[Dev] D-Bus + Cynara

Jacek Bukarewicz j.bukarewicz at samsung.com
Fri Oct 31 18:17:35 GMT 2014


Hi,

As you might know there is an idea to integrate Cynara checks into 
dbus-daemon. Its implementation has been started by Patrick Ohly. I 
continued this task and a version of dbus-daemon with this feature 
implemented is available in my dbus sandbox.
git://review.tizen.org/platform/upstream/dbus 
(sandbox/jacekbe/cynara-integration branch)

I believe that all the features that services need are implemented. 
There are a few things that I need to do but these are rather minor. I 
will also need to do more testing.

The idea is to extend the D-Bus daemon XML policy language with a <check ... 
privilege="name_of_privilege" /> tag, so that when a message matches a <check> 
rule, Cynara is consulted. The attributes that can be put in this tag are the 
same as in the <allow> and <deny> tags (apart from the user, group and own 
attributes), so we can enforce policy checks with method/signal name, 
interface, bus name and object path granularity.

For example, in order to secure calling methods that are part of the 
"org.bluez.Device1" interface of the service owning the name 
"org.bluez.Adapter1", one can put the following lines in the configuration file. 
The D-Bus daemon will take care of allowing only applications that have the 
"http://tizen.org/privilege/bluetooth" privilege.

<policy context="default">
    <check send_interface="org.bluez.Device1"
           send_destination="org.bluez.Adapter1"
           privilege="http://tizen.org/privilege/bluetooth" />
</policy>

It would be nice to get feedback from service developers on whether you 
find it useful and sufficient to secure your services.
Ideally, service developers could try this version of D-Bus and see if 
they notice any problems. I'm not sure if the other parts of the security 
infrastructure are ready so that such tests can be performed, though.

Additionally, I'd like to know whether we also need to support such a 
construct:
    <check own="com.example.name" privilege="example.privilege" />
That is: allow only applications/services having the given privilege to own 
the given name.
It would be useful if services weren't trusted or applications would like to 
request some well-known name on the bus. I'm not sure if that's the case.

Also, are there resources that need multiple privileges, or can we assume 
that every resource maps to a single privilege?

Best regards,

-- 
Jacek Bukarewicz
Samsung R&D Institute Poland
Samsung Electronics
j.bukarewicz at samsung.com
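To make the semantics of the proposed <check> tag concrete (both the send rule in the bluetooth example and the own="..." construct asked about above), here is a small simulator added to this page. It is not code from the dbus sandbox branch or from Cynara: it parses a constructed policy fragment, matches messages against allow/deny/check rules with the usual "later rule overrides earlier" evaluation (simplified to a single context and a default of deny), and replaces the Cynara query with an in-memory table keyed by a constructed client label and privilege name. The surrounding <deny>/<allow> rules, the client labels and the FAKE_CYNARA contents are all assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed policy fragment. The bluetooth <check> element follows the shape given
# in the mail; the surrounding <deny>/<allow> rules and the own= rules are assumptions.
POLICY_XML = """
<busconfig>
  <policy context="default">
    <deny send_destination="org.bluez.Adapter1"/>
    <check send_interface="org.bluez.Device1"
           send_destination="org.bluez.Adapter1"
           privilege="http://tizen.org/privilege/bluetooth"/>
    <allow send_interface="org.freedesktop.DBus.Introspectable"
           send_destination="org.bluez.Adapter1"/>
    <deny own="com.example.name"/>
    <check own="com.example.name" privilege="example.privilege"/>
  </policy>
</busconfig>
"""

# Constructed stand-in for a Cynara policy database:
# (client label, privilege) -> allowed. Unknown pairs are denied.
FAKE_CYNARA = {
    ("User::App::bt-settings", "http://tizen.org/privilege/bluetooth"): True,
    ("User::App::calculator", "http://tizen.org/privilege/bluetooth"): False,
    ("System::Daemon", "example.privilege"): True,
}

# Attributes a send rule may constrain, mapped to the message field they compare with.
SEND_ATTRS = {
    "send_interface": "interface",
    "send_member": "member",
    "send_destination": "destination",
    "send_path": "path",
    "send_type": "type",
}


@dataclass
class Message:
    destination: str
    interface: str
    member: str
    path: str = "/"
    type: str = "method_call"


def load_rules(xml_text):
    """Return (tag, attributes) pairs for every allow/deny/check rule, in file order."""
    root = ET.fromstring(xml_text)
    rules = []
    for policy in root.findall("policy"):
        for rule in policy:
            if rule.tag in ("allow", "deny", "check"):
                rules.append((rule.tag, dict(rule.attrib)))
    return rules


def cynara_check(client_label, privilege):
    """Stand-in for the Cynara query the daemon would make on a matching <check>."""
    return FAKE_CYNARA.get((client_label, privilege), False)


def _verdict_for(tag, attrs, client_label):
    """An allow/deny rule yields its own tag; a <check> becomes allow or deny via Cynara."""
    if tag == "check":
        return "allow" if cynara_check(client_label, attrs["privilege"]) else "deny"
    return tag


def send_matches(attrs, msg):
    """A send rule matches when every send_* attribute it sets equals the message field."""
    if "own" in attrs:
        return False  # ownership rules never apply to message delivery
    return all(
        attrs[a] == getattr(msg, field)
        for a, field in SEND_ATTRS.items()
        if a in attrs
    )


def can_send(rules, msg, client_label):
    """May client_label send msg? Simplified model: default deny, last matching rule wins."""
    verdict = "deny"
    for tag, attrs in rules:
        if send_matches(attrs, msg):
            verdict = _verdict_for(tag, attrs, client_label)
    return verdict == "allow"


def can_own(rules, name, client_label):
    """Same evaluation for the own= construct: may client_label request bus name `name`?"""
    verdict = "deny"
    for tag, attrs in rules:
        if attrs.get("own") == name:
            verdict = _verdict_for(tag, attrs, client_label)
    return verdict == "allow"


if __name__ == "__main__":
    rules = load_rules(POLICY_XML)
    connect = Message("org.bluez.Adapter1", "org.bluez.Device1", "Connect")
    print(can_send(rules, connect, "User::App::bt-settings"))   # True: privilege held
    print(can_send(rules, connect, "User::App::calculator"))    # False: Cynara denies
    print(can_own(rules, "com.example.name", "System::Daemon"))  # True
```

Two things the simulation makes visible: a <check> only has an effect when its send_* (or own) attributes match, so a client that calls a different interface on the same destination is governed by the ordinary <deny>/<allow> rules around it; and because a <check> resolves to either allow or deny at the point where it matches, rule order relative to the surrounding <allow>/<deny> entries decides the final answer in exactly the way it does today.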
