feat: Reduce kill switch auth requirements#10
Open
SRugina wants to merge 1 commit intoProtonVPN:stablefrom
Open
feat: Reduce kill switch auth requirements#10SRugina wants to merge 1 commit intoProtonVPN:stablefrom
SRugina wants to merge 1 commit intoProtonVPN:stablefrom
Conversation
To mitigate CVE-2025-9615, NetworkManager from 1.57.1 (at least) will remove the modify_system build option (a new option is available for backwards compatibility but is discouraged). Debian, NixOS, & Tumbleweed already do not rely on this, but Arch, Fedora, and Alpine do (for now). See https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2324 If a non-permanent kill switch were enabled ("Standard" and/or IPv6) without modify_system, a polkit prompt would appear for every manual (dis)connection of the VPN (except within auth timeout of previous prompt). This is because editing system connections uses the `org.freedesktop.NetworkManager.settings.modify.system` polkit action, which without modify_system defaults to `auth_admin_keep`. To fix this, a user connection is sufficient as on boot it is acceptable to wait for login like the VPN connection (also a user connection). When the user's regular connection is also a user connection, there will be no polkit prompt to manually (dis)connect the VPN. Only the permanent ("Advanced") kill switch needs to be a system connection so that there is no leak before user login on boot, and since it's permanent (written to disk) the polkit prompt is only required when enabling/disabling the permanent kill switch setting and not on every manual (dis)connection of the VPN.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
To mitigate CVE-2025-9615, NetworkManager from 1.57.1 (at least) will remove the modify_system build option (a new option is available for backwards compatibility but is discouraged). Debian, NixOS, & Tumbleweed already do not rely on this, but Arch, Fedora, and Alpine do (for now). See https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2324
If a non-permanent kill switch were enabled ("Standard" and/or IPv6) without modify_system, a polkit prompt would appear for every manual (dis)connection of the VPN (except within auth timeout of previous prompt). This is because editing system connections uses the
org.freedesktop.NetworkManager.settings.modify.systempolkit action, which without modify_system defaults toauth_admin_keep.To fix this, a user connection is sufficient as on boot it is acceptable to wait for login like the VPN connection (also a user connection). When the user's regular connection is also a user connection, there will be no polkit prompt to manually (dis)connect the VPN.
Only the permanent ("Advanced") kill switch needs to be a system connection so that there is no leak before user login on boot, and since it's permanent (written to disk) the polkit prompt is only required when enabling/disabling the permanent kill switch setting and not on every manual (dis)connection of the VPN.