Starting the kdbus discussions
Lennart Poettering
mzqohf at 0pointer.de
Fri Jan 3 15:25:46 PST 2014
On Sat, 04.01.14 00:21, Lennart Poettering (mzqohf at 0pointer.de) wrote:
>
> On Fri, 03.01.14 13:34, Simon McVittie (simon.mcvittie at collabora.co.uk) wrote:
>
> >
> > On 02/01/14 14:40, Daniel J Walsh wrote:
> > > What we would be interested in is controlling which process can
> > > assume the service name. IE NetworkManager_t could assume the
> > > NetworkManager Service, and be blocked from assuming the
> > > AccountsDaemon Service name.
> >
> > If kdbus doesn't know how to do this for uids, then that's a very
> > major security regression compared with dbus-daemon; so I would hope
> > that it can do this in-kernel. If it can do that for uids, presumably
> > it can (be enhanced to) do that for any other security label.
>
> The policy kdbus currently enforces in the kernel is a simple list that
> grants send/recv/own rights to specific UIDs. It sounds like a natural
^^
should say "to specific UIDs for specific names" here...
> extension for this to allow tagging names with selinux security labels.
>
> Lennart
>
Lennart
--
Lennart Poettering, Red Hat