Containers message filtering/policy (#101902): SEE access control
Submitted by Simon McVittie
Assigned to Simon McVittie
Link to original bug (#105658)
Description
+++ This bug was initially created as a clone of Bug #101902 +++
Implement the SEE access-control model as a step towards Bug #101902.
- Allow list can contain tuples with SEE flag and bus name
- If a contained peer calls ListActivatableNames, ListNames, NameHasOwner or GetNameOwner, names that it can SEE are not treated as if they didn't exist
- A contained peer can see NameOwnerChanged signals where the name in question is one that it can SEE
- If a contained peer can SEE a well-known name, then it can SEE the unique name that owns that well-known name too (the primary owner)
- If a contained peer receives a method call or unicast signal from outside the container, then it receives SEE access to the sender's unique name
- Add a named parameter or a special allow rule that lets the contained peer SEE every unique name
- Bus name can be "" to match anything
- Bus name can be combined with BUS_NAME_IS_SUBTREE flag to match like arg0namespace
- Object path is ignored for SEE checks
- Interface is ignored for SEE checks
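The rules above, modelled as a small Python reference check. This is an added illustration written for this page, not code from dbus-daemon or the issue; the flag values, the rule/peer classes, the `owners` registry and the function names are assumptions, and the open question about queued (non-primary) owners is left out.

```python
from dataclasses import dataclass, field

# Flag values are assumptions; only the flag names come from the issue.
SEE = 1 << 0
BUS_NAME_IS_SUBTREE = 1 << 1


@dataclass
class AllowRule:
    flags: int
    bus_name: str  # "" matches anything


@dataclass
class ContainedPeer:
    allow: list
    see_all_unique: bool = False            # the "SEE every unique name" option
    granted_unique: set = field(default_factory=set)  # senders of inbound messages


def rule_matches(rule, name):
    """Does one SEE rule cover this bus name?"""
    if not rule.flags & SEE:
        return False
    if rule.bus_name == "":
        return True
    if rule.flags & BUS_NAME_IS_SUBTREE:
        # arg0namespace semantics: equal, or a dotted child of the namespace
        return name == rule.bus_name or name.startswith(rule.bus_name + ".")
    return name == rule.bus_name


def can_see(peer, name, owners):
    """owners maps well-known name -> primary owner's unique name (constructed)."""
    if any(rule_matches(r, name) for r in peer.allow):
        return True
    if not name.startswith(":"):
        return False
    if peer.see_all_unique or name in peer.granted_unique:
        return True
    # Seeing a well-known name implies seeing its primary owner.
    return any(owner == name and can_see(peer, wk, owners) for wk, owner in owners.items())


def on_message_from_outside(peer, sender_unique):
    """A method call or unicast signal from outside grants SEE on the sender."""
    peer.granted_unique.add(sender_unique)


def filter_names(peer, names, owners):
    """What ListNames/ListActivatableNames would return to this contained peer."""
    return [n for n in names if can_see(peer, n, owners)]
```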
To be designed
One of these:
* If a contained peer can SEE a well-known name, then it can SEE every unique name in the queue for that well-known name
* If a contained peer can SEE a well-known name, this does not affect whether it can SEE unique names that are in the queue for the well-known name but are not the primary owner
Version: git master