FS#48984 - [networkmanager] hidepid incompatible with default networkmanager-1.1.x configuration

Attached to Project: Arch Linux
Opened by Celti Burroughs (Celti) - Saturday, 16 April 2016, 21:55 GMT
Last edited by Jan Alexander Steffens (heftig) - Sunday, 24 April 2016, 11:37 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Jan de Groot (JGC), Jan Alexander Steffens (heftig)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

NetworkManager 1.1.x refuses to connect to its clients (nmcli, nm-applet) when procfs is configured with hidepid. Adding SupplementaryGroups=proc to NetworkManager.service (as is already done for logind in the hidepid package) resolves this.

Additional info:
* networkmanager-1.1.93, 1.1.94; hidepid-*

Debian bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819808
Upstream bug report: https://bugzilla.gnome.org/show_bug.cgi?id=764502
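The report above describes the workaround as a one-line unit change. The following shell script is an added example, not code from the bug report, the hidepid package or NetworkManager: it reads the procfs mount options, decides whether hidepid is in force, resolves the gid= exemption group (falling back to the name 'proc' that the Arch hidepid package uses, which is an assumption here), and prints the systemd drop-in the reporter added to NetworkManager.service. SAMPLE_OPTS is a constructed option string used when /proc/mounts is unavailable.

```shell
#!/bin/sh
# Added example (not from the bug report, the hidepid package or NetworkManager).
# Inspect the procfs mount for hidepid/gid and print the SupplementaryGroups
# drop-in that lets a service see other users' /proc entries.
# Assumption: the exemption group is called 'proc' when gid= is absent or
# cannot be resolved (Arch hidepid package convention).

# Print the value of KEY in a comma-separated mount option string, or nothing.
# Usage: mount_opt OPTS KEY
mount_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p"
}

# "yes" if the options enable hidepid (numeric 1/2, or the named forms
# noaccess/invisible/ptraceable on newer kernels), otherwise "no".
needs_proc_group() {
    case "$(mount_opt "$1" hidepid)" in
        ''|0|off) echo no ;;
        *)        echo yes ;;
    esac
}

# Name of the group that hidepid exempts (gid= option), falling back to "proc".
proc_group() {
    gid=$(mount_opt "$1" gid)
    if [ -n "$gid" ]; then
        name=$(getent group "$gid" 2>/dev/null | cut -d: -f1)
        if [ -n "$name" ]; then
            echo "$name"
            return 0
        fi
    fi
    echo proc
}

# The drop-in the reporter added to NetworkManager.service, for GROUP.
drop_in() {
    printf '[Service]\nSupplementaryGroups=%s\n' "$1"
}

# Mount options of the live procfs mount (4th field of /proc/mounts), or empty.
live_proc_opts() {
    if [ -r /proc/mounts ]; then
        awk '$2 == "/proc" && $3 == "proc" { print $4; exit }' /proc/mounts
    fi
    return 0
}

# Constructed sample: what /proc/mounts shows with hidepid=2 and an exemption gid.
SAMPLE_OPTS='rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=26'

main() {
    opts=$(live_proc_opts)
    [ -n "$opts" ] || opts=$SAMPLE_OPTS
    echo "procfs options: $opts"
    if [ "$(needs_proc_group "$opts")" = yes ]; then
        grp=$(proc_group "$opts")
        echo "hidepid active; drop-in for /etc/systemd/system/NetworkManager.service.d/hidepid.conf:"
        drop_in "$grp"
    else
        echo "hidepid not active; no drop-in needed"
    fi
}
main
```

After writing the drop-in, `systemctl daemon-reload && systemctl restart NetworkManager` applies it. Note that the comments later in this task explain why upstream preferred fixing NetworkManager's auth path over granting the service group membership or CAP_SYS_PTRACE; the drop-in is the distribution-specific workaround, not the upstream fix.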

Closed by  Jan Alexander Steffens (heftig)
Sunday, 24 April 2016, 11:37 GMT
Reason for closing:  Fixed
Additional comments about closing:  nm 1.2.0-2
Comment by Celti Burroughs (Celti) - Friday, 22 April 2016, 05:29 GMT
I did some more digging and found another solution (submitted upstream), namely adding CAP_SYS_PTRACE to CapabilityBoundingSet. That one's portable across distributions (the presence/gid of the 'proc' group for access to /proc is Arch-specific) so I assume it will become the upstream default.
Comment by Celti Burroughs (Celti) - Friday, 22 April 2016, 12:53 GMT
After discussion upstream neither SupplementaryGroups nor CAP_SYS_PTRACE was decided to be desirable; NetworkManager's auth mechanism has been patched to work with hidepid as long as polkitd can access the necessary processes.

Relevant commit on the nm-1-2 development branch: https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=nm-1-2&id=4f06ae603e268f237d439afe3f3e7e662a0c2727
Comment by Daniel Micay (thestinger) - Friday, 22 April 2016, 13:14 GMT
The polkitd package adds the user it runs as to the proc group, so it already works there.