nm-sudo: rename to nm-priv-helper
The name "nm-sudo" is reminiscent of the "sudo" tool, and this is a bit confusing because it's not related. Rename the service to "nm-priv-helper", which stands for "NM privileged helper". https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/938
This commit is contained in:
parent
9f3d2a09ea
commit
d68ab6b8f0
7
.gitignore
vendored
|
@ -71,8 +71,8 @@ test-*.trs
|
|||
/src/nm-dispatcher/org.freedesktop.nm_dispatcher.service
|
||||
/src/nm-dispatcher/tests/test-dispatcher-envp
|
||||
|
||||
/src/nm-sudo/nm-sudo
|
||||
/src/nm-sudo/org.freedesktop.nm.sudo.service
|
||||
/src/nm-priv-helper/nm-priv-helper
|
||||
/src/nm-priv-helper/org.freedesktop.nm-priv-helper.service
|
||||
|
||||
/data/NetworkManager.service
|
||||
/data/NetworkManager-wait-online.service
|
||||
|
@ -82,6 +82,7 @@ test-*.trs
|
|||
/data/org.freedesktop.NetworkManager.policy
|
||||
/data/org.freedesktop.NetworkManager.policy.in
|
||||
/data/nm-sudo.service
|
||||
/data/nm-priv-helper.service
|
||||
|
||||
/docs/api/version.xml
|
||||
/docs/api/settings-spec.html
|
||||
|
@ -436,6 +437,8 @@ test-*.trs
|
|||
/src/ndisc/tests/test-ndisc-linux
|
||||
/src/nm-daemon-helper/nm-daemon-helper
|
||||
/src/nm-iface-helper
|
||||
/src/nm-sudo/nm-sudo
|
||||
/src/nm-sudo/org.freedesktop.nm.sudo.service
|
||||
/src/platform/tests/dump
|
||||
/src/platform/tests/monitor
|
||||
/src/platform/tests/platform
|
||||
|
|
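Review bot: The third hunk (`@@ -436,6 +437,8`) has two added lines and, by the counts, those are `/src/nm-sudo/nm-sudo` and `/src/nm-sudo/org.freedesktop.nm.sudo.service`, the very entries the first hunk drops from the active list. Presumably this keeps stale build output of the old name ignored in existing checkouts, but nothing in the file says so, and a later cleanup will read them as leftovers of the rename. A one-line comment above them, e.g. `# stale outputs of the former nm-sudo name; keep ignored in old checkouts`, would make the intent explicit.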
44
Makefile.am
|
@ -506,8 +506,8 @@ src_libnm_base_libnm_base_la_SOURCES = \
|
|||
src/libnm-base/nm-ethtool-utils-base.h \
|
||||
src/libnm-base/nm-net-aux.c \
|
||||
src/libnm-base/nm-net-aux.h \
|
||||
src/libnm-base/nm-sudo-utils.c \
|
||||
src/libnm-base/nm-sudo-utils.h \
|
||||
src/libnm-base/nm-priv-helper-utils.c \
|
||||
src/libnm-base/nm-priv-helper-utils.h \
|
||||
$(NULL)
|
||||
|
||||
src_libnm_base_libnm_base_la_LDFLAGS = \
|
||||
|
@ -2590,8 +2590,8 @@ src_core_libNetworkManager_la_SOURCES = \
|
|||
src/core/nm-rfkill-manager.h \
|
||||
src/core/nm-session-monitor.c \
|
||||
src/core/nm-session-monitor.h \
|
||||
src/core/nm-sudo-call.c \
|
||||
src/core/nm-sudo-call.h \
|
||||
src/core/nm-priv-helper-call.c \
|
||||
src/core/nm-priv-helper-call.h \
|
||||
src/core/nm-keep-alive.c \
|
||||
src/core/nm-keep-alive.h \
|
||||
src/core/nm-sleep-monitor.c \
|
||||
|
@ -4555,16 +4555,16 @@ EXTRA_DIST += \
|
|||
$(NULL)
|
||||
|
||||
###############################################################################
|
||||
# src/nm-sudo
|
||||
# src/nm-priv-helper
|
||||
###############################################################################
|
||||
|
||||
libexec_PROGRAMS += src/nm-sudo/nm-sudo
|
||||
libexec_PROGRAMS += src/nm-priv-helper/nm-priv-helper
|
||||
|
||||
src_nm_sudo_nm_sudo_SOURCES = \
|
||||
src/nm-sudo/nm-sudo.c \
|
||||
src_nm_priv_helper_nm_priv_helper_SOURCES = \
|
||||
src/nm-priv-helper/nm-priv-helper.c \
|
||||
$(NULL)
|
||||
|
||||
src_nm_sudo_nm_sudo_CPPFLAGS = \
|
||||
src_nm_priv_helper_nm_priv_helper_CPPFLAGS = \
|
||||
$(dflt_cppflags) \
|
||||
-I$(builddir)/src/libnm-core-public \
|
||||
-I$(srcdir)/src/libnm-core-public \
|
||||
|
@ -4575,12 +4575,12 @@ src_nm_sudo_nm_sudo_CPPFLAGS = \
|
|||
$(GLIB_CFLAGS) \
|
||||
$(NULL)
|
||||
|
||||
src_nm_sudo_nm_sudo_LDFLAGS = \
|
||||
src_nm_priv_helper_nm_priv_helper_LDFLAGS = \
|
||||
-Wl,--version-script="$(srcdir)/linker-script-binary.ver" \
|
||||
$(SANITIZER_EXEC_LDFLAGS) \
|
||||
$(NULL)
|
||||
|
||||
src_nm_sudo_nm_sudo_LDADD = \
|
||||
src_nm_priv_helper_nm_priv_helper_LDADD = \
|
||||
src/libnm-base/libnm-base.la \
|
||||
src/libnm-glib-aux/libnm-glib-aux.la \
|
||||
src/libnm-std-aux/libnm-std-aux.la \
|
||||
|
@ -4588,20 +4588,20 @@ src_nm_sudo_nm_sudo_LDADD = \
|
|||
$(GLIB_LIBS) \
|
||||
$(NULL)
|
||||
|
||||
src/nm-sudo/org.freedesktop.nm.sudo.service: $(srcdir)/src/nm-sudo/org.freedesktop.nm.sudo.service.in
|
||||
src/nm-priv-helper/org.freedesktop.nm-priv-helper.service: $(srcdir)/src/nm-priv-helper/org.freedesktop.nm-priv-helper.service.in
|
||||
@sed \
|
||||
-e 's|@libexecdir[@]|$(libexecdir)|g' \
|
||||
$< >$@
|
||||
|
||||
dbusactivation_DATA += src/nm-sudo/org.freedesktop.nm.sudo.service
|
||||
CLEANFILES += src/nm-sudo/org.freedesktop.nm.sudo.service
|
||||
dbusactivation_DATA += src/nm-priv-helper/org.freedesktop.nm-priv-helper.service
|
||||
CLEANFILES += src/nm-priv-helper/org.freedesktop.nm-priv-helper.service
|
||||
|
||||
dbusservice_DATA += src/nm-sudo/nm-sudo.conf
|
||||
dbusservice_DATA += src/nm-priv-helper/nm-priv-helper.conf
|
||||
|
||||
EXTRA_DIST += \
|
||||
src/nm-sudo/nm-sudo.conf \
|
||||
src/nm-sudo/org.freedesktop.nm.sudo.service.in \
|
||||
src/nm-sudo/meson.build \
|
||||
src/nm-priv-helper/nm-priv-helper.conf \
|
||||
src/nm-priv-helper/org.freedesktop.nm-priv-helper.service.in \
|
||||
src/nm-priv-helper/meson.build \
|
||||
$(NULL)
|
||||
|
||||
###############################################################################
|
||||
|
@ -5294,7 +5294,7 @@ systemdsystemunit_DATA += \
|
|||
data/NetworkManager.service \
|
||||
data/NetworkManager-wait-online.service \
|
||||
data/NetworkManager-dispatcher.service \
|
||||
data/nm-sudo.service \
|
||||
data/nm-priv-helper.service \
|
||||
$(NULL)
|
||||
|
||||
data/NetworkManager.service: $(srcdir)/data/NetworkManager.service.in
|
||||
|
@ -5311,7 +5311,7 @@ endif
|
|||
data/NetworkManager-dispatcher.service: $(srcdir)/data/NetworkManager-dispatcher.service.in
|
||||
$(AM_V_GEN) $(data_edit) $< >$@
|
||||
|
||||
data/nm-sudo.service: $(srcdir)/data/nm-sudo.service.in
|
||||
data/nm-priv-helper.service: $(srcdir)/data/nm-priv-helper.service.in
|
||||
$(AM_V_GEN) $(data_edit) $< >$@
|
||||
|
||||
endif
|
||||
|
@ -5343,7 +5343,7 @@ EXTRA_DIST += \
|
|||
data/NetworkManager-wait-online-systemd-pre200.service.in \
|
||||
data/NetworkManager-wait-online.service.in \
|
||||
data/NetworkManager.service.in \
|
||||
data/nm-sudo.service.in \
|
||||
data/nm-priv-helper.service.in \
|
||||
data/meson.build \
|
||||
data/nm-shared.xml \
|
||||
data/server.conf.in \
|
||||
|
@ -5353,7 +5353,7 @@ CLEANFILES += \
|
|||
data/NetworkManager-dispatcher.service \
|
||||
data/NetworkManager-wait-online.service \
|
||||
data/NetworkManager.service \
|
||||
data/nm-sudo.service \
|
||||
data/nm-priv-helper.service \
|
||||
data/server.conf \
|
||||
$(NULL)
|
||||
|
||||
|
|
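Review bot: The `@sed … $< >$@` recipe for `src/nm-priv-helper/org.freedesktop.nm-priv-helper.service` (hunk `@@ -4588,20 +4588,20`) silences the command entirely and writes the target in place, so a failing sed leaves a truncated `$@` that is newer than its `.in` and is treated as up to date on the next run, while in a non-silent build nothing shows what ran. The neighbouring `data/nm-priv-helper.service` rule in the same file uses `$(AM_V_GEN)` for exactly this kind of substitution. Suggest `$(AM_V_GEN)sed -e 's|@libexecdir[@]|$(libexecdir)|g' $< >$@.tmp && mv -f $@.tmp $@`. This is carried over from the old nm-sudo rule rather than introduced by the rename.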
4
NEWS
|
@ -30,8 +30,8 @@ Overview of changes since NetworkManager-1.32
|
|||
Adjust the "dns-priority" to your liking after import yourself.
|
||||
* NetworkManager no longer listens for netlink events for traffic
|
||||
control objects (qdiscs and filters).
|
||||
* core: add internal nm-sudo service for separating privileges and have
|
||||
a way to drop capabilities from NetworkManager daemon.
|
||||
* core: add internal nm-priv-helper service for separating privileges
|
||||
and have a way to drop capabilities from NetworkManager daemon.
|
||||
* bond: add support for setting queue-id of bond port.
|
||||
* dns: support configuring DNS over TLS (DoT) with systemd-resolved.
|
||||
* nmtui: add support for WireGuard profiles.
|
||||
|
|
|
@ -40,7 +40,7 @@
|
|||
|
||||
%global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[0-9][0-9]*\\)\\.[0-9][0-9]*$/\\1/p')
|
||||
|
||||
%global systemd_units NetworkManager.service NetworkManager-wait-online.service NetworkManager-dispatcher.service nm-sudo.service
|
||||
%global systemd_units NetworkManager.service NetworkManager-wait-online.service NetworkManager-dispatcher.service nm-priv-helper.service
|
||||
|
||||
%global systemd_units_cloud_setup nm-cloud-setup.service nm-cloud-setup.timer
|
||||
|
||||
|
@ -943,7 +943,7 @@ if [ $1 -eq 0 ]; then
|
|||
|
||||
/usr/sbin/update-alternatives --remove ifup %{_libexecdir}/nm-ifup >/dev/null 2>&1 || :
|
||||
fi
|
||||
%systemd_preun NetworkManager-wait-online.service NetworkManager-dispatcher.service nm-sudo.service
|
||||
%systemd_preun NetworkManager-wait-online.service NetworkManager-dispatcher.service nm-priv-helper.service
|
||||
|
||||
|
||||
%if %{with nm_cloud_setup}
|
||||
|
@ -977,7 +977,7 @@ fi
|
|||
%files
|
||||
%{dbus_sys_dir}/org.freedesktop.NetworkManager.conf
|
||||
%{dbus_sys_dir}/nm-dispatcher.conf
|
||||
%{dbus_sys_dir}/nm-sudo.conf
|
||||
%{dbus_sys_dir}/nm-priv-helper.conf
|
||||
%{dbus_sys_dir}/nm-ifcfg-rh.conf
|
||||
%{_sbindir}/%{name}
|
||||
%{_bindir}/nmcli
|
||||
|
@ -1002,7 +1002,7 @@ fi
|
|||
%{_libexecdir}/nm-dispatcher
|
||||
%{_libexecdir}/nm-initrd-generator
|
||||
%{_libexecdir}/nm-daemon-helper
|
||||
%{_libexecdir}/nm-sudo
|
||||
%{_libexecdir}/nm-priv-helper
|
||||
%dir %{_libdir}/%{name}
|
||||
%dir %{nmplugindir}
|
||||
%{nmplugindir}/libnm-settings-plugin*.so
|
||||
|
@ -1026,7 +1026,7 @@ fi
|
|||
%dir %{_localstatedir}/lib/NetworkManager
|
||||
%dir %{_sysconfdir}/sysconfig/network-scripts
|
||||
%{_datadir}/dbus-1/system-services/org.freedesktop.nm_dispatcher.service
|
||||
%{_datadir}/dbus-1/system-services/org.freedesktop.nm.sudo.service
|
||||
%{_datadir}/dbus-1/system-services/org.freedesktop.nm-priv-helper.service
|
||||
%{_datadir}/polkit-1/actions/*.policy
|
||||
%{_prefix}/lib/udev/rules.d/*.rules
|
||||
%if %{with firewalld_zone}
|
||||
|
@ -1036,7 +1036,7 @@ fi
|
|||
%{systemd_dir}/NetworkManager.service
|
||||
%{systemd_dir}/NetworkManager-wait-online.service
|
||||
%{systemd_dir}/NetworkManager-dispatcher.service
|
||||
%{systemd_dir}/nm-sudo.service
|
||||
%{systemd_dir}/nm-priv-helper.service
|
||||
%dir %{_datadir}/doc/NetworkManager/examples
|
||||
%{_datadir}/doc/NetworkManager/examples/server.conf
|
||||
%doc NEWS AUTHORS README CONTRIBUTING.md TODO
|
||||
|
|
|
@ -11,7 +11,7 @@ if install_systemdunitdir
|
|||
services = [
|
||||
'NetworkManager-dispatcher.service.in',
|
||||
'NetworkManager.service.in',
|
||||
'nm-sudo.service.in',
|
||||
'nm-priv-helper.service.in',
|
||||
]
|
||||
|
||||
if have_systemd_200
|
||||
|
|
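--- a/data/nm-priv-helper.service.in
+++ b/data/nm-priv-helper.service.in
@@ -0,0 +1,79 @@
+[Unit]
+Description=NetworkManager Privileged Helper
+
+#
+# nm-priv-helper exists for privilege separation. It allows to run
+# NetworkManager without certain capabilities, and ask nm-priv-helper
+# for special operations where more privileges are required.
+#
+
+# While nm-priv-helper has privileges that NetworkManager has not, it
+# does not mean that itself should run totally unconstrained. On the
+# contrary, it also should only have permissions it requires.
+#
+# nm-priv-helper rejects all requests that come from any other than the
+# name owner of "org.freedesktop.NetworkManager" (that is,
+# NetworkManager process itself). It is thus only an implementation
+# detail and provides no public API to the user.
+
+[Service]
+Type=dbus
+BusName=org.freedesktop.nm-priv-helper
+ExecStart=@libexecdir@/nm-priv-helper
+NotifyAccess=main
+
+# Extra configuration options. Set via `systemctl edit
+# nm-priv-helper.service`:
+#
+# FOR TESTING ONLY: disable authentication to allow requests from
+# everybody. Don't set this outside of testing!
+#Environment=NM_PRIV_HELPER_NO_AUTH_FOR_TESTING=1
+#
+# The logging level for debug messages (to stdout).
+#Environment=NM_PRIV_HELPER_LOG=TRACE
+#
+# nm-priv-helper will exit on idle after timeout. Set timeout here or
+# set to 2147483647 for infinity.
+
+#Environment=NM_PRIV_HELPER_IDLE_TIMEOUT_MSEC=10000
+
+
+# Restrict:
+AmbientCapabilities=
+CapabilityBoundingSet=
+PrivateDevices=true
+PrivateMounts=true
+PrivateNetwork=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictAddressFamilies=
+RestrictNamespaces=true
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
+NoNewPrivileges=true
+SupplementaryGroups=
+
+# Grant:
+CapabilityBoundingSet=CAP_DAC_OVERRIDE
+PrivateUsers=no
+RestrictAddressFamilies=AF_UNIX
+SystemCallFilter=@resources
+
+
+[Install]
+Alias=dbus-org.freedesktop.nm-priv-helper.service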
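Review bot: The rewrapped comment blocks in this unit now contain stray blank lines that the old nm-sudo file kept contiguous: one between the `#` closing the first paragraph and `# While nm-priv-helper has privileges …`, and one between `# set to 2147483647 for infinity.` and `#Environment=NM_PRIV_HELPER_IDLE_TIMEOUT_MSEC=10000`. The second one detaches the idle-timeout option from the text that explains it, unlike the two `#Environment=` options above it. Drop both blank lines (or use a bare `#` line, as the rest of the block does) so each option stays attached to its description.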
|
|
@ -1,75 +0,0 @@
|
|||
[Unit]
|
||||
Description=NetworkManager Sudo Helper
|
||||
#
|
||||
# nm-sudo exists for privilege separation. It allows to run NetworkManager
|
||||
# without certain capabilities, and ask nm-sudo for special operations
|
||||
# where more privileges are required.
|
||||
#
|
||||
# While nm-sudo has privileges that NetworkManager has not, it does not
|
||||
# mean that itself should run totally unconstrained. On the contrary, it
|
||||
# also should only have permissions it requires.
|
||||
#
|
||||
# nm-sudo rejects all requests that come from any other than the name
|
||||
# owner of "org.freedesktop.NetworkManager" (that is, NetworkManager process
|
||||
# itself). It is thus only an implementation detail and provides no public
|
||||
# API to the user.
|
||||
|
||||
[Service]
|
||||
Type=dbus
|
||||
BusName=org.freedesktop.nm.sudo
|
||||
ExecStart=@libexecdir@/nm-sudo
|
||||
NotifyAccess=main
|
||||
|
||||
# Extra configuration options. Set via `systemctl edit nm-sudo.service`:
|
||||
#
|
||||
# FOR TESTING ONLY: disable authentication to allow requests from
|
||||
# everybody. Don't set this outside of testing!
|
||||
#Environment=NM_SUDO_NO_AUTH_FOR_TESTING=1
|
||||
#
|
||||
# The logging level for debug messages (to stdout).
|
||||
#Environment=NM_SUDO_LOG=TRACE
|
||||
#
|
||||
# nm-sudo will exit on idle after timeout. Set timeout here
|
||||
# or set to 2147483647 for infinity.
|
||||
#Environment=NM_SUDO_IDLE_TIMEOUT_MSEC=10000
|
||||
|
||||
|
||||
# Restrict:
|
||||
AmbientCapabilities=
|
||||
CapabilityBoundingSet=
|
||||
PrivateDevices=true
|
||||
PrivateMounts=true
|
||||
PrivateNetwork=true
|
||||
PrivateTmp=true
|
||||
ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectHome=true
|
||||
ProtectHostname=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectSystem=strict
|
||||
RestrictAddressFamilies=
|
||||
RestrictNamespaces=true
|
||||
SystemCallFilter=~@clock
|
||||
SystemCallFilter=~@cpu-emulation
|
||||
SystemCallFilter=~@debug
|
||||
SystemCallFilter=~@module
|
||||
SystemCallFilter=~@mount
|
||||
SystemCallFilter=~@obsolete
|
||||
SystemCallFilter=~@privileged
|
||||
SystemCallFilter=~@raw-io
|
||||
SystemCallFilter=~@reboot
|
||||
SystemCallFilter=~@swap
|
||||
NoNewPrivileges=true
|
||||
SupplementaryGroups=
|
||||
|
||||
# Grant:
|
||||
CapabilityBoundingSet=CAP_DAC_OVERRIDE
|
||||
PrivateUsers=no
|
||||
RestrictAddressFamilies=AF_UNIX
|
||||
SystemCallFilter=@resources
|
||||
|
||||
|
||||
[Install]
|
||||
Alias=dbus-org.freedesktop.nm.sudo.service
|
|
@ -2,7 +2,7 @@ contrib/fedora/rpm/
|
|||
data/NetworkManager-dispatcher.service.in
|
||||
data/NetworkManager-wait-online.service.in
|
||||
data/NetworkManager.service.in
|
||||
data/nm-sudo.service.in
|
||||
data/nm-priv-helper.service.in
|
||||
data/org.freedesktop.NetworkManager.policy.in
|
||||
examples/python/NetworkManager.py
|
||||
examples/python/systray/eggtrayicon.c
|
||||
|
|
|
@ -27,7 +27,7 @@ Read the individual README.md files in the subdirectories for details:
|
|||
| [nm-initrd-generator/](nm-initrd-generator/) | generates NetworkManager configuration by parsing kernel command line options for dracut/initrd |
|
||||
| [nm-dispatcher/](nm-dispatcher/) | NetworkManager-dispatcher service to run user scripts |
|
||||
| [nm-online/](nm-online/) | application which checks whether NetworkManager is done, for implementing NetworkManager-wait-online.service |
|
||||
| [nm-sudo/](nm-sudo/) | internal service for privileged operations |
|
||||
| [nm-priv-helper/](nm-priv-helper/) | internal service for privileged operations |
|
||||
| [nm-daemon-helper/](nm-daemon-helper/) | internal helper binary spawned by NetworkManager |
|
||||
| | |
|
||||
| [libnm-std-aux/](libnm-std-aux/) | internal helper library for standard C |
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
#include "devices/nm-device.h"
|
||||
#include "nm-manager.h"
|
||||
#include "nm-setting-ovs-external-ids.h"
|
||||
#include "nm-sudo-call.h"
|
||||
#include "nm-priv-helper-call.h"
|
||||
|
||||
/*****************************************************************************/
|
||||
|
||||
|
@ -2384,7 +2384,7 @@ _ovsdb_connect_complete_with_fd(NMOvsdb *self, int fd_take)
|
|||
}
|
||||
|
||||
static void
|
||||
_ovsdb_connect_sudo_cb(int fd_take, GError *error, gpointer user_data)
|
||||
_ovsdb_connect_priv_helper_cb(int fd_take, GError *error, gpointer user_data)
|
||||
{
|
||||
nm_auto_close int fd = fd_take;
|
||||
NMOvsdb *self;
|
||||
|
@ -2395,12 +2395,12 @@ _ovsdb_connect_sudo_cb(int fd_take, GError *error, gpointer user_data)
|
|||
self = user_data;
|
||||
|
||||
if (error) {
|
||||
_LOGT("connect: failure to get FD from nm-sudo: %s", error->message);
|
||||
_LOGT("connect: failure to get FD from nm-priv-helper: %s", error->message);
|
||||
ovsdb_disconnect(self, FALSE, FALSE);
|
||||
return;
|
||||
}
|
||||
|
||||
_LOGT("connect: connected successfully with FD from nm-sudo");
|
||||
_LOGT("connect: connected successfully with FD from nm-priv-helper");
|
||||
_ovsdb_connect_complete_with_fd(self, nm_steal_fd(&fd));
|
||||
}
|
||||
|
||||
|
@ -2418,19 +2418,19 @@ _ovsdb_connect_idle(gpointer user_data, GCancellable *cancellable)
|
|||
self = user_data;
|
||||
priv = NM_OVSDB_GET_PRIVATE(self);
|
||||
|
||||
fd = nm_sudo_utils_open_fd(NM_SUDO_GET_FD_TYPE_OVSDB_SOCKET, &error);
|
||||
fd = nm_priv_helper_utils_open_fd(NM_PRIV_HELPER_GET_FD_TYPE_OVSDB_SOCKET, &error);
|
||||
if (fd == -ENOENT) {
|
||||
_LOGT("connect: opening %s failed (\"%s\")", NM_OVSDB_SOCKET, error->message);
|
||||
ovsdb_disconnect(self, FALSE, FALSE);
|
||||
return;
|
||||
}
|
||||
if (fd < 0) {
|
||||
_LOGT("connect: opening %s failed (\"%s\"). Retry with nm-sudo",
|
||||
_LOGT("connect: opening %s failed (\"%s\"). Retry with nm-priv-helper",
|
||||
NM_OVSDB_SOCKET,
|
||||
error->message);
|
||||
nm_sudo_call_get_fd(NM_SUDO_GET_FD_TYPE_OVSDB_SOCKET,
|
||||
nm_priv_helper_call_get_fd(NM_PRIV_HELPER_GET_FD_TYPE_OVSDB_SOCKET,
|
||||
priv->conn_cancellable,
|
||||
_ovsdb_connect_sudo_cb,
|
||||
_ovsdb_connect_priv_helper_cb,
|
||||
self);
|
||||
return;
|
||||
}
|
||||
|
|
|
@ -170,7 +170,7 @@ libNetworkManager = static_library(
|
|||
'nm-rfkill-manager.c',
|
||||
'nm-session-monitor.c',
|
||||
'nm-sleep-monitor.c',
|
||||
'nm-sudo-call.c',
|
||||
'nm-priv-helper-call.c',
|
||||
),
|
||||
dependencies: nm_deps,
|
||||
link_with: [
|
||||
|
|
|
@ -41,10 +41,10 @@
|
|||
#include "nm-hostname-manager.h"
|
||||
#include "nm-keep-alive.h"
|
||||
#include "nm-policy.h"
|
||||
#include "nm-priv-helper-call.h"
|
||||
#include "nm-rfkill-manager.h"
|
||||
#include "nm-session-monitor.h"
|
||||
#include "nm-sleep-monitor.h"
|
||||
#include "nm-sudo-call.h"
|
||||
#include "settings/nm-settings-connection.h"
|
||||
#include "settings/nm-settings.h"
|
||||
#include "vpn/nm-vpn-manager.h"
|
||||
|
@ -216,8 +216,8 @@ typedef struct {
|
|||
|
||||
#if WITH_OPENVSWITCH
|
||||
/* these fields only serve the purpose to use the symbols.*/
|
||||
void (*_use_symbol_nm_sudo_call_get_fd)(void);
|
||||
void (*_use_symbol_nm_sudo_utils_open_fd)(void);
|
||||
void (*_use_symbol_nm_priv_helper_call_get_fd)(void);
|
||||
void (*_use_symbol_nm_priv_helper_utils_open_fd)(void);
|
||||
#endif
|
||||
|
||||
} NMManagerClass;
|
||||
|
@ -8532,8 +8532,10 @@ nm_manager_class_init(NMManagerClass *manager_class)
|
|||
/* Use the symbols. These symbols are in NetworkManager binary but will be
|
||||
* used by the OVS device plugin. If we don't use the symbol here, it will
|
||||
* be wrongly dropped. */
|
||||
manager_class->_use_symbol_nm_sudo_call_get_fd = (void (*)(void)) nm_sudo_call_get_fd;
|
||||
manager_class->_use_symbol_nm_sudo_utils_open_fd = (void (*)(void)) nm_sudo_utils_open_fd;
|
||||
manager_class->_use_symbol_nm_priv_helper_call_get_fd =
|
||||
(void (*)(void)) nm_priv_helper_call_get_fd;
|
||||
manager_class->_use_symbol_nm_priv_helper_utils_open_fd =
|
||||
(void (*)(void)) nm_priv_helper_utils_open_fd;
|
||||
#endif
|
||||
|
||||
dbus_object_class->export_path = NM_DBUS_EXPORT_PATH_STATIC(NM_DBUS_PATH);
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
#include "src/core/nm-default-daemon.h"
|
||||
|
||||
#include "nm-sudo-call.h"
|
||||
#include "nm-priv-helper-call.h"
|
||||
|
||||
#include <gio/gunixfdlist.h>
|
||||
|
||||
|
@ -11,9 +11,9 @@
|
|||
/*****************************************************************************/
|
||||
|
||||
static void
|
||||
_nm_sudo_call_get_fd_cb(GObject *source, GAsyncResult *res, gpointer user_data)
|
||||
_nm_priv_helper_call_get_fd_cb(GObject *source, GAsyncResult *res, gpointer user_data)
|
||||
{
|
||||
NMSudoCallGetFDCallback callback;
|
||||
NMPrivHelperCallGetFDCallback callback;
|
||||
gpointer callback_data;
|
||||
gs_unref_variant GVariant *ret = NULL;
|
||||
gs_free_error GError *error = NULL;
|
||||
|
@ -35,7 +35,7 @@ _nm_sudo_call_get_fd_cb(GObject *source, GAsyncResult *res, gpointer user_data)
|
|||
if (!fd_list || g_unix_fd_list_get_length(fd_list) != 1) {
|
||||
nm_utils_error_set(&error,
|
||||
NM_UTILS_ERROR_UNKNOWN,
|
||||
"Unexpectedly not one FD is returned by nm-sudo GetFD()");
|
||||
"Unexpectedly not one FD is returned by nm-priv-helper GetFD()");
|
||||
callback(-1, error, callback_data);
|
||||
return;
|
||||
}
|
||||
|
@ -47,46 +47,48 @@ _nm_sudo_call_get_fd_cb(GObject *source, GAsyncResult *res, gpointer user_data)
|
|||
}
|
||||
|
||||
static gboolean
|
||||
_nm_sudo_call_get_fd_fail_on_idle(gpointer user_data)
|
||||
_nm_priv_helper_call_get_fd_fail_on_idle(gpointer user_data)
|
||||
{
|
||||
gs_unref_object GCancellable *cancellable = NULL;
|
||||
NMSudoCallGetFDCallback callback;
|
||||
NMPrivHelperCallGetFDCallback callback;
|
||||
gpointer callback_data;
|
||||
gs_free_error GError *error = NULL;
|
||||
|
||||
nm_utils_user_data_unpack(user_data, &cancellable, &callback, &callback_data);
|
||||
|
||||
if (!g_cancellable_set_error_if_cancelled(cancellable, &error))
|
||||
nm_utils_error_set(&error, NM_UTILS_ERROR_UNKNOWN, "Cannot talk to nm-sudo without D-Bus");
|
||||
nm_utils_error_set(&error,
|
||||
NM_UTILS_ERROR_UNKNOWN,
|
||||
"Cannot talk to nm-priv-helper without D-Bus");
|
||||
|
||||
callback(-1, error, callback_data);
|
||||
return G_SOURCE_REMOVE;
|
||||
}
|
||||
|
||||
void
|
||||
nm_sudo_call_get_fd(NMSudoGetFDType fd_type,
|
||||
nm_priv_helper_call_get_fd(NMPrivHelperGetFDType fd_type,
|
||||
GCancellable *cancellable,
|
||||
NMSudoCallGetFDCallback callback,
|
||||
NMPrivHelperCallGetFDCallback callback,
|
||||
gpointer user_data)
|
||||
{
|
||||
GDBusConnection *dbus_connection;
|
||||
|
||||
nm_assert(NM_IN_SET(fd_type, NM_SUDO_GET_FD_TYPE_OVSDB_SOCKET));
|
||||
nm_assert(NM_IN_SET(fd_type, NM_PRIV_HELPER_GET_FD_TYPE_OVSDB_SOCKET));
|
||||
nm_assert(!cancellable || G_IS_CANCELLABLE(cancellable));
|
||||
nm_assert(callback);
|
||||
|
||||
dbus_connection = NM_MAIN_DBUS_CONNECTION_GET;
|
||||
|
||||
if (!dbus_connection) {
|
||||
nm_g_idle_add(_nm_sudo_call_get_fd_fail_on_idle,
|
||||
nm_g_idle_add(_nm_priv_helper_call_get_fd_fail_on_idle,
|
||||
nm_utils_user_data_pack(g_object_ref(cancellable), callback, user_data));
|
||||
return;
|
||||
}
|
||||
|
||||
g_dbus_connection_call_with_unix_fd_list(dbus_connection,
|
||||
NM_SUDO_DBUS_BUS_NAME,
|
||||
NM_SUDO_DBUS_OBJECT_PATH,
|
||||
NM_SUDO_DBUS_IFACE_NAME,
|
||||
NM_PRIV_HELPER_DBUS_BUS_NAME,
|
||||
NM_PRIV_HELPER_DBUS_OBJECT_PATH,
|
||||
NM_PRIV_HELPER_DBUS_IFACE_NAME,
|
||||
"GetFD",
|
||||
g_variant_new("(u)", fd_type),
|
||||
G_VARIANT_TYPE("()"),
|
||||
|
@ -94,6 +96,6 @@ nm_sudo_call_get_fd(NMSudoGetFDType fd_type,
|
|||
10000,
|
||||
NULL,
|
||||
cancellable,
|
||||
_nm_sudo_call_get_fd_cb,
|
||||
_nm_priv_helper_call_get_fd_cb,
|
||||
nm_utils_user_data_pack(callback, user_data));
|
||||
}
|
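Review bot: In `nm_priv_helper_call_get_fd()` (hunk `@@ -47,46 +47,48`), the no-D-Bus fallback packs `g_object_ref(cancellable)` into the idle data, but the assertion a few lines above, `nm_assert(!cancellable || G_IS_CANCELLABLE(cancellable))`, explicitly allows a NULL cancellable, and `g_object_ref()` on NULL fails its precondition with a GLib critical. The idle callback itself tolerates NULL (`g_cancellable_set_error_if_cancelled()` accepts it and the `gs_unref_object` cleanup is a no-op on NULL), so only the ref needs guarding: `nm_utils_user_data_pack(nm_g_object_ref(cancellable), callback, user_data)`, or `cancellable ? g_object_ref(cancellable) : NULL` if the NULL-safe helper is not in scope here. The function's body continues in the next hunk (`@@ -94,6 +96,6`); the defect is carried over from the nm-sudo version rather than introduced by the rename.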
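--- a/src/core/nm-priv-helper-call.h
+++ b/src/core/nm-priv-helper-call.h
@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#ifndef __NM_PRIV_HELPER_CALL_H__
+#define __NM_PRIV_HELPER_CALL_H__
+
+#include "../libnm-base/nm-priv-helper-utils.h"
+
+typedef void (*NMPrivHelperCallGetFDCallback)(int fd_take, GError *error, gpointer user_data);
+
+void nm_priv_helper_call_get_fd(NMPrivHelperGetFDType fd_type,
+GCancellable *cancellable,
+NMPrivHelperCallGetFDCallback callback,
+gpointer user_data);
+
+#endif /* __NM_PRIV_HELPER_CALL_H__ */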
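Review bot: `#include "../libnm-base/nm-priv-helper-utils.h"` uses a parent-relative path, whereas the header it replaces had `#include "libnm-base/nm-sudo-utils.h"` and the rest of this commit keeps that form (`#include "libnm-base/nm-priv-helper-utils.h"` in src/nm-priv-helper/nm-priv-helper.c). The `..` form ties the header to its directory layout and bypasses the `src_inc`/`-I$(srcdir)/src` include root the build files set up. Suggest `#include "libnm-base/nm-priv-helper-utils.h"` for consistency.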
|
|
@ -1,15 +0,0 @@
|
|||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#ifndef __NM_SUDO_CALL_H__
|
||||
#define __NM_SUDO_CALL_H__
|
||||
|
||||
#include "libnm-base/nm-sudo-utils.h"
|
||||
|
||||
typedef void (*NMSudoCallGetFDCallback)(int fd_take, GError *error, gpointer user_data);
|
||||
|
||||
void nm_sudo_call_get_fd(NMSudoGetFDType fd_type,
|
||||
GCancellable *cancellable,
|
||||
NMSudoCallGetFDCallback callback,
|
||||
gpointer user_data);
|
||||
|
||||
#endif /* __NM_SUDO_CALL_H__ */
|
|
@ -5,7 +5,7 @@ libnm_base = static_library(
|
|||
sources: files(
|
||||
'nm-ethtool-base.c',
|
||||
'nm-net-aux.c',
|
||||
'nm-sudo-utils.c',
|
||||
'nm-priv-helper-utils.c',
|
||||
),
|
||||
include_directories: [
|
||||
src_inc,
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
#include "libnm-glib-aux/nm-default-glib-i18n-lib.h"
|
||||
|
||||
#include "nm-sudo-utils.h"
|
||||
#include "nm-priv-helper-utils.h"
|
||||
|
||||
#include <sys/socket.h>
|
||||
#include <sys/un.h>
|
||||
|
@ -12,14 +12,14 @@
|
|||
/*****************************************************************************/
|
||||
|
||||
int
|
||||
nm_sudo_utils_open_fd(NMSudoGetFDType fd_type, GError **error)
|
||||
nm_priv_helper_utils_open_fd(NMPrivHelperGetFDType fd_type, GError **error)
|
||||
{
|
||||
nm_auto_close int fd = -1;
|
||||
int r;
|
||||
int errsv;
|
||||
|
||||
switch (fd_type) {
|
||||
case NM_SUDO_GET_FD_TYPE_OVSDB_SOCKET:
|
||||
case NM_PRIV_HELPER_GET_FD_TYPE_OVSDB_SOCKET:
|
||||
{
|
||||
struct sockaddr_un sock;
|
||||
int sock_len;
|
||||
|
@ -48,7 +48,7 @@ nm_sudo_utils_open_fd(NMSudoGetFDType fd_type, GError **error)
|
|||
|
||||
return nm_steal_fd(&fd);
|
||||
}
|
||||
case NM_SUDO_GET_FD_TYPE_NONE:
|
||||
case NM_PRIV_HELPER_GET_FD_TYPE_NONE:
|
||||
default:
|
||||
nm_utils_error_set(error, NM_UTILS_ERROR_UNKNOWN, "invalid fd_type");
|
||||
return -EINVAL;
|
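--- a/src/libnm-base/nm-priv-helper-utils.h
+++ b/src/libnm-base/nm-priv-helper-utils.h
@@ -0,0 +1,23 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#ifndef __NM_PRIV_HELPER_UTILS_H__
+#define __NM_PRIV_HELPER_UTILS_H__
+
+/*****************************************************************************/
+
+#define NM_PRIV_HELPER_DBUS_BUS_NAME "org.freedesktop.nm-priv-helper"
+#define NM_PRIV_HELPER_DBUS_OBJECT_PATH "/org/freedesktop/nm-priv-helper"
+#define NM_PRIV_HELPER_DBUS_IFACE_NAME "org.freedesktop.nm-priv-helper"
+
+/*****************************************************************************/
+
+#define NM_OVSDB_SOCKET RUNSTATEDIR "/openvswitch/db.sock"
+
+typedef enum {
+NM_PRIV_HELPER_GET_FD_TYPE_NONE = 0,
+NM_PRIV_HELPER_GET_FD_TYPE_OVSDB_SOCKET = 1,
+} NMPrivHelperGetFDType;
+
+int nm_priv_helper_utils_open_fd(NMPrivHelperGetFDType fd_type, GError **error);
+
+#endif /* __NM_PRIV_HELPER_UTILS_H__ */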
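Review bot: `NM_PRIV_HELPER_DBUS_OBJECT_PATH` and `NM_PRIV_HELPER_DBUS_IFACE_NAME` contain a hyphen, which the D-Bus specification does not permit in object-path or interface-name elements (only `[A-Za-z0-9_]`); only bus names tolerate `-`, and there it is discouraged. GDBus validates interface names and object paths on its call and registration APIs, so `nm_priv_helper_call_get_fd()` in src/core/nm-priv-helper-call.c would presumably be refused before anything is sent, and the object registration behind the asserts in src/nm-priv-helper/nm-priv-helper.c would likely be rejected as well. Use underscores for all three: `#define NM_PRIV_HELPER_DBUS_BUS_NAME "org.freedesktop.nm_priv_helper"`, `#define NM_PRIV_HELPER_DBUS_OBJECT_PATH "/org/freedesktop/nm_priv_helper"`, `#define NM_PRIV_HELPER_DBUS_IFACE_NAME "org.freedesktop.nm_priv_helper"`. The same spelling is repeated in `BusName=` and `Alias=` of data/nm-priv-helper.service.in and in the `org.freedesktop.nm-priv-helper.service` activation file named in .gitignore, Makefile.am, the spec file and src/nm-priv-helper/meson.build, all of which need the matching rename.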
|
|
@ -1,23 +0,0 @@
|
|||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#ifndef __NM_SUDO_UTILS_H__
|
||||
#define __NM_SUDO_UTILS_H__
|
||||
|
||||
/*****************************************************************************/
|
||||
|
||||
#define NM_SUDO_DBUS_BUS_NAME "org.freedesktop.nm.sudo"
|
||||
#define NM_SUDO_DBUS_OBJECT_PATH "/org/freedesktop/nm/sudo"
|
||||
#define NM_SUDO_DBUS_IFACE_NAME "org.freedesktop.nm.sudo"
|
||||
|
||||
/*****************************************************************************/
|
||||
|
||||
#define NM_OVSDB_SOCKET RUNSTATEDIR "/openvswitch/db.sock"
|
||||
|
||||
typedef enum {
|
||||
NM_SUDO_GET_FD_TYPE_NONE = 0,
|
||||
NM_SUDO_GET_FD_TYPE_OVSDB_SOCKET = 1,
|
||||
} NMSudoGetFDType;
|
||||
|
||||
int nm_sudo_utils_open_fd(NMSudoGetFDType fd_type, GError **error);
|
||||
|
||||
#endif /* __NM_SUDO_UTILS_H__ */
|
|
@ -93,7 +93,7 @@ if enable_nmtui
|
|||
endif
|
||||
subdir('nmcli')
|
||||
subdir('nm-dispatcher')
|
||||
subdir('nm-sudo')
|
||||
subdir('nm-priv-helper')
|
||||
subdir('nm-daemon-helper')
|
||||
subdir('nm-online')
|
||||
if enable_nmtui
|
||||
|
|
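--- a/src/nm-priv-helper/README.md
+++ b/src/nm-priv-helper/README.md
@@ -0,0 +1,24 @@
+nm-priv-helper
+==============
+
+This is a D-Bus activatable, exit-on-idle service, which
+provides an internal API to NetworkManager daemon.
+
+This has no purpose for the user, it is an implementation detail
+of the daemon.
+
+The purpose is that `nm-priv-helper` can execute certain
+privileged operations which NetworkManager process is not
+allowed to. We want to sandbox NetworkManager as much as
+possible, and nm-priv-helper provides a controlled way to
+perform some very specific operations.
+
+As such, nm-priv-helper should still be sandboxed too to only
+being able to execute the operations that are necessary for
+NetworkManager.
+
+nm-priv-helper will reject all D-Bus requests that are not
+originating from the current name owner of
+"org.freedesktop.NetworkManager". That is, it is supposed to
+only reply to NetworkManager daemon and as such is not useful to
+the user directly.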
|
|
@ -1,20 +1,20 @@
|
|||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
|
||||
configure_file(
|
||||
input: 'org.freedesktop.nm.sudo.service.in',
|
||||
input: 'org.freedesktop.nm-priv-helper.service.in',
|
||||
output: '@BASENAME@',
|
||||
install_dir: dbus_system_bus_services_dir,
|
||||
configuration: data_conf,
|
||||
)
|
||||
|
||||
install_data(
|
||||
'nm-sudo.conf',
|
||||
'nm-priv-helper.conf',
|
||||
install_dir: dbus_conf_dir,
|
||||
)
|
||||
|
||||
executable(
|
||||
'nm-sudo',
|
||||
'nm-sudo.c',
|
||||
'nm-priv-helper',
|
||||
'nm-priv-helper.c',
|
||||
include_directories : [
|
||||
src_inc,
|
||||
top_inc,
|
|
@ -5,15 +5,15 @@
|
|||
#include <gio/gunixfdlist.h>
|
||||
|
||||
#include "c-list/src/c-list.h"
|
||||
#include "libnm-base/nm-sudo-utils.h"
|
||||
#include "libnm-base/nm-priv-helper-utils.h"
|
||||
#include "libnm-glib-aux/nm-dbus-aux.h"
|
||||
#include "libnm-glib-aux/nm-io-utils.h"
|
||||
#include "libnm-glib-aux/nm-logging-base.h"
|
||||
#include "libnm-glib-aux/nm-shared-utils.h"
|
||||
#include "libnm-glib-aux/nm-time-utils.h"
|
||||
|
||||
/* nm-sudo doesn't link with libnm-core nor libnm-base, but these headers
|
||||
* can be used independently. */
|
||||
/* nm-priv-helper doesn't link with libnm-core nor libnm-base, but these
|
||||
* headers can be used independently. */
|
||||
#include "libnm-core-public/nm-dbus-interface.h"
|
||||
|
||||
/*****************************************************************************/
|
||||
|
@ -57,7 +57,7 @@ struct _GlobalData {
|
|||
|
||||
bool name_owner_initialized;
|
||||
|
||||
/* This is controlled by $NM_SUDO_NO_AUTH_FOR_TESTING. It disables authentication
|
||||
/* This is controlled by $NM_PRIV_HELPER_NO_AUTH_FOR_TESTING. It disables authentication
|
||||
* of the request, so it is ONLY for testing. */
|
||||
bool no_auth_for_testing;
|
||||
|
||||
|
@ -116,10 +116,10 @@ _handle_get_fd(GlobalData *gl, GDBusMethodInvocation *invocation, guint32 fd_typ
|
|||
gs_unref_object GUnixFDList *fd_list = NULL;
|
||||
gs_free_error GError *error = NULL;
|
||||
|
||||
if (fd_type != (NMSudoGetFDType) fd_type)
|
||||
fd_type = NM_SUDO_GET_FD_TYPE_NONE;
|
||||
if (fd_type != (NMPrivHelperGetFDType) fd_type)
|
||||
fd_type = NM_PRIV_HELPER_GET_FD_TYPE_NONE;
|
||||
|
||||
fd = nm_sudo_utils_open_fd(fd_type, &error);
|
||||
fd = nm_priv_helper_utils_open_fd(fd_type, &error);
|
||||
if (fd < 0) {
|
||||
g_dbus_method_invocation_take_error(invocation, g_steal_pointer(&error));
|
||||
return;
|
||||
|
@ -275,8 +275,8 @@ _bus_method_call(GDBusConnection *connection,
|
|||
const char *arg_s;
|
||||
guint32 arg_u;
|
||||
|
||||
nm_assert(nm_streq(object_path, NM_SUDO_DBUS_OBJECT_PATH));
|
||||
nm_assert(nm_streq(interface_name, NM_SUDO_DBUS_IFACE_NAME));
|
||||
nm_assert(nm_streq(object_path, NM_PRIV_HELPER_DBUS_OBJECT_PATH));
|
||||
nm_assert(nm_streq(interface_name, NM_PRIV_HELPER_DBUS_IFACE_NAME));
|
||||
|
||||
if (!gl->no_auth_for_testing && !nm_streq0(sender, gl->name_owner)) {
|
||||
_LOGT("dbus: request sender=%s, %s%s, ACCESS DENIED",
|
||||
|
@ -312,7 +312,7 @@ _bus_method_call(GDBusConnection *connection,
|
|||
method_name,
|
||||
g_variant_get_type_string(parameters));
|
||||
|
||||
if (!nm_streq(interface_name, NM_SUDO_DBUS_IFACE_NAME))
|
||||
if (!nm_streq(interface_name, NM_PRIV_HELPER_DBUS_IFACE_NAME))
|
||||
goto out_unknown_method;
|
||||
|
||||
if (nm_streq(method_name, "GetFD")) {
|
||||
|
@ -335,7 +335,7 @@ out_unknown_method:
|
|||
}
|
||||
|
||||
static GDBusInterfaceInfo *const interface_info = NM_DEFINE_GDBUS_INTERFACE_INFO(
|
||||
NM_SUDO_DBUS_IFACE_NAME,
|
||||
NM_PRIV_HELPER_DBUS_IFACE_NAME,
|
||||
.methods = NM_DEFINE_GDBUS_METHOD_INFOS(
|
||||
NM_DEFINE_GDBUS_METHOD_INFO(
|
||||
"Ping",
|
||||
|
@ -360,25 +360,27 @@ _bus_register_service(GlobalData *gl)
|
|||
|
||||
gl->service_regist_id =
|
||||
g_dbus_connection_register_object(gl->dbus_connection,
|
||||
NM_SUDO_DBUS_OBJECT_PATH,
|
||||
NM_PRIV_HELPER_DBUS_OBJECT_PATH,
|
||||
interface_info,
|
||||
NM_UNCONST_PTR(GDBusInterfaceVTable, &interface_vtable),
|
||||
gl,
|
||||
NULL,
|
||||
&error);
|
||||
if (gl->service_regist_id == 0) {
|
||||
_LOGE("dbus: error registering object %s: %s", NM_SUDO_DBUS_OBJECT_PATH, error->message);
|
||||
_LOGE("dbus: error registering object %s: %s",
|
||||
NM_PRIV_HELPER_DBUS_OBJECT_PATH,
|
||||
error->message);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
_LOGD("dbus: object %s registered", NM_SUDO_DBUS_OBJECT_PATH);
|
||||
_LOGD("dbus: object %s registered", NM_PRIV_HELPER_DBUS_OBJECT_PATH);
|
||||
|
||||
/* regardless whether the request is successful, after we start calling
|
||||
* RequestName, we remember that we need to ReleaseName it. */
|
||||
gl->name_requested = TRUE;
|
||||
|
||||
nm_dbus_connection_call_request_name(gl->dbus_connection,
|
||||
NM_SUDO_DBUS_BUS_NAME,
|
||||
NM_PRIV_HELPER_DBUS_BUS_NAME,
|
||||
DBUS_NAME_FLAG_ALLOW_REPLACEMENT
|
||||
| DBUS_NAME_FLAG_REPLACE_EXISTING,
|
||||
10000,
|
||||
|
@ -396,7 +398,7 @@ _bus_register_service(GlobalData *gl)
|
|||
return FALSE;
|
||||
|
||||
if (error) {
|
||||
_LOGE("d-bus: failed to request name %s: %s", NM_SUDO_DBUS_BUS_NAME, error->message);
|
||||
_LOGE("d-bus: failed to request name %s: %s", NM_PRIV_HELPER_DBUS_BUS_NAME, error->message);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
|
@ -404,12 +406,12 @@ _bus_register_service(GlobalData *gl)
|
|||
|
||||
if (ret_val != DBUS_REQUEST_NAME_REPLY_PRIMARY_OWNER) {
|
||||
_LOGW("dbus: request name for %s failed to take name (response %u)",
|
||||
NM_SUDO_DBUS_BUS_NAME,
|
||||
NM_PRIV_HELPER_DBUS_BUS_NAME,
|
||||
ret_val);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
_LOGD("dbus: request name for %s succeeded", NM_SUDO_DBUS_BUS_NAME);
|
||||
_LOGD("dbus: request name for %s succeeded", NM_PRIV_HELPER_DBUS_BUS_NAME);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
@ -538,7 +540,7 @@ _bus_release_name(GlobalData *gl)
|
|||
DBUS_PATH_DBUS,
|
||||
DBUS_INTERFACE_DBUS,
|
||||
"ReleaseName",
|
||||
g_variant_new("(s)", NM_SUDO_DBUS_BUS_NAME),
|
||||
g_variant_new("(s)", NM_PRIV_HELPER_DBUS_BUS_NAME),
|
||||
G_VARIANT_TYPE("(u)"),
|
||||
G_DBUS_CALL_FLAGS_NONE,
|
||||
10000,
|
||||
|
@ -554,8 +556,13 @@ static void
|
|||
_initial_setup(GlobalData *gl)
|
||||
{
|
||||
gl->no_auth_for_testing =
|
||||
_nm_utils_ascii_str_to_int64(g_getenv(_ENV("NM_SUDO_NO_AUTH_FOR_TESTING")), 0, 0, 1, 0);
|
||||
gl->timeout_msec = _nm_utils_ascii_str_to_int64(g_getenv(_ENV("NM_SUDO_IDLE_TIMEOUT_MSEC")),
|
||||
_nm_utils_ascii_str_to_int64(g_getenv(_ENV("NM_PRIV_HELPER_NO_AUTH_FOR_TESTING")),
|
||||
0,
|
||||
0,
|
||||
1,
|
||||
0);
|
||||
gl->timeout_msec =
|
||||
_nm_utils_ascii_str_to_int64(g_getenv(_ENV("NM_PRIV_HELPER_IDLE_TIMEOUT_MSEC")),
|
||||
0,
|
||||
0,
|
||||
G_MAXINT32,
|
||||
|
@ -580,17 +587,17 @@ main(int argc, char **argv)
|
|||
int exit_code;
|
||||
int r = 0;
|
||||
|
||||
_nm_logging_enabled_init(g_getenv(_ENV("NM_SUDO_LOG")));
|
||||
_nm_logging_enabled_init(g_getenv(_ENV("NM_PRIV_HELPER_LOG")));
|
||||
|
||||
gl->start_timestamp_msec = nm_utils_clock_gettime_msec(CLOCK_BOOTTIME);
|
||||
|
||||
_LOGD("starting nm-sudo (%s)", NM_DIST_VERSION);
|
||||
_LOGD("starting nm-priv-helper (%s)", NM_DIST_VERSION);
|
||||
|
||||
_initial_setup(gl);
|
||||
|
||||
if (gl->no_auth_for_testing) {
|
||||
_LOGW("WARNING: running in debug mode without authentication "
|
||||
"(NM_SUDO_NO_AUTH_FOR_TESTING). ");
|
||||
"(NM_PRIV_HELPER_NO_AUTH_FOR_TESTING). ");
|
||||
}
|
||||
|
||||
if (gl->timeout_msec != IDLE_TIMEOUT_INFINITY)
|
|
@ -3,11 +3,11 @@
|
|||
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
|
||||
<busconfig>
|
||||
<policy user="root">
|
||||
<allow own="org.freedesktop.nm.sudo"/>
|
||||
<allow send_destination="org.freedesktop.nm.sudo"/>
|
||||
<allow own="org.freedesktop.nm.priv-helper"/>
|
||||
<allow send_destination="org.freedesktop.nm.priv-helper"/>
|
||||
</policy>
|
||||
<policy context="default">
|
||||
<deny own="org.freedesktop.nm.sudo"/>
|
||||
<deny send_destination="org.freedesktop.nm.sudo"/>
|
||||
<deny own="org.freedesktop.nm.priv-helper"/>
|
||||
<deny send_destination="org.freedesktop.nm.priv-helper"/>
|
||||
</policy>
|
||||
</busconfig>
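Review bot: The bus name this policy grants and denies, `org.freedesktop.nm.priv-helper`, is not the name the helper actually registers — the new D-Bus service file in this same commit declares `Name=org.freedesktop.nm-priv-helper` (hyphen, no dot), and the meson hunk installs `org.freedesktop.nm-priv-helper.service.in` under that spelling. With the strings disagreeing, the root `<allow own=…>`/`<allow send_destination=…>` pair and the default-context `<deny …>` pair govern a name nobody uses, so the helper's RequestName would presumably be refused by the system bus's default policy, and the explicit deny for unprivileged callers never engages; the sender check inside the helper still holds, but the bus-level second layer is lost. The four `org.freedesktop.nm.priv-helper` occurrences should become `org.freedesktop.nm-priv-helper`, or both files should move together to one spelling (D-Bus discourages `-` in bus names, so an underscore form may be the better target). To keep the two from drifting again I would add `<!-- must match the Name= in org.freedesktop.nm-priv-helper.service.in and the bus name compiled into nm-priv-helper -->` at the top of this file.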
|
|
@ -0,0 +1,5 @@
|
|||
[D-BUS Service]
|
||||
Name=org.freedesktop.nm-priv-helper
|
||||
Exec=@libexecdir@/nm-priv-helper
|
||||
User=root
|
||||
SystemdService=dbus-org.freedesktop.nm-priv-helper.service
|
|
@ -1,21 +0,0 @@
|
|||
nm-sudo
|
||||
=======
|
||||
|
||||
This is a D-Bus activatable, exit-on-idle service, which
|
||||
provides an internal API to NetworkManager daemon.
|
||||
|
||||
This has no purpose for the user, it is an implementation detail
|
||||
of the daemon.
|
||||
|
||||
The purpose is that `nm-sudo` can execute certain operations,
|
||||
which NetworkManager process is not allowed to. We want to
|
||||
sandbox NetworkManager as much as possible, and nm-sudo provides
|
||||
a controlled way to perform some very specific operations.
|
||||
|
||||
As such, nm-sudo should still be sandboxed too to only being
|
||||
able to execute the operations that are necessary for NetworkManager.
|
||||
|
||||
nm-sudo will reject all D-Bus requests that are not originating
|
||||
from the current name owner of "org.freedesktop.NetworkManager".
|
||||
That is, it is supposed to only reply to NetworkManager daemon
|
||||
and as such is not useful to the user directly.
|
|
@ -1,5 +0,0 @@
|
|||
[D-BUS Service]
|
||||
Name=org.freedesktop.nm.sudo
|
||||
Exec=@libexecdir@/nm-sudo
|
||||
User=root
|
||||
SystemdService=dbus-org.freedesktop.nm.sudo.service
|