[OE-core] [PATCH 2/2] connman: Don't use a blanket "allow" D-Bus policy

Jussi Kukkonen jussi.kukkonen at intel.com
Fri Sep 25 11:14:01 UTC 2015


There are already "allow" rules for root and conditionally xuser to
send messages to connman: there should be no reason for a default
allow policy.

Also, conditionally add a policy to allow xuser to send to the
connman vpn service (similar to main service).

Signed-off-by: Jussi Kukkonen <jussi.kukkonen at intel.com>
---
 meta/recipes-connectivity/connman/connman.inc      |  6 -----
 .../connman/add_xuser_dbus_permission.patch        | 28 +++++++++++++++++++---
 2 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc
index 6c062ae..1712af3 100644
--- a/meta/recipes-connectivity/connman/connman.inc
+++ b/meta/recipes-connectivity/connman/connman.inc
@@ -70,13 +70,7 @@ SYSTEMD_SERVICE_${PN} = "connman.service"
 SYSTEMD_SERVICE_${PN}-vpn = "connman-vpn.service"
 SYSTEMD_WIRED_SETUP = "ExecStartPre=-${libdir}/connman/wired-setup"
 
-# This allows *everyone* to access ConnMan over DBus, without any access
-# control.  Really the at_console flag should work, which would mean that
-# both this and the xuser patch can be dropped.
 do_compile_append() {
-	sed -i -e s:deny:allow:g ${S}/src/connman-dbus.conf
-	sed -i -e s:deny:allow:g ${S}/vpn/vpn-dbus.conf
-
 	sed -i "s#ExecStart=#${SYSTEMD_WIRED_SETUP}\nExecStart=#" ${B}/src/connman.service
 }
 
diff --git a/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch b/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
index 707b3ca..15a191d 100644
--- a/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
+++ b/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
@@ -1,9 +1,14 @@
-Because Poky doesn't support at_console we need to special-case the session
-user.
+Because Poky doesn't support at_console we need to
+special-case the session user.
 
 Upstream-Status: Inappropriate [configuration]
 
-Signed-off-by: Ross Burton <ross.burton at intel.com>
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen at intel.com>
+
+---
+ src/connman-dbus.conf | 3 +++
+ vpn/vpn-dbus.conf     | 3 +++
+ 2 files changed, 6 insertions(+)
 
 diff --git a/src/connman-dbus.conf b/src/connman-dbus.conf
 index 98a773e..466809c 100644
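Review bot: Replacing Ross Burton's `Signed-off-by:` line with a new one removes the original author from the embedded patch's provenance trail. The usual practice is to keep the existing sign-off and append the new one beneath it. The header text also still mentions only the session user, although the patch now edits vpn/vpn-dbus.conf as well. A description such as `Allow the session user (xuser) to send to net.connman and net.connman.vpn, because Poky doesn't support at_console.` would cover both files.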
@@ -19,3 +24,20 @@ index 98a773e..466809c 100644
      <policy at_console="true">
          <allow send_destination="net.connman"/>
      </policy>
+diff --git a/vpn/vpn-dbus.conf b/vpn/vpn-dbus.conf
+index 0f0c8da..9ad05b9 100644
+--- a/vpn/vpn-dbus.conf
++++ b/vpn/vpn-dbus.conf
+@@ -6,6 +6,9 @@
+         <allow send_destination="net.connman.vpn"/>
+         <allow send_interface="net.connman.vpn.Agent"/>
+     </policy>
++    <policy user="xuser">
++        <allow send_destination="net.connman.vpn"/>
++    </policy>
+     <policy at_console="true">
+         <allow send_destination="net.connman.vpn"/>
+     </policy>
+-- 
+2.1.4
+
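Review bot: The added `<policy user="xuser">` block in vpn/vpn-dbus.conf grants the whole `net.connman.vpn` destination to a hard-coded account name, and nothing in the embedded patch explains where that account comes from. The commit message says the policy is added conditionally, but the condition is not visible in this hunk, so it presumably lives in the recipe; the patch header should say so. With the `s:deny:allow:g` rewrite gone, this rule and the root policy appear to be the only working grants on images where at_console has no effect. A short comment above the block, such as `<!-- session user on images without at_console support; applied only when xuser exists -->`, would make that access boundary clear to whoever audits the installed policy file.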
-- 
2.1.4



