Merge branch 'jb48107' into 'master'

[security] Narrow access policy to privileged group only. JB#48107 See merge request mer-core/PackageKit!23
sailfishos · Jan 17, 2020 · 33b8069 · 33b8069
2 parents 967fa21 + dc4d4ad
commit 33b8069
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 49 deletions.
diff --git a/.gitmodules b/.gitmodules
@@ -1,3 +1,3 @@
 [submodule "upstream"]
 	path = upstream
-	url = https://github.com/hughsie/PackageKit.git
+	url = https://git.sailfishos.org/mirror/PackageKit
diff --git a/rpm/0006-Builtin-policy-whitelist-and-dbus-conf.-Contributes-.patch b/rpm/0006-Builtin-policy-whitelist-and-dbus-conf.-Contributes-.patch
@@ -1,7 +1,7 @@
 From 4d71e9e7d543eed526058ed3ea0a9f682a00b47b Mon Sep 17 00:00:00 2001
 From: Pekka Vuorela <pekka.vuorela@jollamobile.com>
 Date: Thu, 12 Oct 2017 14:45:09 +0300
-Subject: [PATCH 05/38] Builtin policy, whitelist, and dbus conf. Contributes
+Subject: [PATCH 05/38] Builtin policy and dbus conf. Contributes
  to JB#14776
 
 Require sailfish-system group to access PackageKit via D-Bus. Contributes to JB#47958
@@ -43,7 +43,7 @@ index 1d006c782..f9cf35167 100644
 
  #include <glib/gstdio.h>
  #include <glib/gi18n.h>
-@@ -2391,6 +2392,87 @@ out:
+@@ -2391,6 +2392,45 @@ out:
  	g_free (data);
  }
 
@@ -57,27 +57,6 @@ index 1d006c782..f9cf35167 100644
 +	GError *error = NULL;
 +	gboolean result = FALSE;
 +	gchar *path = g_strdup_printf ("/proc/%u", pid);
-+	gchar *exec = g_strdup_printf ("/proc/%u/exe", pid);
-+	const gchar *exec_whitelist[] = {
-+		// For system upgrades (remove this one once new systemd lands)
-+		"/usr/bin/store-client",
-+
-+		// For devel dist upgrading
-+		"/usr/bin/rnd-dist-upgrade",
-+
-+		// For deploying RPMs from the SDK
-+		"/usr/bin/sdk-deploy-rpm",
-+
-+		NULL,
-+	};
-+	const gchar *egid_whitelist[] = {
-+		// Privileged applications
-+		"privileged",
-+
-+		NULL,
-+	};
-+	int i = 0;
-+	gchar *app = NULL;
 +
 +	// Check if a systemd-style system update is in progress
 +	// http://www.freedesktop.org/wiki/Software/systemd/SystemUpdates/
@@ -87,40 +66,19 @@ index 1d006c782..f9cf35167 100644
 +		result = TRUE;
 +	}
 +
-+	// Check application executable path of sender process
-+	app = g_file_read_link (exec, &error);
-+	if (app) {
-+		g_debug ("Executable of sender process: '%s'", app);
-+		for (i=0; exec_whitelist[i]; i++) {
-+			if (g_strcmp0 (app, exec_whitelist[i]) == 0) {
-+				g_debug ("Allowing from exec whitelist");
-+				result = TRUE;
-+				break;
-+			}
-+		}
-+		g_free (app);
-+	} else {
-+		g_warning ("Could not get executable of sender process: %s",
-+				error->message);
-+		g_error_free (error);
-+	}
-+
 +	// Check effective group ID of sender process
 +	struct stat sender_stat;
 +	if (stat(path, &sender_stat) == 0) {
 +		struct group *sender_group = getgrgid (sender_stat.st_gid);
 +		if (sender_group) {
 +			g_debug ("Group of sender process: '%s'", sender_group->gr_name);
-+                        for (i=0; egid_whitelist[i]; i++) {
-+				if (g_strcmp0 (sender_group->gr_name, egid_whitelist[i]) == 0) {
-+					g_debug ("Allowing from egid whitelist");
-+					result = TRUE;
-+				}
++			if (g_strcmp0 (sender_group->gr_name, "privileged") == 0) {
++				g_debug ("Allowing from privileged process");
++				result = TRUE;
 +			}
 +		}
 +	}
 +
-+	g_free (exec);
 +	g_free (path);
 +
 +	g_debug ("%s -> %s", __func__, result ? "true" : "false");
@@ -131,7 +89,7 @@ index 1d006c782..f9cf35167 100644
  /**
   * pk_transaction_authorize_actions:
   *
-@@ -2625,6 +2707,8 @@ pk_transaction_obtain_authorization (PkTransaction *transaction,
+@@ -2625,6 +2665,8 @@ pk_transaction_obtain_authorization (PkTransaction *transaction,
  				 PK_TRANSACTION_FLAG_ENUM_ONLY_DOWNLOAD) ||
  			pk_bitfield_contain (transaction->priv->cached_transaction_flags,
  				 PK_TRANSACTION_FLAG_ENUM_SIMULATE) ||