* @short_description: Functions for registering security modules
*/
+enum connman_security_privilege {
+ CONNMAN_SECURITY_PRIVILEGE_PUBLIC = 0,
+ CONNMAN_SECURITY_PRIVILEGE_MODIFY = 1,
+ CONNMAN_SECURITY_PRIVILEGE_SECRET = 2,
+};
+
#define CONNMAN_SECURITY_PRIORITY_LOW -100
#define CONNMAN_SECURITY_PRIORITY_DEFAULT 0
#define CONNMAN_SECURITY_PRIORITY_HIGH 100
struct connman_security {
const char *name;
int priority;
- int (*authorize_sender) (const char *sender);
+ int (*authorize_sender) (const char *sender,
+ enum connman_security_privilege privilege);
};
extern int connman_security_register(struct connman_security *security);
<policyconfig>
<vendor>Connection Manager</vendor>
- <icon_name>stock_internet</icon_name>
+ <icon_name>network-wireless</icon_name>
<action id="org.moblin.connman.modify">
- <description>Modify configuration</description>
+ <description>Settings configuration</description>
<message>Policy prevents modification of settings</message>
<defaults>
<allow_inactive>no</allow_inactive>
</defaults>
</action>
- <action id="org.moblin.connman.passphrase">
- <description>Passphrase configuration</description>
- <message>Policy prevents modification of passphrases</message>
+ <action id="org.moblin.connman.secret">
+ <description>Secrets configuration</description>
+ <message>Policy prevents modification of secrets</message>
<defaults>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep_always</allow_active>
#include <connman/dbus.h>
#include <connman/log.h>
-#define ACTION "org.moblin.connman.modify"
+#define ACTION_MODIFY "org.moblin.connman.modify"
+#define ACTION_SECRET "org.moblin.connman.secret"
static DBusConnection *connection;
static PolKitContext *polkit_context;
-static int polkit_authorize(const char *sender)
+static int polkit_authorize(const char *sender,
+ enum connman_security_privilege privilege)
{
DBusError error;
PolKitCaller *caller;
PolKitAction *action;
PolKitResult result;
+ const char *id;
DBG("sender %s", sender);
+ switch (privilege) {
+ case CONNMAN_SECURITY_PRIVILEGE_PUBLIC:
+ return 0;
+ case CONNMAN_SECURITY_PRIVILEGE_MODIFY:
+ id = ACTION_MODIFY;
+ break;
+ case CONNMAN_SECURITY_PRIVILEGE_SECRET:
+ id = ACTION_SECRET;
+ break;
+ }
+
dbus_error_init(&error);
caller = polkit_caller_new_from_dbus_name(connection, sender, &error);
}
action = polkit_action_new();
- polkit_action_set_action_id(action, ACTION);
+ polkit_action_set_action_id(action, id);
result = polkit_context_is_caller_authorized(polkit_context,
action, caller, TRUE, NULL);
DBG("conn %p", conn);
+ if (__connman_security_check_privilege(msg,
+ CONNMAN_SECURITY_PRIVILEGE_PUBLIC) < 0)
+ return __connman_error_permission_denied(msg);
+
reply = dbus_message_new_method_return(msg);
if (reply == NULL)
return NULL;
dbus_message_iter_next(&iter);
dbus_message_iter_recurse(&iter, &value);
- if (__connman_security_check_privileges(msg) < 0)
+ if (__connman_security_check_privilege(msg,
+ CONNMAN_SECURITY_PRIVILEGE_MODIFY) < 0)
return __connman_error_permission_denied(msg);
return g_dbus_create_reply(msg, DBUS_TYPE_INVALID);
#include <connman/security.h>
-int __connman_security_check_privileges(DBusMessage *message);
+int __connman_security_check_privilege(DBusMessage *message,
+ enum connman_security_privilege privilege);
#include <connman/ipv4.h>
DBG("conn %p", conn);
+ if (__connman_security_check_privilege(msg,
+ CONNMAN_SECURITY_PRIVILEGE_PUBLIC) < 0)
+ return __connman_error_permission_denied(msg);
+
reply = dbus_message_new_method_return(msg);
if (reply == NULL)
return NULL;
dbus_message_iter_next(&iter);
dbus_message_iter_recurse(&iter, &value);
- if (__connman_security_check_privileges(msg) < 0)
+ if (__connman_security_check_privilege(msg,
+ CONNMAN_SECURITY_PRIVILEGE_MODIFY) < 0)
return __connman_error_permission_denied(msg);
if (g_str_equal(name, "Powered") == TRUE) {
{
DBG("conn %p", conn);
- if (__connman_security_check_privileges(msg) < 0)
+ if (__connman_security_check_privilege(msg,
+ CONNMAN_SECURITY_PRIVILEGE_MODIFY) < 0)
return __connman_error_permission_denied(msg);
return __connman_error_invalid_arguments(msg);
{
DBG("conn %p", conn);
- if (__connman_security_check_privileges(msg) < 0)
+ if (__connman_security_check_privilege(msg,
+ CONNMAN_SECURITY_PRIVILEGE_MODIFY) < 0)
return __connman_error_permission_denied(msg);
return __connman_error_invalid_arguments(msg);
DBG("conn %p", conn);
+ if (__connman_security_check_privilege(msg,
+ CONNMAN_SECURITY_PRIVILEGE_PUBLIC) < 0)
+ return __connman_error_permission_denied(msg);
+
reply = dbus_message_new_method_return(msg);
if (reply == NULL)
return NULL;
dbus_message_iter_next(&iter);
dbus_message_iter_recurse(&iter, &value);
- if (__connman_security_check_privileges(msg) < 0)
+ if (__connman_security_check_privilege(msg,
+ CONNMAN_SECURITY_PRIVILEGE_MODIFY) < 0)
return __connman_error_permission_denied(msg);
if (g_str_equal(name, "Policy") == TRUE) {
DBG("conn %p", conn);
+ if (__connman_security_check_privilege(msg,
+ CONNMAN_SECURITY_PRIVILEGE_PUBLIC) < 0)
+ return __connman_error_permission_denied(msg);
+
reply = dbus_message_new_method_return(msg);
if (reply == NULL)
return NULL;
dbus_message_iter_next(&iter);
dbus_message_iter_recurse(&iter, &value);
- if (__connman_security_check_privileges(msg) < 0)
+ if (__connman_security_check_privilege(msg,
+ CONNMAN_SECURITY_PRIVILEGE_MODIFY) < 0)
return __connman_error_permission_denied(msg);
if (g_str_equal(name, "Remember") == TRUE) {
DBG("conn %p", conn);
- if (__connman_security_check_privileges(msg) < 0)
+ if (__connman_security_check_privilege(msg,
+ CONNMAN_SECURITY_PRIVILEGE_MODIFY) < 0)
return __connman_error_permission_denied(msg);
if (network->connected == TRUE)
DBG("conn %p", conn);
- if (__connman_security_check_privileges(msg) < 0)
+ if (__connman_security_check_privilege(msg,
+ CONNMAN_SECURITY_PRIVILEGE_MODIFY) < 0)
return __connman_error_permission_denied(msg);
if (network->connected == FALSE)
security_list = g_slist_remove(security_list, security);
}
-int __connman_security_check_privileges(DBusMessage *message)
+int __connman_security_check_privilege(DBusMessage *message,
+ enum connman_security_privilege privilege)
{
GSList *list;
const char *sender;
DBG("%s", security->name);
if (security->authorize_sender) {
- err = security->authorize_sender(sender);
+ err = security->authorize_sender(sender, privilege);
break;
}
}