From 1f7ba56c9ced669951061d13b06e31d96a170e37 Mon Sep 17 00:00:00 2001
From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
Date: Tue, 23 Jun 2015 11:08:48 +0200
Subject: [PATCH 5/8] Perform Cynara runtime policy checks by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This change introduces http://tizen.org/privilege/internal/dbus privilege
which is supposed to be available only to trusted system resources.
Checks for this privilege are used in place of certain allow rules to
make security policy more strict.

For the system bus, sending and receiving signals now require the
http://tizen.org/privilege/internal/dbus privilege. Requesting name
ownership and sending method calls are still denied by default.

For session bus http://tizen.org/privilege/internal/dbus privilege
is now required for requesting name, calling methods, sending and receiving
signals.

Services are supposed to override these default settings to implement their
own security policy.

Cherry picked from e8610297cf7031e94eb314a2e8c11246f4405403 by Jose Bollo

Updated for dbus 1.10.20 by Scott Murray and José Bollo

Signed-off-by: Jacek Bukarewicz <j.bukarewicz@samsung.com>
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 bus/activation.c    | 42 ++++++++++++++++++++++++++----------------
 bus/session.conf.in | 32 ++++++++++++++++++++++++++------
 bus/system.conf.in  | 19 +++++++++++++++----
 3 files changed, 67 insertions(+), 26 deletions(-)

diff --git a/bus/activation.c b/bus/activation.c
index d4b597c..8aabeaa 100644
--- a/bus/activation.c
+++ b/bus/activation.c
@@ -1840,22 +1840,32 @@ bus_activation_activate_service (BusActivation  *activation,
     }
 
   if (auto_activation &&
-      entry != NULL &&
-      BUS_RESULT_TRUE != bus_context_check_security_policy (activation->context,
-        transaction,
-        connection, /* sender */
-        NULL, /* addressed recipient */
-        NULL, /* proposed recipient */
-        activation_message,
-        entry,
-        error,
-        NULL))
-    {
-      _DBUS_ASSERT_ERROR_IS_SET (error);
-      _dbus_verbose ("activation not authorized: %s: %s\n",
-          error != NULL ? error->name : "(error ignored)",
-          error != NULL ? error->message : "(error ignored)");
-      return FALSE;
+      entry != NULL)
+   {
+      BusResult result;
+
+      result = bus_context_check_security_policy (activation->context,
+                      transaction,
+                      connection, /* sender */
+                      NULL, /* addressed recipient */
+                      NULL, /* proposed recipient */
+                      activation_message,
+                      entry,
+                      error,
+                      NULL);
+      if (result == BUS_RESULT_FALSE)
+        {
+          _DBUS_ASSERT_ERROR_IS_SET (error);
+          _dbus_verbose ("activation not authorized: %s: %s\n",
+              error != NULL ? error->name : "(error ignored)",
+              error != NULL ? error->message : "(error ignored)");
+          return FALSE;
+        }
+      if (result == BUS_RESULT_LATER)
+        {
+          /* TODO */
+          _dbus_verbose ("ALERT FIX ME!!!!!!!!!!!!!!!");
+        }
     }
 
   /* Bypass the registry lookup if we're auto-activating, bus_dispatch would not
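Review bot: The BUS_RESULT_LATER branch only emits a verbose message and then falls through, so when the policy decision is deferred (the Cynara answer is not yet available) activation continues exactly as if it had been authorized — the new check fails open on the one outcome the old code could never produce. Until deferred activation is actually implemented, the safe interim is to treat LATER as not authorized, replacing the `_dbus_verbose ("ALERT FIX ME!!!!!!!!!!!!!!!");` line with `dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, "activation policy decision deferred");` followed by `return FALSE;`, and keeping the TODO comment so the deferral work stays visible. The opening brace on the `{` line after `entry != NULL)` is indented three spaces while its closing brace uses four, which reads as a mis-nested block. bus_activation_activate_service begins and ends outside this hunk.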
diff --git a/bus/session.conf.in b/bus/session.conf.in
index affa7f1..157dfb4 100644
--- a/bus/session.conf.in
+++ b/bus/session.conf.in
@@ -27,12 +27,32 @@
   <standard_session_servicedirs />
 
   <policy context="default">
-    <!-- Allow everything to be sent -->
-    <allow send_destination="*" eavesdrop="true"/>
-    <!-- Allow everything to be received -->
-    <allow eavesdrop="true"/>
-    <!-- Allow anyone to own anything -->
-    <allow own="*"/>
+    <!-- By default clients require internal/dbus privilege to communicate
+         with D-Bus services and to claim name ownership. This is internal privilege that
+         is only accessible to trusted system services -->
+    <check own="*"                  privilege="http://tizen.org/privilege/internal/dbus" />
+    <check send_type="method_call"  privilege="http://tizen.org/privilege/internal/dbus" />
+    <check send_type="signal"       privilege="http://tizen.org/privilege/internal/dbus" />
+    <check receive_type="signal"    privilege="http://tizen.org/privilege/internal/dbus" />
+
+    <!-- Reply messages (method returns, errors) are allowed
+         by default -->
+    <allow send_requested_reply="true" send_type="method_return"/>
+    <allow send_requested_reply="true" send_type="error"/>
+
+    <!-- All messages but signals may be received by default -->
+    <allow receive_type="method_call"/>
+    <allow receive_type="method_return"/>
+    <allow receive_type="error"/>
+
+    <!-- Allow anyone to talk to the message bus -->
+    <allow send_destination="org.freedesktop.DBus"/>
+    <allow receive_sender="org.freedesktop.DBus"/>
+
+    <!-- But disallow some specific bus services -->
+    <deny send_destination="org.freedesktop.DBus"
+          send_interface="org.freedesktop.DBus"
+          send_member="UpdateActivationEnvironment"/>
   </policy>
 
   <!-- Include legacy configuration location -->
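Review bot: The `<allow send_destination="org.freedesktop.DBus"/>` rule is not scoped by interface, unlike the system.conf counterpart in this same patch (which allows the Introspectable and Properties interfaces individually), so once it overrides the preceding method_call check every bus-driver interface is reachable by any session client by default, including ones such as org.freedesktop.DBus.Monitoring that are not meant for unprivileged callers. Scoping it the way system.conf does, `<allow send_destination="org.freedesktop.DBus" send_interface="org.freedesktop.DBus"/>` plus matching Introspectable and Properties lines, keeps the remaining driver interfaces behind an explicit policy decision. The lead comment would also read better as `<!-- By default clients require the internal/dbus privilege to communicate with D-Bus services and to claim name ownership. This is an internal privilege that is only accessible to trusted system services; services are expected to override these defaults in their own policy files -->`, which documents the override expectation stated in the commit message.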
diff --git a/bus/system.conf.in b/bus/system.conf.in
index f139b55..19d0c04 100644
--- a/bus/system.conf.in
+++ b/bus/system.conf.in
@@ -50,17 +50,20 @@
     <deny own="*"/>
     <deny send_type="method_call"/>
 
-    <!-- Signals and reply messages (method returns, errors) are allowed
+    <!-- By default clients require internal/dbus privilege to send and receive signaks.
+         This is internal privilege that is only accessible to trusted system services -->
+    <check send_type="signal"       privilege="http://tizen.org/privilege/internal/dbus" />
+    <check receive_type="signal"    privilege="http://tizen.org/privilege/internal/dbus" />
+
+    <!-- Reply messages (method returns, errors) are allowed
          by default -->
-    <allow send_type="signal"/>
     <allow send_requested_reply="true" send_type="method_return"/>
     <allow send_requested_reply="true" send_type="error"/>
 
-    <!-- All messages may be received by default -->
+    <!-- All messages but signals may be received by default -->
     <allow receive_type="method_call"/>
     <allow receive_type="method_return"/>
     <allow receive_type="error"/>
-    <allow receive_type="signal"/>
 
     <!-- Allow anyone to talk to the message bus -->
     <allow send_destination="org.freedesktop.DBus"
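Review bot: The new comment above the signal checks has a typo and a missing article: "signaks" should be "signals" and "This is internal privilege" should be "This is an internal privilege". Suggested text: `<!-- By default clients require the internal/dbus privilege to send and receive signals. This is an internal privilege that is only accessible to trusted system services -->`. It would also help operators to note that both directions are checked, i.e. a signal requires the privilege for its sender and separately for each recipient, since that affects how services write their override rules.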
@@ -69,6 +72,14 @@
            send_interface="org.freedesktop.DBus.Introspectable"/>
     <allow send_destination="org.freedesktop.DBus"
            send_interface="org.freedesktop.DBus.Properties"/>
+    <!-- If there is a need specific bus services could be protected by Cynara as well.
+         However, this can lead to deadlock during the boot process when such check is made and
+         Cynara is not yet activated (systemd calls protected method synchronously,
+         dbus daemon tries to consult Cynara, Cynara waits for systemd activation).
+         Therefore it is advised to allow root processes to use bus services.
+         Currently anyone is allowed to talk to the message bus -->
+    <allow receive_sender="org.freedesktop.DBus"/>
+
     <!-- But disallow some specific bus services -->
     <deny send_destination="org.freedesktop.DBus"
           send_interface="org.freedesktop.DBus"
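Review bot: The comment added above `<allow receive_sender="org.freedesktop.DBus"/>` does not describe that rule: it advises allowing root processes to use bus services, but no rule in this hunk does so, and the rule that follows instead allows receiving messages from the bus driver. Since the last matching rule wins, the purpose of this allow is to let bus-driver signals such as NameOwnerChanged be received without a Cynara decision despite the new receive_type="signal" check; the comment should say that, e.g. `<!-- Messages from the bus driver itself (e.g. NameOwnerChanged) are received without a Cynara check; this must follow the receive_type="signal" check so it takes precedence -->`. The deadlock explanation (systemd activation, dbus-daemon, Cynara) is valuable and belongs next to the bus-driver send allows it justifies, with the "allow root processes" sentence either dropped or backed by an actual rule.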
-- 
2.21.1