[PATCH] wpa_supplicant: don't do <deny send_interface="..." /> in dbus service file
Lubomir Rintel
lkundrak at v3.sk
Sat Dec 12 03:49:07 PST 2015
On Wed, 2015-10-28 at 22:46 +0200, Jouni Malinen wrote:
> On Fri, Oct 23, 2015 at 06:03:22PM +0200, Lubomir Rintel wrote:
> > It does more than intended; apart from denying messages to that particular
> > interface it also denies all messages non-qualified with an interface globally.
> > From the dbus-daemon manual:
> >
> > Be careful with send_interface/receive_interface, because the
> > interface field in messages is optional. In particular, do NOT
> > specify ! This will cause
> > no-interface messages to be blocked for all services, which is almost
> > certainly not what you intended. Always use rules of the form:
> > send_interface="org.foo.Bar" send_destination="org.foo.Service"/>
> >
> > We can just safely remove those rules, since we're sufficiently protected
> > by the send_destination matches and method calls are disallowed by default
> > anyway.
>
> Could you please describe what is the issue that this is fixing? It
> looks like the policy for context="default" denies everything while the
> user="root" allows the items. Does the "deny send_interface" cause some
> harm in the case where every operation is supposed to be disallowed?
This issue is fixing the case where the policy shipped by
wpa_supplicant disallowed messages that are completely unrelated to
wpa_supplicant (essentially *all* messages without an interface). This
includes responses to NetworkManager's communication to VPN plugins.
Lubo
More information about the Hostap
mailing list