@@ -36,18 +36,27 @@ |
| 36 | 36 | - `subject.isInGroup("networkmanager")` + `org.freedesktop.NetworkManager.*` -> `polkit.Result.YES` |
| 37 | 37 | - session user groups include `networkmanager` (`id` output), so NetworkManager probes bypass challenge by design. |
| 38 | 38 | |
| 39 | | -## Deferred Caveat Closure Plan |
| 40 | | -1. Use `examples/force-networkmanager-auth-admin.rules` as temporary override. |
| 41 | | -2. Install and reload policy: |
| 39 | +## Deferred Caveat Closure Execution (2026-02-19) |
| 40 | +1. Temporary override installed and polkit restarted: |
| 42 | 41 | - `sudo install -m644 examples/force-networkmanager-auth-admin.rules /etc/polkit-1/rules.d/00-garcard-networkmanager-auth.rules` |
| 43 | 42 | - `sudo systemctl restart polkit` |
| 44 | | -3. Re-run probe while daemon is active: |
| 43 | +2. First post-restart probe hit: |
| 44 | + - `Authorization requires authentication but no agent is available.` |
| 45 | + - Cause: daemon socket was no longer present after restart and daemon was relaunched. |
| 46 | +3. After daemon relaunch, forced NetworkManager probe: |
| 45 | 47 | - `pkcheck --allow-user-interaction --process $$ --action-id org.freedesktop.NetworkManager.settings.modify.system` |
| 46 | | -4. Expect callback logs from `garcard` auth request processing path. |
| 47 | | -5. Remove override and restart polkit after validation. |
| 48 | + - Result: exit `1` (`Not authorized.`) with auth challenge metadata: |
| 49 | + - `polkit.result=auth_admin_keep` |
| 50 | +4. Daemon logs confirmed live callback path for NetworkManager action: |
| 51 | + - `Started active polkit auth request action_id=org.freedesktop.NetworkManager.settings.modify.system ...` |
| 52 | + - `Processing polkit auth request action_id=org.freedesktop.NetworkManager.settings.modify.system ...` |
| 53 | + - `Starting helper authentication dialog context=System policy prevents modification of network settings for all users` |
| 54 | +5. Cleanup commands after validation: |
| 55 | + - `sudo rm -f /etc/polkit-1/rules.d/00-garcard-networkmanager-auth.rules` |
| 56 | + - `sudo systemctl restart polkit` |
| 48 | 57 | |
| 49 | 58 | ## Conclusion |
| 50 | 59 | 1. Sprint 03 static integration wiring is in place. |
| 51 | 60 | 2. logind-side runtime challenge callback is verified with live daemon. |
| 52 | 61 | 3. NetworkManager challenge suppression cause is identified and reproducible. |
| 53 | | -4. A deterministic override path is documented to force and validate the callback path on this host. |
| 62 | +4. Forced NetworkManager callback validation is executed successfully via temporary policy override. |
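Review bot: Step 5 of the new "Deferred Caveat Closure Execution" section lists the cleanup commands but, unlike steps 1 to 4, records no outcome, so the document does not show that `/etc/polkit-1/rules.d/00-garcard-networkmanager-auth.rules` was actually removed. Because that override changes the NetworkManager policy result on this host (step 3 shows `polkit.result=auth_admin_keep`), I would add a post-cleanup check: re-run the step 3 `pkcheck` probe and record that it returns to the `polkit.Result.YES` behaviour described at line 36. Step 2 records that the daemon socket was gone after `sudo systemctl restart polkit`, and the cleanup in step 5 runs the same restart, so it is worth noting there that the daemon needs to be relaunched again afterwards. Separately, conclusion item 4 says "executed successfully" while step 3 records exit `1` (`Not authorized.`); say explicitly that success here means the callback path was reached, not that authorization was granted.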