summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity
diff options
context:
space:
mode:
authorJussi Kukkonen <jussi.kukkonen@intel.com>2015-09-25 14:14:01 +0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-09-28 12:00:23 +0100
commitadeba9a4cbe5c2fbcdbbcd59d559b6c3432ef4e4 (patch)
tree2a3cbe510b71e6b60819eb8e85f3b254418bd8ed /meta/recipes-connectivity
parent907c8a7068791fb466867a29e881361b1639eae5 (diff)
downloadpoky-adeba9a4cbe5c2fbcdbbcd59d559b6c3432ef4e4.tar.gz
connman: Don't use a blanket "allow" D-Bus policy
There are already "allow" rules for root and conditionally xuser to send messages to connman: there should be no reason for a default allow policy. Also, conditionally add a policy to allow xuser to send to the connman vpn service (similar to main service). (From OE-Core rev: 7c75981944e92b5534b054058407d19de2a8a78c) Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r--meta/recipes-connectivity/connman/connman.inc6
-rw-r--r--meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch28
2 files changed, 25 insertions, 9 deletions
diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc
index 6c062ae7a1..1712af3016 100644
--- a/meta/recipes-connectivity/connman/connman.inc
+++ b/meta/recipes-connectivity/connman/connman.inc
@@ -70,13 +70,7 @@ SYSTEMD_SERVICE_${PN} = "connman.service"
70SYSTEMD_SERVICE_${PN}-vpn = "connman-vpn.service" 70SYSTEMD_SERVICE_${PN}-vpn = "connman-vpn.service"
71SYSTEMD_WIRED_SETUP = "ExecStartPre=-${libdir}/connman/wired-setup" 71SYSTEMD_WIRED_SETUP = "ExecStartPre=-${libdir}/connman/wired-setup"
72 72
73# This allows *everyone* to access ConnMan over DBus, without any access
74# control. Really the at_console flag should work, which would mean that
75# both this and the xuser patch can be dropped.
76do_compile_append() { 73do_compile_append() {
77 sed -i -e s:deny:allow:g ${S}/src/connman-dbus.conf
78 sed -i -e s:deny:allow:g ${S}/vpn/vpn-dbus.conf
79
80 sed -i "s#ExecStart=#${SYSTEMD_WIRED_SETUP}\nExecStart=#" ${B}/src/connman.service 74 sed -i "s#ExecStart=#${SYSTEMD_WIRED_SETUP}\nExecStart=#" ${B}/src/connman.service
81} 75}
82 76
diff --git a/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch b/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
index 707b3cafba..15a191da55 100644
--- a/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
+++ b/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
@@ -1,9 +1,14 @@
1Because Poky doesn't support at_console we need to special-case the session 1Because Poky doesn't support at_console we need to
2user. 2special-case the session user.
3 3
4Upstream-Status: Inappropriate [configuration] 4Upstream-Status: Inappropriate [configuration]
5 5
6Signed-off-by: Ross Burton <ross.burton@intel.com> 6Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
7
8---
9 src/connman-dbus.conf | 3 +++
10 vpn/vpn-dbus.conf | 3 +++
11 2 files changed, 6 insertions(+)
7 12
8diff --git a/src/connman-dbus.conf b/src/connman-dbus.conf 13diff --git a/src/connman-dbus.conf b/src/connman-dbus.conf
9index 98a773e..466809c 100644 14index 98a773e..466809c 100644
@@ -19,3 +24,20 @@ index 98a773e..466809c 100644
19 <policy at_console="true"> 24 <policy at_console="true">
20 <allow send_destination="net.connman"/> 25 <allow send_destination="net.connman"/>
21 </policy> 26 </policy>
27diff --git a/vpn/vpn-dbus.conf b/vpn/vpn-dbus.conf
28index 0f0c8da..9ad05b9 100644
29--- a/vpn/vpn-dbus.conf
30+++ b/vpn/vpn-dbus.conf
31@@ -6,6 +6,9 @@
32 <allow send_destination="net.connman.vpn"/>
33 <allow send_interface="net.connman.vpn.Agent"/>
34 </policy>
35+ <policy user="xuser">
36+ <allow send_destination="net.connman.vpn"/>
37+ </policy>
38 <policy at_console="true">
39 <allow send_destination="net.connman.vpn"/>
40 </policy>
41--
422.1.4
43