Bug 19060 - system policy cleanup
Status: RESOLVED FIXED
Product: dbus
Classification: Unclassified
Component: core
Version: unspecified
Hardware: Other
OS: All
Priority: medium
Severity: normal
Assigned To: Havoc Pennington
QA Contact: John (J5) Palmieri
Reported: 2008-12-12 14:29 UTC by Colin Walters
Modified: 2008-12-18 12:44 UTC

Description Colin Walters 2008-12-12 14:29:03 UTC
The current system.conf default policy is too confusing and ill-specified.

Here's a pass at a rewrite which attempts to spell out exactly what we want in more explicit terms.  Please review carefully line by line.

  <policy context="default">
    <!-- All users can connect to system bus -->
    <allow user="*"/>

    <!-- Holes must be punched in service configuration files for
         name ownership and sending method calls -->
    <deny own="*"/>
    <deny send_type="method_call"/>

    <!-- Signals and reply messages (method returns, errors) are allowed
         by default -->
    <allow send_type="signal"/>
    <allow send_requested_reply="true" send_type="method_return"/>
    <allow send_requested_reply="true" send_type="error"/>

    <!-- All messages may be received by default -->
    <allow receive_type="method_call"/>
    <allow receive_type="method_return"/>
    <allow receive_type="error"/>
    <allow receive_type="signal"/>

    <!-- Allow anyone to talk to the message bus -->
    <allow send_destination="org.freedesktop.DBus"/>
    <!-- But disallow some specific bus services -->
    <deny send_destination="org.freedesktop.DBus"
          send_interface="org.freedesktop.DBus"
          send_member="UpdateActivationEnvironment"/>
  </policy>
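To check that the rules above really add up to "default-deny for name ownership and method calls, signals and requested replies allowed, bus calls allowed except UpdateActivationEnvironment", here is a small evaluator that parses the policy with xml.etree and runs constructed sample traffic through it. This is an added example, not code from the bug report or the dbus project. It models the documented dbus-daemon rule semantics in simplified form (rules in a context apply in order and the last match wins; attributes on one rule are ANDed; an absent rule attribute matches anything; no match means deny), wraps the policy in an assumed <busconfig> root so it parses as a whole document, and ignores user/group contexts, eavesdropping and the real daemon's treatment of unrequested replies as method calls.

```python
"""Toy evaluator for the dbus default-context policy above.

Added example, not code from the dbus project or the bug report.  Simplified
model of dbus-daemon(1) rule semantics: rules are applied in document order
and the last matching rule decides; attributes on a single rule are ANDed;
an attribute the rule does not mention matches anything; with no match the
verdict is deny.  User/group contexts, eavesdropping and the "unrequested
reply is treated like a method call" corner case are not modelled.
"""
import xml.etree.ElementTree as ET

# Policy from the bug report; the <busconfig> wrapper is constructed here so
# the fragment parses as a complete document.
POLICY_XML = """<busconfig>
  <policy context="default">
    <allow user="*"/>
    <deny own="*"/>
    <deny send_type="method_call"/>
    <allow send_type="signal"/>
    <allow send_requested_reply="true" send_type="method_return"/>
    <allow send_requested_reply="true" send_type="error"/>
    <allow receive_type="method_call"/>
    <allow receive_type="method_return"/>
    <allow receive_type="error"/>
    <allow receive_type="signal"/>
    <allow send_destination="org.freedesktop.DBus"/>
    <deny send_destination="org.freedesktop.DBus"
          send_interface="org.freedesktop.DBus"
          send_member="UpdateActivationEnvironment"/>
  </policy>
</busconfig>"""


def load_rules(xml_text, context="default"):
    """Return [(verdict, {attribute: value}), ...] in document order."""
    root = ET.fromstring(xml_text)
    rules = []
    for policy in root.findall("policy"):
        if policy.get("context") != context:
            continue
        for rule in policy:
            if rule.tag in ("allow", "deny"):
                rules.append((rule.tag, dict(rule.attrib)))
    return rules


def _matches(attrs, message, kind):
    """True when every <kind>_* attribute on the rule agrees with the message."""
    prefix = kind + "_"
    relevant = {k[len(prefix):]: v for k, v in attrs.items() if k.startswith(prefix)}
    if not relevant:  # rule is about something else (user=, own=, receive_*)
        return False
    for key, want in relevant.items():
        have = message.get(key)
        if key == "requested_reply":
            # "true" matches only replies that answer an outstanding call
            if (want == "true") != bool(have):
                return False
        elif have != want:
            return False
    return True


# Rule kinds that carry a single attribute with a "*" wildcard.
SIMPLE = {"connect": "user", "own": "own"}


def decide(rules, kind, **message):
    """Apply rules in order; the last matching rule decides; no match -> deny."""
    verdict = "deny"
    for action, attrs in rules:
        if kind in SIMPLE:
            attr = SIMPLE[kind]
            hit = attr in attrs and attrs[attr] in ("*", message["name"])
        else:
            hit = _matches(attrs, message, kind)
        if hit:
            verdict = action
    return verdict


RULES = load_rules(POLICY_XML)

# Constructed sample traffic: (label, rule kind, message fields).
SCENARIOS = [
    ("any uid may connect", "connect", {"name": "1000"}),
    ("owning a name needs a service-file hole", "own", {"name": "com.example.Foo"}),
    ("signal broadcast", "send", {"type": "signal"}),
    ("method call to an ordinary service", "send",
     {"type": "method_call", "destination": "com.example.Foo",
      "interface": "com.example.Foo", "member": "DoThing"}),
    ("Hello to the bus itself", "send",
     {"type": "method_call", "destination": "org.freedesktop.DBus",
      "interface": "org.freedesktop.DBus", "member": "Hello"}),
    ("UpdateActivationEnvironment on the bus", "send",
     {"type": "method_call", "destination": "org.freedesktop.DBus",
      "interface": "org.freedesktop.DBus", "member": "UpdateActivationEnvironment"}),
    ("reply to an outstanding call", "send",
     {"type": "method_return", "destination": ":1.5", "requested_reply": True}),
    ("unsolicited method_return", "send",
     {"type": "method_return", "destination": ":1.5", "requested_reply": False}),
]


def evaluate_all(rules=RULES, scenarios=SCENARIOS):
    """Map each scenario label to the verdict the policy gives it."""
    return {label: decide(rules, kind, **msg) for label, kind, msg in scenarios}


if __name__ == "__main__":
    for label, verdict in evaluate_all().items():
        print(f"{verdict:5}  {label}")
```

Reading the verdicts against the rule order shows why the ordering matters: the blanket `<deny send_type="method_call"/>` is overridden for the bus itself by the later `<allow send_destination="org.freedesktop.DBus"/>`, which in turn is narrowed by the final deny for UpdateActivationEnvironment, and a method_return that nobody asked for is rejected because only `send_requested_reply="true"` replies are allowed.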
Comment 1 Ray Strode [halfline] 2008-12-18 11:12:30 UTC
I think doing it this way makes a lot of sense.  It's very clear what's going on this way.

My only concern would be that if new message types got added, this would need to be updated.  But that's not really an issue because it's unlikely that would happen since we're post-1.0 (and if it did, the patch would just need to remember to update the configuration).

Seems reasonable to me.
Comment 2 Colin Walters 2008-12-18 12:44:17 UTC
Pushed to 1.3 and 1.2:
commit dc77c213742d2a373e3ed134168e4377e7c99a61
Author: Colin Walters <walters@verbum.org>
Date:   Fri Dec 12 14:50:21 2008 -0500

    Clean up and clarify default system policy
    
    The former was too reliant on old bugs and was generally unclear.
    This one makes explicit exactly what is allowed and not.