Starting the kdbus discussions
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 6 08:23:23 PST 2014
On 01/03/2014 06:25 PM, Lennart Poettering wrote:
> On Sat, 04.01.14 00:21, Lennart Poettering (mzqohf at 0pointer.de) wrote:
>
>>
>> On Fri, 03.01.14 13:34, Simon McVittie (simon.mcvittie at collabora.co.uk)
>> wrote:
>>
>>>
>>> On 02/01/14 14:40, Daniel J Walsh wrote:
>>>> What we would be interested in is controlling which process can
>>>> assume the service name. IE NetworkManager_t could assume the
>>>> NetworkManager Service, and be blocked from assuming the
>>>> AccountsDaemon Service name.
>>>
>>> If kdbus doesn't know how to do this for uids, then that's a very major
>>> security regression compared with dbus-daemon; so I would hope that it
>>> can do this in-kernel. If it can do that for uids, presumably it can
>>> (be enhanced to) do that for any other security label.
>>
>> The policy kdbus currently enforces in the kernel is a simple list that
>> grants send/recv/own rights to specific UIDs. It sounds like a natural
> ^^ should say "to specific UIDs for specific names" here...
>
>> extension for this to allow tagging names with selinux security labels.
>>
>> Lennart
>>
>
>
> Lennart
>
Yes that sounds good to me.
More information about the dbus
mailing list