Darren:

> I'd like to have some discussion of the System D-Bus in a TX environment 
> - sorry for the long To: list but I'm not sure all the people with D-Bus 
> and TX experience are necessarily on security-discuss.
> 
> Currently zones that represent TX labels have a session D-Bus but no 
> access to the system D-Bus.
> 
> * What could we gain by providing access to the system D-Bus in a 
> labeled zone?
>    What would work that is useful that doesn't now?
>    What new things could we do using D-Bus that would benefit labeled
>    zones?
>    Are there existing things we could solve more easily?

Artem should confirm since he knows better than I, but I think the only
thing that uses the system bus on Solaris is HAL.  So, I suspect that
removable media support in zones may not work in a reasonable way.
But it's perhaps also unclear how removable media should be mounted
in a multi-zone environment.

There are some other projects in Linux that use the system service.
I believe that there is a Linux package installation system built
around the D-Bus system service.  However, there are obviously no
plans to integrate that into Solaris.  I believe PolicyKit may also
use the system bus, but it is another program we are unlikely to
integrate anytime soon, if at all.

> * What type of information is on the system D-Bus?
>    How sensitive is that likely to be?
>    Remember that we must be very careful about opening up
>    channels that could be used to communicate between labeled zones.

I'd think mostly just information about removable media events, and
access to the removable media.  In terms of security, you probably
want to make sure that things get mounted to the intended zone.
Not sure how you would know.

I'm guessing most Trusted users probably don't use TJDS to rip CDs
to their external hard drive.

> * Is access always read/write or would read-only access be useful / 
> available?

I'd think people would want to read and write to their removable media,
but read-only is probably better than nothing.

> * Would a trusted proxy be needed to filter what information can be 
> seen? [ I and Stephen both suspect so but let's not assume that is the 
> only solution ].

I'd think some mechanism to make sure that when media is mounted, it
gets mounted to the right zone(s).  Perhaps this could be pre-configured
in some way.  You probably don't want to ping users in all running zones
with a dialog asking them "Who owns the drive you just plugged in?
First response wins."

Brian