eavesdrop in dbus policy

Aubert Malek (MM) malek.aubert at external.magnetimarelli.com
Wed Mar 25 02:33:25 PDT 2015 

>><policy user="logging"><allow eavesdrop="true"/> means the (dbus-monitor that was run by) the "logging" user may receive any message from anywhere, even if it is considered to be eavesdropping (the message is not a broadcast and is intended for someone else).
Isn't that what we want? We need to make monitor application see everything on DBus.

Why do I get all the messages, with this policy, on session Dbus and not on system Dbus. What is blocking on system Dbus?
Sorry for insisting but we have 1.6.8 version of Dbus (so, no Become Monitor solution especially that we need to avoid more CPU load consumption) and I need to find a way to make it work.
Thanks again for your cooperation.
M.

-----Message d'origine-----
De : Simon McVittie [mailto:simon.mcvittie at collabora.co.uk]
Envoyé : lundi 23 mars 2015 15:57
À : Aubert Malek (MM); dbus at lists.freedesktop.org
Objet : Re: eavesdrop in dbus policy

On 23/03/15 14:42, Aubert Malek (MM) wrote:
> I just need to understand this. Running the user that uses dbus_daemon
> as root and give it eavesdrop=true causes conflicts with security
> policy but what if I run it as logging for example (usr=logging) and
> make dbus policy changes only for this user (logging). I'll be having
> this in my
system_local.conf:
> <policy user="logging">
>                 <allow eavesdrop="true"/>
>                 <allow send_destination="*" eavesdrop="true"/>
> </policy>

I thought that sort of approach might work, but later realised it didn't, and implemented BecomeMonitor instead.

> You are saying that this shouldn't work. Why shouldn't this work?

The fundamental problem is that a message is only delivered if both of these are true:

* the sender is allowed to send to the recipient;
* the recipient is allowed to receive from the sender.

<policy user="logging"><allow eavesdrop="true"/> means the (dbus-monitor that was run by) the "logging" user may receive any message from anywhere, even if it is considered to be eavesdropping (the message is not a broadcast and is intended for someone else).

<policy user="logging"><allow send_destination="*" eavesdrop="true"/> means the logging user may send any message to anywhere (which in practice probably makes it root-equivalent, a security vulnerability, unless you are already treating "logging" as root-equivalent) - but this does not actually do anything to solve your problem, because you're interested in other things sending messages to logging, and not in logging sending messages to other things.

<policy user="logging"><allow send_destination="*" eavesdrop="true"/> does *not* mean other processes are allowed to send messages to the dbus-monitor that was run by the "logging" user! So you don't get all the messages.

What you want here is something like this pseudocode:

<policy context="default">
  <allow send_if_recipient_uid_is="logging" eavesdrop="true"/>

but there is no send_if_recipient_uid_is attribute in any current version of dbus, so you can't do that.

I could have solved this by adding that attribute in a 1.9.x version; if I'd done that, you still wouldn't be able to eavesdrop on these messages in dbus 1.8.x. I added BecomeMonitor() instead, because I think that model is much easier to understand / harder to get wrong.

    S

VISITEZ NOTRE NOUVEAU SITE WEB! - VISIT OUR NEW WEB SITE!   www.magnetimarelli.com

Confidential Notice: This message - including its attachments - may contain proprietary, confidential and/or legally protected information and is intended solely for the use of the designated addressee(s) above. If you are not the intended recipient be aware that any downloading, copying, disclosure, distribution or use of the contents of the above information is strictly prohibited.
If you have received this communication by mistake, please forward the message back to the sender at the email address above, delete the message from all mailboxes and any other electronic storage medium and destroy all copies.
Disclaimer Notice: Internet communications cannot be guaranteed to be safe or error-free. Therefore we do not assure that this message is complete or accurate and we do not accept liability for any errors or omissions in the contents of this message.

 Remarque de confidentialité : Ce message – et ses pièces jointes – peut contenir des informations confidentielles et/ou protégées par la loi, destinées uniquement à l'usage du destinataire désigné ci-dessus. Si vous n'êtes pas le destinataire prévu,  soyez conscient que tout téléchargement, copie,  divulgation,  distribution ou utilisation du contenu de l'information ci-dessus sont strictement interdits.
Si vous avez reçu cette communication par erreur, merci de retourner le message à l'expéditeur à l'adresse email ci-dessus, de le supprimer de toutes les boîtes aux lettres, de tous supports électroniques de stockage et  d’en détruire toutes les copies.
 Avis de non-responsabilité : les communications Internet ne peuvent être assurées authentiques ou sans erreur. C'est pourquoi nous ne garantissons pas l’intégralité ni l’exactitude de ce message et nous n'acceptons aucune responsabilité pour toute erreur ou omission dans le contenu de ce message.

More information about the dbus mailing list