NetworkManager/2298.patch

From c312390932d1f1198baacca0de3c6a01811728a8 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 14 Oct 2025 10:41:26 +0200
Subject: [PATCH 1/2] libnm-glib-aux: add temp name argument to
 nm_utils_file_set_contents()

In some cases it's useful to specify the name of the temporary file to
be used.
---
 src/core/devices/wifi/nm-iwd-manager.c         |  2 +-
 src/core/main-utils.c                          |  2 +-
 src/core/nm-core-utils.c                       |  1 +
 src/core/platform/tests/monitor.c              |  1 +
 .../plugins/ifcfg-rh/nms-ifcfg-rh-writer.c     |  1 +
 .../plugins/keyfile/nms-keyfile-utils.c        |  1 +
 .../plugins/keyfile/nms-keyfile-writer.c       | 10 +++++++++-
 src/libnm-glib-aux/nm-io-utils.c               | 18 +++++++++++++-----
 src/libnm-glib-aux/nm-io-utils.h               |  1 +
 src/nm-initrd-generator/nm-initrd-generator.c  |  2 +-
 10 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/src/core/devices/wifi/nm-iwd-manager.c b/src/core/devices/wifi/nm-iwd-manager.c
index 76a342e206c..bb2e056d39c 100644
--- a/src/core/devices/wifi/nm-iwd-manager.c
+++ b/src/core/devices/wifi/nm-iwd-manager.c
@@ -684,7 +684,7 @@ iwd_config_write(GKeyFile              *config,
      * in the last few filename characters -- it cannot end in .open, .psk
      * or .8021x.
      */
-    return nm_utils_file_set_contents(filepath, data, length, 0600, times, NULL, error);
+    return nm_utils_file_set_contents(filepath, data, length, 0600, times, NULL, NULL, error);
 }
 
 static const char *
diff --git a/src/core/main-utils.c b/src/core/main-utils.c
index 0f62da29024..d1be6814875 100644
--- a/src/core/main-utils.c
+++ b/src/core/main-utils.c
@@ -81,7 +81,7 @@ nm_main_utils_write_pidfile(const char *pidfile)
     char                  pid[16];
 
     nm_sprintf_buf(pid, "%lld", (long long) getpid());
-    if (!nm_utils_file_set_contents(pidfile, pid, -1, 00644, NULL, NULL, &error)) {
+    if (!nm_utils_file_set_contents(pidfile, pid, -1, 00644, NULL, NULL, NULL, &error)) {
         fprintf(stderr, _("Writing to %s failed: %s\n"), pidfile, error->message);
         return FALSE;
     }
diff --git a/src/core/nm-core-utils.c b/src/core/nm-core-utils.c
index 8b7ee1ddf67..33f53a06358 100644
--- a/src/core/nm-core-utils.c
+++ b/src/core/nm-core-utils.c
@@ -2865,6 +2865,7 @@ _host_id_read(guint8 **out_host_id, gsize *out_host_id_len)
                                                0600,
                                                NULL,
                                                NULL,
+                                               NULL,
                                                &error)) {
             nm_log_warn(
                 LOGD_CORE,
diff --git a/src/core/platform/tests/monitor.c b/src/core/platform/tests/monitor.c
index c83192bbc92..f413facfcdc 100644
--- a/src/core/platform/tests/monitor.c
+++ b/src/core/platform/tests/monitor.c
@@ -186,6 +186,7 @@ ip_again:
                                00644,
                                NULL,
                                NULL,
+                               NULL,
                                NULL);
 
     nm_log_dbg(LOGD_PLATFORM, "dump to file complete");
diff --git a/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c b/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
index 42675cf222e..21908090f73 100644
--- a/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
+++ b/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
@@ -320,6 +320,7 @@ write_blobs(GHashTable *blobs, GError **error)
                                         0600,
                                         NULL,
                                         NULL,
+                                        NULL,
                                         &write_error)) {
             g_set_error(error,
                         NM_SETTINGS_ERROR,
diff --git a/src/core/settings/plugins/keyfile/nms-keyfile-utils.c b/src/core/settings/plugins/keyfile/nms-keyfile-utils.c
index 7c0e329e2d6..26fb34418d5 100644
--- a/src/core/settings/plugins/keyfile/nms-keyfile-utils.c
+++ b/src/core/settings/plugins/keyfile/nms-keyfile-utils.c
@@ -280,6 +280,7 @@ nms_keyfile_nmmeta_write(const char *dirname,
                                         length,
                                         0600,
                                         NULL,
+                                        NULL,
                                         &errsv,
                                         NULL)) {
             NM_SET_OUT(out_full_filename, g_steal_pointer(&full_filename_tmp));
diff --git a/src/core/settings/plugins/keyfile/nms-keyfile-writer.c b/src/core/settings/plugins/keyfile/nms-keyfile-writer.c
index b1dd2e446fd..c7c88260790 100644
--- a/src/core/settings/plugins/keyfile/nms-keyfile-writer.c
+++ b/src/core/settings/plugins/keyfile/nms-keyfile-writer.c
@@ -133,6 +133,7 @@ cert_writer(NMConnection                     *connection,
                                              0600,
                                              NULL,
                                              NULL,
+                                             NULL,
                                              &local);
         if (success) {
             /* Write the path value to the keyfile.
@@ -384,7 +385,14 @@ _internal_write_connection(NMConnection                   *connection,
         }
     }
 
-    nm_utils_file_set_contents(path, kf_content_buf, kf_content_len, 0600, NULL, NULL, &local_err);
+    nm_utils_file_set_contents(path,
+                               kf_content_buf,
+                               kf_content_len,
+                               0600,
+                               NULL,
+                               NULL,
+                               NULL,
+                               &local_err);
     if (local_err) {
         g_set_error(error,
                     NM_SETTINGS_ERROR,
diff --git a/src/libnm-glib-aux/nm-io-utils.c b/src/libnm-glib-aux/nm-io-utils.c
index 9443172b46b..d26ecee4f05 100644
--- a/src/libnm-glib-aux/nm-io-utils.c
+++ b/src/libnm-glib-aux/nm-io-utils.c
@@ -415,8 +415,10 @@ nm_utils_file_get_contents(int                         dirfd,
 
 /*
  * Copied from GLib's g_file_set_contents() et al., but allows
- * specifying a mode for the new file and optionally the last access
- * and last modification times.
+ * specifying:
+ * - the file mode (@mode)
+ * - optionally, the last access and modification times (@times)
+ * - optionally, a fixed name for the temporary file (@tmp_name)
  */
 gboolean
 nm_utils_file_set_contents(const char            *filename,
@@ -424,10 +426,11 @@ nm_utils_file_set_contents(const char            *filename,
                            gssize                 length,
                            mode_t                 mode,
                            const struct timespec *times,
+                           const char            *tmp_name,
                            int                   *out_errsv,
                            GError               **error)
 {
-    gs_free char *tmp_name = NULL;
+    gs_free char *tmp_name_free = NULL;
     struct stat   statbuf;
     int           errsv;
     gssize        s;
@@ -442,8 +445,13 @@ nm_utils_file_set_contents(const char            *filename,
     if (length == -1)
         length = strlen(contents);
 
-    tmp_name = g_strdup_printf("%s.XXXXXX", filename);
-    fd       = g_mkstemp_full(tmp_name, O_RDWR | O_CLOEXEC, mode);
+    if (tmp_name) {
+        fd = open(tmp_name, O_CREAT | O_RDWR | O_TRUNC | O_CLOEXEC, mode);
+    } else {
+        tmp_name_free = g_strdup_printf("%s.XXXXXX", filename);
+        tmp_name      = tmp_name_free;
+        fd            = g_mkstemp_full(tmp_name_free, O_RDWR | O_CLOEXEC, mode);
+    }
     if (fd < 0) {
         return _get_contents_error_errno(error, out_errsv, "failed to create file %s", tmp_name);
     }
diff --git a/src/libnm-glib-aux/nm-io-utils.h b/src/libnm-glib-aux/nm-io-utils.h
index 0021138f464..ff02ecb108a 100644
--- a/src/libnm-glib-aux/nm-io-utils.h
+++ b/src/libnm-glib-aux/nm-io-utils.h
@@ -55,6 +55,7 @@ gboolean nm_utils_file_set_contents(const char            *filename,
                                     gssize                 length,
                                     mode_t                 mode,
                                     const struct timespec *times,
+                                    const char            *tmp_name,
                                     int                   *out_errsv,
                                     GError               **error);
 
diff --git a/src/nm-initrd-generator/nm-initrd-generator.c b/src/nm-initrd-generator/nm-initrd-generator.c
index b89b4e413f5..68993c002f3 100644
--- a/src/nm-initrd-generator/nm-initrd-generator.c
+++ b/src/nm-initrd-generator/nm-initrd-generator.c
@@ -78,7 +78,7 @@ output_conn(gpointer key, gpointer value, gpointer user_data)
         filename      = nm_keyfile_utils_create_filename(basename, TRUE);
         full_filename = g_build_filename(connections_dir, filename, NULL);
 
-        if (!nm_utils_file_set_contents(full_filename, data, len, 0600, NULL, NULL, &error))
+        if (!nm_utils_file_set_contents(full_filename, data, len, 0600, NULL, NULL, NULL, &error))
             goto err_out;
     } else
         g_print("\n*** Connection '%s' ***\n\n%s", basename, data);
-- 
GitLab


From 2d438ebef840cc003e423d3d0ad10e5832b5b49a Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 14 Oct 2025 10:42:53 +0200
Subject: [PATCH 2/2] dns: specify a temporary file name when writing
 no-stub-resolv.conf

Using g_file_set_contents() makes it impossible to write a proper
SELinux policy because the function creates a file with a random
suffix, and SELinux file transitions can't match on wildcards.

Use a fixed temporary file name. In this case it's fine because
/run/NetworkManager is only writable by root and NetworkManager is the
only process writing into it.
---
 src/core/dns/nm-dns-manager.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/core/dns/nm-dns-manager.c b/src/core/dns/nm-dns-manager.c
index 57e732264cf..c746e714972 100644
--- a/src/core/dns/nm-dns-manager.c
+++ b/src/core/dns/nm-dns-manager.c
@@ -26,6 +26,7 @@
 
 #include "libnm-core-intern/nm-core-internal.h"
 #include "libnm-glib-aux/nm-str-buf.h"
+#include "libnm-glib-aux/nm-io-utils.h"
 
 #include "NetworkManagerUtils.h"
 #include "devices/nm-device.h"
@@ -1006,7 +1007,8 @@ _read_link_cached(const char *path, gboolean *is_cached, char **cached)
 #define MY_RESOLV_CONF_TMP MY_RESOLV_CONF ".tmp"
 #define RESOLV_CONF_TMP    "/etc/.resolv.conf.NetworkManager"
 
-#define NO_STUB_RESOLV_CONF NMRUNDIR "/no-stub-resolv.conf"
+#define NO_STUB_RESOLV_CONF     NMRUNDIR "/no-stub-resolv.conf"
+#define NO_STUB_RESOLV_CONF_TMP NMRUNDIR "/no-stub-resolv.conf.tmp"
 
 static void
 update_resolv_conf_no_stub(NMDnsManager      *self,
@@ -1019,7 +1021,14 @@ update_resolv_conf_no_stub(NMDnsManager      *self,
 
     content = create_resolv_conf(searches, nameservers, options);
 
-    if (!g_file_set_contents(NO_STUB_RESOLV_CONF, content, -1, &local)) {
+    if (!nm_utils_file_set_contents(NO_STUB_RESOLV_CONF,
+                                    content,
+                                    -1,
+                                    0644,
+                                    NULL,
+                                    NO_STUB_RESOLV_CONF_TMP,
+                                    NULL,
+                                    &local)) {
         _LOGD("update-resolv-no-stub: failure to write file: %s", local->message);
         g_error_free(local);
         return;
-- 
GitLab

diff --git a/src/libnm-core-impl/nm-utils.c b/src/libnm-core-impl/nm-utils.c
index 9a78e9471c..d935e63978 100644
--- a/src/libnm-core-impl/nm-utils.c
+++ b/src/libnm-core-impl/nm-utils.c
@@ -6444,6 +6444,7 @@ nm_utils_copy_cert_as_user(const char *filename, const char *user, GError **erro
                                     0600,
                                     NULL,
                                     NULL,
+                                    NULL,
                                     error)) {
         return NULL;
     }