New policy type to check client credentials?

[Colin Walters]

On Fri, Jan 30, 2009 at 5:17 AM, Markku Savela <msa at moth.iki.fi> wrote:
>
> - there are large number of services using the DBus, none of which
>  makes any access control (does Telepathy framework do any nowadays?)

Telepathy is a session service, and as far as I'm aware no one is
doing access control on the session bus, at least in scale.  Since
everything runs as the same uid, the only option is SELinux policy.

Many services on the system bus do make use of the current dbus policy
language and/or PolicyKit.

Is your goal mainly to increase session bus security?  You also
mention small devices and policy automation.

I guess I'd like to step back and just ask what are the high level
problems we're trying to solve?  What specific programs would need to
be modified?  Are there any other, simpler ways we could address these
problems?

> Yes this would work, but the solution is more prone to race
> conditions. At least, when the DBus makes the credentials retrieval
> (at client connect time), the socket exists and it is more likely that
> the associated PID is still valid.

If the pid is invalid, then you can just deny the request.  In the
case where the process exits and another pid takes its place, you can
reverify by looking up the connection number of the pid.  Aside from
this, one modification we could make to the bus to make life easier
would be to send the credentials in the header of the first message.