1 From e8610297cf7031e94eb314a2e8c11246f4405403 Mon Sep 17 00:00:00 2001
2 From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
3 Date: Tue, 23 Jun 2015 11:08:48 +0200
4 Subject: [PATCH] Perform Cynara runtime policy checks by default
6 This change introduces the http://tizen.org/privilege/internal/dbus privilege,
7 which is supposed to be available only to trusted system resources.
8 Checks for this privilege are used in place of certain allow rules to
9 make the security policy stricter.
11 For system bus sending and receiving signals now requires
12 http://tizen.org/privilege/internal/dbus privilege. Requesting name
13 ownership and sending methods is still denied by default.
15 For session bus http://tizen.org/privilege/internal/dbus privilege
16 is now required for requesting name, calling methods, sending and receiving
19 Services are supposed to override these default settings to implement their
22 Change-Id: Ifb4a160bf6e0638404e0295a2e4fa3077efd881c
23 Signed-off-by: Jacek Bukarewicz <j.bukarewicz@samsung.com>
25 bus/session.conf.in | 32 ++++++++++++++++++++++++++------
26 bus/system.conf.in | 22 ++++++++++++++++------
27 2 files changed, 42 insertions(+), 12 deletions(-)
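diff --git a/bus/session.conf.in b/bus/session.conf.in
index 74d9d1f..fa5c232 100644
--- a/bus/session.conf.in
+++ b/bus/session.conf.in
 <standard_session_servicedirs />
 <policy context="default">
- <!-- Allow everything to be sent -->
- <allow send_destination="*" eavesdrop="true"/>
- <!-- Allow everything to be received -->
- <allow eavesdrop="true"/>
- <!-- Allow anyone to own anything -->
+ <!-- By default clients require internal/dbus privilege to communicate
+ with D-Bus services and to claim name ownership. This is internal privilege that
+ is only accessible to trusted system services -->
+ <check own="*" privilege="http://tizen.org/privilege/internal/dbus" />
+ <check send_type="method_call" privilege="http://tizen.org/privilege/internal/dbus" />
+ <check send_type="signal" privilege="http://tizen.org/privilege/internal/dbus" />
+ <check receive_type="signal" privilege="http://tizen.org/privilege/internal/dbus" />
+ <!-- Reply messages (method returns, errors) are allowed
+ <allow send_requested_reply="true" send_type="method_return"/>
+ <allow send_requested_reply="true" send_type="error"/>
+ <!-- All messages but signals may be received by default -->
+ <allow receive_type="method_call"/>
+ <allow receive_type="method_return"/>
+ <allow receive_type="error"/>
+ <!-- Allow anyone to talk to the message bus -->
+ <allow send_destination="org.freedesktop.DBus"/>
+ <allow receive_sender="org.freedesktop.DBus"/>
+ <!-- But disallow some specific bus services -->
+ <deny send_destination="org.freedesktop.DBus"
+ send_interface="org.freedesktop.DBus"
+ send_member="UpdateActivationEnvironment"/>
 <!-- Config files are placed here that among other things,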
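Review bot: The exemption for calls to the message bus itself depends on rule order: `<allow send_destination="org.freedesktop.DBus"/>` sits below `<check send_type="method_call" .../>` and wins only because dbus-daemon applies the last matching rule, so moving that block above the checks would silently route every call to org.freedesktop.DBus through Cynara, with the boot-time consequences the system.conf.in comment describes. That ordering constraint deserves a comment on the allow line, e.g. `<!-- Allow anyone to talk to the message bus (keep below the checks above: last matching rule wins) -->`. The new comment's second line should read `This is an internal privilege that is only accessible to trusted system services -->`, and the reply-messages comment a few lines later appears unterminated in this rendering, so its closing `-->` is presumably on a line not shown here. The removed `<allow own="*"/>` rule and the closing `</policy>` tag are likewise not visible, so the old/new boundary around them is inferred.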
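diff --git a/bus/system.conf.in b/bus/system.conf.in
index 92f4cc4..dd16947 100644
--- a/bus/system.conf.in
+++ b/bus/system.conf.in
 <deny send_type="method_call"/>
- <!-- Signals and reply messages (method returns, errors) are allowed
+ <!-- By default clients require internal/dbus privilege to send and receive signaks.
+ This is internal privilege that is only accessible to trusted system services -->
+ <check send_type="signal" privilege="http://tizen.org/privilege/internal/dbus" />
+ <check receive_type="signal" privilege="http://tizen.org/privilege/internal/dbus" />
+ <!-- Reply messages (method returns, errors) are allowed
- <allow send_type="signal"/>
 <allow send_requested_reply="true" send_type="method_return"/>
 <allow send_requested_reply="true" send_type="error"/>
- <!-- All messages may be received by default -->
+ <!-- All messages but signals may be received by default -->
 <allow receive_type="method_call"/>
 <allow receive_type="method_return"/>
 <allow receive_type="error"/>
- <allow receive_type="signal"/>
- <!-- Allow anyone to talk to the message bus -->
+ <!-- If there is a need specific bus services could be protected by Cynara as well.
+ However, this can lead to deadlock during the boot process when such check is made and
+ Cynara is not yet activated (systemd calls protected method synchronously,
+ dbus daemon tries to consult Cynara, Cynara waits for systemd activation).
+ Therefore it is advised to allow root processes to use bus services.
+ Currently anyone is allowed to talk to the message bus -->
 <allow send_destination="org.freedesktop.DBus"/>
- <!-- But disallow some specific bus services -->
+ <allow receive_sender="org.freedesktop.DBus"/>
+ <!-- Disallow some specific bus services -->
 <deny send_destination="org.freedesktop.DBus"
 send_interface="org.freedesktop.DBus"
 send_member="UpdateActivationEnvironment"/>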
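Review bot: The first added comment has a typo, `signaks`, and a missing article; the two lines should read `<!-- By default clients require internal/dbus privilege to send and receive signals.` and `This is an internal privilege that is only accessible to trusted system services -->`. The long deadlock comment advises allowing root processes to use bus services, but no rule in this hunk implements that advice; if it is realised in another policy context elsewhere in the file, a one-line pointer to it would keep the comment actionable, and if it is not, the comment currently documents a policy that does not exist. The added `<allow receive_sender="org.freedesktop.DBus"/>` is what keeps signals emitted by the bus itself outside the new receive-signal check, which is worth saying explicitly, e.g. `<!-- Bus-originated signals are exempt from the Cynara receive check above -->`, since a reader may otherwise take it for a stray copy of the send rule. The reply-messages comment appears unterminated here, so its closing `-->` is presumably on a line not shown in this rendering.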