author | Thomas Haller <thaller@redhat.com> | 2019-12-05 13:54:27 +0100 |
---|---|---|
committer | Thomas Haller <thaller@redhat.com> | 2019-12-10 07:53:25 +0100 |
commit | 50a12ce2d57b7bcd7f7c8a5bb9ad0f4b77a3ec71 (patch) | |
tree | 312437d1d36c9e93c297e60e532492f2ead00f5f /clients | |
parent | b650d1d181a2993108d669beb22b035043c08398 (diff) | |
download | NetworkManager-50a12ce2d57b7bcd7f7c8a5bb9ad0f4b77a3ec71.tar.gz |

core: also return unknown permission check result

For example with

    mount -o remount,rw,hidepid=1 /proc/

all permission checks will fail with an error. Internally, we map the
failure to NM_AUTH_CALL_RESULT_UNKNOWN.

    <trace> [1575645672.5958] auth: call[1069]: CheckAuthorization(org.freedesktop.NetworkManager.enable-disable-connectivity-check), subject=unix-process[pid=468316, uid=1000, start=1912881]
    <trace> [1575645672.6295] auth: call[1069]: completed: failed: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file “/proc/468316/status”: No such file or directory
    <debug> [1575645672.6296] manager: unknown auth chain result 0

First of all, we should not log a debug message about that (we already log the
result of permission checks separately).

Also, we should include the unknown result in the response. The permission was
checked, and omitting it from GetPermissions() result seems wrong (even if we
failed to get the result).

Note that "unknown" is now a new possible return value on D-Bus. But
see how nm_permission_result_to_client() would map such a value to
"unknown" as well. So, it's probably a fine extension of the D-Bus API.

Note that NMClient API is currently quite limited. The user won't know
whether permissions were received (and if they were received, they
could not distinguish between UNKNOWN and absent). Hence, returning
all permissions as unknown (or not at all) causes `nmcli general permissions`
to hang. The solution here is to improve NMClient API to allow the user
to know when the permissions are received. But this patch doesn't
fix the hanging of nmcli nor the limitation of NMClient's API.

Diffstat (limited to 'clients')
-rw-r--r-- | clients/cli/general.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/clients/cli/general.c b/clients/cli/general.c index 123cc5b4fc..8d9e1b3929 100644 --- a/clients/cli/general.c +++ b/clients/cli/general.c @@ -582,7 +582,10 @@ got_permissions (NmCli *nmc) NMClientPermission perm; /* The server returns all the permissions at once, so if at least one is there - * we already received the reply. */ + * we already received the reply. + * + * FIXME: this is wrong, because all permissions could be unknown. We should instead + * have a signal in NMClient to indicate when permissions are received. */ for (perm = NM_CLIENT_PERMISSION_NONE + 1; perm <= NM_CLIENT_PERMISSION_LAST; perm++) { if (nm_client_get_permission_result (nmc->client, perm) != NM_CLIENT_PERMISSION_RESULT_UNKNOWN) return TRUE; |
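
Review bot: The FIXME added to the comment in got_permissions() records that the loop below it is wrong but leaves the loop unchanged, so when every permission comes back as NM_CLIENT_PERMISSION_RESULT_UNKNOWN the loop never reaches `return TRUE` and nothing tells the code waiting on got_permissions() that the reply has arrived. The commit message says this case makes `nmcli general permissions` hang, and the core side of this change makes an all-unknown reply a normal outcome (for example with hidepid on /proc), so the comment should name that symptom explicitly. Until NMClient gains the signal the FIXME asks for, consider bounding the wait in nmcli, for instance with a timeout that prints the permissions as unknown, so the client-visible behaviour does not get worse with this change.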