Openembedded Core Discussions
* [PATCH 0/3][fido][dizzy] D-Bus policy fixes
@ 2015-09-30 15:33 Jussi Kukkonen
  2015-09-30 15:37 ` [PATCH 1/3] bluez5: Use upstream D-Bus policy Jussi Kukkonen
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Jussi Kukkonen @ 2015-09-30 15:33 UTC (permalink / raw)
  To: openembedded-core, joshua.lock, akuster808

The major patch in the series is the bluez one: Bluez
D-Bus policy was incorrectly written so it actually allowed
access to system services _other than bluetoothd_ overriding
the default deny policy on the system bus. Fixing this may
naturally affect other system services too.

The patches I'm sending are for master but I believe both fido and
dizzy behave similarly. I can send a patch for those as well but
am not sure what to include there: I'm guessing people now have
services running that are expecting an open-by-default system bus --
closing it now will require good release notes at the very least.

So RFC on fido and dizzy: The best I can think of is taking the bluez
patch, patching in an xuser allow policy for bluez, and making the
(practical) policy change very clear in the release notes.

 - Jussi

The following changes since commit 4bc3f0994e68b3302a0523a3156dd0dca0cac7a0:

  bitbake: toaster: move clones into subdirectory (2015-09-29 14:11:39 +0100)

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib jku/dbus-policy
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=jku/dbus-policy

Jussi Kukkonen (3):
  bluez5: Use upstream D-Bus policy
  dbus: Use the xuser policy file
  xuser-account: Take over xuser specific D-Bus policy

 meta/recipes-connectivity/bluez5/bluez5.inc        |  5 +--
 .../bluez5/bluez5/bluetooth.conf                   | 17 ---------
 meta/recipes-connectivity/connman/connman.inc      |  1 -
 .../connman/add_xuser_dbus_permission.patch        | 43 ----------------------
 meta/recipes-connectivity/connman/connman_1.30.bb  |  1 -
 meta/recipes-core/dbus/dbus.inc                    |  1 +
 ...-Apply-xuser-specific-policies-if-present.patch | 33 +++++++++++++++++
 .../user-creation/files/system-xuser.conf          | 15 ++++++++
 .../user-creation/xuser-account_0.1.bb             |  6 ++-
 9 files changed, 55 insertions(+), 67 deletions(-)
 delete mode 100644 meta/recipes-connectivity/bluez5/bluez5/bluetooth.conf
 delete mode 100644 meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
 create mode 100644 meta/recipes-core/dbus/dbus/0001-Apply-xuser-specific-policies-if-present.patch
 create mode 100644 meta/recipes-support/user-creation/files/system-xuser.conf

-- 
2.1.4
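
An added example, not part of the original thread or of the patches: a
small audit for the kind of rule the cover letter describes, run over the
policy block that patch 1/3 removes and over a constructed scoped policy.
The function name and the SCOPED_POLICY sample are assumptions made for
illustration.

```python
import xml.etree.ElementTree as ET

# The <policy> block of the bluetooth.conf that patch 1/3 deletes.
REMOVED_POLICY = """
<busconfig>
  <policy context="default">
    <allow own="org.bluez"/>
    <allow send_destination="org.bluez"/>
    <allow send_interface="org.bluez.Agent1"/>
    <allow send_type="method_call"/>
  </policy>
</busconfig>
"""

# Constructed sample: every send rule names its destination.
SCOPED_POLICY = """
<busconfig>
  <policy user="xuser">
    <allow send_destination="org.bluez"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.bluez" send_interface="org.bluez.Agent1"/>
  </policy>
</busconfig>
"""

def unscoped_send_allows(xml_text):
    """List <allow> send rules in context="default"/"mandatory" policies
    that carry no send_destination and so apply to every service."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    for policy in root.iter("policy"):
        context = policy.get("context")
        if context not in ("default", "mandatory"):
            continue  # user=, group= and at_console= policies name a principal
        for rule in policy.findall("allow"):
            send = {k: v for k, v in rule.attrib.items() if k.startswith("send_")}
            if send and "send_destination" not in send:
                findings.append((context, send))
    return findings

if __name__ == "__main__":
    for label, text in (("removed", REMOVED_POLICY), ("scoped", SCOPED_POLICY)):
        for context, attrs in unscoped_send_allows(text):
            print(f"{label}: policy context={context} allows {attrs} to any destination")
```

The same function can be pointed at the contents of each file under
/etc/dbus-1/system.d/ on a built image.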




* [PATCH 1/3] bluez5: Use upstream D-Bus policy
  2015-09-30 15:33 [PATCH 0/3][fido][dizzy] D-Bus policy fixes Jussi Kukkonen
@ 2015-09-30 15:37 ` Jussi Kukkonen
  2015-09-30 15:37 ` [PATCH 2/3] dbus: Use the xuser policy file Jussi Kukkonen
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Jussi Kukkonen @ 2015-09-30 15:37 UTC (permalink / raw)
  To: openembedded-core, joshua.lock, akuster808

The Bluez D-Bus policy is much too open and affects not just bluez but
all system services: Use upstream policy configuration instead.

This change has a chance of affecting other D-Bus services: the bug
that is fixed here may have hidden problems in other policies.

[YOCTO #8414]

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
---
 meta/recipes-connectivity/bluez5/bluez5.inc            |  5 ++---
 meta/recipes-connectivity/bluez5/bluez5/bluetooth.conf | 17 -----------------
 2 files changed, 2 insertions(+), 20 deletions(-)
 delete mode 100644 meta/recipes-connectivity/bluez5/bluez5/bluetooth.conf

diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index 039c443..df42c88 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -18,7 +18,6 @@ PACKAGECONFIG[experimental] = "--enable-experimental,--disable-experimental,"
 
 SRC_URI = "\
     ${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
-    file://bluetooth.conf \
 "
 S = "${WORKDIR}/bluez-${PV}"
 
@@ -53,8 +52,8 @@ do_install_append() {
 	if [ -f ${S}/profiles/input/input.conf ]; then
 	    install -m 0644 ${S}/profiles/input/input.conf ${D}/${sysconfdir}/bluetooth/
 	fi
-	# at_console doesn't really work with the current state of OE, so punch some more holes so people can actually use BT
-	install -m 0644 ${WORKDIR}/bluetooth.conf ${D}/${sysconfdir}/dbus-1/system.d/
+
+	install -m 0644 ${S}/src/bluetooth.conf ${D}/${sysconfdir}/dbus-1/system.d/
 
 	# Install desired tools that upstream leaves in build area
         for f in ${NOINST_TOOLS} ; do
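
Review bot: The comment removed from do_install_append recorded why the
local policy existed (at_console does not work in OE), and nothing in the
new lines or the commit message says how a non-root user is meant to reach
org.bluez once only this patch is applied. The xuser grant for org.bluez
arrives in 3/3, so either say in the log that 1/3 on its own may leave
Bluetooth unusable for that user, or order the series so a bisect does not
land on such a state. The new install of ${S}/src/bluetooth.conf is also
unguarded, unlike the `[ -f ... ]` test around input.conf just above; fine
if the file is always in the tarball, but worth a word.
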
diff --git a/meta/recipes-connectivity/bluez5/bluez5/bluetooth.conf b/meta/recipes-connectivity/bluez5/bluez5/bluetooth.conf
deleted file mode 100644
index 26845bb..0000000
--- a/meta/recipes-connectivity/bluez5/bluez5/bluetooth.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-<!-- This configuration file specifies the required security policies
-     for Bluetooth core daemon to work. -->
-
-<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-
-  <!-- ../system.conf have denied everything, so we just punch some holes -->
-
-  <policy context="default">
-    <allow own="org.bluez"/>
-    <allow send_destination="org.bluez"/>
-    <allow send_interface="org.bluez.Agent1"/>
-    <allow send_type="method_call"/>
-  </policy>
-
-</busconfig>
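
Review bot: The commit message should name the rule that caused the
problem, which is `<allow send_type="method_call"/>` in the
`context="default"` policy of the deleted file. It has no send_destination,
so it matches method calls to any service on the bus, not only org.bluez;
`<allow send_interface="org.bluez.Agent1"/>` is likewise not tied to a
destination. Spelling this out in the log gives maintainers of other layers
a concrete pattern to search their own system.d files for.
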
-- 
2.1.4




* [PATCH 2/3] dbus: Use the xuser policy file
  2015-09-30 15:33 [PATCH 0/3][fido][dizzy] D-Bus policy fixes Jussi Kukkonen
  2015-09-30 15:37 ` [PATCH 1/3] bluez5: Use upstream D-Bus policy Jussi Kukkonen
@ 2015-09-30 15:37 ` Jussi Kukkonen
  2015-09-30 15:37 ` [PATCH 3/3] xuser-account: Take over xuser specific D-Bus policy Jussi Kukkonen
  2015-10-01  7:15 ` [PATCH 0/3][fido][dizzy] D-Bus policy fixes Jussi Kukkonen
  3 siblings, 0 replies; 5+ messages in thread
From: Jussi Kukkonen @ 2015-09-30 15:37 UTC (permalink / raw)
  To: openembedded-core, joshua.lock, akuster808

Apply the xuser-related policies (if they have been installed by
xuser-account) after the service-specific policies are applied.

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
---
 meta/recipes-core/dbus/dbus.inc                    |  1 +
 ...-Apply-xuser-specific-policies-if-present.patch | 33 ++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 meta/recipes-core/dbus/dbus/0001-Apply-xuser-specific-policies-if-present.patch

diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc
index 3971081..59e3afe 100644
--- a/meta/recipes-core/dbus/dbus.inc
+++ b/meta/recipes-core/dbus/dbus.inc
@@ -17,6 +17,7 @@ SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
            file://dbus-1.init \
            file://os-test.patch \
            file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+           file://0001-Apply-xuser-specific-policies-if-present.patch \
 "
 
 inherit useradd autotools pkgconfig gettext update-rc.d
diff --git a/meta/recipes-core/dbus/dbus/0001-Apply-xuser-specific-policies-if-present.patch b/meta/recipes-core/dbus/dbus/0001-Apply-xuser-specific-policies-if-present.patch
new file mode 100644
index 0000000..01a4870
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/0001-Apply-xuser-specific-policies-if-present.patch
@@ -0,0 +1,33 @@
+From 3a37ec47ffc9e4d34ac726d649a822cdead1b38f Mon Sep 17 00:00:00 2001
+From: Jussi Kukkonen <jussi.kukkonen@intel.com>
+Date: Wed, 30 Sep 2015 11:25:08 +0300
+Subject: [PATCH] Apply xuser-specific policies if present
+
+system-xuser.conf is installed by xuser-account and contains
+policies that override the default service policies (allowing
+xuser to send messages to the services).
+
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+---
+ bus/system.conf.in | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/bus/system.conf.in b/bus/system.conf.in
+index 851b9e6..1822011 100644
+--- a/bus/system.conf.in
++++ b/bus/system.conf.in
+@@ -82,6 +82,10 @@
+        holes in the above policy for specific services. -->
+   <includedir>system.d</includedir>
+ 
++  <!-- Apply xuser policies (if present) after the service
++       policies so the xuser ones don't get overridden. -->
++  <include ignore_missing="yes">system-xuser.conf</include>
++
+   <!-- This is included last so local configuration can override what's 
+        in this standard file -->
+   <include ignore_missing="yes">system-local.conf</include>
+-- 
+2.1.4
+
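
Review bot: The added comment in system.conf.in ("so the xuser ones don't
get overridden") is the only justification for carrying a patch marked
Upstream-Status: Inappropriate, and it is not backed up here. Please state
which rule in a system.d service file would override a
`<policy user="xuser">` block when both are read from system.d. Note also
that 2/3 includes a file that only 3/3 creates, which works solely because
of ignore_missing="yes"; the log should mention that dependency.
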
-- 
2.1.4




* [PATCH 3/3] xuser-account: Take over xuser specific D-Bus policy
  2015-09-30 15:33 [PATCH 0/3][fido][dizzy] D-Bus policy fixes Jussi Kukkonen
  2015-09-30 15:37 ` [PATCH 1/3] bluez5: Use upstream D-Bus policy Jussi Kukkonen
  2015-09-30 15:37 ` [PATCH 2/3] dbus: Use the xuser policy file Jussi Kukkonen
@ 2015-09-30 15:37 ` Jussi Kukkonen
  2015-10-01  7:15 ` [PATCH 0/3][fido][dizzy] D-Bus policy fixes Jussi Kukkonen
  3 siblings, 0 replies; 5+ messages in thread
From: Jussi Kukkonen @ 2015-09-30 15:37 UTC (permalink / raw)
  To: openembedded-core, joshua.lock, akuster808

Move connman's xuser-related D-Bus policy to a separate file that
xuser-account installs: This way connman does not need to depend on
xuser-account. Add policies for bluez and ofono in the same file.

The new policy file still needs to be used by dbus-daemon.

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
---
 meta/recipes-connectivity/connman/connman.inc      |  1 -
 .../connman/add_xuser_dbus_permission.patch        | 43 ----------------------
 meta/recipes-connectivity/connman/connman_1.30.bb  |  1 -
 .../user-creation/files/system-xuser.conf          | 15 ++++++++
 .../user-creation/xuser-account_0.1.bb             |  6 ++-
 5 files changed, 19 insertions(+), 47 deletions(-)
 delete mode 100644 meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
 create mode 100644 meta/recipes-support/user-creation/files/system-xuser.conf

diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc
index 1712af3..ab7f86d 100644
--- a/meta/recipes-connectivity/connman/connman.inc
+++ b/meta/recipes-connectivity/connman/connman.inc
@@ -107,7 +107,6 @@ RPROVIDES_${PN} = "\
 
 RDEPENDS_${PN} = "\
 	dbus \
-	xuser-account \
 	"
 
 PACKAGES_DYNAMIC += "^${PN}-plugin-.*"
diff --git a/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch b/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
deleted file mode 100644
index 15a191d..0000000
--- a/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-Because Poky doesn't support at_console we need to
-special-case the session user.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
-
----
- src/connman-dbus.conf | 3 +++
- vpn/vpn-dbus.conf     | 3 +++
- 2 files changed, 6 insertions(+)
-
-diff --git a/src/connman-dbus.conf b/src/connman-dbus.conf
-index 98a773e..466809c 100644
---- a/src/connman-dbus.conf
-+++ b/src/connman-dbus.conf
-@@ -8,6 +8,9 @@
-         <allow send_interface="net.connman.Counter"/>
-         <allow send_interface="net.connman.Notification"/>
-     </policy>
-+    <policy user="xuser">
-+        <allow send_destination="net.connman"/>
-+    </policy>
-     <policy at_console="true">
-         <allow send_destination="net.connman"/>
-     </policy>
-diff --git a/vpn/vpn-dbus.conf b/vpn/vpn-dbus.conf
-index 0f0c8da..9ad05b9 100644
---- a/vpn/vpn-dbus.conf
-+++ b/vpn/vpn-dbus.conf
-@@ -6,6 +6,9 @@
-         <allow send_destination="net.connman.vpn"/>
-         <allow send_interface="net.connman.vpn.Agent"/>
-     </policy>
-+    <policy user="xuser">
-+        <allow send_destination="net.connman.vpn"/>
-+    </policy>
-     <policy at_console="true">
-         <allow send_destination="net.connman.vpn"/>
-     </policy>
--- 
-2.1.4
-
diff --git a/meta/recipes-connectivity/connman/connman_1.30.bb b/meta/recipes-connectivity/connman/connman_1.30.bb
index 9b512c5..7d65ac9 100644
--- a/meta/recipes-connectivity/connman/connman_1.30.bb
+++ b/meta/recipes-connectivity/connman/connman_1.30.bb
@@ -2,7 +2,6 @@ require connman.inc
 
 SRC_URI  = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
             file://0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch \
-            file://add_xuser_dbus_permission.patch \
             file://0001-Detect-backtrace-API-availability-before-using-it.patch \
             file://0002-resolve-musl-does-not-implement-res_ninit.patch \
             file://0003-Fix-header-inclusions-for-musl.patch \
diff --git a/meta/recipes-support/user-creation/files/system-xuser.conf b/meta/recipes-support/user-creation/files/system-xuser.conf
new file mode 100644
index 0000000..7a8e786
--- /dev/null
+++ b/meta/recipes-support/user-creation/files/system-xuser.conf
@@ -0,0 +1,15 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+
+    <!-- This policy allows xuser to send messages to various services.
+         It should be applied after the service policies. -->
+
+    <policy user="xuser">
+        <allow send_destination="net.connman"/>
+        <allow send_destination="net.connman.vpn"/>
+        <allow send_destination="org.ofono"/>
+        <allow send_destination="org.bluez"/>
+    </policy>
+</busconfig>
+
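
Review bot: The four `<allow send_destination=.../>` rules give xuser every
interface and method on each service, and only the net.connman and
net.connman.vpn entries are moved from the deleted connman patch; org.ofono
and org.bluez are new grants. The commit message covers them in one
sentence: it should say why xuser needs unrestricted access to those two
services, or the rules should be narrowed with send_interface. The file is
also installed regardless of which of the four services are in the image.
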
diff --git a/meta/recipes-support/user-creation/xuser-account_0.1.bb b/meta/recipes-support/user-creation/xuser-account_0.1.bb
index 77ba97d..f7830fb 100644
--- a/meta/recipes-support/user-creation/xuser-account_0.1.bb
+++ b/meta/recipes-support/user-creation/xuser-account_0.1.bb
@@ -2,7 +2,7 @@ SUMMARY = "Creates an 'xuser' account used for running X11"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
 
-SRC_URI = ""
+SRC_URI = "file://system-xuser.conf"
 
 inherit allarch useradd
 
@@ -15,9 +15,11 @@ do_compile() {
 }
 
 do_install() {
-    :
+    install -D -m 0644 ${WORKDIR}/system-xuser.conf ${D}${sysconfdir}/dbus-1/system-xuser.conf
 }
 
+FILES_${PN} = "${sysconfdir}/dbus-1/system-xuser.conf"
+
 USERADD_PACKAGES = "${PN}"
 GROUPADD_PARAM_${PN} = "--system shutdown"
 USERADD_PARAM_${PN} = "--create-home \
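
Review bot: do_install puts the file at
${sysconfdir}/dbus-1/system-xuser.conf, outside system.d, so it is read
only by a dbus-daemon built with the include from 2/3; the commit message
says as much ("still needs to be used by dbus-daemon"). That makes
xuser-account depend on a patched dbus without declaring it. Installing to
${sysconfdir}/dbus-1/system.d/ would be picked up by the stock
`<includedir>system.d</includedir>` and remove the coupling, provided the
ordering concern behind 2/3 does not apply. Separately, `FILES_${PN} = ...`
replaces the file list instead of extending it; harmless while this is the
only installed file, but `+=` is the safer habit.
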
-- 
2.1.4




* Re: [PATCH 0/3][fido][dizzy] D-Bus policy fixes
  2015-09-30 15:33 [PATCH 0/3][fido][dizzy] D-Bus policy fixes Jussi Kukkonen
                   ` (2 preceding siblings ...)
  2015-09-30 15:37 ` [PATCH 3/3] xuser-account: Take over xuser specific D-Bus policy Jussi Kukkonen
@ 2015-10-01  7:15 ` Jussi Kukkonen
  3 siblings, 0 replies; 5+ messages in thread
From: Jussi Kukkonen @ 2015-10-01  7:15 UTC (permalink / raw)
  To: Patches and discussions about the oe-core layer, joshua.lock,
	Armin Kuster


On 30 September 2015 at 18:33, Jussi Kukkonen <jussi.kukkonen@intel.com>
wrote:

>   bluez5: Use upstream D-Bus policy
>   dbus: Use the xuser policy file
>   xuser-account: Take over xuser specific D-Bus policy
>

Please don't take the last two patches yet: I believe dbus itself does not
actually have to be modified and the xuser policy file can just be a normal
file in /etc/dbus-1/system.d/. I originally thought the default context
policies in the services files could override the xuser user policy but
this seems to not be the case: user policy always overrides default context
policy.



>  meta/recipes-connectivity/bluez5/bluez5.inc        |  5 +--
>  .../bluez5/bluez5/bluetooth.conf                   | 17 ---------
>  meta/recipes-connectivity/connman/connman.inc      |  1 -
>  .../connman/add_xuser_dbus_permission.patch        | 43
> ----------------------
>  meta/recipes-connectivity/connman/connman_1.30.bb  |  1 -
>  meta/recipes-core/dbus/dbus.inc                    |  1 +
>  ...-Apply-xuser-specific-policies-if-present.patch | 33 +++++++++++++++++
>  .../user-creation/files/system-xuser.conf          | 15 ++++++++
>  .../user-creation/xuser-account_0.1.bb             |  6 ++-
>  9 files changed, 55 insertions(+), 67 deletions(-)
>  delete mode 100644 meta/recipes-connectivity/bluez5/bluez5/bluetooth.conf
>  delete mode 100644
> meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
>  create mode 100644
> meta/recipes-core/dbus/dbus/0001-Apply-xuser-specific-policies-if-present.patch
>  create mode 100644
> meta/recipes-support/user-creation/files/system-xuser.conf
>
> --
> 2.1.4
>
>
