Comment # 3 on bug 1225317 from Wolfgang Frisch
I went through the new D-Bus and Varlink methods, their respective
authorization policies, the Polkit check implementations, and had a
*cursory* look at the actual method implementations.

D-Bus methods:
- org.freedesktop.import1.cancel
  - Implemented in: src/import/importd.c
- org.freedesktop.home1.activate-home
  - Implemented in: src/home/homed-home-bus.c
  - Explained in commit 336b1f1936ffbc62fa2cb189d8f86fbd982dcf15

Varlink [1] methods:
- io.systemd.credentials.encrypt
  io.systemd.credentials.decrypt
  - Implemented in: src/creds/creds.c
- io.systemd.mount-file-system.mount-image
  io.systemd.mount-file-system.mount-image-privately
  io.systemd.mount-file-system.mount-untrusted-image
  io.systemd.mount-file-system.mount-untrusted-image-privately
  - Implemented in: src/mountfsd/mountwork.c
- org.freedesktop.network1.set-persistent-storage
  - Implemented in: src/network/networkd-manager-varlink.c
  - Specifies whether persistent storage for systemd-networkd is
    available


Regarding the image mounting functions, the terminology was a bit
unclear to me at first. Trusted vs untrusted refers to the location of
the image, i.e. there's a set of trusted directories, defined in
`src/shared/discover-image.c`.

Likewise, the presence/absence of the "-privately" suffix refers to the
namespace the image is mounted in. "mount-*image" mounts into the host
ns and "mount-*image-privately" mounts into a private user ns. The
latter functions have a more relaxed authorization policy.

All in all I see no obvious problem with any of this and we can
whitelist it.

[1] https://lwn.net/Articles/742675/