policy: add a "modify own" permission for single-user-visible connections

This policy will allow users to modify their personal connections (ie
maybe VPN connections, etc) distinctly from system-wide connections that
affect more than just their user.  It makes sense to be more lenient when
making changes to settings that don't affect other users.

libnm-glib/nm-client.c

@@ -336,6 +336,7 @@ register_for_property_changed (NMClient *client)
 #define NM_AUTH_PERMISSION_WIFI_SHARE_PROTECTED       "org.freedesktop.NetworkManager.wifi.share.protected"
 #define NM_AUTH_PERMISSION_WIFI_SHARE_OPEN            "org.freedesktop.NetworkManager.wifi.share.open"
 #define NM_AUTH_PERMISSION_SETTINGS_MODIFY_SYSTEM     "org.freedesktop.NetworkManager.settings.modify.system"
+#define NM_AUTH_PERMISSION_SETTINGS_MODIFY_OWN        "org.freedesktop.NetworkManager.settings.modify.own"
 #define NM_AUTH_PERMISSION_SETTINGS_HOSTNAME_MODIFY   "org.freedesktop.NetworkManager.settings.hostname.modify"
 
 static NMClientPermission
@@ -359,6 +360,8 @@ nm_permission_to_client (const char *nm)
 		return NM_CLIENT_PERMISSION_WIFI_SHARE_OPEN;
 	else if (!strcmp (nm, NM_AUTH_PERMISSION_SETTINGS_MODIFY_SYSTEM))
 		return NM_CLIENT_PERMISSION_SETTINGS_MODIFY_SYSTEM;
+	else if (!strcmp (nm, NM_AUTH_PERMISSION_SETTINGS_MODIFY_OWN))
+		return NM_CLIENT_PERMISSION_SETTINGS_MODIFY_OWN;
 	else if (!strcmp (nm, NM_AUTH_PERMISSION_SETTINGS_HOSTNAME_MODIFY))
 		return NM_CLIENT_PERMISSION_SETTINGS_HOSTNAME_MODIFY;
 

libnm-glib/nm-client.h

@@ -58,15 +58,16 @@ typedef enum {
 	NM_CLIENT_PERMISSION_ENABLE_DISABLE_NETWORK = 1,
 	NM_CLIENT_PERMISSION_ENABLE_DISABLE_WIFI = 2,
 	NM_CLIENT_PERMISSION_ENABLE_DISABLE_WWAN = 3,
-	NM_CLIENT_PERMISSION_SLEEP_WAKE = 4,
-	NM_CLIENT_PERMISSION_NETWORK_CONTROL = 5,
-	NM_CLIENT_PERMISSION_WIFI_SHARE_PROTECTED = 6,
-	NM_CLIENT_PERMISSION_WIFI_SHARE_OPEN = 7,
-	NM_CLIENT_PERMISSION_SETTINGS_MODIFY_SYSTEM = 8,
-	NM_CLIENT_PERMISSION_SETTINGS_HOSTNAME_MODIFY = 9,
-	NM_CLIENT_PERMISSION_ENABLE_DISABLE_WIMAX = 10,
+	NM_CLIENT_PERMISSION_ENABLE_DISABLE_WIMAX = 4,
+	NM_CLIENT_PERMISSION_SLEEP_WAKE = 5,
+	NM_CLIENT_PERMISSION_NETWORK_CONTROL = 6,
+	NM_CLIENT_PERMISSION_WIFI_SHARE_PROTECTED = 7,
+	NM_CLIENT_PERMISSION_WIFI_SHARE_OPEN = 8,
+	NM_CLIENT_PERMISSION_SETTINGS_MODIFY_SYSTEM = 9,
+	NM_CLIENT_PERMISSION_SETTINGS_MODIFY_OWN = 10,
+	NM_CLIENT_PERMISSION_SETTINGS_HOSTNAME_MODIFY = 11,
 
-	NM_CLIENT_PERMISSION_LAST = NM_CLIENT_PERMISSION_ENABLE_DISABLE_WIMAX
+	NM_CLIENT_PERMISSION_LAST = NM_CLIENT_PERMISSION_SETTINGS_HOSTNAME_MODIFY
 } NMClientPermission;
 
 typedef enum {

policy/org.freedesktop.NetworkManager.policy.in

@@ -81,6 +81,15 @@
     </defaults>
   </action>
 
+  <action id="org.freedesktop.NetworkManager.settings.modify.own">
+    <_description>Modify personal network connections</_description>
+    <_message>System policy prevents modification of personal network settings</_message>
+    <defaults>
+      <allow_inactive>no</allow_inactive>
+      <allow_active>yes</allow_active>
+    </defaults>
+  </action>
+
   <action id="org.freedesktop.NetworkManager.settings.modify.system">
     <_description>Modify network connections for all users</_description>
     <_message>System policy prevents modification of network settings for all users</_message>

src/nm-manager-auth.h

@@ -38,6 +38,7 @@
 #define NM_AUTH_PERMISSION_WIFI_SHARE_PROTECTED       "org.freedesktop.NetworkManager.wifi.share.protected"
 #define NM_AUTH_PERMISSION_WIFI_SHARE_OPEN            "org.freedesktop.NetworkManager.wifi.share.open"
 #define NM_AUTH_PERMISSION_SETTINGS_MODIFY_SYSTEM     "org.freedesktop.NetworkManager.settings.modify.system"
+#define NM_AUTH_PERMISSION_SETTINGS_MODIFY_OWN        "org.freedesktop.NetworkManager.settings.modify.own"
 #define NM_AUTH_PERMISSION_SETTINGS_HOSTNAME_MODIFY   "org.freedesktop.NetworkManager.settings.hostname.modify"
 
 

src/nm-manager.c

@@ -2731,6 +2731,7 @@ get_permissions_done_cb (NMAuthChain *chain,
 		get_perm_add_result (chain, results, NM_AUTH_PERMISSION_WIFI_SHARE_PROTECTED);
 		get_perm_add_result (chain, results, NM_AUTH_PERMISSION_WIFI_SHARE_OPEN);
 		get_perm_add_result (chain, results, NM_AUTH_PERMISSION_SETTINGS_MODIFY_SYSTEM);
+		get_perm_add_result (chain, results, NM_AUTH_PERMISSION_SETTINGS_MODIFY_OWN);
 		get_perm_add_result (chain, results, NM_AUTH_PERMISSION_SETTINGS_HOSTNAME_MODIFY);
 		dbus_g_method_return (context, results);
 		g_hash_table_destroy (results);
@@ -2762,6 +2763,7 @@ impl_manager_get_permissions (NMManager *self,
 	nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_WIFI_SHARE_PROTECTED, FALSE);
 	nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_WIFI_SHARE_OPEN, FALSE);
 	nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_SETTINGS_MODIFY_SYSTEM, FALSE);
+	nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_SETTINGS_MODIFY_OWN, FALSE);
 	nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_SETTINGS_HOSTNAME_MODIFY, FALSE);
 }