The Plan for CVE-2008-4311

Colin Walters walters at verbum.org
Tue Jan 13 07:08:53 PST 2009


On Wed, Dec 24, 2008 at 2:23 AM, Scott James Remnant
<scott at canonical.com> wrote:

>> The problem is that regardless, one needs to check the message sender
>> on the recipient side for generic interfaces; e.g. the
>> "PropertiesChanged" signal that IIRC was proposed as an addition to
>> the standard.  So, it is a binding/application issue.
>>
> Sure, but this is analogous to filling in the destination bus name when
> making a method call from a client.
>
> Fill in the bus name when sending, check the bus name when receiving
> signals (i.e. put it in the match).

Fill in what bus name when sending?  Signals are (typically) emitted
to everyone.

And yes, receiving applications should use the match rule.

> If deny is the default for signals, then services simply do:
>
> <allow sender="org.freedesktop.Hal"
>       send_interface="org.freedesktop.Hal"/>

Yes, but again regardless - every signal recipient still needs to
check the origin of signals.  Or more precisely, the best approach is
for bindings/apps to use the match rules and so the process will never
even see malicious or misdirected/buggy signals.

So denying signals isn't improving security, and thus it's not clear
to me what we're gaining by it.

The other argument is that we've already released dbus 1.2.6+, and in
Fedora we've been modifying service files.  I'm *really* hesitant to
change the story again for questionable gain.

> This means all services do two symmetrical things, and all clients do
> two symmetrical things.  Policy and ACLs are much easier to understand
> when they're symmetrical.

Well, if the goal is to make the policy easier to understand, I pretty
strongly think we should design a new config subset actually targeted
for services.  Something like:

<service name="org.freedesktop.Hal">
  <context user="root">
    <allow send_interface="org.freedesktop.Hal.EraseMyDisks"/>
  </context>
  <context default="true">
    <allow send_interface="org.freedesktop.Hal.GetDiskGeometry"/>
  </context>
</service>

This would expand to:

<policy user="root">
  <allow send_destination="org.freedesktop.Hal"
         send_interface="org.freedesktop.Hal.EraseMyDisks"/>
</policy>
<policy context="default">
  <allow send_destination="org.freedesktop.Hal"
         send_interface="org.freedesktop.Hal.GetDiskGeometry"/>
</policy>

This seems trivial, but when applied to say ConsoleKit having the
destination be implicit in all the rules would reduce the size of the
policy file by half, easily.

Oh and the service language would *not* have <deny>.  I think SELinux
really got it right by not having both <allow> and <deny> rules.

