Hi Thomas, thanks for your response.

I have previously used
org.freedesktop.NetworkManager.settings.modify.system to allow or deny
authorization of wifi connections. This works in scenarios where the policy
is focused on allowing/denying known connections, or on fully allowing/denying
actions or use of NM by some users. As you said, this is not flexible enough
to describe more granular policies. On the other hand, custom scripting of
requests to the currently existing NM PolicyKit org.freedesktop.NetworkManager.*
actions won't provide any advantage for this granularity. Moreover, if asking
for a new AP security schema requires launching a connection, at some early
point NM should provide some hook or new request to this custom PolicyKit action.

I think that the described policy is very usual and widely required, and I
thought there would be something more widely established already. How is it
being solved, and what tools are currently used to apply these policies in
corporate environments?

Thank you,

On Sun, 16 Jun 2019 at 8:28, Thomas Haller (<thal...@redhat.com>)
wrote:

> On Sat, 2019-06-15 at 14:36 +0200, Daniel Vázquez via networkmanager-
> list wrote:
> > Hi guys!!
> >
> > I want to set up a connection security policy like whitelist rules or
> > similar, something like:
> > - Users can connect only to any AP with WPA2 security
> > - Users can connect only to any AP in this list [{ssid:wnet01,
> > mac:E8:AD:A6:BC:EF:F2}, {ssid:wnet02, mac:B0:BE:76:73:20:8E}, ...]
> >
> > First, I looked for any configuration option available in NM, but I
> > didn't find any. Then I wrote a little script to test it, running from
> > /etc/NetworkManager/dispatcher.d/pre-up.d/, which runs when the AP
> > connection is established. But I can see that the script is executed
> > after the connection is fully established and a valid IP obtained. That's
> > not desired; I want to test whether the AP is OK with our policies before
> > fully establishing the connection, at least before a fully established
> > connection with an IP obtained and other pre-shared data. We want to
> > test that the policies are OK by running the script in the preparing
> > connection state or pre-authentication state or a similar earlier stage.
> >
> > I monitored the nm connection process, and I can see nm manages the
> > following stages:
> >
> > wlo1: connecting (prepare)
> > wlo1: using connection 'wnet02'
> > wlo1: NetworkManager: is now in the 'connecting' state
> > wlo1: connecting (need authentication)
> > wlo1: connecting (prepare)
> > wlo1: connecting (configuring)
> > wlo1: connecting (getting IP configuration)
> > wlo1: connecting (checking IP connectivity)
> > wlo1: connecting (starting secondary connections)
> > wlo1: conected
> > ...
> > ...
> >
> > How can we run a script in the first four stages?
> > Is there any other way, approach or recommendation to apply these security
> > policies?
> >
> > Thank you guys!!
>
>
> Hi,
>
>
> NetworkManager uses PolicyKit, see the available policy-kit actions:
>
>  $ nmcli general permissions
>
> and their comment at
>
>
> https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/data/org.freedesktop.NetworkManager.policy.in.in?id=7d3a957c98edbc2874e8826e29c90e2fc39c4d70
>
>
> Also, a profile can be either restricted to a user, by setting
>
>   nmcli connection modify x_dummy connection.permissions "$USERNAME"
>
> or it is not.
>
> Depending on whether a profile is restricted, the user requires different
> permissions to be able to perform certain actions. For example,
>
>   org.freedesktop.NetworkManager.settings.modify.system
>
> vs
>
>   org.freedesktop.NetworkManager.settings.modify.own
>
> Another relevant permission to your question is
>
>   org.freedesktop.NetworkManager.network-control
>
>
> Note that the root user (user-id 0) always gets a pass, regardless of what
> you configure in PolicyKit.
>
>
> In PolicyKit you can write your own scripts to answer requests in any way
> you want, but only the existing permissions (PolicyKit actions) that
> NetworkManager knows are available there.
>
>
> I am not sure the system is flexible enough to do exactly what you want.
> Maybe.
>
>
> best,
> Thomas
>
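As an added example (not code from this thread or from the NetworkManager project), here is a polkit rules.d-style rule that answers the three NetworkManager actions Thomas names: members of an assumed `netadmin` group may modify system profiles and control the network, while everyone else is limited to profiles restricted to them with connection.permissions. The decision is kept in a plain function so it can be exercised outside polkitd; the group name and the chosen yes/no policy are assumptions.

```javascript
// Added example: a polkit rules.d(5) rule for the NetworkManager actions
// named in the thread. The group name "netadmin" is an assumption.
"use strict";

// Action IDs defined by NetworkManager's .policy file. Only these IDs reach
// polkit; the rule never sees the SSID or BSSID of the AP being joined, which
// is why per-AP policies cannot be expressed here.
var NM_ACTIONS = {
  modifySystem: "org.freedesktop.NetworkManager.settings.modify.system",
  modifyOwn: "org.freedesktop.NetworkManager.settings.modify.own",
  networkControl: "org.freedesktop.NetworkManager.network-control"
};
var ADMIN_GROUP = "netadmin"; // assumed group name

// Pure decision function: returns "yes", "no", or null (not handled, so the
// .policy defaults apply). `subject` mirrors polkit's Subject object, which
// exposes .user and .isInGroup(name). Root is never consulted here, because
// NetworkManager bypasses polkit for uid 0 entirely.
function decideNmAction(actionId, subject) {
  if (actionId.indexOf("org.freedesktop.NetworkManager.") !== 0) return null;
  var isAdmin = subject.isInGroup(ADMIN_GROUP);
  switch (actionId) {
    case NM_ACTIONS.modifySystem:
    case NM_ACTIONS.networkControl:
      return isAdmin ? "yes" : "no";
    case NM_ACTIONS.modifyOwn:
      return "yes"; // profile already limited by connection.permissions
    default:
      return null; // other NM actions keep their default auth_* setting
  }
}

// When loaded by polkitd (e.g. as /etc/polkit-1/rules.d/50-nm.rules) the
// `polkit` global exists and the rule is registered; under Node it is absent
// and the function is simply exported for testing.
if (typeof polkit !== "undefined") {
  polkit.addRule(function (action, subject) {
    var r = decideNmAction(action.id, subject);
    if (r === "yes") return polkit.Result.YES;
    if (r === "no") return polkit.Result.NO;
    return polkit.Result.NOT_HANDLED;
  });
} else if (typeof module !== "undefined") {
  module.exports = { decideNmAction: decideNmAction, NM_ACTIONS: NM_ACTIONS };
}
```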
_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list