Security/Tizen 2.X dbus

From Tizen Wiki

Introduction

This page describes how to configure D-BUS for Smack access control.

When dbus-daemon is launched, it reads its configuration from /etc/dbus-1/system.conf or /etc/dbus-1/session.conf, depending on whether it was launched with --system or --session. In Tizen, /etc/dbus-1/system.conf includes the configuration files in the sub-directory /etc/dbus-1/system.d, and /etc/dbus-1/session.conf includes those in the sub-directory /etc/dbus-1/session.d. Services running on D-BUS may (or should) provide a configuration file in one of these two sub-directories. That is the normal configuration process for D-BUS services. The details of the configuration files are given in the manual pages of dbus-daemon.

This page is intended to document an undocumented feature: the mechanism of Smack security rules and their setting.

The Smack aware D-Bus daemon

You can't rely on the Smack LSM (Loadable Security Module) to check the policy of D-Bus connections, because a process has only one physical connection to the D-Bus daemon no matter how many logical D-Bus connections it creates. Therefore, if an application is allowed to talk to the D-Bus daemon, it is allowed all D-Bus communication. This does not give fine-grained control over D-Bus communication.

In February 2012 Brian McGillion added Smack support to D-Bus. He tried to push this change upstream for version 1.5, in freedesktop.org issue #47581, which is still open. This work has been rebased on D-Bus 1.6.12 (note that D-Bus is now, as of April 2014, at version 1.8.0). He added a new message bus message to the D-Bus daemon, similar to org.freedesktop.DBus.GetConnectionSELinuxSecurityContext, named org.freedesktop.DBus.GetConnectionSmackContext:

  • It takes one argument of type string: the unique or well-known bus name of the connection to query (such as :12.34);
  • It returns a value of type string: the Smack context of the connection, as retrieved using getsockopt SO_PEERSEC.

For each Smack label, a service can decide to allow or deny a client through the Smack configuration file, which is described in the section below.

When an application establishes a connection to the D-Bus daemon, the daemon checks the policies in the configuration files and caches the set of allowed/denied pairings for the connection. The policy supports a few types, which are Group ID, User ID and Smack ID (Label). The resulting set of pairings is the union of the 3 policies.

The Smack policy check can be shown by setting DBUS_VERBOSE=1 and looking for strings of the form "permission request subject (%s) -> object (%s) : %s".

Setting configuration files

Note: The D-Bus settings for Smack differ between Tizen 2.X and Tizen 3.0. For Tizen 3.0, please read "Smack Setting of D-Bus for Tizen 3.0".


In Tizen 2.x, a service package that provides a D-Bus service sets up its D-Bus configuration file through the Smack manifest file. RPM automatically creates a D-Bus configuration file based on the manifest entry and drops the file into the directory mentioned above. In Tizen 2.3, we only use the system bus.

[Figure: D-Bus user-space access control]

How to build your manifest

A service package can assign a Smack label to an interface, method or signal in the manifest file.
Let's assign Smack labels to a camera service. First, the D-Bus service components (dbus name, own, bus type) are described in the <dbus> element.

  • dbus name - D-Bus object name
  • own - domain name defining dbus-service
  • bus type - "system" or "session"

<assign>
  <dbus name="org.tizen.camera" own="camera" bus="system">
     <!-- Here we can specify the interface, method and signal based on the requirement -->
  </dbus>
</assign>

Then a Smack label is assigned to each managed unit, which varies with the service's contents. A managed unit can be an interface, a method, a signal, or a combination of these. An example of each case is shown below:

Assigning a Smack label to each method in an interface.

<assign>
  <dbus name="org.tizen.camera" own="camera" bus="system">
   <node name="/org/tizen/camera">
     <interface name="org.tizen.camera.setting">
         <method name="getSettings">
           <annotation name="org.tizen.smack" value="camera::get"/>
         </method>
         <method name="setSettings">
           <annotation name="org.tizen.smack" value="camera::set"/>
         </method>
     </interface>
   </node>
  </dbus>
</assign>

| API | Action | Requested smack rule | Privilege |
|---|---|---|---|
| getting camera setting info APIs | Send to interface="org.tizen.camera.setting", method="getSettings" | ~APP~ camera::get w | camera-service.read privilege |
| getting camera setting info APIs | Receive from interface="org.tizen.camera.setting", method="getSettings" | ~APP~ camera::get r | camera-service.read privilege |
| setting camera setting info APIs | Send to interface="org.tizen.camera.setting", method="setSettings" | ~APP~ camera::set w | camera-service.write privilege |
| setting camera setting info APIs | Receive from interface="org.tizen.camera.setting", method="setSettings" | ~APP~ camera::set r | camera-service.write privilege |


Assigning the same Smack label to all methods in an interface. This is equivalent to assigning a Smack label to the interface, including its methods.

<assign>
  <dbus name="org.tizen.camera" own="camera" bus="system">
   <node name="/org/tizen/camera">
     <interface name="org.tizen.camera.setting">
         <annotation name="org.tizen.smack" value="camera::setting"/>
     </interface>
   </node>
  </dbus>
</assign>

| API | Action | Requested smack rule | Privilege |
|---|---|---|---|
| camera setting APIs | Send to interface="org.tizen.camera.setting" | ~APP~ camera::setting w | camera-service.setting privilege |
| camera setting APIs | Receive from interface="org.tizen.camera.setting" | ~APP~ camera::setting r | camera-service.setting privilege |


Assigning Smack labels in combination.

<assign>
  <dbus name="org.tizen.camera" own="camera" bus="system">
   <node name="/org/tizen/camera">
     <interface name="org.tizen.camera.setting">
         <method name="getSettings">
           <annotation name="org.tizen.smack" value="camera::get"/>
         </method>
         <method name="setSettings">
           <annotation name="org.tizen.smack" value="camera::set"/>
         </method>
     </interface>
     <interface name="org.tizen.camera.capture">
         <annotation name="org.tizen.smack" value="camera::capture"/>
     </interface>
   </node>
  </dbus>
</assign>

| API | Action | Requested smack rule | Privilege |
|---|---|---|---|
| getting camera setting info APIs | Send to interface="org.tizen.camera.setting", method="getSettings" | ~APP~ camera::get w | camera-service.read privilege |
| getting camera setting info APIs | Receive from interface="org.tizen.camera.setting", method="getSettings" | ~APP~ camera::get r | camera-service.read privilege |
| setting camera setting info APIs | Send to interface="org.tizen.camera.setting", method="setSettings" | ~APP~ camera::set w | camera-service.write privilege |
| setting camera setting info APIs | Receive from interface="org.tizen.camera.setting", method="setSettings" | ~APP~ camera::set r | camera-service.write privilege |
| camera capture APIs | Send to interface="org.tizen.camera.capture" | ~APP~ camera::capture w | camera-service.capture privilege |
| camera capture APIs | Receive from interface="org.tizen.camera.capture" | ~APP~ camera::capture r | camera-service.capture privilege |
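
The mapping from manifest annotations to the requested rules in the tables above can be derived mechanically, which also makes it easy to spot members that carry no label. The following is an added example, not part of the original page or of Tizen's RPM tooling; the function names, the "reset" method in the sample, and the treatment of an interface-level label as covering all its members are assumptions based on the examples on this page.

```python
import xml.etree.ElementTree as ET

ANNOTATION = "org.tizen.smack"

# Constructed sample: the combined manifest from this page, plus one
# method ("reset") without a label, added to show the audit finding.
MANIFEST = """<assign><dbus name="org.tizen.camera" own="camera" bus="system">
 <node name="/org/tizen/camera">
  <interface name="org.tizen.camera.setting">
   <method name="getSettings">
    <annotation name="org.tizen.smack" value="camera::get"/></method>
   <method name="setSettings">
    <annotation name="org.tizen.smack" value="camera::set"/></method>
   <method name="reset"/>
  </interface>
  <interface name="org.tizen.camera.capture">
   <annotation name="org.tizen.smack" value="camera::capture"/>
  </interface>
 </node></dbus></assign>"""

def smack_label(elem):
    """Label set directly on elem by an org.tizen.smack annotation, or None."""
    for ann in elem.findall("annotation"):
        if ann.get("name") == ANNOTATION:
            return ann.get("value")
    return None

def required_rules(manifest_xml, subject="~APP~"):
    """Return ({unit: [send_rule, receive_rule]}, [members with no label])."""
    rules, unlabeled = {}, []
    for iface in ET.fromstring(manifest_xml).iter("interface"):
        units = [(iface.get("name"), smack_label(iface))]
        for member in iface.findall("method") + iface.findall("signal"):
            unit = f'{iface.get("name")}.{member.get("name")}'
            units.append((unit, smack_label(member)))
        iface_label = units[0][1]
        for unit, label in units:
            if label:  # sending needs w, receiving needs r
                rules[unit] = [f"{subject} {label} w", f"{subject} {label} r"]
            elif not iface_label and unit != units[0][0]:
                unlabeled.append(unit)  # no label here or on the interface
    return rules, unlabeled

if __name__ == "__main__":
    rules, unlabeled = required_rules(MANIFEST)
    for unit, pair in rules.items():
        print(unit, pair)
    print("unlabeled:", unlabeled)
```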

D-Bus denial log

The D-Bus daemon prints "Rejected send message" to /var/log/messages. To check for D-Bus Smack denials, you can use the command below; an example of its output follows.

cat /var/log/messages | grep Rejected
Jan  1 09:03:25 TRATS2 auth.notice dbus[2135]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.188" (uid=5000 pid=3130
comm="/usr/apps/org.tizen.setting/bin/setting-display-") interface="org.tizen.system.deviced.display" member="SetBrightness" 
error name="(unset)" requested_reply="0" destination="org.tizen.system.deviced" (uid=0 pid=404 comm="/usr/bin/deviced ")

A "Rejected send message" entry explicitly describes the client, the service daemon and the D-Bus service requested by the client.

  • client - uid=5000 pid=3130 comm="/usr/apps/org.tizen.setting/bin/setting-display-"
  • dbus service - interface="org.tizen.system.deviced.display" member="SetBrightness"
  • service daemon - uid=0 pid=404 comm="/usr/bin/deviced "

How to determine the requested Smack rule from the log

Subject label

sh-4.1# cat /proc/3130/attr/current 
ui-gadget::client

Object label - Find the assigned Smack label in the D-Bus configuration files

grep -rn {interface or method name} /etc/dbus-1/session.d
 or
grep -rn {interface or method name} /etc/dbus-1/system.d

sh-4.1# grep -rn org.tizen.system.deviced.display /etc/dbus-1/system.d | grep SetBrightness
/etc/dbus-1/system.d/manifest.deviced.conf:149: <deny send_destination="org.tizen.system.deviced" send_interface="org.tizen.system.deviced.display" send_member="SetBrightness"/>
/etc/dbus-1/system.d/manifest.deviced.conf:152: <allow send_destination="org.tizen.system.deviced" send_interface="org.tizen.system.deviced.display" send_member="SetBrightness"/>

The assigned Smack label was "deviced::display".

Access type - To send a message to a D-Bus service, the client needs write permission, and to receive a message from a D-Bus service, the client needs read permission. Therefore the permission is rw for sending and receiving messages.
You can add a Smack rule with the smackload command. See the example below.

sh-4.1# echo "[subject_label] [object_label] [access_type]" | smackload
 or
sh-4.1# echo "[subject_label] [object_label] [access_type]" > /smack/load2

sh-4.1# cat /smack/load2 | grep "ui-gadget::client deviced::display"
sh-4.1# 
sh-4.1# echo "ui-gadget::client deviced::display rw" | smackload
sh-4.1# cat /smack/load2 | grep "ui-gadget::client deviced::display"
ui-gadget::client deviced::display rw
sh-4.1#
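
The steps above (read the denial, identify the client and the requested member, then form the rule line) can be scripted when many denials have to be triaged. This is an added example, not code from the original page or from Tizen; the function names are hypothetical, the sample is the page's log entry joined onto one line, and the object label is passed in by hand because it still has to be looked up in the D-Bus configuration files as described above.

```python
import re

# Constructed sample: the denial quoted on this page, joined onto one line.
SAMPLE = ('Jan  1 09:03:25 TRATS2 auth.notice dbus[2135]: [system] Rejected send message, '
          '2 matched rules; type="method_call", sender=":1.188" (uid=5000 pid=3130 '
          'comm="/usr/apps/org.tizen.setting/bin/setting-display-") '
          'interface="org.tizen.system.deviced.display" member="SetBrightness" '
          'error name="(unset)" requested_reply="0" '
          'destination="org.tizen.system.deviced" (uid=0 pid=404 comm="/usr/bin/deviced ")')

DENIAL = re.compile(
    r'Rejected send message.*?sender="(?P<sender>[^"]*)" '
    r'\(uid=(?P<c_uid>\d+) pid=(?P<c_pid>\d+) comm="(?P<c_comm>[^"]*)"\) '
    r'interface="(?P<interface>[^"]*)" member="(?P<member>[^"]*)".*?'
    r'destination="(?P<destination>[^"]*)" '
    r'\(uid=(?P<s_uid>\d+) pid=(?P<s_pid>\d+) comm="(?P<s_comm>[^"]*)"\)')

def parse_denial(line):
    """Return the client, service and requested member of one denial, or None."""
    m = DENIAL.search(line)
    return m.groupdict() if m else None

def subject_label(pid, proc_root="/proc"):
    """Smack label of a running process, or None if it cannot be read."""
    try:
        with open(f"{proc_root}/{pid}/attr/current") as fh:
            return fh.read().strip("\0\n ")
    except OSError:
        return None

def requested_rule(subject, obj, access="rw"):
    """Format the rule line in the form the page pipes to smackload."""
    for label in (subject, obj):
        if not label or any(ch.isspace() for ch in label):
            raise ValueError(f"not a usable Smack label: {label!r}")
    return f"{subject} {obj} {access}"

if __name__ == "__main__":
    d = parse_denial(SAMPLE)
    print(d["c_comm"], "->", d["interface"] + "." + d["member"])
    # On a device the subject would come from subject_label(d["c_pid"]);
    # here the two labels found in the walkthrough above are used directly.
    print(requested_rule("ui-gadget::client", "deviced::display"))
```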


FAQ