Recommendations for system services

Colin Walters walters at verbum.org
Mon Dec 8 10:06:41 PST 2008 

After studying all of the current policy files, I think there are some
simple recommendations to be made.

First, system services should be in separate processes.  If you merge
together multiple services into a single process, it will invalidate
the advice below.

Once you have a separate process, the bottom line recommendation is:
Use the send_destination rule.

Let's take the simplest case of a service which uses PolicyKit - i.e.
it wants to receive all messages.  The policy should be as simple as:

  <policy user="root">
    <allow own="org.freedesktop.PackageKit"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.freedesktop.PackageKit"/>
  </policy>

That's it.  This will allow any uid to send any message to the owner
of that name, which is pretty much what's desired.  Including
introspection.

Now, let's suppose that you want to restrict access to your service
via UID, GID, or the at_console rule.  I don't recommend this -
PolicyKit is a better solution.  But short of changing to PolicyKit,
here's what your service file should look like:

   <policy user="root">
     <allow own="org.bluez"/>
     <allow send_destination="org.bluez"/>
   </policy>
   <policy at_console="true">
     <allow send_destination="org.bluez"/>
   </policy>
   <policy context="default">
     <deny send_destination="org.bluez"/>
   </policy>

Now, suppose you want the bus to do per-interface filtering. Let's
take the NM system settings service.  The current one is a bit
complex, but I believe a lot of it is redundant.

	<policy user="root">
		<allow own="org.freedesktop.NetworkManagerSystemSettings"/>
                <allow
send_interface="org.freedesktop.NetworkManagerSettings.Secrets"/>
	</policy>
	<policy context="default">
                <allow
send_destination="org.freedesktop.NetworkManagerSystemSettings"/>
		<!-- Only root can get secrets -->
		<deny send_interface="org.freedesktop.NetworkManagerSettings.Secrets"/>
	</policy>

Note here that we selectively denied just a single interface.

There are probably more complicated cases - but I would urge everyone
to keep it simple.  You should ideally provide a targeted service that
does just one thing.  If you need finer grained permissions, then
investigate PolicyKit.  If you don't want a dependency on PolicyKit,
<deny send_interface> is probably the best.

More information about the dbus mailing list