security: Make D-Bus policy rules only affect SensorProxy itself

smcv · hadess · commit e2d81f21413d · 2017-02-02T16:12:52.000+01:00
D-Bus policy XML files are generic configuration for the bus daemon: they are conventionally named like a bus name, but there is nothing that inherently limits their application to that bus name. In particular this means that a rule like <policy context="default"> <allow send_interface="org.freedesktop.DBus.Properties"/> allows any process on the system bus to send an org.freedesktop.DBus.Properties.Set() call to any other process on the system bus, even if the destination process expected to be only accessible by root. Closes: #41
diff --git a/data/net.hadess.SensorProxy.conf b/data/net.hadess.SensorProxy.conf
@@ -12,22 +12,22 @@
 
   <!-- Only Geoclue can access the compass -->
   <policy user="geoclue">
-    <allow send_interface="net.hadess.SensorProxy.Compass" send_path="/net/hadess/SensorProxy/Compass"/>
-    <allow send_interface="org.freedesktop.DBus.Introspectable" send_path="/net/hadess/SensorProxy/Compass"/>
-    <allow send_interface="org.freedesktop.DBus.Properties" send_path="/net/hadess/SensorProxy/Compass"/>
-    <allow send_interface="org.freedesktop.DBus.Peer" send_path="/net/hadess/SensorProxy/Compass"/>
+    <allow send_destination="net.hadess.SensorProxy" send_interface="net.hadess.SensorProxy.Compass" send_path="/net/hadess/SensorProxy/Compass"/>
+    <allow send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Introspectable" send_path="/net/hadess/SensorProxy/Compass"/>
+    <allow send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Properties" send_path="/net/hadess/SensorProxy/Compass"/>
+    <allow send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Peer" send_path="/net/hadess/SensorProxy/Compass"/>
   </policy>
 
   <!-- Anyone can talk to the main interface -->
   <policy context="default">
-    <allow send_interface="net.hadess.SensorProxy"/>
-    <allow send_interface="org.freedesktop.DBus.Introspectable"/>
-    <allow send_interface="org.freedesktop.DBus.Properties"/>
-    <allow send_interface="org.freedesktop.DBus.Peer"/>
-    <deny send_interface="org.freedesktop.DBus.Introspectable" send_path="/net/hadess/SensorProxy/Compass"/>
-    <deny send_interface="org.freedesktop.DBus.Properties" send_path="/net/hadess/SensorProxy/Compass"/>
-    <deny send_interface="org.freedesktop.DBus.Peer" send_path="/net/hadess/SensorProxy/Compass"/>
-    <!-- <deny send_interface="net.hadess.SensorProxy.Compass"/> -->
+    <allow send_destination="net.hadess.SensorProxy" send_interface="net.hadess.SensorProxy"/>
+    <allow send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Introspectable"/>
+    <allow send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Properties"/>
+    <allow send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Peer"/>
+    <deny send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Introspectable" send_path="/net/hadess/SensorProxy/Compass"/>
+    <deny send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Properties" send_path="/net/hadess/SensorProxy/Compass"/>
+    <deny send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Peer" send_path="/net/hadess/SensorProxy/Compass"/>
+    <!-- <deny send_destination="net.hadess.SensorProxy" send_interface="net.hadess.SensorProxy.Compass"/> -->
   </policy>
 
 </busconfig>
