On Tue, 2014-11-18 at 11:07 +0100, Dominig ar Foll (Intel OTC) wrote:
> On 18/11/2014 10:41, Patrick Ohly wrote:
> > On Tue, 2014-11-18 at 10:30 +0100, Dominig ar Foll (Intel OTC) wrote:
> >> On 17/11/2014 11:00, Patrick Ohly wrote:
> >>> I've argued that it is the latter (see also
> >>> https://bugs.tizen.org/jira/browse/TC-1411) while the NTB developers
> >>> claim that the less secure access control in NTB is good enough for 3.0.
> >> You are correct: as the BT FW daemon runs with the Bluetooth user ID, we will
> >> have to filter other users making direct calls to BlueZ.
> >> That can be done quite easily via a D-Bus policy.
> > I doubt that a dbus-daemon policy could be used to protect against
> > malicious users. dbus-daemon has no knowledge about which devices a user
> > is allowed to access.
> >
> > We cannot block all accesses either, because that would break NTB, which
> > relies on getting at least some D-Bus calls from a non-privileged user
> > process handled directly by BlueZ.
> I thought that the D-Bus integration in Cynara would allow us to activate
> privileged authorisation for given users.
> Could we not use that model?
Some kinds of access control are possible, others aren't. Checks that are highly domain specific (for example, ones that depend on the value of certain parameters in a method call) are not possible inside dbus-daemon and need to be implemented inside the D-Bus service (for example, obexd). That's how Cynara was meant to be used in Tizen initially. Adding Cynara support to dbus-daemon was just meant to offer a potentially easier solution for some services and to allow running unmodified services by limiting access to trusted processes by default.

The other complication for multi-user is that obexd runs as the user itself (at least at the moment) and talks to the kernel and/or the system bluetooth daemon to access the remote device. Any kind of check that we put into obexd could be bypassed by a malicious user by running an app that replicates the obexd functionality. That would work because the system has no understanding that obexd is allowed to use PBAP while that malicious app is not.

All of that can be changed, but how specifically is perhaps better discussed in a smaller work group.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter.

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
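For reference, an added example (not from this thread, and not a policy file shipped by Tizen or BlueZ) of the granularity a stock dbus-daemon policy actually offers, which is the limit the two messages above are discussing. A policy rule matches on the sender's user or group, the destination bus name, the interface, the member and the object path; it never sees the arguments of a method call, so it cannot express "this user may only reach the device it paired". The bus name org.bluez, the bluetooth user and the org.bluez.Device1 interface are standard BlueZ 5 names; the user name mediauser is assumed for illustration.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Only the bluetooth user may own org.bluez on the system bus. -->
  <policy user="bluetooth">
    <allow own="org.bluez"/>
  </policy>

  <!-- Everyone else: no method calls to org.bluez by default ... -->
  <policy context="default">
    <deny send_destination="org.bluez"/>

    <!-- ... except introspection and property reads, which leak no control. -->
    <allow send_destination="org.bluez"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="org.bluez"
           send_interface="org.freedesktop.DBus.Properties"
           send_member="Get"/>
    <allow send_destination="org.bluez"
           send_interface="org.freedesktop.DBus.Properties"
           send_member="GetAll"/>
  </policy>

  <!-- Assumed trusted user (name is illustrative). This is as fine-grained as
       dbus-daemon gets: the rule can name the interface, member and object
       path, but not the call arguments, and it has no notion of which remote
       device this user is allowed to use. User policies are evaluated after
       the default context, so this allow overrides the deny above. -->
  <policy user="mediauser">
    <allow send_destination="org.bluez"
           send_interface="org.bluez.Device1"
           send_member="Connect"/>
  </policy>
</busconfig>
```

The obexd side makes the second point of the message concrete: obexd registers as org.bluez.obex on the session bus, and its Client1.CreateSession call carries the remote device address as an argument. A bus policy could only allow or deny CreateSession as a whole, so any per-device decision has to be made inside obexd; and because obexd runs under the same user ID as the caller, a check placed there constrains only cooperative callers, exactly as described above.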
