dbus proxy: Tight down what is allowed to send to the bus

Make sure we can only send message calls (not e.g. unicast signals) to the bus. Also, whitelist the list of allowed interfaces to org.freedesktop.DBus and org.freedesktop.DBus.Introspectable See https://github.com/flatpak/flatpak/issues/343 for the origin discussion of this.
2016-10-17 12:17:13 +02:00 · 2016-10-17 12:17:13 +02:00 · b337c95d78
parent 4cb3f7fd79
commit b337c95d78
1 changed files with 59 additions and 34 deletions
--- a/dbus-proxy/flatpak-proxy.c
+++ b/dbus-proxy/flatpak-proxy.c
@ -1330,15 +1330,29 @@ typedef enum {
  HANDLE_VALIDATE_TALK,
 } BusHandler;

+static gboolean
+is_for_bus (Header *header)
+{
+  return g_strcmp0 (header->destination, "org.freedesktop.DBus") == 0;
+}
+
 static gboolean
 is_dbus_method_call (Header *header)
 {
  return
+    is_for_bus (header) &&
    header->type == G_DBUS_MESSAGE_TYPE_METHOD_CALL &&
-    g_strcmp0 (header->destination, "org.freedesktop.DBus") == 0 &&
    g_strcmp0 (header->interface, "org.freedesktop.DBus") == 0;
 }

+static gboolean
+is_introspection_call (Header *header)
+{
+  return
+    header->type == G_DBUS_MESSAGE_TYPE_METHOD_CALL &&
+    g_strcmp0 (header->interface, "org.freedesktop.DBus.Introspectable") == 0;
+}
+
 static BusHandler
 get_dbus_method_handler (FlatpakProxyClient *client, Header *header)
 {
@ -1362,50 +1376,61 @@ get_dbus_method_handler (FlatpakProxyClient *client, Header *header)
  if (policy < FLATPAK_POLICY_TALK)
    return HANDLE_DENY;

-  if (!is_dbus_method_call (header))
+  if (!is_for_bus (header))
    return HANDLE_PASS;

-  method = header->member;
-  if (method == NULL)
-    return HANDLE_DENY;
+  if (is_introspection_call (header))
+    {
+      return HANDLE_PASS;
+    }
+  else if (is_dbus_method_call (header))
+    {
+      method = header->member;
+      if (method == NULL)
+        return HANDLE_DENY;

-  if (strcmp (method, "Hello") == 0 ||
-      strcmp (method, "AddMatch") == 0 ||
-      strcmp (method, "RemoveMatch") == 0 ||
-      strcmp (method, "GetId") == 0)
-    return HANDLE_PASS;
+      if (strcmp (method, "Hello") == 0 ||
+          strcmp (method, "AddMatch") == 0 ||
+          strcmp (method, "RemoveMatch") == 0 ||
+          strcmp (method, "GetId") == 0)
+        return HANDLE_PASS;

-  if (strcmp (method, "UpdateActivationEnvironment") == 0 ||
-      strcmp (method, "BecomeMonitor") == 0)
-    return HANDLE_DENY;
+      if (strcmp (method, "UpdateActivationEnvironment") == 0 ||
+          strcmp (method, "BecomeMonitor") == 0)
+        return HANDLE_DENY;

-  if (strcmp (method, "RequestName") == 0 ||
-      strcmp (method, "ReleaseName") == 0 ||
-      strcmp (method, "ListQueuedOwners") == 0)
-    return HANDLE_VALIDATE_OWN;
+      if (strcmp (method, "RequestName") == 0 ||
+          strcmp (method, "ReleaseName") == 0 ||
+          strcmp (method, "ListQueuedOwners") == 0)
+        return HANDLE_VALIDATE_OWN;

-  if (strcmp (method, "NameHasOwner") == 0)
-    return HANDLE_FILTER_HAS_OWNER_REPLY;
+      if (strcmp (method, "NameHasOwner") == 0)
+        return HANDLE_FILTER_HAS_OWNER_REPLY;

-  if (strcmp (method, "GetNameOwner") == 0)
-    return HANDLE_FILTER_GET_OWNER_REPLY;
+      if (strcmp (method, "GetNameOwner") == 0)
+        return HANDLE_FILTER_GET_OWNER_REPLY;

-  if (strcmp (method, "GetConnectionUnixProcessID") == 0 ||
-      strcmp (method, "GetConnectionCredentials") == 0 ||
-      strcmp (method, "GetAdtAuditSessionData") == 0 ||
-      strcmp (method, "GetConnectionSELinuxSecurityContext") == 0 ||
-      strcmp (method, "GetConnectionUnixUser") == 0)
-    return HANDLE_VALIDATE_SEE;
+      if (strcmp (method, "GetConnectionUnixProcessID") == 0 ||
+          strcmp (method, "GetConnectionCredentials") == 0 ||
+          strcmp (method, "GetAdtAuditSessionData") == 0 ||
+          strcmp (method, "GetConnectionSELinuxSecurityContext") == 0 ||
+          strcmp (method, "GetConnectionUnixUser") == 0)
+        return HANDLE_VALIDATE_SEE;

-  if (strcmp (method, "StartServiceByName") == 0)
-    return HANDLE_VALIDATE_TALK;
+      if (strcmp (method, "StartServiceByName") == 0)
+        return HANDLE_VALIDATE_TALK;

-  if (strcmp (method, "ListNames") == 0 ||
-      strcmp (method, "ListActivatableNames") == 0)
-    return HANDLE_FILTER_NAME_LIST_REPLY;
+      if (strcmp (method, "ListNames") == 0 ||
+          strcmp (method, "ListActivatableNames") == 0)
+        return HANDLE_FILTER_NAME_LIST_REPLY;

-  g_warning ("Unknown bus method %s\n", method);
-  return HANDLE_DENY;
+      g_warning ("Unknown bus method %s\n", method);
+      return HANDLE_DENY;
+    }
+  else
+    {
+      return HANDLE_DENY;
+    }
 }

 static FlatpakPolicy