Perform Cynara runtime policy checks by defaultsubmit/tizen/20150921.104500 accepted/tizen/wearable/20150922.001109 accepted/tizen/tv/20150922.001046 accepted/tizen/mobile/20150922.001026

This change introduces http://tizen.org/privilege/internal/dbus privilege which is supposed to be available only to trusted system resources. Checks for this privilege are used in place of certain allow rules to make security policy more strict. For system bus sending and receiving signals now requires http://tizen.org/privilege/internal/dbus privilege. Requesting name ownership and sending methods is still denied by default. For session bus http://tizen.org/privilege/internal/dbus privilege is now required for requesting name, calling methods, sending and receiving signals. Services are supposed to override these default settings to implement their own security policy. Change-Id: Ifb4a160bf6e0638404e0295a2e4fa3077efd881c Signed-off-by: Jacek Bukarewicz <j.bukarewicz@samsung.com>
author: Jacek Bukarewicz <j.bukarewicz@samsung.com> 2015-06-23 11:08:48 +0200
committer: Jacek Bukarewicz <j.bukarewicz@samsung.com> 2015-06-23 12:15:38 +0200
commit: e8610297cf7031e94eb314a2e8c11246f4405403 (patch)
tree: b422ef044b7ab62c77240e89cc29aaae0e96263e
parent: 2ea4776a002745174ca295a89aa7fdcfc255725e (diff)
download: dbus-accepted/tizen/wearable/20150922.001109.tar.gz
dbus-accepted/tizen/wearable/20150922.001109.tar.bz2
dbus-accepted/tizen/wearable/20150922.001109.zip
2 files changed, 42 insertions, 12 deletions
diff --git a/bus/session.conf.in b/bus/session.conf.in
index 74d9d1fd..fa5c2323 100644
--- a/bus/session.conf.in
+++ b/bus/session.conf.in
@@ -17,12 +17,32 @@
   <standard_session_servicedirs />
 
   <policy context="default">
-    <!-- Allow everything to be sent -->
-    <allow send_destination="*" eavesdrop="true"/>
-    <!-- Allow everything to be received -->
-    <allow eavesdrop="true"/>
-    <!-- Allow anyone to own anything -->
-    <allow own="*"/>
+    <!-- By default clients require internal/dbus privilege to communicate
+         with D-Bus services and to claim name ownership. This is internal privilege that
+         is only accessible to trusted system services -->
+    <check own="*"                  privilege="http://tizen.org/privilege/internal/dbus" />
+    <check send_type="method_call"  privilege="http://tizen.org/privilege/internal/dbus" />
+    <check send_type="signal"       privilege="http://tizen.org/privilege/internal/dbus" />
+    <check receive_type="signal"    privilege="http://tizen.org/privilege/internal/dbus" />
+
+    <!-- Reply messages (method returns, errors) are allowed
+         by default -->
+    <allow send_requested_reply="true" send_type="method_return"/>
+    <allow send_requested_reply="true" send_type="error"/>
+
+    <!-- All messages but signals may be received by default -->
+    <allow receive_type="method_call"/>
+    <allow receive_type="method_return"/>
+    <allow receive_type="error"/>
+
+    <!-- Allow anyone to talk to the message bus -->
+    <allow send_destination="org.freedesktop.DBus"/>
+    <allow receive_sender="org.freedesktop.DBus"/>
+
+    <!-- But disallow some specific bus services -->
+    <deny send_destination="org.freedesktop.DBus"
+          send_interface="org.freedesktop.DBus"
+          send_member="UpdateActivationEnvironment"/>
   </policy>
 
   <!-- Config files are placed here that among other things, 
diff --git a/bus/system.conf.in b/bus/system.conf.in
index 92f4cc42..dd169478 100644
--- a/bus/system.conf.in
+++ b/bus/system.conf.in
@@ -50,21 +50,31 @@
     <deny own="*"/>
     <deny send_type="method_call"/>
 
-    <!-- Signals and reply messages (method returns, errors) are allowed
+    <!-- By default clients require internal/dbus privilege to send and receive signaks.
+         This is internal privilege that is only accessible to trusted system services -->
+    <check send_type="signal"       privilege="http://tizen.org/privilege/internal/dbus" />
+    <check receive_type="signal"    privilege="http://tizen.org/privilege/internal/dbus" />
+
+    <!-- Reply messages (method returns, errors) are allowed
          by default -->
-    <allow send_type="signal"/>
     <allow send_requested_reply="true" send_type="method_return"/>
     <allow send_requested_reply="true" send_type="error"/>
 
-    <!-- All messages may be received by default -->
+    <!-- All messages but signals may be received by default -->
     <allow receive_type="method_call"/>
     <allow receive_type="method_return"/>
     <allow receive_type="error"/>
-    <allow receive_type="signal"/>
 
-    <!-- Allow anyone to talk to the message bus -->
+    <!-- If there is a need specific bus services could be protected by Cynara as well.
+         However, this can lead to deadlock during the boot process when such check is made and
+         Cynara is not yet activated (systemd calls protected method synchronously,
+         dbus daemon tries to consult Cynara, Cynara waits for systemd activation).
+         Therefore it is advised to allow root processes to use bus services.
+         Currently anyone is allowed to talk to the message bus -->
     <allow send_destination="org.freedesktop.DBus"/>
-    <!-- But disallow some specific bus services -->
+    <allow receive_sender="org.freedesktop.DBus"/>
+
+    <!-- Disallow some specific bus services -->
     <deny send_destination="org.freedesktop.DBus"
           send_interface="org.freedesktop.DBus"
           send_member="UpdateActivationEnvironment"/>
author	Jacek Bukarewicz <j.bukarewicz@samsung.com>	2015-06-23 11:08:48 +0200
committer	Jacek Bukarewicz <j.bukarewicz@samsung.com>	2015-06-23 12:15:38 +0200
commit	e8610297cf7031e94eb314a2e8c11246f4405403 (patch)
tree	b422ef044b7ab62c77240e89cc29aaae0e96263e
parent	2ea4776a002745174ca295a89aa7fdcfc255725e (diff)
download	dbus-accepted/tizen/wearable/20150922.001109.tar.gz dbus-accepted/tizen/wearable/20150922.001109.tar.bz2 dbus-accepted/tizen/wearable/20150922.001109.zip