1 From 69ba571e0daa0a7a9aa6c6b5be5d3338a89d144a Mon Sep 17 00:00:00 2001
2 From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
3 Date: Tue, 23 Jun 2015 11:08:48 +0200
4 Subject: Perform Cynara runtime policy checks by default
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
9 This change introduces http://tizen.org/privilege/internal/dbus privilege
10 which is supposed to be available only to trusted system resources.
11 Checks for this privilege are used in place of certain allow rules to
12 make security policy more strict.
14 For system bus sending and receiving signals now requires
15 http://tizen.org/privilege/internal/dbus privilege. Requesting name
16 ownership and sending methods is still denied by default.
18 For session bus http://tizen.org/privilege/internal/dbus privilege
19 is now required for requesting name, calling methods, sending and receiving
22 Services are supposed to override these default settings to implement their
25 Cherry picked from e8610297cf7031e94eb314a2e8c11246f4405403 by Jose Bollo
27 Updated for dbus 1.10.20 by Scott Murray and José Bollo
29 Signed-off-by: Jacek Bukarewicz <j.bukarewicz@samsung.com>
30 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
31 Signed-off-by: Scott Murray <scott.murray@konsulko.com>
33 diff --git a/bus/activation.c b/bus/activation.c
34 index ffdc6fc..6a95b95 100644
35 --- a/bus/activation.c
36 +++ b/bus/activation.c
37 @@ -1837,22 +1837,32 @@ bus_activation_activate_service (BusActivation *activation,
40 if (auto_activation &&
42 - BUS_RESULT_TRUE != bus_context_check_security_policy (activation->context,
44 - connection, /* sender */
45 - NULL, /* addressed recipient */
46 - NULL, /* proposed recipient */
52 - _DBUS_ASSERT_ERROR_IS_SET (error);
53 - _dbus_verbose ("activation not authorized: %s: %s\n",
54 - error != NULL ? error->name : "(error ignored)",
55 - error != NULL ? error->message : "(error ignored)");
61 + result = bus_context_check_security_policy (activation->context,
63 + connection, /* sender */
64 + NULL, /* addressed recipient */
65 + NULL, /* proposed recipient */
70 + if (result == BUS_RESULT_FALSE)
72 + _DBUS_ASSERT_ERROR_IS_SET (error);
73 + _dbus_verbose ("activation not authorized: %s: %s\n",
74 + error != NULL ? error->name : "(error ignored)",
75 + error != NULL ? error->message : "(error ignored)");
78 + if (result == BUS_RESULT_LATER)
81 + _dbus_verbose ("ALERT FIX ME!!!!!!!!!!!!!!!");
85 /* Bypass the registry lookup if we're auto-activating, bus_dispatch would not
86 diff --git a/bus/session.conf.in b/bus/session.conf.in
87 index affa7f1..157dfb4 100644
88 --- a/bus/session.conf.in
89 +++ b/bus/session.conf.in
91 <standard_session_servicedirs />
93 <policy context="default">
94 - <!-- Allow everything to be sent -->
95 - <allow send_destination="*" eavesdrop="true"/>
96 - <!-- Allow everything to be received -->
97 - <allow eavesdrop="true"/>
98 - <!-- Allow anyone to own anything -->
100 + <!-- By default clients require internal/dbus privilege to communicate
101 + with D-Bus services and to claim name ownership. This is internal privilege that
102 + is only accessible to trusted system services -->
103 + <check own="*" privilege="http://tizen.org/privilege/internal/dbus" />
104 + <check send_type="method_call" privilege="http://tizen.org/privilege/internal/dbus" />
105 + <check send_type="signal" privilege="http://tizen.org/privilege/internal/dbus" />
106 + <check receive_type="signal" privilege="http://tizen.org/privilege/internal/dbus" />
108 + <!-- Reply messages (method returns, errors) are allowed
110 + <allow send_requested_reply="true" send_type="method_return"/>
111 + <allow send_requested_reply="true" send_type="error"/>
113 + <!-- All messages but signals may be received by default -->
114 + <allow receive_type="method_call"/>
115 + <allow receive_type="method_return"/>
116 + <allow receive_type="error"/>
118 + <!-- Allow anyone to talk to the message bus -->
119 + <allow send_destination="org.freedesktop.DBus"/>
120 + <allow receive_sender="org.freedesktop.DBus"/>
122 + <!-- But disallow some specific bus services -->
123 + <deny send_destination="org.freedesktop.DBus"
124 + send_interface="org.freedesktop.DBus"
125 + send_member="UpdateActivationEnvironment"/>
128 <!-- Include legacy configuration location -->
129 diff --git a/bus/system.conf.in b/bus/system.conf.in
130 index f139b55..19d0c04 100644
131 --- a/bus/system.conf.in
132 +++ b/bus/system.conf.in
135 <deny send_type="method_call"/>
137 - <!-- Signals and reply messages (method returns, errors) are allowed
138 + <!-- By default clients require internal/dbus privilege to send and receive signaks.
139 + This is internal privilege that is only accessible to trusted system services -->
140 + <check send_type="signal" privilege="http://tizen.org/privilege/internal/dbus" />
141 + <check receive_type="signal" privilege="http://tizen.org/privilege/internal/dbus" />
143 + <!-- Reply messages (method returns, errors) are allowed
145 - <allow send_type="signal"/>
146 <allow send_requested_reply="true" send_type="method_return"/>
147 <allow send_requested_reply="true" send_type="error"/>
149 - <!-- All messages may be received by default -->
150 + <!-- All messages but signals may be received by default -->
151 <allow receive_type="method_call"/>
152 <allow receive_type="method_return"/>
153 <allow receive_type="error"/>
154 - <allow receive_type="signal"/>
156 <!-- Allow anyone to talk to the message bus -->
157 <allow send_destination="org.freedesktop.DBus"
159 send_interface="org.freedesktop.DBus.Introspectable"/>
160 <allow send_destination="org.freedesktop.DBus"
161 send_interface="org.freedesktop.DBus.Properties"/>
162 + <!-- If there is a need specific bus services could be protected by Cynara as well.
163 + However, this can lead to deadlock during the boot process when such check is made and
164 + Cynara is not yet activated (systemd calls protected method synchronously,
165 + dbus daemon tries to consult Cynara, Cynara waits for systemd activation).
166 + Therefore it is advised to allow root processes to use bus services.
167 + Currently anyone is allowed to talk to the message bus -->
168 + <allow receive_sender="org.freedesktop.DBus"/>
170 <!-- But disallow some specific bus services -->
171 <deny send_destination="org.freedesktop.DBus"
172 send_interface="org.freedesktop.DBus"