[OE-core] [PATCH 2/2] connman: Don't use a blanket "allow" D-Bus policy

Andreas Oberritter obi at opendreambox.org
Fri Sep 25 16:06:00 UTC 2015


On 25.09.2015 13:14, Jussi Kukkonen wrote:
> There are already "allow" rules for root and conditionally xuser to
> send messages to connman: there should be no reason for a default
> allow policy.
> 
> Also, conditionally add a policy to allow xuser to send to the
> connman vpn service (similar to main service).
> 
> Signed-off-by: Jussi Kukkonen <jussi.kukkonen at intel.com>
> ---
>  meta/recipes-connectivity/connman/connman.inc      |  6 -----
>  .../connman/add_xuser_dbus_permission.patch        | 28 +++++++++++++++++++---
>  2 files changed, 25 insertions(+), 9 deletions(-)
> 
> diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc
> index 6c062ae..1712af3 100644
> --- a/meta/recipes-connectivity/connman/connman.inc
> +++ b/meta/recipes-connectivity/connman/connman.inc
> @@ -70,13 +70,7 @@ SYSTEMD_SERVICE_${PN} = "connman.service"
>  SYSTEMD_SERVICE_${PN}-vpn = "connman-vpn.service"
>  SYSTEMD_WIRED_SETUP = "ExecStartPre=-${libdir}/connman/wired-setup"
>  
> -# This allows *everyone* to access ConnMan over DBus, without any access
> -# control.  Really the at_console flag should work, which would mean that
> -# both this and the xuser patch can be dropped.
>  do_compile_append() {
> -	sed -i -e s:deny:allow:g ${S}/src/connman-dbus.conf
> -	sed -i -e s:deny:allow:g ${S}/vpn/vpn-dbus.conf
> -
>  	sed -i "s#ExecStart=#${SYSTEMD_WIRED_SETUP}\nExecStart=#" ${B}/src/connman.service
>  }
>  
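Review bot: dropping the two `sed -i -e s:deny:allow:g` lines means every `deny` rule in src/connman-dbus.conf and vpn/vpn-dbus.conf now stays a deny rather than being rewritten to `allow`, so the change affects all rules in both files, not only the default policy; the commit message should state what the effective default is afterwards and that a client running as neither root nor xuser (and not at_console) now gets a D-Bus access error instead of silently succeeding. A quick check is running the connman client as an ordinary user on the built image. The removed comment was also the only place in the recipe recording why the xuser patch exists (at_console not working); keep a one-line note above `do_compile_append()` or in the patch header so the workaround is not later mistaken for a feature.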
> diff --git a/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch b/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
> index 707b3ca..15a191d 100644
> --- a/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
> +++ b/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
> @@ -1,9 +1,14 @@
> -Because Poky doesn't support at_console we need to special-case the session
> -user.
> +Because Poky doesn't support at_console we need to
> +special-case the session user.

Here you can see that it really is poky's distro policy that slipped
into OE-Core. How about removing ROOTLESS_X and xuser from OE-Core and
putting it into a layer that actually sets the variable?

Regards,
Andreas

>  
>  Upstream-Status: Inappropriate [configuration]
>  
> -Signed-off-by: Ross Burton <ross.burton at intel.com>
> +Signed-off-by: Jussi Kukkonen <jussi.kukkonen at intel.com>
> +
> +---
> + src/connman-dbus.conf | 3 +++
> + vpn/vpn-dbus.conf     | 3 +++
> + 2 files changed, 6 insertions(+)
>  
>  diff --git a/src/connman-dbus.conf b/src/connman-dbus.conf
>  index 98a773e..466809c 100644
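Review bot: the original author's `Signed-off-by: Ross Burton` is replaced rather than kept (the `-`/`+` pair on the Signed-off-by line); add your own Signed-off-by below the existing one so the provenance of the patch survives. The re-wrap of the two-line description at the top of the hunk changes no wording and only adds noise to the diff; drop it unless there is a reason for the new line length.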
> @@ -19,3 +24,20 @@ index 98a773e..466809c 100644
>       <policy at_console="true">
>           <allow send_destination="net.connman"/>
>       </policy>
> +diff --git a/vpn/vpn-dbus.conf b/vpn/vpn-dbus.conf
> +index 0f0c8da..9ad05b9 100644
> +--- a/vpn/vpn-dbus.conf
> ++++ b/vpn/vpn-dbus.conf
> +@@ -6,6 +6,9 @@
> +         <allow send_destination="net.connman.vpn"/>
> +         <allow send_interface="net.connman.vpn.Agent"/>
> +     </policy>
> ++    <policy user="xuser">
> ++        <allow send_destination="net.connman.vpn"/>
> ++    </policy>
> +     <policy at_console="true">
> +         <allow send_destination="net.connman.vpn"/>
> +     </policy>
> +-- 
> +2.1.4
> +
> 
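Review bot: the new `<policy user="xuser">` block for net.connman.vpn grants only `send_destination`, whereas the root policy directly above it also carries `<allow send_interface="net.connman.vpn.Agent"/>`; if xuser is expected to register a VPN agent that interface rule is missing, and if not, say so in the patch header. The commit message calls this addition conditional, but nothing in the hunk is conditional: the gating has to come from where the recipe applies the patch (not shown here), so confirm the file is only installed when the xuser/ROOTLESS_X configuration Andreas refers to is actually in effect.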

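As an added illustration (not code from connman, OE-core or anyone in this thread), the following Python evaluates a D-Bus bus-policy file in the order dbus-daemon applies policy blocks, and compares a default-deny connman-dbus.conf, constructed here after the hunks quoted above, with the file the dropped `sed s:deny:allow:g` produced. The file contents, the user names and the simplified rule model (only `send_destination` rules, last matching rule wins) are assumptions for the example.

```python
"""Evaluate D-Bus bus-policy files for send_destination rules.

Constructed example, not code from connman or OE-core.  It models the part
of the dbus-daemon policy semantics that matters here: policy blocks apply
in the order context="default", group, user, at_console, context="mandatory";
rules inside a block are read in file order; the last matching rule wins.
Only send_destination rules are evaluated; own/receive/send_interface-only
rules are ignored (a deliberate simplification).
"""
import xml.etree.ElementTree as ET

# Constructed policy modelled on the hunks quoted above: deny by default,
# explicit allows for root, xuser and at_console sessions.
DEFAULT_DENY_CONF = """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
    <policy user="root">
        <allow own="net.connman"/>
        <allow send_destination="net.connman"/>
        <allow send_interface="net.connman.Agent"/>
    </policy>
    <policy user="xuser">
        <allow send_destination="net.connman"/>
    </policy>
    <policy at_console="true">
        <allow send_destination="net.connman"/>
    </policy>
    <policy context="default">
        <deny send_destination="net.connman"/>
    </policy>
</busconfig>
"""

# Exactly what the dropped recipe line `sed -i -e s:deny:allow:g` produced.
BLANKET_ALLOW_CONF = DEFAULT_DENY_CONF.replace("deny", "allow")

# Order in which dbus-daemon applies policy blocks to a connection.
_PRECEDENCE = ("default", "group", "user", "at_console", "mandatory")


def _kind(policy):
    """Classify a <policy> element by its selector attribute."""
    ctx = policy.get("context")
    if ctx in ("default", "mandatory"):
        return ctx
    for attr in ("group", "user", "at_console"):
        if policy.get(attr) is not None:
            return attr
    raise ValueError("policy block without a recognised selector")


def _applies(policy, user, groups, at_console):
    """Does this <policy> block apply to the connecting principal?"""
    kind = _kind(policy)
    if kind in ("default", "mandatory"):
        return True
    if kind == "user":
        return policy.get("user") == user
    if kind == "group":
        return policy.get("group") in groups
    return (policy.get("at_console") == "true") == at_console


def may_send(conf_xml, user, destination, *, groups=(), at_console=False):
    """Return True if `user` may send a message to bus name `destination`."""
    root = ET.fromstring(conf_xml)
    policies = sorted(root.findall("policy"),
                      key=lambda p: _PRECEDENCE.index(_kind(p)))
    decision = False  # dbus-daemon denies when no rule matches at all
    for policy in policies:
        if not _applies(policy, user, groups, at_console):
            continue
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            dest = rule.get("send_destination")
            if dest is None:
                continue  # own/receive/interface-only rule: not modelled
            if dest in ("*", destination):
                decision = rule.tag == "allow"  # last match wins
    return decision


def audit(conf_xml, destination="net.connman"):
    """Summarise who may talk to `destination` under a given policy file."""
    principals = {  # hypothetical principals for the comparison
        "root": dict(user="root"),
        "xuser": dict(user="xuser"),
        "other user": dict(user="nobody"),
        "other user, at_console": dict(user="nobody", at_console=True),
    }
    return {name: may_send(conf_xml, destination=destination, **kw)
            for name, kw in principals.items()}


if __name__ == "__main__":
    for label, conf in (("blanket allow", BLANKET_ALLOW_CONF),
                        ("default deny", DEFAULT_DENY_CONF)):
        print(label, audit(conf))
```

With the blanket-allow file every principal, including an arbitrary unprivileged user, may send to net.connman; with the default-deny file only root, xuser and a session that dbus-daemon marks at_console may. The same check run over vpn/vpn-dbus.conf with destination net.connman.vpn shows the effect of the xuser block added in the second hunk.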