diff options
| author | Colin Walters <walters@verbum.org> | 2009-01-21 15:27:10 -0500 |
|---|---|---|
| committer | Colin Walters <walters@verbum.org> | 2009-01-21 15:27:10 -0500 |
| commit | f0cc56e1919cdc762e1ba4b3b53d377312f0c6c2 (patch) | |
| tree | 31125fcfe1c83f7b3265dd24567ec14cf5d9c163 | |
| parent | 5b315d088a8884e11ea90721c54cf3923213cd81 (diff) | |
Clean up and clarify default system policy
The former was too reliant on old bugs and was generally unclear.
This one makes explicit exactly what is allowed and not.
Conflicts:
bus/system.conf.in
| -rw-r--r-- | bus/system.conf.in | 40 | ||||
| -rw-r--r-- | test/name-test/tmp-session-like-system.conf | 51 |
2 files changed, 45 insertions, 46 deletions
diff --git a/bus/system.conf.in b/bus/system.conf.in index db412327..a0dd7415 100644 --- a/bus/system.conf.in +++ b/bus/system.conf.in @@ -33,32 +33,28 @@ <listen>@DBUS_SYSTEM_BUS_DEFAULT_ADDRESS@</listen> <policy context="default"> - <!-- Deny everything then punch holes --> - <deny send_interface="*"/> - <deny receive_interface="*"/> - <deny own="*"/> - <!-- But allow all users to connect --> + <!-- All users can connect to system bus --> <allow user="*"/> - <!-- Allow anyone to talk to the message bus --> - <!-- FIXME I think currently these allow rules are always implicit - even if they aren't in here --> - <allow send_destination="org.freedesktop.DBus"/> - <allow receive_sender="org.freedesktop.DBus"/> - <!-- Allow all signals to be sent by default --> + + <!-- Holes must be punched in service configuration files for + name ownership and sending method calls --> + <deny own="*"/> + <deny send_type="method_call"/> + + <!-- Signals and reply messages (method returns, errors) are allowed + by default --> <allow send_type="signal"/> - <!-- allow sending valid replies --> <allow send_requested_reply="true" send_type="method_return"/> <allow send_requested_reply="true" send_type="error"/> - <!-- allow receiving valid replies --> - <allow receive_requested_reply="true"/> - <!-- Note: the rule above also allows receiving of all non-reply messages - that are not denied later. See: - https://bugs.freedesktop.org/show_bug.cgi?id=18229 - Potentially this will be replaced in the future by the - following two rules: - <allow receive_requested_reply="true" receive_type="method_return"/> - <allow receive_requested_reply="true" receive_type="error"/> - --> + + <!-- All messages may be received by default --> + <allow receive_type="method_call"/> + <allow receive_type="method_return"/> + <allow receive_type="error"/> + <allow receive_type="signal"/> + + <!-- Allow anyone to talk to the message bus --> + <allow send_destination="org.freedesktop.DBus"/> </policy> <!-- Config files are placed here that among other things, punch diff --git a/test/name-test/tmp-session-like-system.conf b/test/name-test/tmp-session-like-system.conf index b4e43960..41a4201a 100644 --- a/test/name-test/tmp-session-like-system.conf +++ b/test/name-test/tmp-session-like-system.conf @@ -14,27 +14,40 @@ <!-- intended to match system bus --> <policy context="default"> - <!-- Deny everything then punch holes --> - <deny send_interface="*"/> - <deny receive_interface="*"/> - <deny own="*"/> - <!-- But allow all users to connect --> + <!-- All users can connect to system bus --> <allow user="*"/> - <!-- Allow anyone to talk to the message bus --> - <!-- FIXME I think currently these eallow rules are always implicit - even if they aren't in here --> - <allow send_destination="org.freedesktop.DBus"/> - <allow receive_sender="org.freedesktop.DBus"/> - <!-- Allow all signals to be sent by default --> + + <!-- Holes must be punched in service configuration files for + name ownership and sending method calls --> + <deny own="*"/> + <deny send_type="method_call"/> + + <!-- Signals and reply messages (method returns, errors) are allowed + by default --> <allow send_type="signal"/> - <!-- valid replies are always allowed --> <allow send_requested_reply="true" send_type="method_return"/> <allow send_requested_reply="true" send_type="error"/> - <allow receive_requested_reply="true"/> - <!-- disallow changing the activation environment of system services --> + + <!-- All messages may be received by default --> + <allow receive_type="method_call"/> + <allow receive_type="method_return"/> + <allow receive_type="error"/> + <allow receive_type="signal"/> + + <!-- Allow anyone to talk to the message bus --> + <allow send_destination="org.freedesktop.DBus"/> + <!-- But disallow some specific bus services --> <deny send_destination="org.freedesktop.DBus" send_interface="org.freedesktop.DBus" send_member="UpdateActivationEnvironment"/> + + <!-- Specific to the test suite --> + <allow own="org.freedesktop.DBus.TestSuiteEchoService"/> + <allow send_destination="org.freedesktop.DBus.TestSuiteEchoService" + send_interface="org.freedesktop.DBus.Introspectable"/> + <allow send_destination="org.freedesktop.DBus.TestSuiteEchoService" + send_interface="org.freedesktop.TestSuite" + send_member="EmitFoo"/> </policy> <policy context="default"> @@ -46,16 +59,6 @@ send_member="EmitFoo"/> </policy> - <!-- Config files are placed here that among other things, - further restrict the above policy for specific services. --> - <includedir>session.d</includedir> - - <!-- This is included last so local configuration can override what's - in this standard file --> - <include ignore_missing="yes">session-local.conf</include> - - <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include> - <!-- For the session bus, override the default relatively-low limits with essentially infinite limits, since the bus is just running as the user anyway, using up bus resources is not something we need |