[oe] [PATCH 2/5] networkmanager: introduce polkit package config

Andreas Müller schnitzeltony at gmail.com
Thu Jan 17 19:57:08 UTC 2019


On Thu, Jan 17, 2019 at 8:09 PM Stefan Agner <stefan at agner.ch> wrote:
>
> On 17.01.2019 18:50, Andreas Müller wrote:
> > On Thu, Jan 17, 2019 at 5:27 PM Stefan Agner <stefan at agner.ch> wrote:
> > Hi Stefan,
> >
> > sorry but don't like this patch as is:
> >>
> >> From: Stefan Agner <stefan.agner at toradex.com>
> >>
> >> Currently polkit is enabled if systemd is in package config. Those
> >> two things are orthogonal: NetworkManager can be used with systemd
> >> and without polkit just fine.
> > Did you test this (=change networkmanager connections settings) as an
> > unprivileged user?
>
> Works as expected: need to be root to change connection settings :-)
>
> We plan to use D-Bus and D-Bus policies (<policy> tags) to allow some
> settings to unprivileged users/groups.
>
> >>
> >> Introduce a new polkit package config and enable it depending on
> >> whether polkit is in DISTRO_FEATURES.
> >
> > * it changes the current behaviour and the default suggested by
> > configure.ac: 'we usually compile with polkit support.' and
> > meson.build sets polkit by default.
>
> Yes, this changes default behavior. I did not do that lightly, but I
> think it is sensible to have a global policy on polkit, and also let
> NetworkManager follow it. I guess the change in default behavior needs
> to be pointed out in the documentation e.g. in the chapter "Moving to
> the Yocto Project 2.7 Release".
>
> Throughout OpenEmbedded we had vastly different behavior wrt polkit.
> ConnMan disables it by default without any option to enable it. Quite
> some packages make it dependent on systemd, some have just a local
> package config polkit etc...
>
> We have a WiFi capable headless device with restricted flash and would
> like to use NetworkManager. Using polkit pulls in mozjs, which is rather
> large. We do not need interactive authentication capabilities, since our
> device does not allow direct user interaction...
>
>
> > * as far as I know there is no polkit DISTRO_FEATURE in metaverse yet.
>
> Hm, yes, we definitely should add polkit. How can I do this?
>
> >
> > I suggest to add polkit PACKAGECONFIG if systemd is in DISTRO_FEATURES
> > - if you don't want polkit you can add a PACKAGECONFIG_remove =
> > "polkit" somewhere.
>
> Yes, I know that. We had this in place so far.
>
> However, rather than having a bunch of PACKAGECONFIG, I'd rather have a
> distro wide policy on polkit. I did send an email to oe-core with a
> cover letter, and since that patch got merged, I was assuming that
> polkit as a distro policy is the way to go.
> http://lists.openembedded.org/pipermail/openembedded-core/2019-January/278021.html
>
Am aware of what you want: Reduce image size.
Still don't like changing defaults because settings cannot be changed
by unprivileged users (and machines connected to network should not
run as root and this is what might be the consequence for lazy
people). And this would be another OE/Yocto default many other distros
don't have. BTW: The connection to systemd DISTRO_FEATURE was
introduced by me and there was a reason for it - but I don't remember
- it is a long time ago and maybe it is not necessary any more.

How about inverting the logic: As long as no 'extra-setting' is done,
polkit is enabled by default (as suggested by the packets). Would a
DISTRO feature 'no-polkit' be something with which you could reach your target?

Andreas

