From: Andreas Oberritter <obi@opendreambox.org>
To: Jussi Kukkonen <jussi.kukkonen@intel.com>,
openembedded-core@lists.openembedded.org
Subject: Re: [PATCH 2/2] connman: Don't use a blanket "allow" D-Bus policy
Date: Fri, 25 Sep 2015 18:06:00 +0200
Message-ID: <560570E8.7040808@opendreambox.org>
In-Reply-To: <6aa4eaa74c5e4d96f92c0b6bd022deb13a2e8be9.1443179044.git.jussi.kukkonen@intel.com>
On 25.09.2015 13:14, Jussi Kukkonen wrote:
> There are already "allow" rules for root and conditionally xuser to
> send messages to connman: there should be no reason for a default
> allow policy.
>
> Also, conditionally add a policy to allow xuser to send to the
> connman vpn service (similar to main service).
>
> Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
> ---
> meta/recipes-connectivity/connman/connman.inc | 6 -----
> .../connman/add_xuser_dbus_permission.patch | 28 +++++++++++++++++++---
> 2 files changed, 25 insertions(+), 9 deletions(-)
>
> diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc
> index 6c062ae..1712af3 100644
> --- a/meta/recipes-connectivity/connman/connman.inc
> +++ b/meta/recipes-connectivity/connman/connman.inc
> @@ -70,13 +70,7 @@ SYSTEMD_SERVICE_${PN} = "connman.service"
> SYSTEMD_SERVICE_${PN}-vpn = "connman-vpn.service"
> SYSTEMD_WIRED_SETUP = "ExecStartPre=-${libdir}/connman/wired-setup"
>
> -# This allows *everyone* to access ConnMan over DBus, without any access
> -# control. Really the at_console flag should work, which would mean that
> -# both this and the xuser patch can be dropped.
> do_compile_append() {
> - sed -i -e s:deny:allow:g ${S}/src/connman-dbus.conf
> - sed -i -e s:deny:allow:g ${S}/vpn/vpn-dbus.conf
> -
> sed -i "s#ExecStart=#${SYSTEMD_WIRED_SETUP}\nExecStart=#" ${B}/src/connman.service
> }
>
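Review bot: the two removed "sed -i -e s:deny:allow:g" calls rewrote every deny rule in src/connman-dbus.conf and vpn/vpn-dbus.conf into an allow, which, as the removed comment itself says, let everyone talk to ConnMan over D-Bus with no access control at all. Dropping them is the right fix, but it is a user-visible change and the commit message only says there is "no reason" for the default allow; suggest stating explicitly that any user other than root, xuser (where that policy is added) and an at_console session now gets upstream's deny, and that the at_console rule kept in the conf does not cover Poky because, per the header of the xuser patch below, at_console is not supported there.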
> diff --git a/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch b/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
> index 707b3ca..15a191d 100644
> --- a/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
> +++ b/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
> @@ -1,9 +1,14 @@
> -Because Poky doesn't support at_console we need to special-case the session
> -user.
> +Because Poky doesn't support at_console we need to
> +special-case the session user.
Here you can see that it really is poky's distro policy that slipped
into OE-Core. How about removing ROOTLESS_X and xuser from OE-Core and
putting it into a layer that actually sets the variable?
Regards,
Andreas
>
> Upstream-Status: Inappropriate [configuration]
>
> -Signed-off-by: Ross Burton <ross.burton@intel.com>
> +Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
> +
> +---
> + src/connman-dbus.conf | 3 +++
> + vpn/vpn-dbus.conf | 3 +++
> + 2 files changed, 6 insertions(+)
>
> diff --git a/src/connman-dbus.conf b/src/connman-dbus.conf
> index 98a773e..466809c 100644
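Review bot: the Signed-off-by hunk replaces Ross Burton's line with Jussi Kukkonen's instead of appending to it; since the original patch text is kept and only extended with the vpn/vpn-dbus.conf hunk, both sign-offs should remain. The re-wrap of the two description lines is unrelated churn that doubles the size of this hunk for no change in meaning; leaving the original wrapping would reduce the diff to the sign-off and the new diffstat. The description could also say that the vpn service is now special-cased too, since that is the only functional addition.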
> @@ -19,3 +24,20 @@ index 98a773e..466809c 100644
> <policy at_console="true">
> <allow send_destination="net.connman"/>
> </policy>
> +diff --git a/vpn/vpn-dbus.conf b/vpn/vpn-dbus.conf
> +index 0f0c8da..9ad05b9 100644
> +--- a/vpn/vpn-dbus.conf
> ++++ b/vpn/vpn-dbus.conf
> +@@ -6,6 +6,9 @@
> + <allow send_destination="net.connman.vpn"/>
> + <allow send_interface="net.connman.vpn.Agent"/>
> + </policy>
> ++ <policy user="xuser">
> ++ <allow send_destination="net.connman.vpn"/>
> ++ </policy>
> + <policy at_console="true">
> + <allow send_destination="net.connman.vpn"/>
> + </policy>
> +--
> +2.1.4
> +
>
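Review bot: the new <policy user="xuser"> block is keyed on an account name, so dbus-daemon has to resolve xuser when it loads vpn-dbus.conf; that is exactly what [PATCH 1/2] of this series (connman: Depend on xuser-account unconditionally) provides, and a reference to it in the commit message would explain the ordering. The rule grants only send_destination="net.connman.vpn", matching the at_console policy right after it and not the send_interface="net.connman.vpn.Agent" right in the preceding policy block, which is consistent with the main-service rule. One check before merging: the embedded hunk header "@@ -6,6 +6,9 @@" and the blob ids 0f0c8da..9ad05b9 must correspond to the connman version pinned by the recipe, otherwise the patch applies with fuzz or fails.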
Thread overview:
2015-09-25 11:13 [PATCH 0/2] connman: Always depend on xuser-account & fix D-Bus policy  Jussi Kukkonen
2015-09-25 11:14 ` [PATCH 1/2] connman: Depend on xuser-account unconditionally  Jussi Kukkonen
2015-09-25 15:59   ` Andreas Oberritter
2015-09-25 16:12     ` Burton, Ross
2015-09-30 07:08       ` Jussi Kukkonen
2015-09-30 09:42         ` Andreas Oberritter
2015-09-25 11:14 ` [PATCH 2/2] connman: Don't use a blanket "allow" D-Bus policy  Jussi Kukkonen
2015-09-25 16:06   ` Andreas Oberritter [this message]
2015-09-25 16:13     ` Burton, Ross