Re: Connection policies control
On Sat, 2019-06-15 at 14:36 +0200, Daniel Vázquez via networkmanager-
list wrote:
Hi guys!!

I want to set up a connection security policy, like whitelist rules or
similar, something like:
- Users can connect only to APs with WPA2 security
- Users can connect only to APs in this list [{ssid:wnet01,
mac:E8:AD:A6:BC:EF:F2}, {ssid:wnet02, mac:B0:BE:76:73:20:8E}, ...]

First, I looked for any configuration option available in NM, but I
didn't find any. Then I wrote a little script to test it, running from
/etc/NetworkManager/dispatcher.d/pre-up.d/, which runs when the AP
connection is established. But I can see that the script is executed
after the connection is fully established and a valid IP obtained. That's
not desired; I want to test whether the AP is OK with our policies before
the connection is fully established, at least before a fully established
connection with an IP obtained and other pre-shared data. We want to
test that the policies are OK by running the script in the preparing-connection
state or pre-authentication state or a similar earlier stage.

I monitored the NM connection process, and I can see NM goes through the
following stages:

wlo1: connecting (prepare)
wlo1: using connection 'wnet02'
wlo1: NetworkManager: is now in the 'connecting' state
wlo1: connecting (need authentication)
wlo1: connecting (prepare)
wlo1: connecting (configuring)
wlo1: connecting (getting IP configuration)
wlo1: connecting (checking IP connectivity)
wlo1: connecting (starting secondary connections)
wlo1: connected
...
...

How can we run a script in the first four stages?
Is there any other way, approach or recommendation to apply these security
policies?

Thank you guys!!


Hi,


NetworkManager uses PolicyKit, see the available policy-kit actions:

 $ nmcli general permissions

and their comments at

  https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/data/org.freedesktop.NetworkManager.policy.in.in?id=7d3a957c98edbc2874e8826e29c90e2fc39c4d70


Also, a profile is either restricted to a user, by setting

  nmcli connection modify x_dummy connection.permissions "$USERNAME"

or it is not.

Depending on whether a profile is restricted, the user requires different
permissions to be able to perform certain actions. For example, 

  org.freedesktop.NetworkManager.settings.modify.system

vs

  org.freedesktop.NetworkManager.settings.modify.own

Another relevant permission to your question is

  org.freedesktop.NetworkManager.network-control


Note that the root user (user-id 0) always gets a pass, regardless of what you configure
in PolicyKit.


In PolicyKit you can write your own scripts to answer requests in any way you want,
but only the existing permissions (PolicyKit actions) that NetworkManager knows are
available there.


I am not sure the system is flexible enough to do exactly what you want. Maybe.


best,
Thomas
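As an added example of the PolicyKit approach Thomas describes (this is not code from the thread or from the NetworkManager project), here is a polkit rules file that decides the NetworkManager actions named above. It assumes a local group "netadmin" whose members may control network state and edit system-wide profiles; that group name is an assumption, and so is the file name /etc/polkit-1/rules.d/10-networkmanager.rules. The action ids are the real ones NetworkManager registers. Note the caveat from the reply: uid 0 is authorized by NetworkManager itself and never reaches these rules, so a "no" here does not bind root.

```javascript
// Added example (not from the thread): /etc/polkit-1/rules.d/10-networkmanager.rules
// Assumption: a local group "netadmin" of users allowed to change network state.
// Under polkit the global `polkit` exists; the fallback lets the decision function run
// stand-alone (e.g. in node) for testing. The strings are the values polkit.Result carries.
var Result = (typeof polkit !== "undefined") ? polkit.Result
  : { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" };

// PolicyKit action ids NetworkManager registers (see `nmcli general permissions`).
var NM_PREFIX = "org.freedesktop.NetworkManager.";
var ADMIN_ONLY = [
  NM_PREFIX + "network-control",         // activate / deactivate connections
  NM_PREFIX + "settings.modify.system"   // edit profiles not restricted to one user
];
var SELF_ALLOWED = [
  NM_PREFIX + "settings.modify.own"      // edit profiles restricted to the caller
];

// action.id, subject.isInGroup(), subject.local and subject.active are the fields
// polkit passes to rule callbacks (see polkit(8)).
function decideNetworkManagerAction(action, subject) {
  if (action.id.indexOf(NM_PREFIX) !== 0) {
    return Result.NOT_HANDLED;           // not an NM action: leave it to other rules
  }
  // Root (uid 0) is authorized by NetworkManager before polkit is consulted,
  // so this rule cannot restrict it; it only governs unprivileged users.
  if (ADMIN_ONLY.indexOf(action.id) !== -1) {
    return subject.isInGroup("netadmin") ? Result.YES : Result.NO;
  }
  if (SELF_ALLOWED.indexOf(action.id) !== -1) {
    // A user at an active local seat may edit their own profiles;
    // a remote or inactive session must authenticate as an administrator.
    return (subject.local && subject.active) ? Result.YES : Result.AUTH_ADMIN;
  }
  return Result.NOT_HANDLED;             // other NM actions keep their .policy defaults
}

if (typeof polkit !== "undefined") {
  polkit.addRule(decideNetworkManagerAction);
}
```

Drop the file into /etc/polkit-1/rules.d/ and check the outcome for a given user with `nmcli general permissions` run as that user. Rules are evaluated in file-name order and the first one that returns something other than NOT_HANDLED wins, so keep this file's number low if other rules touch the same actions.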