[Bug 1233295] New: systemd: Please review the new DBUS /polkit stuff brought by v257
https://bugzilla.suse.com/show_bug.cgi?id=1233295

Bug ID: 1233295
Summary: systemd: Please review the new DBUS /polkit stuff brought by v257
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: fbui@suse.com
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

Created attachment 878529
  --> https://bugzilla.suse.com/attachment.cgi?id=878529&action=edit
Build logs of v257-rc1

Hi,

The new major version of systemd (v257) is coming with its share of new DBus methods and new polkit authorization policies. Could you please review them?

Here are the relevant parts of the build logs:
[ 430s] systemd-homed.i586: E: polkit-user-privilege (Badness: 10000) org.freedesktop.home1.update-home-by-owner (auth_admin_keep:auth_admin_keep:yes)
...
[ 430s] systemd-container.i586: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.machine1.create-machine (auth_admin:auth_admin:auth_admin_keep)
[ 430s] systemd-network.i586: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.resolve1.subscribe-query-results (auth_admin:auth_admin:auth_admin_keep)
[ 430s] systemd-network.i586: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.resolve1.dump-cache (auth_admin:auth_admin:auth_admin_keep)
[ 430s] systemd-network.i586: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.resolve1.dump-server-state (auth_admin:auth_admin:auth_admin_keep)
[ 430s] systemd-network.i586: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.resolve1.dump-statistics (auth_admin:auth_admin:auth_admin_keep)
[ 430s] systemd-network.i586: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.resolve1.reset-statistics (auth_admin:auth_admin:auth_admin_keep)
The full build logs can be found at https://build.opensuse.org/package/live_build_log/openSUSE:Factory:Staging:M... but I'm not sure how long these logs will remain available, so I'll attach them just in case.

Please note that the integration of v257 is still in its early stages and has been submitted to Factory ahead of time to proactively identify any issues that OBS/openQA tests might uncover. This is not the final submission.

Thanks.

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1233295#c1

Matthias Gerstner <matthias.gerstner@suse.com> changed:

What    |Removed                                                           |Added
----------------------------------------------------------------------------
Summary |systemd: Please review the new DBUS /polkit stuff brought by v257 |AUDIT-0: systemd: new polkit actions in v257 (machine1, resolve1)

--- Comment #1 from Matthias Gerstner <matthias.gerstner@suse.com> ---
We will have a look. There is currently some backlog in our queue and also HackWeek ahead, so it could take a bit before we finish this.

https://bugzilla.suse.com/show_bug.cgi?id=1233295#c2

Matthias Gerstner <matthias.gerstner@suse.com> changed:

What     |Removed               |Added
----------------------------------------------------------------------------
Assignee |security-team@suse.de |matthias.gerstner@suse.com
Status   |NEW                   |IN_PROGRESS

--- Comment #2 from Matthias Gerstner <matthias.gerstner@suse.com> ---
I'm looking into the additions.

https://bugzilla.suse.com/show_bug.cgi?id=1233295#c3

Matthias Gerstner <matthias.gerstner@suse.com> changed:

What    |Removed                                                           |Added
----------------------------------------------------------------------------
Summary |AUDIT-0: systemd: new polkit actions in v257 (machine1, resolve1) |AUDIT-WHITELIST: systemd: new polkit actions in v257 (machine1, resolve1; for varlink methods)

--- Comment #3 from Matthias Gerstner <matthias.gerstner@suse.com> ---
These additions are actually for varlink. It seems upstream switched some of their services over from D-Bus to varlink already, but we didn't notice it, because they re-used the existing Polkit actions as known from D-Bus.

I took the time to dig a bit into the varlink <-> Polkit interfacing. It's a bit complex (as Polkit always is) but should be okay. We can whitelist the new actions.

Following are some detailed notes about the added actions:

systemd-homed.x86_64: E: polkit-user-privilege (Badness: 10) org.freedesktop.home1.update-home-by-owner (auth_admin_keep:auth_admin_keep:yes)
This is an extension of the already whitelisted update-home method/action. They now allow certain configuration fields to be changed by the owner. This is checked by logic involving a set of whitelisted JSON configuration entries. It looks okay, if a bit complex.
systemd-container.x86_64: E: polkit-untracked-privilege (Badness: 10) org.freedesktop.machine1.create-machine (auth_admin:auth_admin:auth_admin_keep)
Allows creating a new virtual machine. This is actually running over varlink, not D-Bus. Thus I dug a bit deeper into varlink and its Polkit authentication. It looks good, although it is pretty complex as well. It uses Polkit's UNIX process subject, which used to be deprecated, but Polkit has added support for passing a pidfd of the to-be-authenticated process, which is what happens here. Also the UID passed to the UNIX process subject is safely obtained via the varlink socket / the kernel.
systemd-network.x86_64: E: polkit-untracked-privilege (Badness: 10) org.freedesktop.resolve1.subscribe-query-results (auth_admin:auth_admin:auth_admin_keep)
Kind of an event listening method; clients will receive information about future queries seen by resolved.
systemd-network.x86_64: E: polkit-untracked-privilege (Badness: 10) org.freedesktop.resolve1.dump-cache (auth_admin:auth_admin:auth_admin_keep)
Pretty straightforward implementation; if auth succeeds, the caller will receive a JSON dump of the resolved cache.
systemd-network.x86_64: E: polkit-untracked-privilege (Badness: 10) org.freedesktop.resolve1.dump-server-state (auth_admin:auth_admin:auth_admin_keep)
Similar to dump-cache, straightforward JSON dump of server configuration and status.
systemd-network.x86_64: E: polkit-untracked-privilege (Badness: 10) org.freedesktop.resolve1.dump-statistics (auth_admin:auth_admin:auth_admin_keep)
Another JSON dump for statistics.
systemd-network.x86_64: E: polkit-untracked-privilege (Badness: 10) org.freedesktop.resolve1.reset-statistics (auth_admin:auth_admin:auth_admin_keep)
Simply resets the statistics in resolved.

https://bugzilla.suse.com/show_bug.cgi?id=1233295#c5

Matthias Gerstner <matthias.gerstner@suse.com> changed:

What       |Removed     |Added
----------------------------------------------------------------------------
Status     |IN_PROGRESS |RESOLVED
Resolution |---         |FIXED

--- Comment #5 from Matthias Gerstner <matthias.gerstner@suse.com> ---
the whitelisting is now in place in Factory, closing as fixed

https://bugzilla.suse.com/show_bug.cgi?id=1233295#c6

--- Comment #6 from Franck Bui <fbui@suse.com> ---
Thanks a lot Matthias!