Hi,

As you might know, there is an idea to integrate Cynara checks into dbus-daemon. Its implementation was started by Patrick Ohly. I continued this task, and a version of dbus-daemon with this feature implemented is available in my dbus sandbox: git://review.tizen.org/platform/upstream/dbus (sandbox/jacekbe/cynara-integration branch)

I believe that all the features that services need are implemented. There are a few things that I still need to do, but these are rather minor. I will also need to do more testing.

The idea is to extend the D-Bus daemon XML policy language with a <check ... privilege="name_of_privilege" /> tag, so that when a message matches a <check> rule, Cynara is consulted. The attributes that can be put in this tag are the same as in the <allow> and <deny> tags (apart from the user, group and own attributes), so we can enforce policy checks at method/signal name, interface, bus name and object path granularity.

For example, in order to secure calls to methods that are part of the "org.bluez.Device1" interface of the service owning the name "org.bluez.Adapter1", one can put the following lines in the configuration file. The D-Bus daemon will take care of allowing only applications that have the "http://tizen.org/privilege/bluetooth" privilege.

<policy context="default">
   <check send_interface="org.bluez.Device1" send_destination="org.bluez.Adapter1" privilege="http://tizen.org/privilege/bluetooth" />
</policy>

It would be nice to get feedback from service developers on whether you find it useful and sufficient to secure your services. Ideally, service developers could try this version of D-Bus and see if they notice any problems. I'm not sure if the other parts of the security infrastructure are ready so that such tests can be performed, though.

Additionally, I'd like to know whether we also need to support such a construct:
   <check own="com.example.name" privilege="example.privilege" />
That is: allow only applications/services having the given privilege to own the given name. It would be useful if services weren't trusted or if applications wanted to request some well-known name on the bus. I'm not sure if that's the case.

Also, are there resources that need multiple privileges, or can we assume that every resource maps to a single privilege?

Best regards,

--
Jacek Bukarewicz
Samsung R&D Institute Poland
Samsung Electronics
[email protected]

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
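To make the matching semantics of the <check> tag concrete, here is an added, illustrative model (not code from the sandbox branch or from dbus-daemon): it parses a small constructed policy, applies the usual last-matching-rule-wins ordering of a single policy context, and lets a matched <check> rule defer its verdict to a stand-in for Cynara. The policy rules, client names and granted privileges are all constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed policy fragment in the style of the <check> extension (hypothetical
# rules, not from the sandbox branch): a plain allow, the privilege check, and a later deny.
POLICY = """<busconfig>
<policy context="default">
  <allow send_destination="org.bluez.Adapter1"/>
  <check send_interface="org.bluez.Device1" send_destination="org.bluez.Adapter1"
         privilege="http://tizen.org/privilege/bluetooth"/>
  <deny send_interface="org.bluez.Device1" send_member="Pair"
        send_destination="org.bluez.Adapter1"/>
</policy>
</busconfig>"""

# Message attributes a rule may constrain (user, group and own deliberately left out).
MATCH_ATTRS = ("send_interface", "send_member", "send_destination", "send_path")

# Constructed stand-in for Cynara: which privileges each client has been granted.
GRANTS = {"app-with-bt": {"http://tizen.org/privilege/bluetooth"}, "app-no-bt": set()}

def fake_cynara(client, privilege):
    return privilege in GRANTS.get(client, set())

def rule_matches(rule, msg):
    """A rule matches when every attribute it sets equals the message's value."""
    return all(msg.get(a) == rule.get(a) for a in MATCH_ATTRS if rule.get(a) is not None)

def decide(policy_xml, msg, cynara=fake_cynara):
    """Return 'allow' or 'deny' for msg. Rules are scanned in document order and
    the last matching one wins, as in dbus-daemon; a matched <check> rule takes
    its verdict from Cynara for the privilege it names. Single-context model only."""
    verdict = "deny"  # nothing matched: sends are denied by default
    for rule in ET.fromstring(policy_xml).iter():
        if rule.tag not in ("allow", "deny", "check") or not rule_matches(rule, msg):
            continue
        if rule.tag == "check":
            verdict = "allow" if cynara(msg["client"], rule.get("privilege")) else "deny"
        else:
            verdict = rule.tag
    return verdict

if __name__ == "__main__":
    call = {"client": "app-no-bt", "send_destination": "org.bluez.Adapter1",
            "send_interface": "org.bluez.Device1", "send_member": "Connect"}
    print(decide(POLICY, call))                              # deny: privilege missing
    print(decide(POLICY, dict(call, client="app-with-bt")))  # allow: Cynara grants it
    print(decide(POLICY, dict(call, client="app-with-bt", send_member="Pair")))  # deny
```

The third case shows why rule order matters: the later <deny> on the Pair method overrides the privilege check, so a service author has to place <check> rules after any broader <allow> and before any narrower <deny> they intend to keep.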
