mirror of
https://gitlab.freedesktop.org/NetworkManager/NetworkManager
synced 2024-09-15 22:29:58 +00:00
f137b32d31
NetworkManager runs as root and has lots of capabilities. We want to reduce the attach surface by dropping capabilities, but there is a genuine need to do certain things. For example, we currently require dac_override capability, to open the unix socket of ovsdb. Most users wouldn't use OVS, so we should find a way to not require that dac_override capability. The solution is to have a separate, D-Bus activate service (nm-sudo), which has the capability to open and provide the file descriptor. For authentication, we only rely on D-Bus. We watch the name owner of NetworkManager, and only accept requests from that service. We trust D-Bus to get it right a request from that name owner is really coming from NetworkManager. If we couldn't trust that, how could PolicyKit or any authentication via D-Bus work? For testing, the user can set NM_SUDO_NO_AUTH_FOR_TESTING=1. https://bugzilla.redhat.com/show_bug.cgi?id=1921826 |
||
|---|---|---|
| .. | ||
| 00-server.conf | ||
| 20-connectivity-fedora.conf | ||
| 20-connectivity-redhat.conf | ||
| 70-nm-connectivity.conf | ||
| build.sh | ||
| build_clean.sh | ||
| mockbuild.sh | ||
| NetworkManager.conf | ||
| NetworkManager.spec | ||
| README | ||
| release.sh | ||
# To build RPM packages for Fedora derivates directly from git, just do: # # preparation: # git clone https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git cd NetworkManager git checkout $WHATEVER ./contrib/fedora/REQUIRED_PACKAGES # # build the packages. Pass --help for usage help. # ./contrib/fedora/rpm/build_clean.sh # # install # sudo dnf install ./contrib/fedora/rpm/latest/RPMS/x86_64/*rpm # To generate a clean build from git using mock, run: ./contrib/fedora/rpm/mockbuild.sh