author | Jussi Kukkonen <jussi.kukkonen@intel.com> | 2015-09-25 14:14:01 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-09-28 11:58:24 +0100 |
commit | 7c75981944e92b5534b054058407d19de2a8a78c (patch) | |
tree | 0dc9c90e9d731029488cad59acb7a913b57b7d3e /meta/recipes-connectivity/connman | |
parent | b791b8f1d175a73fcb9e48b3fcd56ebbc6bf6de1 (diff) | |
connman: Don't use a blanket "allow" D-Bus policy
There are already "allow" rules for root and conditionally xuser to
send messages to connman: there should be no reason for a default
allow policy.
Also, conditionally add a policy to allow xuser to send to the
connman vpn service (similar to main service).
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta/recipes-connectivity/connman')
-rw-r--r-- | meta/recipes-connectivity/connman/connman.inc | 6 |
-rw-r--r-- | meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch | 28 |
2 files changed, 25 insertions, 9 deletions
diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc index 6c062ae7a1..1712af3016 100644 --- a/meta/recipes-connectivity/connman/connman.inc +++ b/meta/recipes-connectivity/connman/connman.inc @@ -70,13 +70,7 @@ SYSTEMD_SERVICE_${PN} = "connman.service" SYSTEMD_SERVICE_${PN}-vpn = "connman-vpn.service" SYSTEMD_WIRED_SETUP = "ExecStartPre=-${libdir}/connman/wired-setup" -# This allows *everyone* to access ConnMan over DBus, without any access -# control. Really the at_console flag should work, which would mean that -# both this and the xuser patch can be dropped. do_compile_append() { - sed -i -e s:deny:allow:g ${S}/src/connman-dbus.conf - sed -i -e s:deny:allow:g ${S}/vpn/vpn-dbus.conf - sed -i "s#ExecStart=#${SYSTEMD_WIRED_SETUP}\nExecStart=#" ${B}/src/connman.service } diff --git a/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch b/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch index 707b3cafba..15a191da55 100644 --- a/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch +++ b/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch @@ -1,9 +1,14 @@ -Because Poky doesn't support at_console we need to special-case the session -user. +Because Poky doesn't support at_console we need to +special-case the session user. Upstream-Status: Inappropriate [configuration] -Signed-off-by: Ross Burton <ross.burton@intel.com> +Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> + +--- + src/connman-dbus.conf | 3 +++ + vpn/vpn-dbus.conf | 3 +++ + 2 files changed, 6 insertions(+) diff --git a/src/connman-dbus.conf b/src/connman-dbus.conf index 98a773e..466809c 100644 
@@ -19,3 +24,20 @@ index 98a773e..466809c 100644 <policy at_console="true"> <allow send_destination="net.connman"/> </policy> +diff --git a/vpn/vpn-dbus.conf b/vpn/vpn-dbus.conf +index 0f0c8da..9ad05b9 100644 +--- a/vpn/vpn-dbus.conf ++++ b/vpn/vpn-dbus.conf +@@ -6,6 +6,9 @@ + <allow send_destination="net.connman.vpn"/> + <allow send_interface="net.connman.vpn.Agent"/> + </policy> ++ <policy user="xuser"> ++ <allow send_destination="net.connman.vpn"/> ++ </policy> + <policy at_console="true"> + <allow send_destination="net.connman.vpn"/> + </policy> +-- +2.1.4 + |
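Review bot: in the connman.inc hunk, removing the two `sed -i -e s:deny:allow:g` lines from do_compile_append() also removes the only comment in the recipe that described the D-Bus access model, so nothing there now says who is allowed to talk to ConnMan. A one-line comment pointing at add_xuser_dbus_permission.patch would keep that context. The commit message could also state that callers not covered by the remaining policies (root, xuser, at_console) now fall back to the deny rules in the shipped connman-dbus.conf and vpn-dbus.conf, since that is a behaviour change for images that relied on the blanket allow.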
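Review bot: in the header hunk of add_xuser_dbus_permission.patch, `-Signed-off-by: Ross Burton` is replaced by `+Signed-off-by: Jussi Kukkonen` instead of being kept alongside it, which drops the earlier sign-off from a patch that still carries the existing src/connman-dbus.conf change. Suggest keeping both lines. The reworded description still only explains the at_console limitation; a sentence saying the patch now also touches vpn/vpn-dbus.conf would match the diffstat added below it.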
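Review bot: in the vpn/vpn-dbus.conf hunk, the new `<policy user="xuser">` block is unconditional in the patch text, while the commit message says the xuser policy is added conditionally; the condition is not visible anywhere in this diff. If it comes from how the recipe applies this patch, say so in the patch header so the dependency is not lost. It is also worth confirming that `send_destination="net.connman.vpn"` alone is enough for xuser, given that the policy shown just above it additionally allows `send_interface="net.connman.vpn.Agent"`.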