diff mbox

More lenient D-Bus policy

Message ID 1400947886-18103-1-git-send-email-zeeshanak@gnome.org
State Changes Requested
Headers show

Commit Message

Zeeshan Ali (Khattak) May 24, 2014, 4:11 p.m. UTC 
It doesn't make sense to deny all non-root users access to all D-Bus API.
Lets at least give everyone the ability to receive signals, read
properties and introspect.

Signed-off-by: Zeeshan Ali (Khattak) <zeeshanak@gnome.org>
---
 wpa_supplicant/dbus/dbus-wpa_supplicant.conf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

Comments

Johannes Berg May 25, 2014, 6:46 a.m. UTC | #1 
On Sat, 2014-05-24 at 17:11 +0100, Zeeshan Ali (Khattak) wrote:
> It doesn't make sense to deny all non-root users access to all D-Bus API.
> Lets at least give everyone the ability to receive signals, read
> properties and introspect.

Introspect seems fine, but signals and properties might contain private
data like wifi keys?

johannes
Zeeshan Ali (Khattak) May 25, 2014, 10:10 a.m. UTC | #2 
On Sun, May 25, 2014 at 7:46 AM, Johannes Berg
<johannes@sipsolutions.net> wrote:
> On Sat, 2014-05-24 at 17:11 +0100, Zeeshan Ali (Khattak) wrote:
>> It doesn't make sense to deny all non-root users access to all D-Bus API.
>> Lets at least give everyone the ability to receive signals, read
>> properties and introspect.
>
> Introspect seems fine, but signals and properties might contain private
> data like wifi keys?

Thats a fair point. I see that the following interfaces don't have any
private data so I'll provide a v2 of this patch with only granting
access to them:

fi.w1.wpa_supplicant1
fi.w1.wpa_supplicant1.Interface
fi.w1.wpa_supplicant1.BSS
Johannes Berg May 25, 2014, 10:29 a.m. UTC | #3 
On Sun, 2014-05-25 at 11:10 +0100, Zeeshan Ali (Khattak) wrote:

> > Introspect seems fine, but signals and properties might contain private
> > data like wifi keys?
> 
> Thats a fair point. I see that the following interfaces don't have any
> private data so I'll provide a v2 of this patch with only granting
> access to them:
> 
> fi.w1.wpa_supplicant1
> fi.w1.wpa_supplicant1.Interface

I don't think that's true for .Interface - I believe you can retrieve
blobs which may contain private keys.

It would also stand to reason that to avoid breaking this in the future
something should be done in the *code* to mark things as safe for
anyone. Does DBus provide any mechanism where you could tag properties
in some way and enable permissions based on that, or would it require
another interface?

johannes
Zeeshan Ali (Khattak) May 25, 2014, 10:41 a.m. UTC | #4 
On Sun, May 25, 2014 at 11:29 AM, Johannes Berg
<johannes@sipsolutions.net> wrote:
> On Sun, 2014-05-25 at 11:10 +0100, Zeeshan Ali (Khattak) wrote:
>
>> > Introspect seems fine, but signals and properties might contain private
>> > data like wifi keys?
>>
>> Thats a fair point. I see that the following interfaces don't have any
>> private data so I'll provide a v2 of this patch with only granting
>> access to them:
>>
>> fi.w1.wpa_supplicant1
>> fi.w1.wpa_supplicant1.Interface
>
> I don't think that's true for .Interface - I believe you can retrieve
> blobs which may contain private keys.

Which properties or signals are those exactly?

> It would also stand to reason that to avoid breaking this in the future
> something should be done in the *code* to mark things as safe for
> anyone.

Yeah. you can easily deny access from code if/when you need to. We do
this sort of thing in Geoclue, where each client gets its own client
object and we reject any access to it by anyone other than the related
client. We also don't broadcast signals from these objects but send it
only to related client.

> Does DBus provide any mechanism where you could tag properties
> in some way and enable permissions based on that, or would it require
> another interface?

Unfortunately not and that is why I think you want to not restrict
access to properties through D-Bus policy but rather from code.
Zeeshan Ali (Khattak) May 25, 2014, 11:04 a.m. UTC | #5 
On Sun, May 25, 2014 at 11:10 AM, Zeeshan Ali (Khattak)
<zeeshanak@gnome.org> wrote:
> On Sun, May 25, 2014 at 7:46 AM, Johannes Berg
> <johannes@sipsolutions.net> wrote:
>> On Sat, 2014-05-24 at 17:11 +0100, Zeeshan Ali (Khattak) wrote:
>>> It doesn't make sense to deny all non-root users access to all D-Bus API.
>>> Lets at least give everyone the ability to receive signals, read
>>> properties and introspect.
>>
>> Introspect seems fine, but signals and properties might contain private
>> data like wifi keys?
>
> Thats a fair point. I see that the following interfaces don't have any
> private data so I'll provide a v2 of this patch with only granting
> access to them:
>
> fi.w1.wpa_supplicant1
> fi.w1.wpa_supplicant1.Interface
> fi.w1.wpa_supplicant1.BSS

Oh, actually that is not possible for properties as the interface for
them is org.freedesktop.DBus.Properties.

I'm afraid you'll have to do all properties access control from the
code instead. I can still provide a patch that only gives access to
signals on the above objects and I can even make it more specific if
we want that?
Johannes Berg May 26, 2014, 8:28 a.m. UTC | #6 
On Sun, 2014-05-25 at 12:04 +0100, Zeeshan Ali (Khattak) wrote:

> I'm afraid you'll have to do all properties access control from the
> code instead. I can still provide a patch that only gives access to
> signals on the above objects and I can even make it more specific if
> we want that?

Well, the signals have the same problem really - there's a "new blob"
signal I believe which probably has all the blob properties.

johannes
Zeeshan Ali (Khattak) May 26, 2014, 9:56 a.m. UTC | #7 
On Mon, May 26, 2014 at 9:28 AM, Johannes Berg
<johannes@sipsolutions.net> wrote:
> On Sun, 2014-05-25 at 12:04 +0100, Zeeshan Ali (Khattak) wrote:
>
>> I'm afraid you'll have to do all properties access control from the
>> code instead. I can still provide a patch that only gives access to
>> signals on the above objects and I can even make it more specific if
>> we want that?
>
> Well, the signals have the same problem really - there's a "new blob"
> signal I believe which probably has all the blob properties.

As I said:

1. You can define a refined policy for signals so thats fixable.
2. For properties, you can deny access from code.

BTW, can we please not talk in terms of facts and keep 'I believe' and
'probably' out of this discussion?
Johannes Berg May 26, 2014, 10:08 a.m. UTC | #8 
On Mon, 2014-05-26 at 10:56 +0100, Zeeshan Ali (Khattak) wrote:
> On Mon, May 26, 2014 at 9:28 AM, Johannes Berg
> <johannes@sipsolutions.net> wrote:
> > On Sun, 2014-05-25 at 12:04 +0100, Zeeshan Ali (Khattak) wrote:
> >
> >> I'm afraid you'll have to do all properties access control from the
> >> code instead. I can still provide a patch that only gives access to
> >> signals on the above objects and I can even make it more specific if
> >> we want that?
> >
> > Well, the signals have the same problem really - there's a "new blob"
> > signal I believe which probably has all the blob properties.
> 
> As I said:
> 
> 1. You can define a refined policy for signals so thats fixable.
> 2. For properties, you can deny access from code.

Ok.

> BTW, can we please not talk in terms of facts and keep 'I believe' and
> 'probably' out of this discussion?

Not really, that'd mean I have to reread the whole code for every
email :)

johannes
Dan Williams May 29, 2014, 10:44 p.m. UTC | #9 
On Mon, 2014-05-26 at 10:56 +0100, Zeeshan Ali (Khattak) wrote:
> On Mon, May 26, 2014 at 9:28 AM, Johannes Berg
> <johannes@sipsolutions.net> wrote:
> > On Sun, 2014-05-25 at 12:04 +0100, Zeeshan Ali (Khattak) wrote:
> >
> >> I'm afraid you'll have to do all properties access control from the
> >> code instead. I can still provide a patch that only gives access to
> >> signals on the above objects and I can even make it more specific if
> >> we want that?
> >
> > Well, the signals have the same problem really - there's a "new blob"
> > signal I believe which probably has all the blob properties.
> 
> As I said:
> 
> 1. You can define a refined policy for signals so thats fixable.
> 2. For properties, you can deny access from code.

That seems like the right way forward...  I guess we have to audit the
signals and properties to make sure what the permissions should be.  But
we really should do that anyway :)  I can try to look at that this week,
but can't guarantee when exactly I'd get to it.

Dan
diff mbox

Patch

diff --git a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
index c091234..06c9515 100644
--- a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
+++ b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
@@ -23,5 +23,22 @@ 
                 <deny send_destination="fi.w1.wpa_supplicant1"/>
                 <deny send_interface="fi.w1.wpa_supplicant1"/>
                 <deny receive_sender="fi.w1.wpa_supplicant1" receive_type="signal"/>
+
+                <!-- Allow receiving signals -->
+                <allow receive_sender="fi.w1.wpa_supplicant1"
+                       receive_type="signal"/>
+
+                <!-- Allow reading properties -->
+                <allow send_destination="fi.w1.wpa_supplicant1"
+                       send_interface="org.freedesktop.DBus.Properties"
+                       send_member="Get"/>
+
+                <allow send_destination="fi.w1.wpa_supplicant1"
+                       send_interface="org.freedesktop.DBus.Properties"
+                       send_member="GetAll"/>
+
+                <!-- Allow full access to introspection -->
+                <allow send_destination="fi.w1.wpa_supplicant1"
+                       send_interface="org.freedesktop.DBus.Introspectable"/>
         </policy>
 </busconfig>