From 763eaa49343acdda5ff359012e8cc49c9ffc8e81 Mon Sep 17 00:00:00 2001

From: Vincent Bernat <vincent@bernat.ch>

Date: Tue, 23 Nov 2021 06:50:59 +0100

Subject: [PATCH] dbus: fix policy to not be overly broad

The DBus policy did not restrict the message destination, allowing any

user to inspect and manipulate any property.

Signed-off-by: Vincent Bernat <vincent@bernat.ch>

---

 keepalived/dbus/org.keepalived.Vrrp1.conf | 13 ++++++++-----

 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/keepalived/dbus/org.keepalived.Vrrp1.conf b/keepalived/dbus/org.keepalived.Vrrp1.conf

index 2b78a575..b5ced608 100644

--- a/keepalived/dbus/org.keepalived.Vrrp1.conf

+++ b/keepalived/dbus/org.keepalived.Vrrp1.conf

@@ -3,12 +3,15 @@

  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">

 <busconfig>

 	<policy user="root">

-		<allow own="org.keepalived.Vrrp1"/>

-		<allow send_destination="org.keepalived.Vrrp1"/>

+		<allow own="org.keepalived.Vrrp1" />

+		<allow send_destination="org.keepalived.Vrrp1" />

 	</policy>

 	<policy context="default">

-		<allow send_interface="org.freedesktop.DBus.Introspectable" />

-		<allow send_interface="org.freedesktop.DBus.Peer" />

-		<allow send_interface="org.freedesktop.DBus.Properties" />

+		

+		       send_interface="org.freedesktop.DBus.Introspectable" />

+		

+		       send_interface="org.freedesktop.DBus.Peer" />

+		

+		       send_interface="org.freedesktop.DBus.Properties" />

 	</policy>

 </busconfig>

-- 

2.33.1