Thank You Sven
I did see the dbus conf, but it allows only robust security
configuration at the level of interfaces and already defined users.
I would like to have more granularity and that is why I analyzed
security plugins.
Let me give an example:
I would like to allow only some users to configure wifi. Users can be
created at runtime of a system. I would have to change connman-dbus.conf
every time a user is created, removed or I just want to limit his/her
privileges. With polkit working I can change or add rules that can
distinguish users and methods not only interfaces.
I just wonder if anyone uses it or is interested in maintaining that
mechanism or is it just a relict of the past.
Best regards
Lukasz
W dniu 2015-04-28 o 13:02, Sven Schwedas pisze:
On 2015-04-28 12:42, Lukasz Wojciechowski wrote:
Hi
I'm studying connman's code and I'm interested in limiting access to
some API.
I found that there is a mechanism for defining security plugins, that
set GDBusSecurityTable by calling g_dbus_register_security().
There is only one such plugin implemented - polkit plugin.
However IMO it seems to be dead.
It registers polkit checks for privileges: CONNMAN_PRIVILEGE_MODIFY and
CONNMAN_PRIVILEGE_SECRET,
but all gdbus methods registered with GDBUS_*_METHOD macros do not set
privilege field in GDBusMethodTable structure.
Because of that security checks are never run, because method->privilege
never equals security->privilege (check_privilege() function in
gdbus/object.c).
So I have few questions:
* What am I missing? How this security works ?
* Are there any plans for defining privileges for methods ?
Connman uses DBus' bus policies to limit access, cf.
http://git.kernel.org/cgit/network/connman/connman.git/tree/src/connman-dbus.conf
and the respective file for connman-vpn. Distributions seem to tweak
those to limit/grant access.
No idea what the other code is for.
_______________________________________________
connman mailing list
connman@connman.net
https://lists.connman.net/mailman/listinfo/connman
_______________________________________________
connman mailing list
connman@connman.net
https://lists.connman.net/mailman/listinfo/connman