`74f7ad1`

Record forced NetworkManager callback

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 2 months ago

SHA: 74f7ad1669358629f0fb5aec08938c274836f0a7
Parents: 1b4a165
Tree: 6643473

1 changed file

Status	File	+	-
M	`examples/sprint-03-validation-report-2026-02-18.md`	16	7

examples/sprint-03-validation-report-2026-02-18.mdmodified

       - `subject.isInGroup("networkmanager")` + `org.freedesktop.NetworkManager.*` -> `polkit.Result.YES`
     - session user groups include `networkmanager` (`id` output), so NetworkManager probes bypass challenge by design.
--## Deferred Caveat Closure Plan
++## Deferred Caveat Closure Execution (2026-02-19)
--1. Use `examples/force-networkmanager-auth-admin.rules` as temporary override.
++1. Temporary override installed and polkit restarted:
--2. Install and reload policy:
     - `sudo install -m644 examples/force-networkmanager-auth-admin.rules /etc/polkit-1/rules.d/00-garcard-networkmanager-auth.rules`
     - `sudo systemctl restart polkit`
--3. Re-run probe while daemon is active:
++2. First post-restart probe hit:
++   - `Authorization requires authentication but no agent is available.`
++   - Cause: daemon socket was no longer present after restart and daemon was relaunched.
++3. After daemon relaunch, forced NetworkManager probe:
     - `pkcheck --allow-user-interaction --process $$ --action-id org.freedesktop.NetworkManager.settings.modify.system`
--4. Expect callback logs from `garcard` auth request processing path.
++   - Result: exit `1` (`Not authorized.`) with auth challenge metadata:
--5. Remove override and restart polkit after validation.
++     - `polkit.result=auth_admin_keep`
++4. Daemon logs confirmed live callback path for NetworkManager action:
++   - `Started active polkit auth request action_id=org.freedesktop.NetworkManager.settings.modify.system ...`
++   - `Processing polkit auth request action_id=org.freedesktop.NetworkManager.settings.modify.system ...`
++   - `Starting helper authentication dialog context=System policy prevents modification of network settings for all users`
++5. Cleanup commands after validation:
++   - `sudo rm -f /etc/polkit-1/rules.d/00-garcard-networkmanager-auth.rules`
++   - `sudo systemctl restart polkit`
  ## Conclusion
 . Sprint 03 static integration wiring is in place.
 . logind-side runtime challenge callback is verified with live daemon.
 . NetworkManager challenge suppression cause is identified and reproducible.
--4. A deterministic override path is documented to force and validate the callback path on this host.
++4. Forced NetworkManager callback validation is executed successfully via temporary policy override.