Commit 5c313970 authored by Dan Williams's avatar Dan Williams

core: don't auto-activate user connections if the user lacks permissions

parent ae4b47ca
......@@ -241,6 +241,7 @@ enum {
CONNECTION_UPDATED,
CONNECTION_REMOVED,
CHECK_PERMISSIONS,
USER_PERMISSIONS_CHANGED,
LAST_SIGNAL
};
......@@ -1224,6 +1225,8 @@ static gboolean
user_settings_authorized (NMManager *self, NMAuthChain *chain)
{
NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (self);
NMAuthCallResult old_net_perm = priv->user_net_perm;
NMAuthCallResult old_con_perm = priv->user_con_perm;
/* If the user could potentially get authorization to use networking and/or
* to use user connections, the user settings service is authorized.
......@@ -1234,6 +1237,9 @@ user_settings_authorized (NMManager *self, NMAuthChain *chain)
nm_log_dbg (LOGD_USER_SET, "User connections permissions: net %d, con %d",
priv->user_net_perm, priv->user_con_perm);
if (old_net_perm != priv->user_net_perm || old_con_perm != priv->user_con_perm)
g_signal_emit (self, signals[USER_PERMISSIONS_CHANGED], 0);
/* If the user can't control the network they certainly aren't allowed
* to provide user connections.
*/
......@@ -3755,6 +3761,15 @@ impl_manager_set_logging (NMManager *manager,
/* Connections */
gboolean
nm_manager_auto_user_connections_allowed (NMManager *self)
{
NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (self);
return priv->user_net_perm == NM_AUTH_CALL_RESULT_YES
&& priv->user_con_perm == NM_AUTH_CALL_RESULT_YES;
}
static int
connection_sort (gconstpointer pa, gconstpointer pb)
{
......@@ -4388,6 +4403,14 @@ nm_manager_class_init (NMManagerClass *manager_class)
g_cclosure_marshal_VOID__VOID,
G_TYPE_NONE, 0);
signals[USER_PERMISSIONS_CHANGED] =
g_signal_new ("user-permissions-changed",
G_OBJECT_CLASS_TYPE (object_class),
G_SIGNAL_RUN_FIRST,
0, NULL, NULL,
g_cclosure_marshal_VOID__VOID,
G_TYPE_NONE, 0);
/* StateChange is DEPRECATED */
signals[STATE_CHANGE] =
g_signal_new ("state-change",
......
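Review bot: nm_manager_auto_user_connections_allowed() dereferences its argument through NM_MANAGER_GET_PRIVATE with no validation, and nothing on the function says that it deliberately fails closed. Since this new public predicate gates a permission decision, a guard such as `g_return_val_if_fail (NM_IS_MANAGER (self), FALSE);` would keep a bad caller on the deny path. A short comment above the function should state that only an explicit NM_AUTH_CALL_RESULT_YES for both network control and user connections allows auto-activation, and that every other result is treated as "not allowed". The values that user_net_perm and user_con_perm hold before the first auth chain completes are not visible in these hunks, so it is worth confirming they cannot start out as YES.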
......@@ -111,6 +111,8 @@ NMState nm_manager_get_state (NMManager *manager);
GSList *nm_manager_get_connections (NMManager *manager, NMConnectionScope scope);
gboolean nm_manager_auto_user_connections_allowed (NMManager *manager);
NMConnection * nm_manager_get_connection_by_object_path (NMManager *manager,
NMConnectionScope scope,
const char *path);
......
......@@ -633,7 +633,8 @@ auto_activate_device (gpointer user_data)
/* System connections first, then user connections */
connections = nm_manager_get_connections (policy->manager, NM_CONNECTION_SCOPE_SYSTEM);
connections = g_slist_concat (connections, nm_manager_get_connections (policy->manager, NM_CONNECTION_SCOPE_USER));
if (nm_manager_auto_user_connections_allowed (policy->manager))
connections = g_slist_concat (connections, nm_manager_get_connections (policy->manager, NM_CONNECTION_SCOPE_USER));
/* Remove connections that are in the invalid list. */
iter = connections;
......@@ -652,13 +653,11 @@ auto_activate_device (gpointer user_data)
best_connection = nm_device_get_best_auto_connection (data->device, connections, &specific_object);
if (best_connection) {
GError *error = NULL;
const char *device_path;
device_path = nm_device_get_path (data->device);
if (!nm_manager_activate_connection (policy->manager,
best_connection,
specific_object,
device_path,
nm_device_get_path (data->device),
FALSE,
&error)) {
NMSettingConnection *s_con;
......@@ -1013,6 +1012,12 @@ connection_removed (NMManager *manager,
g_ptr_array_free (list, TRUE);
}
static void
manager_user_permissions_changed (NMManager *manager, NMPolicy *policy)
{
schedule_activate_all (policy);
}
NMPolicy *
nm_policy_new (NMManager *manager, NMVPNManager *vpn_manager)
{
......@@ -1088,6 +1093,10 @@ nm_policy_new (NMManager *manager, NMVPNManager *vpn_manager)
G_CALLBACK (connection_removed), policy);
policy->signal_ids = g_slist_append (policy->signal_ids, (gpointer) id);
id = g_signal_connect (manager, "user-permissions-changed",
G_CALLBACK (manager_user_permissions_changed), policy);
policy->signal_ids = g_slist_append (policy->signal_ids, (gpointer) id);
return policy;
}
......
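Review bot: Losing permission is only handled for future activations. manager_user_permissions_changed() reacts to every change, including YES to not-YES, by calling schedule_activate_all(), and the new check in auto_activate_device() only drops user connections from the candidate list. As far as these hunks show, a user connection that was auto-activated while the permissions were YES stays up after they are revoked; the bodies of schedule_activate_all() and auto_activate_device() lie outside the hunks, so this is inferred. If that is intended, say so at the handler, e.g. `/* Permission loss only stops future auto-activation; already-active user connections are left up. */`. Otherwise the handler should check nm_manager_auto_user_connections_allowed() and deactivate user-scope connections that were auto-activated.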