diff options
author | José Bollo <jose.bollo@iot.bzh> | 2018-03-27 11:05:46 +0200 |
---|---|---|
committer | José Bollo <jose.bollo@iot.bzh> | 2018-04-04 21:19:22 +0200 |
commit | 1b847a21fac05e88510fe37db63d0d9e4b72e633 (patch) | |
tree | 2034b132f94888bd7c6c6263a438c3f642183489 /meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch | |
parent | ea00cb6f79616987d7e3c7e83a6ee01cb73eb170 (diff) |
dbus-cynara: Avoid dependency loop
The dependency loop appeared when compiling
with DISTRO_FEATURE ptest.
To avoid it, I restore the logic implemented before in
meta-intel-iot-security. I also remove unless files.
Bug-AGL: SPEC-1334
Change-Id: Ibe8b9359a65fec034df2534c5fceb4769e63aa99
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch')
-rw-r--r-- | meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch | 123 |
1 files changed, 123 insertions, 0 deletions
diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch new file mode 100644 index 000000000..d30b2dbf8 --- /dev/null +++ b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch @@ -0,0 +1,123 @@ +From 92a373a6dbb1c7cd7c9824167aac232f3e0daebd Mon Sep 17 00:00:00 2001 +From: Jacek Bukarewicz <j.bukarewicz@samsung.com> +Date: Tue, 23 Jun 2015 11:08:48 +0200 +Subject: [PATCH 5/5] Perform Cynara runtime policy checks by default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This change introduces http://tizen.org/privilege/internal/dbus privilege +which is supposed to be available only to trusted system resources. +Checks for this privilege are used in place of certain allow rules to +make security policy more strict. + +For system bus sending and receiving signals now requires +http://tizen.org/privilege/internal/dbus privilege. Requesting name +ownership and sending methods is still denied by default. + +For session bus http://tizen.org/privilege/internal/dbus privilege +is now required for requesting name, calling methods, sending and receiving +signals. + +Services are supposed to override these default settings to implement their +own security policy. + +Change-Id: Ifb4a160bf6e0638404e0295a2e4fa3077efd881c +Signed-off-by: Jacek Bukarewicz <j.bukarewicz@samsung.com> + +Cherry picked from e8610297cf7031e94eb314a2e8c11246f4405403 by Jose Bollo +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + bus/session.conf.in | 32 ++++++++++++++++++++++++++------ + bus/system.conf.in | 19 +++++++++++++++---- + 2 files changed, 41 insertions(+), 10 deletions(-) + +diff --git a/bus/session.conf.in b/bus/session.conf.in +index affa7f1d..157dfb4d 100644 +--- a/bus/session.conf.in ++++ b/bus/session.conf.in +@@ -27,12 +27,32 @@ + <standard_session_servicedirs /> + + <policy context="default"> +- <!-- Allow everything to be sent --> +- <allow send_destination="*" eavesdrop="true"/> +- <!-- Allow everything to be received --> +- <allow eavesdrop="true"/> +- <!-- Allow anyone to own anything --> +- <allow own="*"/> ++ <!-- By default clients require internal/dbus privilege to communicate ++ with D-Bus services and to claim name ownership. This is internal privilege that ++ is only accessible to trusted system services --> ++ <check own="*" privilege="http://tizen.org/privilege/internal/dbus" /> ++ <check send_type="method_call" privilege="http://tizen.org/privilege/internal/dbus" /> ++ <check send_type="signal" privilege="http://tizen.org/privilege/internal/dbus" /> ++ <check receive_type="signal" privilege="http://tizen.org/privilege/internal/dbus" /> ++ ++ <!-- Reply messages (method returns, errors) are allowed ++ by default --> ++ <allow send_requested_reply="true" send_type="method_return"/> ++ <allow send_requested_reply="true" send_type="error"/> ++ ++ <!-- All messages but signals may be received by default --> ++ <allow receive_type="method_call"/> ++ <allow receive_type="method_return"/> ++ <allow receive_type="error"/> ++ ++ <!-- Allow anyone to talk to the message bus --> ++ <allow send_destination="org.freedesktop.DBus"/> ++ <allow receive_sender="org.freedesktop.DBus"/> ++ ++ <!-- But disallow some specific bus services --> ++ <deny send_destination="org.freedesktop.DBus" ++ send_interface="org.freedesktop.DBus" ++ send_member="UpdateActivationEnvironment"/> + </policy> + + <!-- Include legacy configuration location --> +diff --git a/bus/system.conf.in b/bus/system.conf.in +index 014f67ee..ebbd468a 100644 +--- a/bus/system.conf.in ++++ b/bus/system.conf.in +@@ -50,23 +50,34 @@ + <deny own="*"/> + <deny send_type="method_call"/> + +- <!-- Signals and reply messages (method returns, errors) are allowed ++ <!-- By default clients require internal/dbus privilege to send and receive signaks. ++ This is internal privilege that is only accessible to trusted system services --> ++ <check send_type="signal" privilege="http://tizen.org/privilege/internal/dbus" /> ++ <check receive_type="signal" privilege="http://tizen.org/privilege/internal/dbus" /> ++ ++ <!-- Reply messages (method returns, errors) are allowed + by default --> +- <allow send_type="signal"/> + <allow send_requested_reply="true" send_type="method_return"/> + <allow send_requested_reply="true" send_type="error"/> + +- <!-- All messages may be received by default --> ++ <!-- All messages but signals may be received by default --> + <allow receive_type="method_call"/> + <allow receive_type="method_return"/> + <allow receive_type="error"/> +- <allow receive_type="signal"/> + + <!-- Allow anyone to talk to the message bus --> + <allow send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.DBus" /> + <allow send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.DBus.Introspectable"/> ++ <!-- If there is a need specific bus services could be protected by Cynara as well. ++ However, this can lead to deadlock during the boot process when such check is made and ++ Cynara is not yet activated (systemd calls protected method synchronously, ++ dbus daemon tries to consult Cynara, Cynara waits for systemd activation). ++ Therefore it is advised to allow root processes to use bus services. ++ Currently anyone is allowed to talk to the message bus --> ++ <allow receive_sender="org.freedesktop.DBus"/> ++ + <!-- But disallow some specific bus services --> + <deny send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.DBus" +-- +2.14.3 + |