[Bug 1215873] New: AUDIT-0: thermald: review of D-Bus file /usr/share/dbus-1/system.d/org.freedesktop.thermald.conf
https://bugzilla.suse.com/show_bug.cgi?id=1215873

            Bug ID: 1215873
           Summary: AUDIT-0: thermald: review of D-Bus file /usr/share/dbus-1/system.d/org.freedesktop.thermald.conf
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: trenn@suse.com
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

Latest thermald package seems to have dbus API modifications which need review by the security team.

The package is intended to be submitted to SLE 15 SP6/ALP afterwards. You may want to keep this in mind when looking at this:
[SUSE-JIRA] (PED-5716) Impl: Enable support for Thermal Controls on platform
https://jira.suse.com/browse/PED-5716

The submit request for factory showing the dbus security review need is here:
https://build.opensuse.org/request/show/1113687#comment-1827588

Thanks in advance.

--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1215873#c1

Matthias Gerstner <matthias.gerstner@suse.com> changed:

What    |Removed |Added
----------------------------------------------------------------------------
CC      |        |matthias.gerstner@suse.com

--- Comment #1 from Matthias Gerstner <matthias.gerstner@suse.com> ---
Thanks for the review bug. We will schedule the review and report back.
https://bugzilla.suse.com/show_bug.cgi?id=1215873#c2

--- Comment #2 from Matthias Gerstner <matthias.gerstner@suse.com> ---
The reason for the badness is that the D-Bus service file has been moved from /etc/dbus-1 to /usr/share/dbus-1. Generally it would be a formal change to the whitelisting only. The last review has been quite a while ago, though, so we should at least look a bit closer at the current D-Bus implementation if anything problematic is around these days.
https://bugzilla.suse.com/show_bug.cgi?id=1215873#c3

Matthias Gerstner <matthias.gerstner@suse.com> changed:

What     |Removed               |Added
----------------------------------------------------------------------------
Assignee |security-team@suse.de |matthias.gerstner@suse.com
Status   |NEW                   |IN_PROGRESS

--- Comment #3 from Matthias Gerstner <matthias.gerstner@suse.com> ---
The thermald D-Bus interface is only accessible to root and to members of the "power" group. By default there are no members of the power group. In the original audit bug it has been pointed out that it is important that this stays this way, because some of the API endpoints are not suitable for access by everybody.

The new whitelisting will be coupled to the D-Bus configuration content, so if it changes we will notice, thus the danger that something worsens here without us noticing is reduced.
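Added example, not part of the bug report and not code from thermald or rpmlint: a sketch of the two checks comment #3 relies on, namely that no <allow> rule sits outside the root and "power" group policies, and that any change to the file content is noticed. The policy text is constructed for illustration (it is not the shipped thermald file), and comparing a SHA-256 digest is an assumption about how the whitelisting is tied to the content.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample in the D-Bus <busconfig> policy format; NOT the real thermald file.
SAMPLE_POLICY = """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.freedesktop.thermald"/>
    <allow send_destination="org.freedesktop.thermald"/>
  </policy>
  <policy group="power">
    <allow send_destination="org.freedesktop.thermald"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.freedesktop.thermald"/>
  </policy>
</busconfig>
"""
# Same file with the default-context rule flipped to <allow>: the regression to catch.
WIDENED_POLICY = SAMPLE_POLICY.replace("<deny send_destination", "<allow send_destination")

# Policy selectors that may carry <allow> rules, per comment #3.
PERMITTED = {("user", "root"), ("group", "power")}

def policy_selector(policy):
    """Return (attribute, value) naming who a <policy> element applies to."""
    for key in ("user", "group", "context", "at_console"):
        if key in policy.attrib:
            return (key, policy.attrib[key])
    return ("unknown", "")

def audit_policy(xml_text, permitted=PERMITTED):
    """List every <allow> rule found in a policy outside the permitted selectors."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        selector = policy_selector(policy)
        if selector in permitted:
            continue
        for rule in policy.findall("allow"):
            findings.append((selector, dict(rule.attrib)))
    return findings

def content_digest(xml_text):
    """Digest of the exact file content (assumed SHA-256 for this sketch)."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()

def review_needed(xml_text, recorded_digest):
    """True when the packaged file no longer matches the reviewed content."""
    return content_digest(xml_text) != recorded_digest
```
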
https://bugzilla.suse.com/show_bug.cgi?id=1215873#c4

Matthias Gerstner <matthias.gerstner@suse.com> changed:

What    |Removed |Added
----------------------------------------------------------------------------
Summary |AUDIT-0: thermald: review of D-Bus file /usr/share/dbus-1/system.d/org.freedesktop.thermald.conf |AUDIT-WHITELIST: thermald: review of D-Bus file /usr/share/dbus-1/system.d/org.freedesktop.thermald.conf

--- Comment #4 from Matthias Gerstner <matthias.gerstner@suse.com> ---
The whitelisting process has been started.
https://bugzilla.suse.com/show_bug.cgi?id=1215873#c5

Wolfgang Frisch <wolfgang.frisch@suse.com> changed:

What    |Removed |Added
----------------------------------------------------------------------------
CC      |        |wolfgang.frisch@suse.com

--- Comment #5 from Wolfgang Frisch <wolfgang.frisch@suse.com> ---
Factory: https://build.opensuse.org/request/show/1116656
ALP: https://build.suse.de/request/show/309945
https://bugzilla.suse.com/show_bug.cgi?id=1215873#c7

Matthias Gerstner <matthias.gerstner@suse.com> changed:

What       |Removed     |Added
----------------------------------------------------------------------------
Status     |IN_PROGRESS |RESOLVED
Resolution |---         |FIXED

--- Comment #7 from Matthias Gerstner <matthias.gerstner@suse.com> ---
The whitelisting is now in Factory and should be effective. Closing as FIXED.
https://bugzilla.suse.com/show_bug.cgi?id=1215873

Jeffrey Cheung <jcheung@suse.com> changed:

What    |Removed |Added
----------------------------------------------------------------------------
CC      |        |jcheung@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1215873#c8

Thomas Renninger <trenn@suse.com> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Resolution |FIXED    |---
Status     |RESOLVED |REOPENED
CC         |         |aschnell@suse.com

--- Comment #8 from Thomas Renninger <trenn@suse.com> ---
Can this change/whitelist also be applied for SLE 15 SP6, please:
https://jira.suse.com/browse/PED-5716

Be aware that thermald does not exist there as a package yet. The submitrequest to get this in is here:
https://build.suse.de/request/show/312532

Thanks!
https://bugzilla.suse.com/show_bug.cgi?id=1215873#c9

--- Comment #9 from Matthias Gerstner <matthias.gerstner@suse.com> ---
(In reply to trenn@suse.com from comment #8)
> Can this change/whitelist also be applied for SLE 15 SP6, please:
> https://jira.suse.com/browse/PED-5716

Actually, since the basename of the D-Bus configuration files didn't change, there shouldn't be a new whitelisting necessary for SLE-15. The rpmlint in SLE-15 does not check full paths.

I couldn't find any rpmlint badness in your SLE-15-SP6 package build, can you confirm, please?
https://bugzilla.suse.com/show_bug.cgi?id=1215873#c10

Matthias Gerstner <matthias.gerstner@suse.com> changed:

What    |Removed |Added
----------------------------------------------------------------------------
Flags   |        |needinfo?(trenn@suse.com)
CC      |        |trenn@suse.com

--- Comment #10 from Matthias Gerstner <matthias.gerstner@suse.com> ---
Can you please give an update regarding comment 9? Thanks!
https://bugzilla.suse.com/show_bug.cgi?id=1215873#c11

Matthias Gerstner <matthias.gerstner@suse.com> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |REOPENED |RESOLVED
Resolution |---      |FIXED

--- Comment #11 from Matthias Gerstner <matthias.gerstner@suse.com> ---
No reply received to my question. As I see it no whitelisting backport is necessary for this. Closing again as fixed.
https://bugzilla.suse.com/show_bug.cgi?id=1215873

Thomas Renninger <trenn@suse.com> changed:

What    |Removed                   |Added
----------------------------------------------------------------------------
Flags   |needinfo?(trenn@suse.com) |