Message ID | 1453910527-26322-1-git-send-email-lkundrak@v3.sk |
---|---|
State | Accepted |
On Wed, 2016-01-27 at 17:02 +0100, Lubomir Rintel wrote:
> It does more than intended; apart from denying messages to that particular
> interface it also denies all messages non-qualified with an interface globally.
> This blocks messages completely unrelated to wpa_supplicant, such as
> NetworkManager communication with the VPN plugins.

Hmm, not sure why that should happen. But anyway, yes, these were a mistake in the original rules, and the send_destination denies are all that is required to protect the supplicant from unauthorized users.

Dan

> From the dbus-daemon manual:
>
>   Be careful with send_interface/receive_interface, because the
>   interface field in messages is optional. In particular, do NOT
>   specify <deny send_interface="org.foo.Bar"/>! This will cause
>   no-interface messages to be blocked for all services, which is almost
>   certainly not what you intended. Always use rules of the form: <deny
>   send_interface="org.foo.Bar" send_destination="org.foo.Service"/>
>
> We can just safely remove those rules, since we're sufficiently protected
> by the send_destination matches and method calls are disallowed by default
> anyway.
>
> Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
> ---
>
> Clarified the commit message a bit compared to the previous posting.
>
> wpa_supplicant/dbus/dbus-wpa_supplicant.conf | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf > b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf > index c091234..382dcb3 100644 > --- a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf > +++ b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
> @@ -17,11 +17,9 @@ > <policy context="default"> > <deny own="fi.epitest.hostap.WPASupplicant"/> > <deny > send_destination="fi.epitest.hostap.WPASupplicant"/> > - <deny > send_interface="fi.epitest.hostap.WPASupplicant"/> > > <deny own="fi.w1.wpa_supplicant1"/> > <deny send_destination="fi.w1.wpa_supplicant1"/> > - <deny send_interface="fi.w1.wpa_supplicant1"/> > <deny receive_sender="fi.w1.wpa_supplicant1" > receive_type="signal"/> > </policy> > </busconfig>
On Wed, Jan 27, 2016 at 05:02:07PM +0100, Lubomir Rintel wrote:
> It does more than intended; apart from denying messages to that particular
> interface it also denies all messages non-qualified with an interface globally.
> This blocks messages completely unrelated to wpa_supplicant, such as
> NetworkManager communication with the VPN plugins.
>
> From the dbus-daemon manual:
>
>   Be careful with send_interface/receive_interface, because the
>   interface field in messages is optional. In particular, do NOT
>   specify <deny send_interface="org.foo.Bar"/>! This will cause
>   no-interface messages to be blocked for all services, which is almost
>   certainly not what you intended. Always use rules of the form: <deny
>   send_interface="org.foo.Bar" send_destination="org.foo.Service"/>
>
> We can just safely remove those rules, since we're sufficiently protected
> by the send_destination matches and method calls are disallowed by default
> anyway.

Thanks, applied.
diff --git a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf index c091234..382dcb3 100644 --- a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf +++ b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf @@ -17,11 +17,9 @@ <policy context="default"> <deny own="fi.epitest.hostap.WPASupplicant"/> <deny send_destination="fi.epitest.hostap.WPASupplicant"/> - <deny send_interface="fi.epitest.hostap.WPASupplicant"/> <deny own="fi.w1.wpa_supplicant1"/> <deny send_destination="fi.w1.wpa_supplicant1"/> - <deny send_interface="fi.w1.wpa_supplicant1"/> <deny receive_sender="fi.w1.wpa_supplicant1" receive_type="signal"/> </policy> </busconfig>
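Review bot: The two removed `send_interface` denies inside `<policy context="default">` leave nothing in the file explaining why they must not return; a short XML comment above the remaining `send_destination` denies, saying that an unqualified `<deny send_interface=.../>` also matches messages that carry no interface field, for every service, would keep the rule from being reintroduced later. In the unchanged context lines of the same hunk, `fi.w1.wpa_supplicant1` keeps a `receive_sender` deny with `receive_type="signal"` while `fi.epitest.hostap.WPASupplicant` has no counterpart; it is worth confirming in the commit message that this asymmetry is intended.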
It does more than intended; apart from denying messages to that particular
interface it also denies all messages non-qualified with an interface globally.
This blocks messages completely unrelated to wpa_supplicant, such as
NetworkManager communication with the VPN plugins.

From the dbus-daemon manual:

  Be careful with send_interface/receive_interface, because the
  interface field in messages is optional. In particular, do NOT
  specify <deny send_interface="org.foo.Bar"/>! This will cause
  no-interface messages to be blocked for all services, which is almost
  certainly not what you intended. Always use rules of the form: <deny
  send_interface="org.foo.Bar" send_destination="org.foo.Service"/>

We can just safely remove those rules, since we're sufficiently protected
by the send_destination matches and method calls are disallowed by default
anyway.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
---

Clarified the commit message a bit compared to the previous posting.

 wpa_supplicant/dbus/dbus-wpa_supplicant.conf | 2 --
 1 file changed, 2 deletions(-)
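
A simplified model of the rule matching that the quoted dbus-daemon manual passage describes, added here as an illustration; it is not code from wpa_supplicant or dbus-daemon. The service name `org.example.VpnPlugin`, the default-deny starting verdict and the last-match-wins ordering are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Message:
    destination: str
    interface: Optional[str]  # the interface header field is optional

@dataclass(frozen=True)
class Rule:
    allow: bool
    send_destination: Optional[str] = None
    send_interface: Optional[str] = None

def rule_matches(rule: Rule, msg: Message) -> bool:
    if rule.send_destination is not None and rule.send_destination != msg.destination:
        return False
    if rule.send_interface is not None:
        if msg.interface is None:
            # Modelled from the manual quote: a deny rule still applies to a
            # message with no interface; an allow rule is assumed not to.
            return not rule.allow
        return rule.send_interface == msg.interface
    return True

def can_send(rules, msg: Message) -> bool:
    verdict = False  # assumption: sending is denied unless a rule allows it
    for rule in rules:  # assumption: the last matching rule wins
        if rule_matches(rule, msg):
            verdict = rule.allow
    return verdict

SUPPLICANT = "fi.w1.wpa_supplicant1"
VPN = "org.example.VpnPlugin"  # constructed name for an unrelated service

ALLOW_VPN = Rule(allow=True, send_destination=VPN)
DENY_DEST = Rule(allow=False, send_destination=SUPPLICANT)
DENY_IFACE = Rule(allow=False, send_interface=SUPPLICANT)

BEFORE = [ALLOW_VPN, DENY_DEST, DENY_IFACE]  # policy with the removed rule
AFTER = [ALLOW_VPN, DENY_DEST]               # policy after the patch

if __name__ == "__main__":
    samples = {  # constructed messages
        "VPN call without interface": Message(VPN, None),
        "VPN call with interface": Message(VPN, "org.example.VpnPlugin.Iface"),
        "call to wpa_supplicant": Message(SUPPLICANT, SUPPLICANT),
    }
    for label, msg in samples.items():
        print(f"{label}: before={can_send(BEFORE, msg)} after={can_send(AFTER, msg)}")
```

Only the interface-less message to the unrelated service changes verdict between the two policies; the call addressed to wpa_supplicant stays denied by the `send_destination` rule alone.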