Add new Reload D-Bus command to reload NetworkManager configuration.
For now, this is like sending SIGHUP to the process. There are several
advantages here:
- it is guarded via PolicyKit authentication while signals
can only be sent by root.
- the user can wait for the reload to be complete instead of sending
an asynchronous signal. For now, we operation completes after
nm_config_reload() returns, but later we could delay the response
further until specific parts are fully reloaded.
- SIGHUP reloads everything including re-reading configuration from
disk while SIGUSR1 reloads just certain parts such as writing out DNS
configuration anew.
Now, the Reload command has a flags argument which is more granular
in selecting parts which are to be reloaded. For example, via
signals the user can:
1) send SIGUSR1: this writes out the DNS configuration to
resolv.conf and possibly reloads other parts without
re-reading configuration and without restarting the DNS plugin.
2) send SIGHUP: this reloads configuration from disk,
writes out resolv.conf and restarts the DNS plugin.
There is no way, to only restart the DNS plugin without also reloading
everything else.
Polkit documentation suggests that <allow_any> applies to all
clients, but that's actually not the case. allow_any,
allow_inactive, and allow_active are evaluated individually based
on whether the user is local and active (allow_active), local and
inactive (allow_inactive), and not local (allow_any). Thus all
three allow options must be specified for any authorization other
than 'no'.
Add --enable-modify-system, to change the default for
org.freedesktop.NetworkManager.settings.modify.system to allow users
to edit system connections without needing to authenticate.
For now, until we figure out a better story here. We don't necessarily
want to require an admin password just to connect to a wifi network
after installing, but for now lets be secure-by-default while we figure
out the right solution.
This policy will allow users to modify their personal connections (ie
maybe VPN connections, etc) distinctly from system-wide connections that
affect more than just their user. It makes sense to be more lenient when
making changes to settings that don't affect other users.
Meaning stays the same, but this will allow us to differentiate
in the future between personal connections (ie, just visible to
one user) and system connections (visible to more than one user).
Moves the system settings permissions checking into the core service's
permissions checking, which at the same time enables 3-way permission
reporting (yes, no, auth) instead of the old yes/no that we had for
system settings permissions before. This allows UI to show a lock
icon or such when the user could authenticate to gain the permission.
It also moves the wifi-create permissions' namespace to the main
namespace (not .settings) since they really should be checked before
starting a shared wifi connection, rather than having anything to do
with the settings service.
Just for consistency, make settings related stuff live under the
org.freedesktop.NetworkManager namespace, rather than its own
org.freedesktop.NetworkManagerSettings namespace. Renames are done for
DBus interface names, DBus object paths, and polkit actions.
PK's "allow_inactive" actually means "allow inactive *local* users", so
we do want to allow inactive local users to provide user connections.
We don't want to allow non-local inactive users to provide user connections.
So make the use-user-connections privilege match for both active and
inactive so we get the behavior we want.
Default to 'not allowed', distros that need backwards compatibility
can flip this to 'yes' if they need to. At this point, only power
management scripts should call these functions.
Since the new PolicyKit does away with easy checking of authorizations,
we get to implement it by ourselves, but that's OK since we can actually
use it for a lot more stuff. So add the GetPermissions call which returns
the permissions the caller actually has, and a signal informing callers
that their permissions might have changed. Hook this all up to
PolicyKit so it's useful.