Specify supports-safe-private-file-access=true and update build

grahamwhiteuk · grahamwhiteuk · commit 4cd0c68fb1bf · 2025-12-12T15:56:17.000Z
diff --git a/README.md b/README.md
@@ -1,22 +1,23 @@
 # NetworkManager-anyconnect
 
-NetworkManager-anyconnect is a VPN plugin for NetworkManager.  It extends NetworkManager in a similar way to [other VPN plugins](https://wiki.gnome.org/Projects/NetworkManager/VPN) and provides a wrapper to the proprietary Cisco AnyConnect VPN client.
+NetworkManager-anyconnect is a VPN plugin for NetworkManager. It extends NetworkManager in a similar way to [other VPN plugins](https://wiki.gnome.org/Projects/NetworkManager/VPN) and provides a wrapper to the proprietary Cisco AnyConnect VPN client.
 
 ## Usage
 
-Since NetworkManager-anyconnect provides a wrapper around the AnyConnect client, you should ensure that you can first connect via AnyConnect.  Set up your certificates and connection using the proprietary client and test your connection.  Once successfully set up and with NetworkManager-anyconnect installed on your system, you should see a `Cisco AnyConnect` option when adding a new VPN connection.  Select this option to configure your VPN and you will be presented with the configuration screen (shown below).  Configuration is very simple, since you have your certificates set up already you just need to choose the VPN gateway to connect to from the drop down list and give your VPN connection a name.
+Since NetworkManager-anyconnect provides a wrapper around the AnyConnect client, you should ensure that you can first connect via AnyConnect. Set up your certificates and connection using the proprietary client and test your connection. Once successfully set up and with NetworkManager-anyconnect installed on your system, you should see a `Cisco AnyConnect` option when adding a new VPN connection. Select this option to configure your VPN and you will be presented with the configuration screen (shown below). Configuration is very simple, since you have your certificates set up already you just need to choose the VPN gateway to connect to from the drop down list and give your VPN connection a name.
 
 ![AnyConnect Configuration](https://user-images.githubusercontent.com/1632332/86220337-5e8ea680-bb7b-11ea-93c7-a95dfa3340f1.png "AnyConnect Configuration")
 
 ### Known Issue and Work Around
 
 Whether you hit this problem will depend on two things being true:
+
 1. Your AnyConnect gateway needs to be configured to require downloading data to VPN clients
 2. Your NetworkManager must be started by systemd using `ProtectHome=read-only`
 
-As outlined in the [AnyConnect Manual](https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/administration/guide/b_AnyConnect_Administrator_Guide_4-8.pdf), certificates must live in the `~/.cisco/` directory.  Similarly, AnyConnect may download data from the VPN server during the connection attempt and if so, this downloaded data is also written to the `~/.cisco/` directory.  However, in many Linux distributions the NetworkManager service is started with read-only access to the entire `/home` directory structure using the `ProtectHome=read-only` [configuration from systemd](https://www.freedesktop.org/software/systemd/man/systemd.exec.html).  In these cases where AnyConnect needs to write to `~/.cisco/` but cannot, the connection attempt will fail.
+As outlined in the [AnyConnect Manual](https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/administration/guide/b_AnyConnect_Administrator_Guide_4-8.pdf), certificates must live in the `~/.cisco/` directory. Similarly, AnyConnect may download data from the VPN server during the connection attempt and if so, this downloaded data is also written to the `~/.cisco/` directory. However, in many Linux distributions the NetworkManager service is started with read-only access to the entire `/home` directory structure using the `ProtectHome=read-only` [configuration from systemd](https://www.freedesktop.org/software/systemd/man/systemd.exec.html). In these cases where AnyConnect needs to write to `~/.cisco/` but cannot, the connection attempt will fail.
 
-The work-around for this issue is to move your certificates elsewhere within your home directory and create a `~/.cisco` directory in another branch of the file system that is writeable to your user id.  This can be achieved using the `/var/tmp/` directory using the following commands that should be run under your own user ID (not root) as an example:
+The work-around for this issue is to move your certificates elsewhere within your home directory and create a `~/.cisco` directory in another branch of the file system that is writeable to your user id. This can be achieved using the `/var/tmp/` directory using the following commands that should be run under your own user ID (not root) as an example:
 
 ```shell
 mv ~/.cisco ~/.cisco2
@@ -26,20 +27,21 @@ ln -s ~/.cisco2/certificates /var/tmp/${USER}-cisco
 ```
 
 The above commands:
+
 1. move your `~/.cisco/` directory out of the way so it can be replaced with a symbolic link
 2. create a new directory that will be writeable to NetworkManager sub-processes
 3. link the writeable directory from your `~/.cisco/` directory
 4. keep your certificates in your home directory and link those to the writeable directory (they will remain read-only)
 
-The `/var/tmp/` directory is recommended for this work-around since it is considered more persistent than `/tmp/`.  However, you may find that the sub-directory you created there is wiped out from time to time so you may want to set something up perhaps with a systemd timer or cron to make sure the directory remains in place for when you need it for your VPN connections.
+The `/var/tmp/` directory is recommended for this work-around since it is considered more persistent than `/tmp/`. However, you may find that the sub-directory you created there is wiped out from time to time so you may want to set something up perhaps with a systemd timer or cron to make sure the directory remains in place for when you need it for your VPN connections.
 
 ## Building
 
-You will need gcc and the GNU autotools installed on your build system.  There is a `autogen.sh` script you can use to generate the required build files.  Then it's the standard configure and make script you'd expect.  The `autogen.sh` script is set to run the configure script but you may choose to reconfigure the build.  An example is shown below:
+You will need gcc and the GNU autotools installed on your build system. There is a `autogen.sh` script you can use to generate the required build files. Then it's the standard configure and make script you'd expect. The `autogen.sh` script is set to run the configure script but you may choose to reconfigure the build. An example is shown below:
 
 ```shell
 cd NetworkManager-anyconnect
-meson builddir
+meson setup builddir
 cd builddir
 ninja
 sudo ninja install
@@ -55,7 +57,7 @@ meson builddir
 cd builddir
 meson dist
 rpmbuild -bs --define "_sourcedir meson-dist" NetworkManager-anyconnect.spec  --define "_srcrpmdir ." --undefine dist
-mock --arch=x86_64 --resultdir="mock/NetworkManager-anyconnect-1.2.3-1" NetworkManager-anyconnect-1.2.3-1.src.rpm
+mock --arch=x86_64 --resultdir="mock/NetworkManager-anyconnect-1.2.4-1" NetworkManager-anyconnect-1.2.4-1.src.rpm
 ```
 
 Note 1: the `meson dist` command will only build a tar file from the currently committed code i.e. if you have local changes these will **not** be added to the build.
@@ -71,5 +73,5 @@ Since the SELinux policy isn't required on all machines where NetworkManager-any
 ```shell
 cd NetworkManager-anyconnect/rpm/selinux/
 rpmbuild -bs --define "_sourcedir ." NetworkManager-anyconnect-selinux.spec  --define "_srcrpmdir ." --undefine dist
-mock --arch=x86_64 --resultdir="mock/NetworkManager-anyconnect-selinux-1.0.0-1" NetworkManager-anyconnect-selinux-1.0.0-1.src.rpm
+mock --arch=x86_64 --resultdir="mock/NetworkManager-anyconnect-selinux-1.0.0-2" NetworkManager-anyconnect-selinux-1.0.0-2.src.rpm
 ```
diff --git a/meson.build b/meson.build
@@ -1,6 +1,6 @@
 project('NetworkManager-anyconnect', 'c',
   license : 'GPL2',
-  version : '1.2.3',
+  version : '1.2.4',
   default_options: ['warning_level=2']
 )
 
@@ -186,24 +186,10 @@ asresources = gnome.compile_resources(
   c_name : 'as')
 
 # glib-compile-resources
-glib_resources_path = join_paths(meson.build_root(), 'properties/')
-r = run_command('mkdir', glib_resources_path)
-if r.returncode() != 0
-  message('Could not compile glib resources:')
-  message(r.stderr().strip())
-endif
-
-r = run_command('glib-compile-resources', '--target', join_paths(glib_resources_path, 'resources.h'), '--sourcedir=properties/', '--generate-header', 'properties/gresource.xml')
-if r.returncode() != 0
-  message('Could not compile glib resources:')
-  error(r.stderr().strip())
-endif
-
-r = run_command('glib-compile-resources', '--target', join_paths(glib_resources_path, 'resources.c'), '--sourcedir=properties/', '--generate-source', 'properties/gresource.xml')
-if r.returncode() != 0
-  message('Could not compile glib resources:')
-  error(r.stderr().strip())
-endif
+glib_resources_path = join_paths(meson.project_build_root(), 'properties/')
+r = run_command('mkdir', glib_resources_path, check: true)
+r = run_command('glib-compile-resources', '--target', join_paths(glib_resources_path, 'resources.h'), '--sourcedir=properties/', '--generate-header', 'properties/gresource.xml', check: true)
+r = run_command('glib-compile-resources', '--target', join_paths(glib_resources_path, 'resources.c'), '--sourcedir=properties/', '--generate-source', 'properties/gresource.xml', check: true)
 
 # Generate appdata
 conf_nm_service = configuration_data()
diff --git a/nm-anyconnect-service.name.in b/nm-anyconnect-service.name.in
@@ -3,6 +3,7 @@ name=anyconnect
 service=org.freedesktop.NetworkManager.anyconnect
 program=@LIBEXECDIR@/nm-anyconnect-service
 supports-multiple-connections=true
+supports-safe-private-file-access=true
 
 [libnm]
 plugin=libnm-vpn-plugin-anyconnect.so
diff --git a/po/meson.build b/po/meson.build
@@ -14,8 +14,8 @@ i18n.gettext(
   meson.project_name(),
   args: [
     '--add-comments=TRANSLATORS:',
-    '--directory=@0@'.format(meson.source_root()),
-    '--directory=@0@'.format(meson.build_root()),
+    '--directory=@0@'.format(meson.project_source_root()),
+    '--directory=@0@'.format(meson.project_build_root()),
     '--files-from=@0@'.format(meson.current_build_dir() / 'POTFILES'),
     '--package-version=@0@'.format(meson.project_version()),
     '--sort-output',
diff --git a/rpm/NetworkManager-anyconnect.spec.in b/rpm/NetworkManager-anyconnect.spec.in
@@ -86,6 +86,10 @@ the anyconnect server with NetworkManager (GNOME files).
 %endif
 
 %changelog
+* Fri Dec 12 2025 Graham White - 1.2.4-1
+- Update the build
+- Specify supports-safe-private-file-access=true
+
 * Fri Feb 12 2021 Graham White - 1.2.3-1
 - Add SELinux policy (required for permission fix script)
 - Add notifications using libnotify
