifi/nm-device-wifi.c b/src/devices/wifi/nm-device-wifi.c
index 63eafe71bc..25f7b9f502 100644
--- a/src/devices/wifi/nm-device-wifi.c
+++ b/src/devices/wifi/nm-device-wifi.c
@@ -1202,7 +1202,7 @@ _nm_device_wifi_request_scan (NMDeviceWifi *self,
 NM_DEVICE_AUTH_REQUEST,
 invocation,
 NULL,
- NM_AUTH_PERMISSION_NETWORK_CONTROL,
+ NM_AUTH_PERMISSION_WIFI_SCAN,
 TRUE,
 dbus_request_scan_cb,
 options ? g_variant_ref (options) : NULL);
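Review bot: Neither call site explains why the scan request is authorized under its own action: the `NM_AUTH_PERMISSION_WIFI_SCAN` argument in _nm_device_iwd_request_scan, and the identical change in _nm_device_wifi_request_scan (nm-device-wifi.c hunk), replace NM_AUTH_PERMISSION_NETWORK_CONTROL without a comment. The same call still hands `options` to dbus_request_scan_cb, so the narrower permission presumably covers whatever the requester put in those options and not only a plain rescan. That is worth stating so a later change does not treat wifi.scan as harmless and attach further operations to it. Suggested comment above each call: `/* Scans use their own polkit action so they can be allowed without granting network-control; it also authorizes the request's scan options. */`. Both function bodies start and end outside the hunks.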