Commit dc77c213 authored by Colin Walters's avatar Colin Walters

Clean up and clarify default system policy

The former was too reliant on old bugs and was generally unclear.
This one makes explicit exactly what is allowed and not.
parent 3af94cf2
......@@ -42,33 +42,29 @@
<listen>@DBUS_SYSTEM_BUS_DEFAULT_ADDRESS@</listen>
<policy context="default">
<!-- Deny everything then punch holes -->
<deny send_interface="*"/>
<deny receive_interface="*"/>
<deny own="*"/>
<!-- But allow all users to connect -->
<!-- All users can connect to system bus -->
<allow user="*"/>
<!-- Allow anyone to talk to the message bus -->
<!-- FIXME I think currently these allow rules are always implicit
even if they aren't in here -->
<allow send_destination="org.freedesktop.DBus"/>
<allow receive_sender="org.freedesktop.DBus"/>
<!-- Allow all signals to be sent by default -->
<!-- Holes must be punched in service configuration files for
name ownership and sending method calls -->
<deny own="*"/>
<deny send_type="method_call"/>
<!-- Signals and reply messages (method returns, errors) are allowed
by default -->
<allow send_type="signal"/>
<!-- allow sending valid replies -->
<allow send_requested_reply="true" send_type="method_return"/>
<allow send_requested_reply="true" send_type="error"/>
<!-- allow receiving valid replies -->
<allow receive_requested_reply="true"/>
<!-- Note: the rule above also allows receiving of all non-reply messages
that are not denied later. See:
https://bugs.freedesktop.org/show_bug.cgi?id=18229
Potentially this will be replaced in the future by the
following two rules:
<allow receive_requested_reply="true" receive_type="method_return"/>
<allow receive_requested_reply="true" receive_type="error"/>
-->
<!-- disallow changing the activation environment of system services -->
<!-- All messages may be received by default -->
<allow receive_type="method_call"/>
<allow receive_type="method_return"/>
<allow receive_type="error"/>
<allow receive_type="signal"/>
<!-- Allow anyone to talk to the message bus -->
<allow send_destination="org.freedesktop.DBus"/>
<!-- But disallow some specific bus services -->
<deny send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.DBus"
send_member="UpdateActivationEnvironment"/>
......
......@@ -20,27 +20,40 @@
<!-- intended to match system bus -->
<policy context="default">
<!-- Deny everything then punch holes -->
<deny send_interface="*"/>
<deny receive_interface="*"/>
<deny own="*"/>
<!-- But allow all users to connect -->
<!-- All users can connect to system bus -->
<allow user="*"/>
<!-- Allow anyone to talk to the message bus -->
<!-- FIXME I think currently these eallow rules are always implicit
even if they aren't in here -->
<allow send_destination="org.freedesktop.DBus"/>
<allow receive_sender="org.freedesktop.DBus"/>
<!-- Allow all signals to be sent by default -->
<!-- Holes must be punched in service configuration files for
name ownership and sending method calls -->
<deny own="*"/>
<deny send_type="method_call"/>
<!-- Signals and reply messages (method returns, errors) are allowed
by default -->
<allow send_type="signal"/>
<!-- valid replies are always allowed -->
<allow send_requested_reply="true" send_type="method_return"/>
<allow send_requested_reply="true" send_type="error"/>
<allow receive_requested_reply="true"/>
<!-- disallow changing the activation environment of system services -->
<!-- All messages may be received by default -->
<allow receive_type="method_call"/>
<allow receive_type="method_return"/>
<allow receive_type="error"/>
<allow receive_type="signal"/>
<!-- Allow anyone to talk to the message bus -->
<allow send_destination="org.freedesktop.DBus"/>
<!-- But disallow some specific bus services -->
<deny send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.DBus"
send_member="UpdateActivationEnvironment"/>
<!-- Specific to the test suite -->
<allow own="org.freedesktop.DBus.TestSuiteEchoService"/>
<allow send_destination="org.freedesktop.DBus.TestSuiteEchoService"
send_interface="org.freedesktop.DBus.Introspectable"/>
<allow send_destination="org.freedesktop.DBus.TestSuiteEchoService"
send_interface="org.freedesktop.TestSuite"
send_member="EmitFoo"/>
</policy>
<policy context="default">
......@@ -52,16 +65,6 @@
send_member="EmitFoo"/>
</policy>
<!-- Config files are placed here that among other things,
further restrict the above policy for specific services. -->
<includedir>session.d</includedir>
<!-- This is included last so local configuration can override what's
in this standard file -->
<include ignore_missing="yes">session-local.conf</include>
<include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>
<!-- For the session bus, override the default relatively-low limits
with essentially infinite limits, since the bus is just running
as the user anyway, using up bus resources is not something we need
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment