[PATCH] wpa_supplicant: don't do <deny send_interface="..." /> in dbus service file

Lubomir Rintel lkundrak at v3.sk
Sat Dec 12 03:49:07 PST 2015

On Wed, 2015-10-28 at 22:46 +0200, Jouni Malinen wrote:
> On Fri, Oct 23, 2015 at 06:03:22PM +0200, Lubomir Rintel wrote:
> > It does more than intended; apart from denying messages to that particular
> > interface it also denies all messages non-qualified with an interface globally.
> > From the dbus-daemon manual:
> > 
> >   Be careful with send_interface/receive_interface, because the
> >   interface field in messages is optional. In particular, do NOT
> >   specify ! This will cause
> >   no-interface messages to be blocked for all services, which is almost
> >   certainly not what you intended. Always use rules of the form: 
> >   send_interface="org.foo.Bar" send_destination="org.foo.Service"/>
> > 
> > We can just safely remove those rules, since we're sufficiently protected
> > by the send_destination matches and method calls are disallowed by default
> > anyway.
> Could you please describe what is the issue that this is fixing? It
> looks like the policy for context="default" denies everything while the
> user="root" allows the items. Does the "deny send_interface" cause some
> harm in the case where every operation is supposed to be disallowed?

This issue is fixing the case where the policy shipped by
wpa_supplicant disallowed messages that are completely unrelated to
wpa_supplicant (essentially *all* messages without an interface). This
includes responses to NetworkManager's communication to VPN plugins.


More information about the Hostap mailing list