network-manager-applet r1238 - trunk



Author: dcbw
Date: Tue Mar 31 16:08:19 2009
New Revision: 1238
URL: http://svn.gnome.org/viewvc/network-manager-applet?rev=1238&view=rev

Log:
2009-03-31  Dan Williams  <dcbw redhat com>

	* configure.ac
	  Makefile.am
		- Check D-Bus version; use different applet dbus conf files for
			D-Bus >= 1.2.6 which uses deny-by-default processing.  New
			conf file fixes issues with 'root' also being at_console,
			where at_console permissions would deny root access to 
			applet secrets

	* nm-applet.conf
		- Remove; now generated

	* nm-applet-pre-dbus-126.conf
		- D-Bus config for dbus < 1.2.6

	* nm-applet-dbus-126.conf
		- D-Bus config for dbus >= 1.2.6 (from Tambet)



Added:
   trunk/nm-applet-dbus-126.conf
   trunk/nm-applet-pre-dbus-126.conf
Removed:
   trunk/nm-applet.conf
Modified:
   trunk/ChangeLog
   trunk/Makefile.am
   trunk/configure.ac

Modified: trunk/Makefile.am
==============================================================================
--- trunk/Makefile.am	(original)
+++ trunk/Makefile.am	Tue Mar 31 16:08:19 2009
@@ -9,6 +9,16 @@
 dbusservicedir = $(DBUS_SYS_DIR)
 dbusservice_DATA = nm-applet.conf
 
+DBUS_126_CONF = nm-applet-dbus-126.conf
+DBUS_PRE_126_CONF = nm-applet-pre-dbus-126.conf
+
+nm-applet.conf:
+if HAVE_DBUS_126
+	cp -f $(DBUS_126_CONF) nm-applet.conf
+else
+	cp -f $(DBUS_PRE_126_CONF) nm-applet.conf
+endif
+
 autostartdir = $(sysconfdir)/xdg/autostart
 autostart_in_files = nm-applet.desktop.in
 autostart_DATA = $(autostart_in_files:.desktop.in=.desktop)
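Review bot: The `nm-applet.conf:` rule has no prerequisites, so once the file exists make treats it as up to date, and re-running configure against a different D-Bus version will not replace the generated policy until `make clean`. The two source files differ in how access to the Secrets interface is restricted, so a stale copy is a security-relevant outcome rather than a cosmetic one. Listing the inputs, e.g. `nm-applet.conf: $(DBUS_126_CONF) $(DBUS_PRE_126_CONF) Makefile`, would regenerate it when a source file or the configure result changes. The bare `cp -f $(DBUS_126_CONF) nm-applet.conf` also resolves the source relative to the build directory, so a build outside the source tree would likely fail; `cp -f $(srcdir)/$(DBUS_126_CONF) $@` avoids that, and the same applies to the `else` branch.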
@@ -19,13 +29,15 @@
 @INTLTOOL_DESKTOP_RULE@
 
 EXTRA_DIST += \
-	$(dbusservice_DATA) \
 	$(autostart_in_files) \
-	$(desktop_in_files)
+	$(desktop_in_files) \
+	$(DBUS_126_CONF) \
+	$(DBUS_PRE_126_CONF)
 
 CLEANFILES = \
 	$(autostart_DATA) \
-	$(desktop_DATA)
+	$(desktop_DATA) \
+	$(dbusservice_DATA)
 
 DISTCLEANFILES = intltool-extract intltool-merge intltool-update
 

Modified: trunk/configure.ac
==============================================================================
--- trunk/configure.ac	(original)
+++ trunk/configure.ac	Tue Mar 31 16:08:19 2009
@@ -112,6 +112,10 @@
 fi
 AC_SUBST(DBUS_CFLAGS)
 
+# Check for dbus-1.2.6 or later for deny-by-default rules
+PKG_CHECK_MODULES(DBUS_126, [dbus-1 >= 1.2.6], [have_dbus_126=yes],[have_dbus_126=no])
+AM_CONDITIONAL(HAVE_DBUS_126, test x"$have_dbus_126" = "xyes")
+
 #### PolicyKit checks; need at least 0.6 or later
 PKG_CHECK_EXISTS(polkit-gnome,[have_polkit_gnome=yes],[have_polkit_gnome=no])
 if test x"$have_polkit_gnome" = "xyes"; then
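Review bot: The `PKG_CHECK_MODULES(DBUS_126, ...)` line picks the policy file from the dbus-1 pkg-config version on the build machine, while deny-by-default is a property of the bus daemon that loads the file at run time. A package built against one D-Bus and installed next to another would ship the wrong variant, and the 1.2.6 file itself warns about information leakage on older daemons. A comment above the check would make that assumption visible, e.g. `# NOTE: selects the installed bus policy at build time; rebuild if the target's dbus-daemon crosses 1.2.6`. Since only the yes/no result is used here, `PKG_CHECK_EXISTS([dbus-1 >= 1.2.6], [have_dbus_126=yes], [have_dbus_126=no])` would match the polkit-gnome check below and avoid defining `DBUS_126_CFLAGS`/`DBUS_126_LIBS`, which appear to be unused.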

Added: trunk/nm-applet-dbus-126.conf
==============================================================================
--- (empty file)
+++ trunk/nm-applet-dbus-126.conf	Tue Mar 31 16:08:19 2009
@@ -0,0 +1,42 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd";>
+<busconfig>
+	<!--
+	     WARNING: if running any D-Bus version prior to 1.2.6, you may be
+	     vulnerable to information leakage via the NM D-Bus interface.
+	     Previous D-Bus versions did not deny-by-default, and this permissions
+	     config file assumes that D-Bus will deny rules by default unless
+	     explicitly over-ridden with an <allow /> tag.
+	 -->
+
+        <policy user="root">
+                <allow own="org.freedesktop.NetworkManagerUserSettings"/>
+
+                <allow send_destination="org.freedesktop.NetworkManagerUserSettings"
+                       send_interface="org.freedesktop.NetworkManagerSettings"/>
+
+                <allow send_destination="org.freedesktop.NetworkManagerUserSettings"
+                       send_interface="org.freedesktop.NetworkManagerSettings.Connection"/>
+
+                <!-- Only root can get secrets -->
+                <allow send_destination="org.freedesktop.NetworkManagerUserSettings"
+                       send_interface="org.freedesktop.NetworkManagerSettings.Connection.Secrets"/>
+        </policy>
+        <policy at_console="true">
+                <allow own="org.freedesktop.NetworkManagerUserSettings"/>
+
+                <allow send_destination="org.freedesktop.NetworkManagerUserSettings"
+                       send_interface="org.freedesktop.NetworkManagerSettings"/>
+
+                <allow send_destination="org.freedesktop.NetworkManagerUserSettings"
+                       send_interface="org.freedesktop.NetworkManagerSettings.Connection"/>
+        </policy>
+        <policy context="default">
+                <allow send_destination="org.freedesktop.NetworkManagerUserSettings"
+                       send_interface="org.freedesktop.DBus.Introspectable"/>
+        </policy>
+
+        <limit name="max_replies_per_connection">512</limit>
+</busconfig>
+
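Review bot: The restriction on the Secrets interface is implicit in this file: the `at_console` and `default` policies simply have no allow rule for `org.freedesktop.NetworkManagerSettings.Connection.Secrets`, and the only comment about it sits in the root policy. A comment in the `at_console` block, such as `<!-- Secrets interface deliberately not allowed here; relies on D-Bus >= 1.2.6 deny-by-default -->`, would keep a later edit from adding a blanket `send_destination` allow that exposes secrets to console users. Separately, the `;` after the DTD URL on the DOCTYPE line (also in nm-applet-pre-dbus-126.conf) looks like a mail-archive rendering artifact. If it is in the committed file, the declaration would not be well-formed XML, so it is worth checking.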

Added: trunk/nm-applet-pre-dbus-126.conf
==============================================================================
--- (empty file)
+++ trunk/nm-applet-pre-dbus-126.conf	Tue Mar 31 16:08:19 2009
@@ -0,0 +1,32 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd";>
+<busconfig>
+        <policy user="root">
+                <allow own="org.freedesktop.NetworkManagerUserSettings"/>
+
+                <allow send_destination="org.freedesktop.NetworkManagerUserSettings"/>
+
+		<!-- Only root can get secrets -->
+		<allow send_destination="org.freedesktop.NetworkManagerUserSettings"
+		       send_interface="org.freedesktop.NetworkManagerSettings.Connection.Secrets"/>
+        </policy>
+        <policy at_console="true">
+                <allow own="org.freedesktop.NetworkManagerUserSettings"/>
+
+                <allow send_destination="org.freedesktop.NetworkManagerUserSettings"/>
+
+                <!-- Only root can get secrets -->
+                <deny send_destination="org.freedesktop.NetworkManagerUserSettings"
+                      send_interface="org.freedesktop.NetworkManagerSettings.Connection.Secrets"/>
+        </policy>
+        <policy context="default">
+                <deny send_destination="org.freedesktop.NetworkManagerUserSettings"/>
+
+                <allow send_destination="org.freedesktop.NetworkManagerUserSettings"
+                       send_interface="org.freedesktop.DBus.Introspectable"/>
+        </policy>
+
+        <limit name="max_replies_per_connection">512</limit>
+</busconfig>
+
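Review bot: The `at_console` policy here keeps the `<deny>` on `org.freedesktop.NetworkManagerSettings.Connection.Secrets`, which per the commit log is what denies root access to applet secrets when root is also at the console, so builds against D-Bus < 1.2.6 appear to retain that behaviour. If that is accepted for old D-Bus versions, a comment at the top of the file should say so, for example `<!-- For D-Bus < 1.2.6 only: the at_console deny below also applies to a root session at the console -->`. In the root policy the blanket `<allow send_destination="org.freedesktop.NetworkManagerUserSettings"/>` already covers every interface, so the interface-specific Secrets allow after it adds nothing and could be dropped or explained. The root-policy comment and Secrets rule are indented with tabs while the rest of the file uses spaces.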


