Did you test this package? It seems to require much stricter checking of the dbus policy permission check. Any impact to existing apps?
Peter > -----Original Message----- > From: [email protected] > [mailto:[email protected]] On Behalf Of rrware > Sent: Thursday, January 20, 2011 5:05 AM > To: [email protected] > Subject: [meego-commits] 12360: Changes to devel:base/dbus > > Hi, > I have made the following changes to dbus in project devel:base. Please review > and accept ASAP. > > Thank You, > rrware > > [This message was auto-generated] > > --- > > Request #12360: > > submit: devel:security/dbus(r7) -> devel:base/dbus > > > Message: > * Wed Jan 19 2011 Ryan Ware <[email protected]> - 1.4.1 > - This update adds the creds-dbus patch which enables mandatory access > controls for dbus communication. > - FEA#9093 > > State: new 2011-01-19T13:04:56 rrware > Comment: None > > > > changes files: > -------------- > --- dbus.changes > +++ dbus.changes > @@ -0,0 +1,4 @@ > +* Wed Jan 19 2011 Ryan Ware <[email protected]> - 1.4.1 > +- This update adds the creds-dbus patch which enables mandatory access > controls for dbus communication. > +- FEA#9093 > + > > new: > ---- > creds-dbus-1.4.1.patch > > spec files: > ----------- > --- dbus.spec > +++ dbus.spec > @@ -17,6 +17,7 @@ > Source100: dbus.yaml > Patch0: start-early.patch > Patch1: dbus-1.0.1-generate-xml-docs.patch > +Patch2: creds-dbus-1.4.1.patch > Requires: %{name}-libs = %{version} > Requires(pre): /usr/sbin/useradd > Requires(preun): /sbin/service > @@ -27,6 +28,7 @@ > BuildRequires: gettext > BuildRequires: libcap-devel > BuildRequires: libtool > +BuildRequires: libcreds3-devel > > > %description 
> @@ -83,6 +85,8 @@ > %patch0 -p1 > # dbus-1.0.1-generate-xml-docs.patch > %patch1 -p1 > +# creds-dbus-1.4.1.patch > +%patch2 -p1 > # >> setup > # << setup > > > other changes: > -------------- > > ++++++ creds-dbus-1.4.1.patch (new) > --- creds-dbus-1.4.1.patch > +++ creds-dbus-1.4.1.patch > +diff -Naurp dbus-1.4.1.orig/bus/config-parser.c > dbus-1.4.1/bus/config-parser.c > +--- dbus-1.4.1.orig/bus/config-parser.c 2010-10-05 20:50:54.000000000 > +0300 > ++++ dbus-1.4.1/bus/config-parser.c 2011-01-13 15:47:48.000000000 +0200 > +@@ -22,6 +22,11 @@ > + */ > + > + #include <config.h> > ++#ifdef DBUS_BUS_ENABLE_CREDS > ++#include <err.h> > ++#include <limits.h> > ++#include <sys/creds.h> > ++#endif > + #include "config-parser-common.h" > + #include "config-parser.h" > + #include "test.h" > +@@ -32,6 +37,8 @@ > + #include <dbus/dbus-internals.h> > + #include <string.h> > + > ++ > ++ > + typedef enum > + { > + /* we ignore policies for unknown groups/users */ > +@@ -42,6 +49,9 @@ typedef enum > + POLICY_MANDATORY, > + POLICY_USER, > + POLICY_GROUP, > ++#ifdef DBUS_BUS_ENABLE_CREDS > ++ POLICY_CREDS, > ++#endif > + POLICY_CONSOLE > + } PolicyType; > + > +@@ -970,6 +980,9 @@ start_busconfig_child (BusConfigParser > + const char *context; > + const char *user; > + const char *group; > ++#ifdef DBUS_BUS_ENABLE_CREDS > ++ const char *creds; > ++#endif > + const char *at_console; > + > + if ((e = push_element (parser, ELEMENT_POLICY)) == NULL) > +@@ -987,17 +1000,20 @@ start_busconfig_child (BusConfigParser > + "context", &context, > + "user", &user, > + "group", &group, > ++#ifdef DBUS_BUS_ENABLE_CREDS > ++ "creds", &creds, > ++#endif > + "at_console", &at_console, > + NULL)) > + return FALSE; > + > +- if (((context && user) || > +- (context && group) || > +- (context && at_console)) || > +- ((user && group) || > +- (user && at_console)) || > +- (group && at_console) || > +- !(context || user || group || at_console)) > ++ if ((context != NULL) + > ++ (user != NULL) + > ++ 
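Review bot: Every new code path in creds-dbus-1.4.1.patch is guarded by `#ifdef DBUS_BUS_ENABLE_CREDS`, yet none of the dbus.spec or dbus.yaml hunks shown here adds a configure option or a CFLAGS define that sets that macro, so as far as this page shows the package can gain the libcreds3-devel BuildRequires and still compile with the creds policy code left out. If the macro is introduced by a configure.ac or Makefile.am change in the part of the patch that is skipped, the changelog entry should say so, and the spec's configure invocation (outside these hunks) should show the option explicitly so a reviewer can see the feature is on. A build log showing bus/policy.c compiled with the macro defined would settle it.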
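Review bot: The `#include <err.h>` added to bus/config-parser.c is not used by any line of the added code visible in this patch; the new branches report through `dbus_set_error` and `_dbus_warn`, which is the bus's existing convention. Unless the skipped tail of the patch calls err()/warn(), drop that include and keep only `<limits.h>` and `<sys/creds.h>`, so the build does not pull a BSD-style header into a file that otherwise uses dbus's own error reporting. The same reasoning applies to the `<limits.h>` include in bus/policy.c if nothing there uses its constants.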
(group != NULL) + > ++#ifdef DBUS_BUS_ENABLE_CREDS > ++ (creds != NULL) + > ++#endif > ++ (at_console != NULL) != 1) > + { > + dbus_set_error (error, DBUS_ERROR_FAILED, > + "<policy> element must have exactly one of > (context|user|group|at_console) attributes"); > +@@ -1046,6 +1062,22 @@ start_busconfig_child (BusConfigParser > + _dbus_warn ("Unknown group \"%s\" in message bus > configuration file\n", > + group); > + } > ++#ifdef DBUS_BUS_ENABLE_CREDS > ++ else if (creds != NULL) > ++ { > ++ creds_type_t type; > ++ creds_value_t value; > ++ type = creds_str2creds(creds, &value); > ++ if (type != CREDS_BAD && (value & ~CREDS_MASK) == 0) > ++ { > ++ e->d.policy.type = POLICY_CREDS; > ++ e->d.policy.gid_uid_or_at_console = > CREDS_KEY(type,value); > ++ } > ++ else > ++ _dbus_warn("Unable to translate credential \"%s\" in > message bus configuration file\n", > ++ creds); > ++ } > ++#endif > + else if (at_console != NULL) > + { > + dbus_bool_t t; > +@@ -1617,6 +1649,21 @@ append_rule_from_element (BusConfigParse > + goto nomem; > + break; > + > ++#ifdef DBUS_BUS_ENABLE_CREDS > ++ case POLICY_CREDS: > ++ if (!BUS_POLICY_RULE_IS_PER_CLIENT (rule)) > ++ { > ++ dbus_set_error (error, DBUS_ERROR_FAILED, > ++ "<%s> rule cannot be per-group > because it has bus-global semantics", > ++ element_name); > ++ goto failed; > ++ } > ++ if (!bus_policy_append_creds_rule (parser->policy, > pe->d.policy.gid_uid_or_at_console, > ++ rule)) > ++ goto nomem; > ++ break; > ++ > ++#endif > + > + case POLICY_CONSOLE: > + if (!bus_policy_append_console_rule (parser->policy, > pe->d.policy.gid_uid_or_at_console, > +diff -Naurp dbus-1.4.1.orig/bus/policy.c dbus-1.4.1/bus/policy.c > +--- dbus-1.4.1.orig/bus/policy.c 2010-10-05 20:50:54.000000000 +0300 > ++++ dbus-1.4.1/bus/policy.c 2011-01-14 11:26:15.965461296 +0200 > +@@ -22,6 +22,10 @@ > + */ > + > + #include <config.h> > ++#ifdef DBUS_BUS_ENABLE_CREDS > ++#include <limits.h> > ++#include <sys/creds.h> > ++#endif > + #include "policy.h" > + 
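Review bot: The validation error in start_busconfig_child still says `"<policy> element must have exactly one of (context|user|group|at_console) attributes"` although the sum now counts `creds` too, so an administrator who writes `creds=` alongside another attribute gets a message that does not name the attribute that caused the conflict. Either extend the string to `(context|user|group|creds|at_console)` or, if the text must stay exact when the feature is compiled out, select between two strings under the same `#ifdef DBUS_BUS_ENABLE_CREDS`. The same copied-text problem recurs in the `@@ -1617,6 +1649,21 @@` hunk of append_rule_from_element, where the POLICY_CREDS case reports `rule cannot be per-group because it has bus-global semantics`; that message should say per-creds. Both enclosing functions start and end outside their hunks.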
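Review bot: In the new `else if (creds != NULL)` branch of start_busconfig_child, a string that `creds_str2creds` rejects or whose value has bits outside `CREDS_MASK` only triggers `_dbus_warn` and leaves `e->d.policy.type` at whatever it held before the branch (assigned outside this hunk), so a misspelled `creds=` attribute silently turns the whole `<policy>` block into an ignored one instead of a configuration error. That mirrors how the user and group branches treat unknown names, but since this attribute is the one carrying mandatory access control, the fail-open consequence deserves a comment on the `else` arm, e.g. `/* untranslatable creds: the <policy> keeps its default (ignored) type, as for unknown user/group */`. It would also help to document why `(value & ~CREDS_MASK) == 0` is required; presumably `CREDS_KEY(type,value)` packs both into the single uintptr key used for the rules_by_creds table and an out-of-mask value would alias another key, but that should be confirmed against sys/creds.h. The enclosing function starts and ends outside the hunk.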
#include "services.h" > + #include "test.h" > +@@ -130,6 +134,9 @@ struct BusPolicy > + DBusList *mandatory_rules; /**< Mandatory policy rules */ > + DBusHashTable *rules_by_uid; /**< per-UID policy rules */ > + DBusHashTable *rules_by_gid; /**< per-GID policy rules */ > ++#ifdef DBUS_BUS_ENABLE_CREDS > ++ DBusHashTable *rules_by_creds; /**< per-CREDS policy rules */ > ++#endif > + DBusList *at_console_true_rules; /**< console user policy rules where > at_console="true"*/ > + DBusList *at_console_false_rules; /**< console user policy rules where > at_console="false"*/ > + }; > +@@ -181,6 +188,15 @@ bus_policy_new (void) > + if (policy->rules_by_gid == NULL) > + goto failed; > + > ++#ifdef DBUS_BUS_ENABLE_CREDS > ++ policy->rules_by_creds = _dbus_hash_table_new (DBUS_HASH_UINTPTR, > ++ NULL, > ++ > free_rule_list_func); > ++ if (policy->rules_by_creds == NULL) > ++ goto failed; > ++ > ++#endif > ++ > + return policy; > + > + failed: > +@@ -230,6 +246,14 @@ bus_policy_unref (BusPolicy *policy) > + _dbus_hash_table_unref (policy->rules_by_gid); > + policy->rules_by_gid = NULL; > + } > ++ > ++#ifdef DBUS_BUS_ENABLE_CREDS > ++ if (policy->rules_by_creds) > ++ { > ++ _dbus_hash_table_unref (policy->rules_by_creds); > ++ policy->rules_by_creds = NULL; > ++ } > ++#endif > + > + dbus_free (policy); > + } > +@@ -321,6 +345,37 @@ bus_policy_create_client_policy (BusPoli > + > + dbus_free (groups); > + } > ++ > ++#ifdef DBUS_BUS_ENABLE_CREDS > ++ if (_dbus_hash_table_get_n_entries (policy->rules_by_creds) > 0) > ++ { > ++ unsigned long pid; > ++ creds_t creds; > ++ DBusHashIter iter; > ++ > ++ if (!dbus_connection_get_unix_process_id(connection, &pid)) > ++ goto failed; > ++ creds = creds_gettask(pid); > ++ if (creds == NULL) > ++ goto failed; > ++ _dbus_hash_iter_init(policy->rules_by_creds, &iter); > ++ while (_dbus_hash_iter_next(&iter)) > ++ { > ++ unsigned long id = _dbus_hash_iter_get_uintptr_key (&iter); > ++ DBusList **list = _dbus_hash_iter_get_value(&iter); > ++ > ++ 
if (list != NULL && creds_have_access(creds, CREDS_TYPE(id), > CREDS_VALUE(id), "rw")) > ++ { > ++ if (!add_list_to_client(list, client)) > (131 more lines skipped) > > ++++++ dbus.yaml > --- dbus.yaml > +++ dbus.yaml > @@ -10,6 +10,7 @@ > Patches: > - start-early.patch > - dbus-1.0.1-generate-xml-docs.patch > + - creds-dbus-1.4.1.patch > Description: | > D-Bus is a system for sending messages between applications. It is used > both > for the systemwide message bus service, and as a per-user-login-session > @@ -27,6 +28,7 @@ > - gettext > - libcap-devel > - libtool > + - libcreds3-devel > PkgConfigBR: > - x11 > Configure: reconfigure > > _______________________________________________ > MeeGo-commits mailing list > [email protected] > http://lists.meego.com/listinfo/meego-commits _______________________________________________ MeeGo-packaging mailing list [email protected] http://lists.meego.com/listinfo/meego-packaging
