X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=blobdiff_plain;f=meta-security%2Frecipes-core%2Fdbus-cynara%2Fdbus%2F0005-Perform-Cynara-runtime-policy-checks-by-default.patch;fp=meta-security%2Frecipes-core%2Fdbus-cynara%2Fdbus%2F0005-Perform-Cynara-runtime-policy-checks-by-default.patch;h=d30b2dbf8e0359797490366a83d1c5f291e0ce75;hb=5a827a287451d9916a6bcb6eae90770add971be9;hp=0000000000000000000000000000000000000000;hpb=0d732135b4011bec7d5367bb56d7be1c1a3ac44e;p=AGL%2Fmeta-agl.git

diff --git a/meta-security/recipes-core/dbus-cynara/dbus/0005-Perform-Cynara-runtime-policy-checks-by-default.patch b/meta-security/recipes-core/dbus-cynara/dbus/0005-Perform-Cynara-runtime-policy-checks-by-default.patch
new file mode 100644
index 000000000..d30b2dbf8
--- /dev/null
+++ b/meta-security/recipes-core/dbus-cynara/dbus/0005-Perform-Cynara-runtime-policy-checks-by-default.patch
@@ -0,0 +1,123 @@
+From 92a373a6dbb1c7cd7c9824167aac232f3e0daebd Mon Sep 17 00:00:00 2001
+From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
+Date: Tue, 23 Jun 2015 11:08:48 +0200
+Subject: [PATCH 5/5] Perform Cynara runtime policy checks by default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This change introduces http://tizen.org/privilege/internal/dbus privilege
+which is supposed to be available only to trusted system resources.
+Checks for this privilege are used in place of certain allow rules to
+make security policy more strict.
+
+For system bus sending and receiving signals now requires
+http://tizen.org/privilege/internal/dbus privilege. Requesting name
+ownership and sending methods is still denied by default.
+
+For session bus http://tizen.org/privilege/internal/dbus privilege
+is now required for requesting name, calling methods, sending and receiving
+signals.
+
+Services are supposed to override these default settings to implement their
+own security policy.
+
+Change-Id: Ifb4a160bf6e0638404e0295a2e4fa3077efd881c
+Signed-off-by: Jacek Bukarewicz <j.bukarewicz@samsung.com>
+
+Cherry picked from e8610297cf7031e94eb314a2e8c11246f4405403 by Jose Bollo
+Signed-off-by: JosÃ© Bollo <jose.bollo@iot.bzh>
+---
+ bus/session.conf.in | 32 ++++++++++++++++++++++++++------
+ bus/system.conf.in  | 19 +++++++++++++++----
+ 2 files changed, 41 insertions(+), 10 deletions(-)
+
+diff --git a/bus/session.conf.in b/bus/session.conf.in
+index affa7f1d..157dfb4d 100644
+--- a/bus/session.conf.in
++++ b/bus/session.conf.in
+@@ -27,12 +27,32 @@
+   <standard_session_servicedirs />
+ 
+   <policy context="default">
+-    <!-- Allow everything to be sent -->
+-    <allow send_destination="*" eavesdrop="true"/>
+-    <!-- Allow everything to be received -->
+-    <allow eavesdrop="true"/>
+-    <!-- Allow anyone to own anything -->
+-    <allow own="*"/>
++    <!-- By default clients require internal/dbus privilege to communicate
++         with D-Bus services and to claim name ownership. This is internal privilege that
++         is only accessible to trusted system services -->
++    <check own="*"                  privilege="http://tizen.org/privilege/internal/dbus" />
++    <check send_type="method_call"  privilege="http://tizen.org/privilege/internal/dbus" />
++    <check send_type="signal"       privilege="http://tizen.org/privilege/internal/dbus" />
++    <check receive_type="signal"    privilege="http://tizen.org/privilege/internal/dbus" />
++
++    <!-- Reply messages (method returns, errors) are allowed
++         by default -->
++    <allow send_requested_reply="true" send_type="method_return"/>
++    <allow send_requested_reply="true" send_type="error"/>
++
++    <!-- All messages but signals may be received by default -->
++    <allow receive_type="method_call"/>
++    <allow receive_type="method_return"/>
++    <allow receive_type="error"/>
++
++    <!-- Allow anyone to talk to the message bus -->
++    <allow send_destination="org.freedesktop.DBus"/>
++    <allow receive_sender="org.freedesktop.DBus"/>
++
++    <!-- But disallow some specific bus services -->
++    <deny send_destination="org.freedesktop.DBus"
++          send_interface="org.freedesktop.DBus"
++          send_member="UpdateActivationEnvironment"/>
+   </policy>
+ 
+   <!-- Include legacy configuration location -->
+diff --git a/bus/system.conf.in b/bus/system.conf.in
+index 014f67ee..ebbd468a 100644
+--- a/bus/system.conf.in
++++ b/bus/system.conf.in
+@@ -50,23 +50,34 @@
+     <deny own="*"/>
+     <deny send_type="method_call"/>
+ 
+-    <!-- Signals and reply messages (method returns, errors) are allowed
++    <!-- By default clients require internal/dbus privilege to send and receive signaks.
++         This is internal privilege that is only accessible to trusted system services -->
++    <check send_type="signal"       privilege="http://tizen.org/privilege/internal/dbus" />
++    <check receive_type="signal"    privilege="http://tizen.org/privilege/internal/dbus" />
++
++    <!-- Reply messages (method returns, errors) are allowed
+          by default -->
+-    <allow send_type="signal"/>
+     <allow send_requested_reply="true" send_type="method_return"/>
+     <allow send_requested_reply="true" send_type="error"/>
+ 
+-    <!-- All messages may be received by default -->
++    <!-- All messages but signals may be received by default -->
+     <allow receive_type="method_call"/>
+     <allow receive_type="method_return"/>
+     <allow receive_type="error"/>
+-    <allow receive_type="signal"/>
+ 
+     <!-- Allow anyone to talk to the message bus -->
+     <allow send_destination="org.freedesktop.DBus"
+            send_interface="org.freedesktop.DBus" />
+     <allow send_destination="org.freedesktop.DBus"
+            send_interface="org.freedesktop.DBus.Introspectable"/>
++    <!-- If there is a need specific bus services could be protected by Cynara as well.
++         However, this can lead to deadlock during the boot process when such check is made and
++         Cynara is not yet activated (systemd calls protected method synchronously,
++         dbus daemon tries to consult Cynara, Cynara waits for systemd activation).
++         Therefore it is advised to allow root processes to use bus services.
++         Currently anyone is allowed to talk to the message bus -->
++    <allow receive_sender="org.freedesktop.DBus"/>
++
+     <!-- But disallow some specific bus services -->
+     <deny send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus"
+-- 
+2.14.3
+
