Containers message filtering/policy (#101902): control over messages leaving container
Submitted by Simon McVittie
Assigned to D-Bus Maintainers
Link to original bug (#105659)
Description
+++ This bug was initially created as a clone of Bug #101902 +++
[ ] Can add rules to give a contained app permission to send method calls
    [ ] ... to any bus name
    [ ] ... to specified bus names
    [ ] ... only if they are to a specified object path
    [ ] ... only if they are to a specified object path hierarchy (OBJECT_PATH_IS_SUBTREE flag)
    [ ] ... only if they are on a specified interface
    [ ] ... only if they are a specified member of a specified interface
[ ] Sending Unix fds is only allowed if a rule with the SEND_UNIX_FDS flag allows it
[ ] Can add rules to give a contained app permission to send unicast signals
    [ ] ... to any bus name
    [ ] ... to specified bus names
    [ ] ... only if they are from a specified object path
    [ ] ... only if they are from a specified object path hierarchy
    [ ] ... only if they are from a specified interface
    [ ] ... only if they are a specified member of a specified interface (INTERFACE_IS_REALLY_MEMBER flag, or some better name)
[ ] Can add rules to give a contained app permission to send broadcast signals outside its own container instance
    [ ] ... only if they are from a specified object path
    [ ] ... only if they are from a specified object path hierarchy
    [ ] ... only if they are from a specified interface
    [ ] ... only if they are a specified member of a specified interface
[ ] Failing to send a broadcast does not return an error to the caller at all
[ ] Failing to send a broadcast to an interested connection does notify monitors
[ ] Each method call sent can have exactly 1 reply, unless it has NO_REPLY_EXPECTED
[ ] If the sender cannot even SEE the proposed destination, the error returned does not allow discovery of whether the destination was even present (ideally check this before even finding out whether the destination exists)
[ ] Unit tests
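As an added illustration (not dbus-daemon code and not part of this bug report), a small Python model of the proposed "may send" rules: the object-path subtree flag, the SEND_UNIX_FDS requirement, the silent failure of a denied broadcast, and the ordering that evaluates policy before looking the destination up, so a sender with no matching rule cannot tell whether the name exists. The Rule and Message fields, the numeric flag values, the outcome strings and the bus_names set are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

OBJECT_PATH_IS_SUBTREE = 1  # flag names from the checklist; the values are placeholders
SEND_UNIX_FDS = 2

@dataclass(frozen=True)
class Rule:
    """One 'may send' rule for a contained connection; None means 'any'."""
    kind: str                        # "method_call", "unicast_signal" or "broadcast"
    destination: Optional[str] = None
    path: Optional[str] = None
    interface: Optional[str] = None
    member: Optional[str] = None
    flags: int = 0

@dataclass(frozen=True)
class Message:
    kind: str
    path: str
    interface: str
    member: str
    destination: Optional[str] = None  # None for broadcasts
    unix_fds: int = 0

def path_matches(rule, msg):
    """Exact path match, or the whole subtree when OBJECT_PATH_IS_SUBTREE is set."""
    if rule.path is None:
        return True
    if rule.flags & OBJECT_PATH_IS_SUBTREE:
        return msg.path == rule.path or msg.path.startswith(rule.path.rstrip("/") + "/")
    return msg.path == rule.path

def rule_allows(rule, msg):
    return (rule.kind == msg.kind and rule.destination in (None, msg.destination)
            and path_matches(rule, msg) and rule.interface in (None, msg.interface)
            and rule.member in (None, msg.member))

def check_send(rules, msg, bus_names):
    """Outcome for a message leaving the container; policy runs before the
    name lookup so a denied sender learns nothing about whether it exists."""
    allowing = [r for r in rules if rule_allows(r, msg)]
    if msg.unix_fds:  # passing fds needs an allowing rule that carries SEND_UNIX_FDS
        allowing = [r for r in allowing if r.flags & SEND_UNIX_FDS]
    if not allowing:  # denied broadcasts are dropped silently, unicast gets an error
        return "dropped" if msg.kind == "broadcast" else "AccessDenied"
    if msg.kind != "broadcast" and msg.destination not in bus_names:
        return "NameHasNoOwner"
    return "ok"
```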
To be designed
One of these:
* ACTIVATE flag controls StartServiceByName()
* You can StartServiceByName(foo) if there is any method call that you would be allowed to send to foo
Out of scope
- Receiving non-reply messages
Version: git master