diff options
author | Thomas Haller <thaller@redhat.com> | 2014-08-19 18:56:23 +0200 |
---|---|---|
committer | Thomas Haller <thaller@redhat.com> | 2014-09-29 13:51:11 +0200 |
commit | 53e244bef637c3e4004961651d4ed23eda7393b5 (patch) | |
tree | fcc07fb0b3fe5ecab3b2b5c00587a9075a3d8ee7 | |
parent | eabe7d856c243673bbaba3295ce74d72e188596d (diff) |
auth: support disabling POLKIT authentication entirely at compile time
Let the user completly disable polkit authentication by
building NM with configure option '--enable-polkit=disabled'.
In that case, configuring 'main.auth-polkit=yes' will fail all
authentication requests (except root-requests, which are always granted).
This reduces the size of the NetworkManager binary by some 26KB (16KB
stripped).
Signed-off-by: Thomas Haller <thaller@redhat.com>
-rw-r--r-- | configure.ac | 24 | ||||
-rw-r--r-- | src/nm-auth-manager.c | 17 | ||||
-rw-r--r-- | src/nm-auth-manager.h | 3 | ||||
-rw-r--r-- | src/nm-auth-subject.c | 4 | ||||
-rw-r--r-- | src/nm-auth-subject.h | 4 | ||||
-rw-r--r-- | src/nm-auth-utils.c | 11 |
6 files changed, 58 insertions, 5 deletions
diff --git a/configure.ac b/configure.ac index 93fc135265..13bd82d203 100644 --- a/configure.ac +++ b/configure.ac @@ -457,9 +457,14 @@ else fi AM_CONDITIONAL(WITH_TEAMDCTL, test "${enable_teamdctl}" = "yes") -AC_ARG_ENABLE(polkit, AS_HELP_STRING([--enable-polkit], [set default value for auth-polkit configuration option]), +# we usually compile with polkit support. --enable-polkit=yes|no only sets the +# default configuration for main.auth-polkit. User can always enable/disable polkit +# autorization via config. Only when specifying --enable-polkit=disabled, we do +# not compile support. In this case, the user cannot enable polkit authorization via +# configuration. +AC_ARG_ENABLE(polkit, AS_HELP_STRING([--enable-polkit=yes|no|disabled], [set default value for auth-polkit configuration option. This value can be overwritten by NM configuration. 'disabled' compiles NM without any support]), [enable_polkit=${enableval}], [enable_polkit=yes]) -if (test "${enable_polkit}" != "no"); then +if (test "${enable_polkit}" != "no" -a "${enable_polkit}" != "disabled"); then enable_polkit=yes AC_DEFINE(NM_CONFIG_DEFAULT_AUTH_POLKIT, TRUE, [The default value of the auth-polkit configuration option]) NM_CONFIG_DEFAULT_AUTH_POLKIT_TEXT='true' @@ -467,6 +472,11 @@ else AC_DEFINE(NM_CONFIG_DEFAULT_AUTH_POLKIT, FALSE, [The default value of the auth-polkit configuration option]) NM_CONFIG_DEFAULT_AUTH_POLKIT_TEXT='false' fi +if (test "${enable_polkit}" != "disabled"); then + AC_DEFINE(WITH_POLKIT, 1, [whether to compile polkit support]) +else + AC_DEFINE(WITH_POLKIT, 0, [whether to compile polkit support]) +fi AC_SUBST(NM_CONFIG_DEFAULT_AUTH_POLKIT_TEXT) AC_ARG_ENABLE(modify-system, @@ -961,10 +971,14 @@ echo echo "Platform:" echo " session tracking: $with_session_tracking" echo " suspend/resume: $with_suspend_resume" -if test "${enable_modify_system}" = "yes"; then - echo " policykit: yes (permissive modify.system) (default=${enable_polkit})" +if test "${enable_polkit}" = "yes"; then + if test "${enable_modify_system}" = "yes"; then + echo " policykit: yes (permissive modify.system) (default=${enable_polkit})" + else + echo " policykit: yes (restrictive modify.system) (default=${enable_polkit})" + fi else - echo " policykit: yes (restrictive modify.system) (default=${enable_polkit})" + echo " policykit: no" fi echo " selinux: $have_selinux" echo diff --git a/src/nm-auth-manager.c b/src/nm-auth-manager.c index 092248fa5f..07996709d5 100644 --- a/src/nm-auth-manager.c +++ b/src/nm-auth-manager.c @@ -66,10 +66,12 @@ static guint signals[LAST_SIGNAL] = {0}; typedef struct { gboolean polkit_enabled; +#if WITH_POLKIT guint call_id_counter; GCancellable *new_proxy_cancellable; GSList *queued_calls; GDBusProxy *proxy; +#endif } NMAuthManagerPrivate; static NMAuthManager *_instance = NULL; @@ -100,6 +102,8 @@ nm_auth_manager_get_polkit_enabled (NMAuthManager *self) /*****************************************************************************/ +#if WITH_POLKIT + typedef enum { POLKIT_CHECK_AUTHORIZATION_FLAGS_NONE = 0, POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION = (1<<0), @@ -477,6 +481,8 @@ _dbus_new_proxy_cb (GObject *source_object, _emit_changed_signal (self); } +#endif + /*****************************************************************************/ NMAuthManager * @@ -548,6 +554,7 @@ constructed (GObject *object) G_OBJECT_CLASS (nm_auth_manager_parent_class)->constructed (object); +#if WITH_POLKIT _LOGD ("create auth-manager: polkit %s", priv->polkit_enabled ? "enabled" : "disabled"); if (priv->polkit_enabled) { @@ -567,6 +574,12 @@ constructed (GObject *object) _dbus_new_proxy_cb, p_self); } +#else + if (priv->polkit_enabled) + _LOGW ("create auth-manager: polkit disabled at compile time. All authentication requests will fail"); + else + _LOGD ("create auth-manager: polkit disabled at compile time"); +#endif } @@ -574,10 +587,13 @@ static void dispose (GObject *object) { NMAuthManager* self = NM_AUTH_MANAGER (object); +#if WITH_POLKIT NMAuthManagerPrivate *priv = NM_AUTH_MANAGER_GET_PRIVATE (self); +#endif _LOGD ("dispose"); +#if WITH_POLKIT /* since we take a reference for each queued call, we don't expect to have any queued calls in dispose() */ g_assert (!priv->queued_calls); @@ -591,6 +607,7 @@ dispose (GObject *object) g_signal_handlers_disconnect_by_func (priv->proxy, _dbus_on_g_signal_cb, self); g_clear_object (&priv->proxy); } +#endif G_OBJECT_CLASS (nm_auth_manager_parent_class)->dispose (object); } diff --git a/src/nm-auth-manager.h b/src/nm-auth-manager.h index 3f5ebc6589..06cd00867d 100644 --- a/src/nm-auth-manager.h +++ b/src/nm-auth-manager.h @@ -62,6 +62,8 @@ NMAuthManager *nm_auth_manager_get (void); gboolean nm_auth_manager_get_polkit_enabled (NMAuthManager *self); +#if WITH_POLKIT + void nm_auth_manager_polkit_authority_check_authorization (NMAuthManager *self, NMAuthSubject *subject, const char *action_id, @@ -75,6 +77,7 @@ gboolean nm_auth_manager_polkit_authority_check_authorization_finish (NMAuthMana gboolean *out_is_challenge, GError **error); +#endif G_END_DECLS diff --git a/src/nm-auth-subject.c b/src/nm-auth-subject.c index f982616677..fa3b5dca47 100644 --- a/src/nm-auth-subject.c +++ b/src/nm-auth-subject.c @@ -150,6 +150,8 @@ nm_auth_subject_to_string (NMAuthSubject *self, char *buf, gsize buf_len) return buf; } +#if WITH_POLKIT + /* returns a floating variant */ GVariant * nm_auth_subject_unix_process_to_polkit_gvariant (NMAuthSubject *self) @@ -171,6 +173,8 @@ nm_auth_subject_unix_process_to_polkit_gvariant (NMAuthSubject *self) return ret; } +#endif + NMAuthSubjectType nm_auth_subject_get_subject_type (NMAuthSubject *subject) { diff --git a/src/nm-auth-subject.h b/src/nm-auth-subject.h index 4e1d83162f..cc004fa90c 100644 --- a/src/nm-auth-subject.h +++ b/src/nm-auth-subject.h @@ -82,6 +82,10 @@ gulong nm_auth_subject_get_unix_process_uid (NMAuthSubject *subject); const char *nm_auth_subject_to_string (NMAuthSubject *self, char *buf, gsize buf_len); +#if WITH_POLKIT + GVariant * nm_auth_subject_unix_process_to_polkit_gvariant (NMAuthSubject *self); +#endif + #endif /* __NETWORKMANAGER_AUTH_SUBJECT_H__ */ diff --git a/src/nm-auth-utils.c b/src/nm-auth-utils.c index 0a652507e9..77b0fd1088 100644 --- a/src/nm-auth-utils.c +++ b/src/nm-auth-utils.c @@ -298,6 +298,7 @@ auth_call_cancel (gpointer user_data) } } +#if WITH_POLKIT static void pk_call_cb (GObject *object, GAsyncResult *result, gpointer user_data) { @@ -345,6 +346,7 @@ pk_call_cb (GObject *object, GAsyncResult *result, gpointer user_data) auth_call_complete (call); } +#endif void nm_auth_chain_add_call (NMAuthChain *self, @@ -369,6 +371,7 @@ nm_auth_chain_add_call (NMAuthChain *self, call->call_idle_id = g_idle_add ((GSourceFunc) auth_call_complete, call); } else { /* Non-root always gets authenticated when using polkit */ +#if WITH_POLKIT call->cancellable = g_cancellable_new (); nm_auth_manager_polkit_authority_check_authorization (auth_manager, self->subject, @@ -377,6 +380,14 @@ nm_auth_chain_add_call (NMAuthChain *self, call->cancellable, pk_call_cb, call); +#else + if (!call->chain->error) { + call->chain->error = g_error_new_literal (DBUS_GERROR, + DBUS_GERROR_FAILED, + "Polkit support is disabled at compile time"); + } + call->call_idle_id = g_idle_add ((GSourceFunc) auth_call_complete, call); +#endif } } |