From: Jussi Kukkonen <jussi.kukkonen@intel.com>
To: openembedded-core@lists.openembedded.org
Subject: [PATCHv2 0/2][fido][dizzy] D-Bus policy fixes
Date: Thu, 1 Oct 2015 11:04:31 +0300 [thread overview]
Message-ID: <cover.1443686344.git.jussi.kukkonen@intel.com> (raw)
Changes since v1:
- move the xuser policy file to {sysconfdir}/dbus-1/system.d/
as it works just fine from there.
original cover letter follows:
The major patch in the series is the bluez one: Bluez
D-Bus policy was incorrectly written so it actually allowed
access to system services _other than bluetoothd_ overriding
the default deny policy on the system bus. Fixing this may
naturally affect other system services too.
The patches I'm sending are for master but I believe both fido and
dizzy behave similarly. I can send a patch for those as well but
am not sure what to include there: I'm guessing people now have
services running that are expecting an open-by-default system bus --
closing it now will require good release notes at the very least.
So RFC on fido and dizzy: The best I can think of is taking the bluez
patch, patching in an xuser allow policy for bluez, and making the
(practical) policy change very clear in the release notes.
- Jussi
The following changes since commit 4bc3f0994e68b3302a0523a3156dd0dca0cac7a0:
bitbake: toaster: move clones into subdirectory (2015-09-29 14:11:39 +0100)
are available in the git repository at:
git://git.yoctoproject.org/poky-contrib jku/dbus-policy
http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=jku/dbus-policy
Jussi Kukkonen (2):
bluez5: Use upstream D-Bus policy
xuser-account: Take over xuser specific D-Bus policy
meta/recipes-connectivity/bluez5/bluez5.inc | 5 +--
.../bluez5/bluez5/bluetooth.conf | 17 ---------
meta/recipes-connectivity/connman/connman.inc | 1 -
.../connman/add_xuser_dbus_permission.patch | 43 ----------------------
meta/recipes-connectivity/connman/connman_1.30.bb | 1 -
.../user-creation/files/system-xuser.conf | 11 ++++++
.../user-creation/xuser-account_0.1.bb | 6 ++-
7 files changed, 17 insertions(+), 67 deletions(-)
delete mode 100644 meta/recipes-connectivity/bluez5/bluez5/bluetooth.conf
delete mode 100644 meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
create mode 100644 meta/recipes-support/user-creation/files/system-xuser.conf
--
2.1.4
next reply other threads:[~2015-10-01 8:02 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-01 8:04 Jussi Kukkonen [this message]
2015-10-01 8:04 ` [PATCHv2 1/2] bluez5: Use upstream D-Bus policy Jussi Kukkonen
2015-10-01 8:04 ` [PATCHv2 2/2] xuser-account: Take over xuser specific " Jussi Kukkonen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1443686344.git.jussi.kukkonen@intel.com \
--to=jussi.kukkonen@intel.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.