105658 – Containers message filtering/policy (#101902): SEE access control

Bug 105658 - Containers message filtering/policy (#101902): SEE access control

Summary: Containers message filtering/policy (#101902): SEE access control

Status:	RESOLVED MOVED

Alias:	None

Product:	dbus
Classification:	Unclassified
Component:	core (show other bugs)
Version:	git master
Hardware:	All All

Importance:	medium enhancement
Assignee:	Simon McVittie
QA Contact:	D-Bus Maintainers

URL:
Whiteboard:
Keywords:

Depends on:	105656
Blocks:	101902 105659 105660
	Show dependency tree / graph

Reported:	2018-03-21 12:45 UTC by Simon McVittie
Modified:	2018-10-12 21:34 UTC (History)
CC List:	5 users (show)

See Also:
i915 platform:
i915 features:

Attachments

Description Simon McVittie 2018-03-21 12:45:16 UTC

+++ This bug was initially created as a clone of Bug #101902 +++

Implement the SEE access-control model as a step towards Bug #101902.

* Allow list can contain tuples with SEE flag and bus name
* If a contained peer calls ListActivatableNames, ListNames,
  NameHasOwner or GetNameOwner, names that it can SEE are not
  treated as if they didn't exist
* A contained peer can see NameOwnerChanged signals where the
  name in question is one that it can SEE
* If a contained peer can SEE a well-known name, then it can SEE the unique
  name that owns that well-known name too (the primary owner)
* If a contained peer receives a method call or unicast signal from
  outside the container, then it receives SEE access to the sender's unique name
* Add a named parameter or a special allow rule that lets the contained peer SEE every unique name
* Bus name can be "" to match anything
* Bus name can be combined with BUS_NAME_IS_SUBTREE flag to match like arg0namespace
* Object path is ignored for SEE checks
* Interface is ignored for SEE checks

To be designed
==============

One of these:

    * If a contained peer can SEE a well-known name, then it can SEE every
      unique name in the queue for that well-known name
    * If a contained peer can SEE a well-known name, this does not affect
      whether it can SEE unique names that are in the queue for the
      well-known name but are not the primary owner

Comment 1 Simon McVittie 2018-06-01 19:00:01 UTC

(In reply to Simon McVittie from comment #0)
> * If a contained peer receives a method call or unicast signal from
>   outside the container, then it receives SEE access to the sender's unique
> name

I'm implementing this part first.

Comment 2 Simon McVittie 2018-08-29 19:24:43 UTC

On Bug #105656 there is missing coverage for a contained connection inspecting an uncontained connection ("inspecting" means GetConnectionCredentials etc.). I can't actually test that until this feature is implemented: the caller needs to be allowed to SEE the other connection, but not inspect it.

Comment 3 GitLab Migration User 2018-10-12 21:34:19 UTC

-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/dbus/dbus/issues/203.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.