deny send_destination policy also blocking signals ?

Havoc Pennington hp at redhat.com
Thu Jun 22 15:06:06 PDT 2006



Sjoerd Simons wrote:
> Hi,
> 
>   When debugging a problem with NetworkManager on debian (or rather why a
>   certian work-around fixed the problem) we encountered a strange issue.
> 
>   As most of you will know NM listens on the system bus to hal signal to detect
>   device additions and removals. For some reason it never got those signals
>   though. Now NM also registers a service on the system bus and the policy for
>   that service is to only allow a certain set of users to send messages to it
>   (depending on your distribution)
>   
>   Now it seems that the policy for send_destination=<network manager service>
>   is also applied to signals coming from hal (which don't have a specific 
>   destination)..  Which is kinda weird and unwanted imho..
> 

If you have <deny send_destination="foo"/> I think you could just add 
after it <allow send_destination="foo" send_type="signal"/> to punch 
signals through the rule.

This kind of defeats the point of the security policy though; there's 
nothing necessarily more secure about signals than about method calls.
So if it's OK it might also be OK to just drop the policy. You would 
need to then audit NM to be sure it does not trust method callers / 
signal emitters.

It is probably more correct to do
<allow
    receive_sender="whatever bus name hal owns"
    send_destination="whatever network manager owns"/>

which would allow through only signals from HAL, instead of allowing any 
user to send any signal to NM.

Havoc



More information about the dbus mailing list