Send connman mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.01.org/mailman/listinfo/connman
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of connman digest..."
Today's Topics:
1. Re: [RFC] vpn: Restrict connman-vpnd capabilities (Andrew Bibb)
2. Re: [RFC] vpn: Restrict connman-vpnd capabilities (Patrik Flykt)
3. [PATCH] core: No need to compare expression against NULL
(Saurav Babu)
4. Enable/disbale connman autoconnect (Pushkin Andrei)
5. Re: Enable/disbale connman autoconnect (Patrik Flykt)
----------------------------------------------------------------------
Message: 1
Date: Mon, 8 Feb 2016 20:19:49 -0500
From: Andrew Bibb <[email protected]>
To: Patrik Flykt <[email protected]>
Cc: [email protected]
Subject: Re: [RFC] vpn: Restrict connman-vpnd capabilities
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"; format=flowed
On 2/8/2016 4:08 AM, Patrik Flykt wrote:
> Hi,
>
> On Sun, 2016-02-07 at 13:26 -0500, Andrew Bibb wrote:
>> Actually need to remove all three lines, not just the two I mentioned.
>> I reverted the file back to the way it was in 1.30, and I initially
>> thought it was only the two lines that were different.
>>
>> Sorry about the initial misinformation.
>>
>> -
>> Andrew
>>
>> On 2/7/2016 10:51 AM, Andrew Bibb wrote:
>>> I'm sorry about being late to the party, but now that 1.31 is out I've
>>> discovered that this change seems to make OpenVPN not work. I had an
>>> OpenVPN config file that works fine in 1.30 but not 1.31. Removing the
>>> ProtectHome and ProtectSystem lines from the .service file allows
>>> OpenVPN to work in 1.31.
>>>
>>> I also have a functional PPTP config file and that works in both 1.30
>>> and 1.31 without modification.
>>>
>>> Thanks
>>> Andrew
>>>
>>> On 12/1/2015 8:32 AM, Patrik Flykt wrote:
>>>> Have systemd set /home and /run/users read only as VPN certificates can
>>>> be stored also in these directories. Protect other directories in the
>>>> system by making also them read only. The directory options affect also
>>>> all VPN applications started by connman-vpnd.
>>>>
>>>> Restrict capabilities to a subset necessary for normal operations.
>>>> ---
>>>>
>>>> ProtectSystem=full means the VPN applications cannot write anything to
>>>> /usr or /etc. Let's hope this works out for all VPN daemons.
>>>>
>>>> Please test,
>>>>
>>>> Patrik
>>>>
>>>>
>>>> vpn/connman-vpn.service.in | 3 +++
>>>> 1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/vpn/connman-vpn.service.in b/vpn/connman-vpn.service.in
>>>> index 120245e..e98fb71 100644
>>>> --- a/vpn/connman-vpn.service.in
>>>> +++ b/vpn/connman-vpn.service.in
>>>> @@ -6,6 +6,9 @@ Type=dbus
>>>> BusName=net.connman.vpn
>>>> ExecStart=@sbindir@/connman-vpnd -n
>>>> StandardOutput=null
>>>> +CapabilityBoundingSet=CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE
>>>> CAP_NET_RAW
>>>> +ProtectHome=read-only
>>>> +ProtectSystem=full
> Where does your openvpn instance store its config? Where does it write
> its temporary files? A decently configured system should only write
> to /var/, as by definition all the other locations should be read-only.
> There should not be anything a system wide daemon needs from /home/
> either.
>
> Might it be that the capabilities were causing this?
>
> Cheers,
>
> Patrik
>
>
>
Pretty much everything is in ~/.local/share. OpenVNP.CACert,
OpenVPN.Cert, OpenVPN.Key, OpenVPN.ConfigFile and OpenVPN.AuthUserPass
in the Connman provisioning file all point to files which live in a
sub-directory inside ~/.local/share. I'm trying to find where it puts
temporary files, but not having a lot of luck so far. I'm using a
stock Arch Linux install with no other modifications.
From your response it sounds as if putting all these in ~/.local/share
is not correct. I was doing that because the VPN connection is only for
me, no one else.
------------------------------
Message: 2
Date: Tue, 09 Feb 2016 09:01:28 +0200
From: Patrik Flykt <[email protected]>
To: Andrew Bibb <[email protected]>
Cc: [email protected]
Subject: Re: [RFC] vpn: Restrict connman-vpnd capabilities
Message-ID: <[email protected]>
Content-Type: text/plain; charset="UTF-8"
Hi,
On Mon, 2016-02-08 at 20:19 -0500, Andrew Bibb wrote:
> Pretty much everything is in ~/.local/share. OpenVNP.CACert,
> OpenVPN.Cert, OpenVPN.Key, OpenVPN.ConfigFile and OpenVPN.AuthUserPass
> in the Connman provisioning file all point to files which live in a
> sub-directory inside ~/.local/share. I'm trying to find where it puts
> temporary files, but not having a lot of luck so far. I'm using a
> stock Arch Linux install with no other modifications.
>
> From your response it sounds as if putting all these in ~/.local/share
> is not correct. I was doing that because the VPN connection is only for
> me, no one else.
Reading stuff from ~/.local/share is ok. And works with the current
systemd .service file. I also have certs stored in ~/ and it works fine
here.
Writing temporary and other stuff should go somewhere else, as an
unmodified connman-vpnd will behave as running system-wide. Probably
openvpn tries to write somewhere else than /var, which is prevented
for /home by ProtectHome=read-only and /usr and /etc by
ProtectSystem=full.
Does the openvpn daemon start (ps axu | grep openvpn) ? Does the
OpenVPN.ConfigFile point temporary or other configuration directories
somewhere else than /var ?
Somewhere else someone said that between Arch Linux 1.31-1 and 1.31-2
modifications were made and /var/run/connman/resolv.conf stopped
working. So at least something with the Arch packaging has changed.
Cheers,
Patrik
------------------------------
Message: 3
Date: Tue, 09 Feb 2016 16:10:54 +0530
From: Saurav Babu <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: [PATCH] core: No need to compare expression against NULL
Message-ID: <[email protected]>
doc/coding-style.txt M13: Check for pointer being NULL
---
src/agent.c | 2 +-
src/dnsproxy.c | 6 +++---
src/service.c | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/agent.c b/src/agent.c
index 4866c8d..8f7b19b 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -586,7 +586,7 @@ static void agent_release(struct connman_agent *agent,
const char *interface)
message = dbus_message_new_method_call(agent->owner, agent->path,
interface, "Release");
- if (message == NULL) {
+ if (!message) {
connman_error("Couldn't allocate D-Bus message");
return;
}
diff --git a/src/dnsproxy.c b/src/dnsproxy.c
index 06e867a..48fbef0 100644
--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
@@ -2050,21 +2050,21 @@ static int forward_dns_reply(unsigned char *reply, int
reply_len, int protocol,
(char *)reply + offset, eom,
ptr, uncompressed, NS_MAXDNAME,
&uptr);
- if (ptr == NULL)
+ if (!ptr)
goto out;
ptr = uncompress(ntohs(hdr->nscount),
(char *)reply + offset, eom,
ptr, uncompressed, NS_MAXDNAME,
&uptr);
- if (ptr == NULL)
+ if (!ptr)
goto out;
ptr = uncompress(ntohs(hdr->arcount),
(char *)reply + offset, eom,
ptr, uncompressed, NS_MAXDNAME,
&uptr);
- if (ptr == NULL)
+ if (!ptr)
goto out;
/*
diff --git a/src/service.c b/src/service.c
index a93aebf..8e07337 100644
--- a/src/service.c
+++ b/src/service.c
@@ -3653,7 +3653,7 @@ void __connman_service_set_active_session(bool enable,
GSList *list)
else
active_count--;
- while (list != NULL) {
+ while (list) {
enum connman_service_type type = GPOINTER_TO_INT(list->data);
switch (type) {
--
1.9.1
------------------------------
Message: 4
Date: Tue, 9 Feb 2016 11:57:41 +0000
From: Pushkin Andrei <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Enable/disbale connman autoconnect
Message-ID:
<b2c6c6c6422e5f47a75eaed990eaefe3029df90...@sv-exmb01-lo1.promwad.corp>
Content-Type: text/plain; charset="koi8-r"
Hi. How I can enabale\disable connman 'AutoConnect' feature via dbus?
Andrei Pushkin
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.01.org/pipermail/connman/attachments/20160209/49e059dc/attachment-0001.html>
------------------------------
Message: 5
Date: Tue, 09 Feb 2016 14:07:20 +0200
From: Patrik Flykt <[email protected]>
To: Pushkin Andrei <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: Enable/disbale connman autoconnect
Message-ID: <[email protected]>
Content-Type: text/plain; charset="UTF-8"
On Tue, 2016-02-09 at 11:57 +0000, Pushkin Andrei wrote:
> Hi. How I can enabale\disable connman 'AutoConnect' feature via dbus?
See doc/service-api.txt, the Autoconnect property.
The command 'connmanctl config <serviceid> autoconnect on|off' sends the
Autoconnect property over D-Bus, you can look at the C code sources. Or
even look at test/test-connman, written in python.
Cheers,
Patrik
------------------------------
Subject: Digest Footer
_______________________________________________
connman mailing list
[email protected]
https://lists.01.org/mailman/listinfo/connman
------------------------------
End of connman Digest, Vol 4, Issue 11
**************************************
