Hello, I reviewed bolt version 0.1-0ubuntu1 as packaged in bionic. This should not be considered a full security review but rather a quick gauge of maintainability.
- There are no CVEs in our database - Bolt provides an interface to authorize Thunderbolt devices on a computer; Thunderbolt devices have immense power over the safety of the computer. - Build-Depends: debhelper, meson, libglib2.0-dev, libudev-dev, libumockdev-dev, libpolkit-gobject-1-dev, systemd, udev - boltd runs as a daemon (but does not daemonize) - boltd owns the org.freedesktop.bolt name and similar path, interface, and device interface names, on dbus - boltctl connects to the daemon via dbus and provides subcommands: authorize, enroll, forget, info, list, and monitor - pre/post init/rm scripts automatically generated - bolt.service file is Type=dbus and uses systemd Protect* and Restrict* fields - dbus activation file - no setuid files - only boltctl in PATH -- boltd is in /usr/lib/x86_64-linux-gnu/boltd - no sudo fragments - udev configuration, starts bolt service via systemd on subsystem==thunderbolt - No subprocesses spawned - sysfs files are opened and written to for authorizing and providing keys - logging looked careful - Three environment variables used, TERM, BOLT_DBPATH, GIO_USE_VFS, appeared to be used safely - No cryptography - No networking - No privileged portions of code - No temporary files - No WebKit - No JavaScript - Clean cppcheck - Uses polkit polkit_authority_check_authorization_sync() bolt is perhaps more complex than it needs to be due to using GObject and glib extensively; it can be difficult to track the flow of execution through the layers of indirection. That said, error returns are checked extensively, and code quality is high. I'm concerned that using polkit's auth_admin_keep rule may allow a malicious device to add new, unexpected, capabilities after an initial authorization: https://github.com/gicmo/bolt/issues/73 There's a warning during the build: https://github.com/gicmo/bolt/issues/74 meson.build:355: WARNING: Trying to compare values of different types (str, bool) using !=. Security team ACK for promoting bolt to main. Thanks ** Bug watch added: github.com/gicmo/bolt/issues #73 https://github.com/gicmo/bolt/issues/73 ** Bug watch added: github.com/gicmo/bolt/issues #74 https://github.com/gicmo/bolt/issues/74 ** Changed in: bolt (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1752056 Title: [MIR] bolt To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bolt/+bug/1752056/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs