{"object_kind":"push","event_name":"push","before":"dc3beb479fc07fbdf43b148f529b21a6474e52a1","after":"8efa30db90bdb6fb49d97f6b11d3e710683c2c16","ref":"refs/heads/nm-1-54","ref_protected":false,"checkout_sha":"8efa30db90bdb6fb49d97f6b11d3e710683c2c16","message":null,"user_id":94562,"user_name":"Íñigo Huguet","user_username":"ihuguet","user_email":"","user_avatar":"https://gitlab.freedesktop.org/uploads/-/system/user/avatar/94562/avatar.png","project_id":411,"project":{"id":411,"name":"NetworkManager","description":"NetworkManager — network management daemon","web_url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager","avatar_url":"https://gitlab.freedesktop.org/uploads/-/system/project/avatar/411/nm_logo.png","git_ssh_url":"git@ssh.gitlab.freedesktop.org:NetworkManager/NetworkManager.git","git_http_url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git","namespace":"NetworkManager","visibility_level":20,"path_with_namespace":"NetworkManager/NetworkManager","default_branch":"main","ci_config_path":"","homepage":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager","url":"git@ssh.gitlab.freedesktop.org:NetworkManager/NetworkManager.git","ssh_url":"git@ssh.gitlab.freedesktop.org:NetworkManager/NetworkManager.git","http_url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git"},"commits":[{"id":"abdf3385d6881d98ffa4311e4d34a74c1b558020","message":"libnm-core, core: add permission helpers\n\nAdd utility functions to get the number of users and the first user\nfrom the connection.permissions property of a connection.\n\n(cherry picked from commit 59543620dcf7bb3e4b1316536f0330ab4a752e3e)\n(cherry picked from commit 2fc662cc712e9e1a1992cbbc187f257f57476e53)\n","title":"libnm-core, core: add permission helpers","timestamp":"2025-12-10T10:48:02+01:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/abdf3385d6881d98ffa4311e4d34a74c1b558020","author":{"name":"Beniamino Galvani","email":"bgalvani@redhat.com"},"added":[],"modified":["src/core/nm-core-utils.c","src/core/nm-core-utils.h","src/libnm-core-impl/nm-setting-connection.c","src/libnm-core-intern/nm-core-internal.h"],"removed":[]},{"id":"d1776c539465c81da6143c1470cedb72312e1561","message":"helpers: move helper programs to the same directory\n\nCreate a new 'nm-helpers' directory for all the helper programs, to\navoid having too many subdirs in the src directory.\n\n(cherry picked from commit 3d76d12eee88b667d1a385b861c54fcdd4e490ed)\n(cherry picked from commit afa6fc951b4a19b55d76fb365446a5cf8896a1d3)\n","title":"helpers: move helper programs to the same directory","timestamp":"2025-12-10T10:48:04+01:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/d1776c539465c81da6143c1470cedb72312e1561","author":{"name":"Beniamino Galvani","email":"bgalvani@redhat.com"},"added":["src/nm-helpers/README.md","src/nm-helpers/meson.build","src/nm-helpers/nm-daemon-helper.c","src/nm-helpers/nm-priv-helper.c","src/nm-helpers/nm-priv-helper.conf","src/nm-helpers/org.freedesktop.nm_priv_helper.service.in"],"modified":["src/meson.build"],"removed":["src/nm-daemon-helper/README.md","src/nm-daemon-helper/meson.build"]},{"id":"310887be7123ace3c0517c15e5552761f0201d5b","message":"daemon-helper: add read-file-as-user\n\nAdd a new command to read the content of a file after switching to the\ngiven user. This command can be used to enforce Unix filesystem\npermissions when accessing a file on behalf of a user.\n\n(cherry picked from commit 285457a5f8284f21387753d7f245e3f51ce29248)\n(cherry picked from commit 022b992846712ecff6454524eb3934ff0800cf54)\n","title":"daemon-helper: add read-file-as-user","timestamp":"2025-12-10T10:48:04+01:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/310887be7123ace3c0517c15e5552761f0201d5b","author":{"name":"Beniamino Galvani","email":"bgalvani@redhat.com"},"added":[],"modified":["src/libnm-std-aux/nm-std-utils.c","src/libnm-std-aux/nm-std-utils.h","src/nm-helpers/README.md","src/nm-helpers/nm-daemon-helper.c"],"removed":[]},{"id":"4f3597448dd774729b74810de262f7fcffb6d2f9","message":"supplicant: remove blobs before adding new ones\n\nWhen connecting, we add the blobs to the Interface object of the\nsupplicant. Those blobs are not removed on disconnect and so when we\ntry to add blobs with the same id, the supplicant returns an error.\n\nMake sure we start from a clean slate on each connection attempt, by\ndeleting all existing blobs. Probably we should also delete the added\nblobs on disconnect, but that's left for a future improvement.\n\n(cherry picked from commit 0093bbd9507df3b16eaa08cd3a6b799b678c7599)\n(cherry picked from commit ce3ebf6d3e5c511f872872bf51bee7f08db6f045)\n","title":"supplicant: remove blobs before adding new ones","timestamp":"2025-12-10T10:48:04+01:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/4f3597448dd774729b74810de262f7fcffb6d2f9","author":{"name":"Beniamino Galvani","email":"bgalvani@redhat.com"},"added":[],"modified":["src/core/supplicant/nm-supplicant-interface.c"],"removed":[]},{"id":"7acf70dfb912ca65e1daaf669ad5f4ed1faadbcb","message":"core: support returning binary output from the daemon helper\n\nThe full output of the daemon helper is added to a NMStrBuf, without\ninterpreting it as a string (that is, without stopping at the first\nNUL character).\n\nHowever, when we retrieve the content from the NMStrBuf we assume it's\na string. This is fine for certain commands that expect a string\noutput, but it's not for other commands as the read-file-as-user one.\n\nAdd a new argument to nm_utils_spawn_helper() to specify whether the\noutput is binary or not. Also have different finish functions\ndepending on the return type.\n\n(cherry picked from commit 1d90d50fc6e8c167581c6831c2511bc4148f234b)\n(cherry picked from commit 59df5fc93fc30c9b8c9ceca3c42b173f831f53f7)\n","title":"core: support returning binary output from the daemon helper","timestamp":"2025-12-10T10:48:04+01:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/7acf70dfb912ca65e1daaf669ad5f4ed1faadbcb","author":{"name":"Beniamino Galvani","email":"bgalvani@redhat.com"},"added":[],"modified":["src/core/devices/nm-device-utils.c","src/core/nm-core-utils.c","src/core/nm-core-utils.h"],"removed":[]},{"id":"b7926872e154fb508691de8aa8885de86b96456f","message":"supplicant: rename variables\n\nRename uid to to blob_id, and con_uid to con_uuid.\n\n(cherry picked from commit 586f7700b8ad6b4b4cffdb4cdb2bed2e4726ef5c)\n(cherry picked from commit a17f51fe156ed63882d5dc49e594e23913f883fd)\n","title":"supplicant: rename variables","timestamp":"2025-12-10T10:48:05+01:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/b7926872e154fb508691de8aa8885de86b96456f","author":{"name":"Beniamino Galvani","email":"bgalvani@redhat.com"},"added":[],"modified":["src/core/supplicant/nm-supplicant-config.c"],"removed":[]},{"id":"399d7be7712b268c630f9a62b27b1b7cf904c307","message":"core: add functions to read private files of connections\n\nAdd function nm_utils_read_private_files(). It can be used to read a\nlist of paths as the given user. It spawns the daemon-helper to read\neach path and returns asynchronously a hash table containing the files\ncontent.\n\nAlso add nm_utils_get_connection_private_files_paths() to return a\nlist of file paths referenced in a connection. The function currently\nreturns only 802.1x file paths for certificates and keys.\n\n(cherry picked from commit de4eb64253d493364d676b509f63f2e8d1810061)\n(cherry picked from commit 9432822f3460975520aeba4b3367108d5322b28a)\n","title":"core: add functions to read private files of connections","timestamp":"2025-12-10T10:48:05+01:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/399d7be7712b268c630f9a62b27b1b7cf904c307","author":{"name":"Beniamino Galvani","email":"bgalvani@redhat.com"},"added":[],"modified":["src/core/nm-core-utils.c","src/core/nm-core-utils.h"],"removed":[]},{"id":"b8f8731636ff1de6a2e44b17e95ae27320e9dc4e","message":"device: read private files in stage2\n\nDuring stage2 (prepare) of an activation, check if the connection is\nprivate and if it contains any certificate/key path. If so, start\nreading the files and delay stage2. Once done, store the files'\ncontent into priv->private_files.table and continue the activation.\n\n(cherry picked from commit 98e6dbdf21e5b165bae498ab2a29bb14f331ccd1)\n(cherry picked from commit a417df34847ae7cd1eb0d77af8b70beb6619cfbe)\n","title":"device: read private files in stage2","timestamp":"2025-12-10T10:48:06+01:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/b8f8731636ff1de6a2e44b17e95ae27320e9dc4e","author":{"name":"Beniamino Galvani","email":"bgalvani@redhat.com"},"added":[],"modified":["src/core/devices/nm-device-private.h","src/core/devices/nm-device.c"],"removed":[]},{"id":"f08ee617b99a25c7c3d4d820fbe2539f9b78e986","message":"core: pass certificates as blobs to supplicant for private connections\n\nIn case of private connections, the device has already read the\ncertificates and keys content from disk, validating that the owner of\nthe connection has access to them. Pass those files as blobs to the\nsupplicant so that it doesn't have to read them again from the\nfilesystem, creating the opportunity for TOCTOU bugs.\n\n(cherry picked from commit 36ea70c0993cb48d3155c2de6d6c8e48a2b08c60)\n(cherry picked from commit aac5b80fcad34489e737b6eb1c5389bd32169d23)\n","title":"core: pass certificates as blobs to supplicant for private connections","timestamp":"2025-12-10T10:50:02+01:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/f08ee617b99a25c7c3d4d820fbe2539f9b78e986","author":{"name":"Beniamino Galvani","email":"bgalvani@redhat.com"},"added":[],"modified":["NEWS","src/core/devices/nm-device-ethernet.c","src/core/devices/nm-device-macsec.c","src/core/devices/wifi/nm-device-wifi.c","src/core/supplicant/nm-supplicant-config.c","src/core/supplicant/nm-supplicant-config.h","src/core/supplicant/tests/test-supplicant-config.c"],"removed":[]},{"id":"9bc4d626809ed534a49dd5e436c4079eccf60b0a","message":"core,libnm-core: introduce property flag for certificate and keys\n\nIf we add a new property in the future and it references a certificate\nor key stored on disk, we need to also implement the logic to verify\nthe access to the file for private connections.\n\nAdd a new property flag NM_SETTING_PARAM_CERT_KEY_FILE to existing\ncertificate and key properties, so that it's easier to see that they\nneed special treatment. Also add some assertions to verify that the\nproperties with the flag are handled properly.\n\nWhile at it, move the enumeration of private-files to the settings.\n\n(cherry picked from commit acbfae5e051af8647e32d14ccc6be05419dcca77)\n(cherry picked from commit e3c27f2a22b75c98c300c5ba6249193b9047eaaf)\n","title":"core,libnm-core: introduce property flag for certificate and keys","timestamp":"2025-12-10T10:50:04+01:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/9bc4d626809ed534a49dd5e436c4079eccf60b0a","author":{"name":"Beniamino Galvani","email":"bgalvani@redhat.com"},"added":[],"modified":["src/core/nm-core-utils.c","src/libnm-core-impl/nm-setting-8021x.c","src/libnm-core-impl/nm-setting-private.h","src/libnm-core-impl/nm-setting.c","src/libnm-core-intern/nm-core-internal.h"],"removed":[]},{"id":"ce4ec4ac809ac8be0ae150fe7954bcf056c802ad","message":"libnm: introduce NM_VERSION_1_54_3\n","title":"libnm: introduce NM_VERSION_1_54_3","timestamp":"2025-12-10T13:17:29+01:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/ce4ec4ac809ac8be0ae150fe7954bcf056c802ad","author":{"name":"Íñigo Huguet","email":"ihuguet@riseup.net"},"added":[],"modified":["src/libnm-core-public/nm-version-macros.h.in","src/libnm-core-public/nm-version.h"],"removed":[]},{"id":"15346f1a4f150f1ad16d5f447ecb21b727daa4c2","message":"vpn: add nm_vpn_plugin_info_supports_safe_private_file_access()\n\nThe new API indicates that the VPN plugin supports reading files\n(certificates, keys) of private connections in a safe way\n(i.e. checking user permissions), or that it doesn't need to read any\nfile from disk.\n\n(cherry picked from commit 10db4baeb6d3eef76cf036b2f342ab61caa29764)\n(cherry picked from commit 8437e14758d1d70de2c01b43685f47101967b3e5)\n","title":"vpn: add nm_vpn_plugin_info_supports_safe_private_file_access()","timestamp":"2025-12-12T13:33:38+01:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/15346f1a4f150f1ad16d5f447ecb21b727daa4c2","author":{"name":"Beniamino Galvani","email":"bgalvani@redhat.com"},"added":[],"modified":["src/libnm-client-impl/libnm.ver","src/libnm-client-impl/tests/test-gir.py","src/libnm-core-impl/nm-vpn-plugin-info.c","src/libnm-core-public/nm-vpn-plugin-info.h"],"removed":[]},{"id":"4587832735653ff27eae7afb7c4e3541d6cfc271","message":"libnm: add function to copy a certificate or key as user\n\nAdd a new public function nm_utils_copy_cert_as_user() to libnm. It\nreads a certificate or key file on behalf of the given user and writes\nit to a directory in /run/NetworkManager. It is useful for VPN plugins\nthat run as root and need to verify that the user owning the\nconnection (the one listed in the connection.permissions property) can\naccess the file.\n\n(cherry picked from commit 1a52bbe7c9dcabc066d8930dfd7b7cfe74dabf78)\n(cherry picked from commit 3d85bace3dcd8aaf9773db90fa412a7cdc131e4b)\n","title":"libnm: add function to copy a certificate or key as user","timestamp":"2025-12-12T13:34:04+01:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/4587832735653ff27eae7afb7c4e3541d6cfc271","author":{"name":"Beniamino Galvani","email":"bgalvani@redhat.com"},"added":["src/libnm-client-impl/tests/test-copy-cert-as-user.c","src/nm-helpers/nm-libnm-helper.c"],"modified":["NEWS","contrib/fedora/rpm/NetworkManager.spec","src/libnm-client-impl/libnm.ver","src/libnm-client-impl/tests/meson.build","src/libnm-client-impl/tests/test-gir.py","src/libnm-core-impl/nm-utils.c","src/libnm-core-public/nm-utils.h","src/nm-helpers/README.md","src/nm-helpers/meson.build"],"removed":[]},{"id":"4393b3768631b3fdabdb90a755b16fcda9a0bfd8","message":"nm-version: set API_VERSION with MICRO+1 (temporary)\n\nIn the past, stable branches used odd micro numbers as development micro\nversion. Because of that, NM_API_VERSION was defined with MICRO+1 so we\ndon't get warnings during development.\n\nAs we stopped using odd micro=devel it is wrong to set MICRO+1 on odd\nreleases. Final users of 1.52.3 has NM_API_VERSION 1.52.4.\n\nHowever, during development we need to have MICRO+1. For example, if we\nare working on top of 1.52.3 towards the next 1.52.4, we define new\nsymbols with NM_AVAILABLE_IN_1_52_4. Because of that, we get compilation\nfailures until we finally bump to 1.52.4, just before the release. The\nCI remains red until then, potentially missing many bugs.\n\nFor now, just set MICRO+1 all the time. It is wrong, but it was wrong\nhalf of the time anyway, and at least we'll have a green CI until we\nimplement a definitive solution.\n\n(cherry picked from commit 13bfa44cebf504e88e2ac00ab85145119263d8fe)\n","title":"nm-version: set API_VERSION with MICRO+1 (temporary)","timestamp":"2025-12-12T13:34:06+01:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/4393b3768631b3fdabdb90a755b16fcda9a0bfd8","author":{"name":"Íñigo Huguet","email":"ihuguet@riseup.net"},"added":[],"modified":["src/libnm-core-public/nm-version-macros.h.in"],"removed":[]},{"id":"8efa30db90bdb6fb49d97f6b11d3e710683c2c16","message":"merge: branch 'nm-1-54-issue1809'\n\n[nm-1-54] CVE-2025-9615: avoid that non-admin user using other users' certificates\n\nhttps://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2326","title":"merge: branch 'nm-1-54-issue1809'","timestamp":"2025-12-12T13:03:26+00:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/8efa30db90bdb6fb49d97f6b11d3e710683c2c16","author":{"name":"Íñigo Huguet","email":"ihuguet@riseup.net"},"added":["src/libnm-client-impl/tests/test-copy-cert-as-user.c","src/nm-helpers/README.md","src/nm-helpers/meson.build","src/nm-helpers/nm-daemon-helper.c","src/nm-helpers/nm-libnm-helper.c","src/nm-helpers/nm-priv-helper.c","src/nm-helpers/nm-priv-helper.conf","src/nm-helpers/org.freedesktop.nm_priv_helper.service.in"],"modified":["NEWS","contrib/fedora/rpm/NetworkManager.spec","src/core/devices/nm-device-ethernet.c","src/core/devices/nm-device-macsec.c","src/core/devices/nm-device-private.h","src/core/devices/nm-device-utils.c","src/core/devices/nm-device.c","src/core/devices/wifi/nm-device-wifi.c","src/core/nm-core-utils.c","src/core/nm-core-utils.h","src/core/supplicant/nm-supplicant-config.c","src/core/supplicant/nm-supplicant-config.h","src/core/supplicant/nm-supplicant-interface.c","src/core/supplicant/tests/test-supplicant-config.c","src/libnm-client-impl/libnm.ver","src/libnm-client-impl/tests/meson.build","src/libnm-client-impl/tests/test-gir.py","src/libnm-core-impl/nm-setting-8021x.c","src/libnm-core-impl/nm-setting-connection.c","src/libnm-core-impl/nm-setting-private.h","src/libnm-core-impl/nm-setting.c","src/libnm-core-impl/nm-utils.c","src/libnm-core-impl/nm-vpn-plugin-info.c","src/libnm-core-intern/nm-core-internal.h","src/libnm-core-public/nm-utils.h","src/libnm-core-public/nm-version-macros.h.in","src/libnm-core-public/nm-version.h","src/libnm-core-public/nm-vpn-plugin-info.h","src/libnm-std-aux/nm-std-utils.c","src/libnm-std-aux/nm-std-utils.h","src/meson.build"],"removed":["src/nm-daemon-helper/README.md","src/nm-daemon-helper/meson.build"]}],"total_commits_count":15,"push_options":{},"repository":{"name":"NetworkManager","url":"git@ssh.gitlab.freedesktop.org:NetworkManager/NetworkManager.git","description":"NetworkManager — network management daemon","homepage":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager","git_http_url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git","git_ssh_url":"git@ssh.gitlab.freedesktop.org:NetworkManager/NetworkManager.git","visibility_level":20}}