[RESEND PATCH] wpa_supplicant: don't do <deny send_interface="..." /> in dbus service file
Dan Williams
dcbw at redhat.com
Wed Jan 27 09:13:05 PST 2016
On Wed, 2016-01-27 at 17:02 +0100, Lubomir Rintel wrote:
> It does more than intended; apart from denying messages to that particular
> interface it also denies all messages non-qualified with an interface globally.
> This blocks messages completely unrelated to wpa_supplicant, such as
> NetworkManager communication with the VPN plugins.
Hmm, not sure why that should happen. But anyway, yes, these were a
mistake in the original rules, and the send_destination denies are all
that is required to protect the supplicant from unauthorized users.
Dan
> From the dbus-daemon manual:
>
> Be careful with send_interface/receive_interface, because the
> interface field in messages is optional. In particular, do NOT
> specify <deny send_interface="org.foo.Bar"/>! This will cause
> no-interface messages to be blocked for all services, which is almost
> certainly not what you intended. Always use rules of the form:
> <deny send_interface="org.foo.Bar" send_destination="org.foo.Service"/>
>
> We can just safely remove those rules, since we're sufficiently protected
> by the send_destination matches and method calls are disallowed by default
> anyway.
>
> Signed-off-by: Lubomir Rintel <lkundrak at v3.sk>
> ---
>
> Clarified the commit message a bit compared to the previous posting.
>
> wpa_supplicant/dbus/dbus-wpa_supplicant.conf | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
> b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
> index c091234..382dcb3 100644
> --- a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
> +++ b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
> @@ -17,11 +17,9 @@
> <policy context="default">
> <deny own="fi.epitest.hostap.WPASupplicant"/>
> <deny
> send_destination="fi.epitest.hostap.WPASupplicant"/>
> - <deny
> send_interface="fi.epitest.hostap.WPASupplicant"/>
>
> <deny own="fi.w1.wpa_supplicant1"/>
> <deny send_destination="fi.w1.wpa_supplicant1"/>
> - <deny send_interface="fi.w1.wpa_supplicant1"/>
> <deny receive_sender="fi.w1.wpa_supplicant1"
> receive_type="signal"/>
> </policy>
> </busconfig>
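Review bot: In the `context="default"` policy, the two `send_interface` denies disappear without any in-file explanation, so nothing stops a later edit from reintroducing them. Add a short XML comment next to the remaining `<deny send_destination="fi.epitest.hostap.WPASupplicant"/>` and `<deny send_destination="fi.w1.wpa_supplicant1"/>` lines saying that these already cover every message addressed to the supplicant and that a `send_interface` deny without a `send_destination` must not be added. The hunk starts at line 17 of the file, so it is also worth checking the policy blocks above it for any other `send_interface` rule that lacks a `send_destination`.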
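A check for the pitfall quoted from the dbus-daemon manual in this thread, as an added example that is not part of the original message or of wpa_supplicant: it scans a bus policy file for `<deny>` rules that match on an interface without also naming a service. The function name, the sample policy (constructed) and the pairing of `receive_interface` with `receive_sender` by analogy to the manual's send-side form are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: default-context rules as they looked before the patch,
# plus one rule in the qualified form the dbus-daemon manual recommends.
SAMPLE_POLICY = """\
<busconfig>
  <policy context="default">
    <deny own="fi.w1.wpa_supplicant1"/>
    <deny send_destination="fi.w1.wpa_supplicant1"/>
    <deny send_interface="fi.w1.wpa_supplicant1"/>
    <deny send_interface="org.foo.Bar" send_destination="org.foo.Service"/>
    <deny receive_sender="fi.w1.wpa_supplicant1" receive_type="signal"/>
  </policy>
</busconfig>
"""

# Interface attribute -> attribute that limits the rule to one service.
# The send pairing is the manual's; the receive pairing is assumed by analogy.
PAIRING = {
    "send_interface": "send_destination",
    "receive_interface": "receive_sender",
}


def find_unscoped_interface_denies(policy_xml):
    """Return (policy scope, attribute, interface) for every <deny> rule that
    matches on an interface without restricting the peer service. Because the
    interface field is optional in messages, such a rule also blocks
    no-interface messages addressed to unrelated services."""
    findings = []
    root = ET.fromstring(policy_xml)
    for policy in root.iter("policy"):
        scope = ", ".join(f"{k}={v}" for k, v in sorted(policy.attrib.items()))
        for rule in policy.iter("deny"):
            for iface_attr, scope_attr in PAIRING.items():
                if iface_attr in rule.attrib and scope_attr not in rule.attrib:
                    findings.append((scope, iface_attr, rule.attrib[iface_attr]))
    return findings


if __name__ == "__main__":
    for scope, attr, iface in find_unscoped_interface_denies(SAMPLE_POLICY):
        print(f'policy[{scope}]: <deny {attr}="{iface}"/> is not limited to one service')
```
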