On Jan 24, 2011, at 7:05 PM, Zhu, Peter J wrote: > Hi >> -----Original Message----- >> From: Ware, Ryan R >> Sent: Tuesday, January 25, 2011 2:59 AM >> To: Zhu, Peter J >> Cc: [email protected] >> Subject: Re: [meego-commits] 12360: Changes to devel:base/dbus >> >> Hey Peter, >> >> There should not be any impact to existing apps. The capability to do more >> stringent dbus checks is there, but is open by default. >> > I know the capability was there. I just want to make sure no apps would fail > when that capability is enforced. Did you try updating this dbus in a latest > image and testing it?
I'm told by Nokia that they did QA on this change. Ryan >> On Jan 20, 2011, at 10:18 PM, Zhu, Peter J wrote: >> >>> Did you test this package? It seems requires much more stick check on dbus >> policy permission check. Any impact to existing apps? >>> >>> Peter >>> >>>> -----Original Message----- >>>> From: [email protected] >>>> [mailto:[email protected]] On Behalf Of rrware >>>> Sent: Thursday, January 20, 2011 5:05 AM >>>> To: [email protected] >>>> Subject: [meego-commits] 12360: Changes to devel:base/dbus >>>> >>>> Hi, >>>> I have made the following changes to dbus in project devel:base. Please >> review >>>> and accept ASAP. >>>> >>>> Thank You, >>>> rrware >>>> >>>> [This message was auto-generated] >>>> >>>> --- >>>> >>>> Request #12360: >>>> >>>> submit: devel:security/dbus(r7) -> devel:base/dbus >>>> >>>> >>>> Message: >>>> * Wed Jan 19 2011 Ryan Ware <[email protected]> - 1.4.1 >>>> - This update adds the creds-dbus patch which enables mandatory access >>>> controls for dbus communication. >>>> - FEA#9093 >>>> >>>> State: new 2011-01-19T13:04:56 rrware >>>> Comment: None >>>> >>>> >>>> >>>> changes files: >>>> -------------- >>>> --- dbus.changes >>>> +++ dbus.changes >>>> @@ -0,0 +1,4 @@ >>>> +* Wed Jan 19 2011 Ryan Ware <[email protected]> - 1.4.1 >>>> +- This update adds the creds-dbus patch which enables mandatory access >>>> controls for dbus communication. >>>> +- FEA#9093 >>>> + >>>> >>>> new: >>>> ---- >>>> creds-dbus-1.4.1.patch >>>> >>>> spec files: >>>> ----------- >>>> --- dbus.spec >>>> +++ dbus.spec >>>> @@ -17,6 +17,7 @@ >>>> Source100: dbus.yaml >>>> Patch0: start-early.patch >>>> Patch1: dbus-1.0.1-generate-xml-docs.patch >>>> +Patch2: creds-dbus-1.4.1.patch >>>> Requires: %{name}-libs = %{version} >>>> Requires(pre): /usr/sbin/useradd >>>> Requires(preun): /sbin/service 
>>>> @@ -27,6 +28,7 @@ >>>> BuildRequires: gettext >>>> BuildRequires: libcap-devel >>>> BuildRequires: libtool >>>> +BuildRequires: libcreds3-devel >>>> >>>> >>>> %description 
>>>> @@ -83,6 +85,8 @@ >>>> %patch0 -p1 >>>> # dbus-1.0.1-generate-xml-docs.patch >>>> %patch1 -p1 >>>> +# creds-dbus-1.4.1.patch >>>> +%patch2 -p1 >>>> # >> setup >>>> # << setup >>>> >>>> >>>> other changes: >>>> -------------- >>>> >>>> ++++++ creds-dbus-1.4.1.patch (new) >>>> --- creds-dbus-1.4.1.patch >>>> +++ creds-dbus-1.4.1.patch >>>> +diff -Naurp dbus-1.4.1.orig/bus/config-parser.c >> dbus-1.4.1/bus/config-parser.c >>>> +--- dbus-1.4.1.orig/bus/config-parser.c 2010-10-05 20:50:54.000000000 >> +0300 >>>> ++++ dbus-1.4.1/bus/config-parser.c 2011-01-13 15:47:48.000000000 >>>> +0200 >>>> +@@ -22,6 +22,11 @@ >>>> + */ >>>> + >>>> + #include <config.h> >>>> ++#ifdef DBUS_BUS_ENABLE_CREDS >>>> ++#include <err.h> >>>> ++#include <limits.h> >>>> ++#include <sys/creds.h> >>>> ++#endif >>>> + #include "config-parser-common.h" >>>> + #include "config-parser.h" >>>> + #include "test.h" >>>> +@@ -32,6 +37,8 @@ >>>> + #include <dbus/dbus-internals.h> >>>> + #include <string.h> >>>> + >>>> ++ >>>> ++ >>>> + typedef enum >>>> + { >>>> + /* we ignore policies for unknown groups/users */ >>>> +@@ -42,6 +49,9 @@ typedef enum >>>> + POLICY_MANDATORY, >>>> + POLICY_USER, >>>> + POLICY_GROUP, >>>> ++#ifdef DBUS_BUS_ENABLE_CREDS >>>> ++ POLICY_CREDS, >>>> ++#endif >>>> + POLICY_CONSOLE >>>> + } PolicyType; >>>> + >>>> +@@ -970,6 +980,9 @@ start_busconfig_child (BusConfigParser >>>> + const char *context; >>>> + const char *user; >>>> + const char *group; >>>> ++#ifdef DBUS_BUS_ENABLE_CREDS >>>> ++ const char *creds; >>>> ++#endif >>>> + const char *at_console; >>>> + >>>> + if ((e = push_element (parser, ELEMENT_POLICY)) == NULL) >>>> +@@ -987,17 +1000,20 @@ start_busconfig_child (BusConfigParser >>>> + "context", &context, >>>> + "user", &user, >>>> + "group", &group, >>>> ++#ifdef DBUS_BUS_ENABLE_CREDS >>>> ++ "creds", &creds, >>>> ++#endif >>>> + "at_console", &at_console, >>>> + NULL)) >>>> + return FALSE; >>>> + >>>> +- if (((context && user) || >>>> +- (context && group) || 
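Review bot: `<err.h>` is added under DBUS_BUS_ENABLE_CREDS in the config-parser.c include hunk, but none of the visible creds hunks call err() or warn(); the file reports problems through `_dbus_warn` and `dbus_set_error`, so the include appears unnecessary and could be dropped unless `<sys/creds.h>` happens to depend on it. The @@ -32,6 hunk adds only two blank lines after `#include <string.h>` and adds nothing to the patch.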
>>>> +- (context && at_console)) || >>>> +- ((user && group) || >>>> +- (user && at_console)) || >>>> +- (group && at_console) || >>>> +- !(context || user || group || at_console)) >>>> ++ if ((context != NULL) + >>>> ++ (user != NULL) + >>>> ++ (group != NULL) + >>>> ++#ifdef DBUS_BUS_ENABLE_CREDS >>>> ++ (creds != NULL) + >>>> ++#endif >>>> ++ (at_console != NULL) != 1) >>>> + { >>>> + dbus_set_error (error, DBUS_ERROR_FAILED, >>>> + "<policy> element must have exactly one >> of >>>> (context|user|group|at_console) attributes"); >>>> +@@ -1046,6 +1062,22 @@ start_busconfig_child (BusConfigParser >>>> + _dbus_warn ("Unknown group \"%s\" in message bus >>>> configuration file\n", >>>> + group); >>>> + } >>>> ++#ifdef DBUS_BUS_ENABLE_CREDS >>>> ++ else if (creds != NULL) >>>> ++ { >>>> ++ creds_type_t type; >>>> ++ creds_value_t value; >>>> ++ type = creds_str2creds(creds, &value); >>>> ++ if (type != CREDS_BAD && (value & ~CREDS_MASK) == 0) >>>> ++ { >>>> ++ e->d.policy.type = POLICY_CREDS; >>>> ++ e->d.policy.gid_uid_or_at_console = >>>> CREDS_KEY(type,value); >>>> ++ } >>>> ++ else >>>> ++ _dbus_warn("Unable to translate credential \"%s\" in >>>> message bus configuration file\n", >>>> ++ creds); >>>> ++ } >>>> ++#endif >>>> + else if (at_console != NULL) >>>> + { >>>> + dbus_bool_t t; >>>> +@@ -1617,6 +1649,21 @@ append_rule_from_element (BusConfigParse >>>> + goto nomem; >>>> + break; >>>> + >>>> ++#ifdef DBUS_BUS_ENABLE_CREDS >>>> ++ case POLICY_CREDS: >>>> ++ if (!BUS_POLICY_RULE_IS_PER_CLIENT (rule)) >>>> ++ { >>>> ++ dbus_set_error (error, DBUS_ERROR_FAILED, >>>> ++ "<%s> rule cannot be per-group >>>> because it has bus-global semantics", >>>> ++ element_name); >>>> ++ goto failed; >>>> ++ } >>>> ++ if (!bus_policy_append_creds_rule (parser->policy, >>>> pe->d.policy.gid_uid_or_at_console, >>>> ++ rule)) >>>> ++ goto nomem; >>>> ++ break; >>>> ++ >>>> ++#endif >>>> + >>>> + case POLICY_CONSOLE: >>>> + if (!bus_policy_append_console_rule (parser->policy, 
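Review bot: The attribute-count check in the @@ -987,17 hunk now accepts `creds` as a fifth alternative, but the error text on the unchanged context line right below it still lists `(context|user|group|at_console)`, so a misuse of `<policy creds=...>` is reported with a list that omits the attribute being used. Update the message to `"<policy> element must have exactly one of (context|user|group|creds|at_console) attributes"` (either inside the same `#ifdef` or unconditionally, since the attribute name is harmless to mention). start_busconfig_child's body extends outside this hunk.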
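Review bot: In the @@ -1046,6 hunk an unrecognised credential string (`creds_str2creds` returning CREDS_BAD, or a value with bits outside CREDS_MASK) only triggers `_dbus_warn` and falls through, so the policy type is presumably left at whatever start_busconfig_child initialised it to before the if-chain (outside the hunk) and the rules in that block are never applied. That mirrors the existing unknown user/group handling, but for an access-control attribute a mistyped creds string silently disabling a policy block deserves an explicit comment such as `/* unknown creds are treated like unknown users/groups: the policy block is ignored with a warning */` so a later reader does not mistake it for an oversight. The `(value & ~CREDS_MASK) == 0` guard is what keeps the value from overlapping the type bits in `CREDS_KEY(type,value)`; a one-line comment saying so would help, since the packed key is later used as the hash key in policy.c.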
>>>> pe->d.policy.gid_uid_or_at_console, >>>> +diff -Naurp dbus-1.4.1.orig/bus/policy.c dbus-1.4.1/bus/policy.c >>>> +--- dbus-1.4.1.orig/bus/policy.c 2010-10-05 20:50:54.000000000 +0300 >>>> ++++ dbus-1.4.1/bus/policy.c 2011-01-14 11:26:15.965461296 +0200 >>>> +@@ -22,6 +22,10 @@ >>>> + */ >>>> + >>>> + #include <config.h> >>>> ++#ifdef DBUS_BUS_ENABLE_CREDS >>>> ++#include <limits.h> >>>> ++#include <sys/creds.h> >>>> ++#endif >>>> + #include "policy.h" >>>> + #include "services.h" >>>> + #include "test.h" >>>> +@@ -130,6 +134,9 @@ struct BusPolicy >>>> + DBusList *mandatory_rules; /**< Mandatory policy rules */ >>>> + DBusHashTable *rules_by_uid; /**< per-UID policy rules */ >>>> + DBusHashTable *rules_by_gid; /**< per-GID policy rules */ >>>> ++#ifdef DBUS_BUS_ENABLE_CREDS >>>> ++ DBusHashTable *rules_by_creds; /**< per-CREDS policy rules */ >>>> ++#endif >>>> + DBusList *at_console_true_rules; /**< console user policy rules where >>>> at_console="true"*/ >>>> + DBusList *at_console_false_rules; /**< console user policy rules where >>>> at_console="false"*/ >>>> + }; >>>> +@@ -181,6 +188,15 @@ bus_policy_new (void) >>>> + if (policy->rules_by_gid == NULL) >>>> + goto failed; >>>> + >>>> ++#ifdef DBUS_BUS_ENABLE_CREDS >>>> ++ policy->rules_by_creds = _dbus_hash_table_new >> (DBUS_HASH_UINTPTR, >>>> ++ NULL, >>>> ++ >>>> free_rule_list_func); >>>> ++ if (policy->rules_by_creds == NULL) >>>> ++ goto failed; >>>> ++ >>>> ++#endif >>>> ++ >>>> + return policy; >>>> + >>>> + failed: >>>> +@@ -230,6 +246,14 @@ bus_policy_unref (BusPolicy *policy) >>>> + _dbus_hash_table_unref (policy->rules_by_gid); >>>> + policy->rules_by_gid = NULL; >>>> + } >>>> ++ >>>> ++#ifdef DBUS_BUS_ENABLE_CREDS >>>> ++ if (policy->rules_by_creds) >>>> ++ { >>>> ++ _dbus_hash_table_unref (policy->rules_by_creds); >>>> ++ policy->rules_by_creds = NULL; >>>> ++ } >>>> ++#endif >>>> + >>>> + dbus_free (policy); >>>> + } >>>> +@@ -321,6 +345,37 @@ bus_policy_create_client_policy (BusPoli >>>> + 
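Review bot: The error string in the new POLICY_CREDS case of the @@ -1617,6 hunk, `"<%s> rule cannot be per-group because it has bus-global semantics"`, is copied from the POLICY_GROUP case and names the wrong policy kind; change it to `"<%s> rule cannot be per-creds because it has bus-global semantics"` so the diagnostic matches the `<policy creds=...>` element it rejects. The `#endif` is followed by a stray blank line that doubles the existing separator before `case POLICY_CONSOLE:`. append_rule_from_element's body continues outside the hunk.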
>>>> + dbus_free (groups); >>>> + } >>>> ++ >>>> ++#ifdef DBUS_BUS_ENABLE_CREDS >>>> ++ if (_dbus_hash_table_get_n_entries (policy->rules_by_creds) > 0) >>>> ++ { >>>> ++ unsigned long pid; >>>> ++ creds_t creds; >>>> ++ DBusHashIter iter; >>>> ++ >>>> ++ if (!dbus_connection_get_unix_process_id(connection, &pid)) >>>> ++ goto failed; >>>> ++ creds = creds_gettask(pid); >>>> ++ if (creds == NULL) >>>> ++ goto failed; >>>> ++ _dbus_hash_iter_init(policy->rules_by_creds, &iter); >>>> ++ while (_dbus_hash_iter_next(&iter)) >>>> ++ { >>>> ++ unsigned long id = _dbus_hash_iter_get_uintptr_key (&iter); >>>> ++ DBusList **list = _dbus_hash_iter_get_value(&iter); >>>> ++ >>>> ++ if (list != NULL && creds_have_access(creds, >> CREDS_TYPE(id), >>>> CREDS_VALUE(id), "rw")) >>>> ++ { >>>> ++ if (!add_list_to_client(list, client)) >>>> (131 more lines skipped) >>>> >>>> ++++++ dbus.yaml >>>> --- dbus.yaml >>>> +++ dbus.yaml >>>> @@ -10,6 +10,7 @@ >>>> Patches: >>>> - start-early.patch >>>> - dbus-1.0.1-generate-xml-docs.patch >>>> + - creds-dbus-1.4.1.patch >>>> Description: | >>>> D-Bus is a system for sending messages between applications. It is >> used >>>> both >>>> for the systemwide message bus service, and as a >> per-user-login-session >>>> @@ -27,6 +28,7 @@ >>>> - gettext >>>> - libcap-devel >>>> - libtool >>>> + - libcreds3-devel >>>> PkgConfigBR: >>>> - x11 >>>> Configure: reconfigure >>>> >>>> _______________________________________________ >>>> MeeGo-commits mailing list >>>> [email protected] >>>> http://lists.meego.com/listinfo/meego-commits > > _______________________________________________ > MeeGo-packaging mailing list > [email protected] > http://lists.meego.com/listinfo/meego-packaging _______________________________________________ MeeGo-packaging mailing list [email protected] http://lists.meego.com/listinfo/meego-packaging
