Starting the kdbus discussions
Lennart Poettering
mzqohf at 0pointer.de
Fri Jan 3 15:21:44 PST 2014
On Fri, 03.01.14 13:34, Simon McVittie (simon.mcvittie at collabora.co.uk) wrote:
>
> On 02/01/14 14:40, Daniel J Walsh wrote:
> > What we would be interested in is controlling which process can
> > assume the service name. IE NetworkManager_t could assume the
> > NetworkManager Service, and be blocked from assuming the
> > AccountsDaemon Service name.
>
> If kdbus doesn't know how to do this for uids, then that's a very
> major security regression compared with dbus-daemon; so I would hope
> that it can do this in-kernel. If it can do that for uids, presumably
> it can (be enhanced to) do that for any other security label.

The policy kdbus currently enforces in the kernel is a simple list that
grants send/recv/own rights to specific UIDs. It sounds like a natural
extension for this to allow tagging names with SELinux security labels.

Lennart

--
Lennart Poettering, Red Hat