On 2014-11-26 15:46, José Bollo wrote:
> On Wednesday 26 November 2014 at 14:48 +0100, Jacek Bukarewicz wrote:
>> Hi,
>>
>> Recently D-Bus version 1.8.2 has landed in the common image. Also, new 
>> Cynara version supporting asynchronous API has been released, so I 
>> believe it's time to push Cynara integration patches to the tizen branch 
>> - now they are put in my sandbox. There are 40 commits for Cynara-DBus 
>> daemon integration and 4 commits for "GetConnectionCredentials" method 
>> smack support. Number of patches is pretty big so I'll squash them into 
>> several bigger ones before sending to review (unless you think it's not 
>> required). I also prepared a wiki page on Cynara/D-Bus integration:
>> https://wiki.tizen.org/wiki/Security:Cynara:DBus_integration
>>
>> Before I send the changes to the review there are several things I'd 
>> like you to be aware of. The most important fact is that these patches 
>> are very unlikely to be accepted in the upstream. D-Bus maintainer made 
>> it pretty clear [1]. The biggest problem is the fact that we're doing 
>> asynchronous checks within D-Bus daemon which processes messages 
>> synchronously. I believe that if checks were synchronous, the changes 
>> would be acceptable.
>> The proposed alternative is to perform checks on the service side. 
>> However, this is also problematic:
>>   * additional code needs to be written
>>   * services sending sensitive broadcast messages would have to be modified
>>   * whether such patches will be accepted in the upstream is dubious as 
>> Cynara is still a fresh project.
>>   * connection credentials need to be obtained via 
>> "GetConnectionCredentials" method which also makes the process less 
>> efficient. Credentials could possibly be cached on the service side, but 
>> it's also additional code to write.
> Hi Jacek,
>
> This last is a big evolution from previous DBUS version. I'm not sure I
> understand why it "makes the process less efficient". However it may
> break some legacy code. I've searched quickly in some copies of
> tizen.org repo and did not find many references to
> GetConnectionUnixUser (cynara, crosswalk) or GetConnectionSmackContext
> (no package). Thus including a legacy function for
> GetConnectionSmackContext is not needed.
>
>> Recent talks on the D-Bus mailing list suggest that in the future all 
>> messages could contain connection credentials [2] which would make 
>> integration process on the service side a bit easier. Such posts suggest 
>> that performing checks on the service side is an approach that is 
>> endorsed by the community. From my understanding it will also be the 
>> suggested way of securing kdbus services.
> That is very interesting. Thank you for that input, even if it excludes
> the path taken by tizen.

I would be quite worried if "path taken by Tizen" would be radically
different from upstream's.  Ignoring community direction might cost us a
lot in the long run - and I do not think anyone would be interested in that.

I do believe we are considering this approach because:

 (1) there is a clear need for fine-grained policy checking

 (2) upstream packages we are interested in do not implement it on
     service side

 (3) trying to change the above does seem too much work compared to gains
     it might bring.

... and I agree that in the above cases implementing dynamic checks in
dbus-daemon might be a great idea.

However, what I would warn (and advise) against is delegating policy
checks to dbus-daemon where we can implement it directly in given service
without too much trouble (i.e. all services we are *the* upstream of).

While this isn't a problem for now, I would encourage really taking into
account that in the next 1-2 years Linux systems are likely to be running
without dbus-daemon at all.

>> So we basically have an option of securing services via configuration 
>> files and directly in the services. Neither of these approaches is 
>> perfect, but I believe at this point patching dbus daemon and 
>> maintaining security policy in individual configuration files is better 
>> solution. Especially considering the fact that Cynara integration in 
>> dbus daemon is done (but review is still needed).
> I agree with you and I'm hoping that the work you made with Patrick will
> be available very soon in tizen common.
>
> Best regards
> José Bollo

Cheers,

-- 
Karol Lewandowski, Samsung R&D Institute Poland
