tags 510639 + patch thanks "Normal" use of hal (gnome-power-manager and NetworkManager) seems to need some additional permissions; these might be enough? Hopefully you know hal's capabilities better than I do...
Simon
From 38d3d2276ad6cc99819595dc0bb3948dbb048313 Mon Sep 17 00:00:00 2001 From: Simon McVittie <s...@debian.org> Date: Sun, 4 Jan 2009 17:47:29 +0000 Subject: [PATCH] hal.conf.in: qualify all send_interface="..." with send_destination="...Hal" D-Bus tracking bug for non-deterministic allow/deny for messages with no interface: http://bugs.freedesktop.org/show_bug.cgi?id=18961 --- hal.conf.in | 78 +++++++++++++++++++++++++++++++++++++++------------------- 1 files changed, 52 insertions(+), 26 deletions(-) diff --git a/hal.conf.in b/hal.conf.in index 90590a7..ebef3fe 100644 --- a/hal.conf.in +++ b/hal.conf.in @@ -16,17 +16,23 @@ <!-- Allow anyone to invoke methods on the Manager and Device interfaces --> <policy context="default"> - <allow send_interface="org.freedesktop.Hal.Manager"/> - <allow send_interface="org.freedesktop.Hal.Device"/> + <allow send_interface="org.freedesktop.Hal.Manager" + send_destination="org.freedesktop.Hal"/> + <allow send_interface="org.freedesktop.Hal.Device" + send_destination="org.freedesktop.Hal"/> <allow receive_interface="org.freedesktop.Hal.Manager" receive_sender="org.freedesktop.Hal"/> <allow receive_interface="org.freedesktop.Hal.Device" receive_sender="org.freedesktop.Hal"/> - <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/> - <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/> - <allow send_interface="org.freedesktop.Hal.Device.Volume"/> - <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/> + <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement" + send_destination="org.freedesktop.Hal"/> + <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel" + send_destination="org.freedesktop.Hal"/> + <allow send_interface="org.freedesktop.Hal.Device.Volume" + send_destination="org.freedesktop.Hal"/> + <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto" + send_destination="org.freedesktop.Hal"/> <allow receive_interface="org.freedesktop.Hal.Device.SystemPowerManagement" receive_sender="org.freedesktop.Hal"/> <allow receive_interface="org.freedesktop.Hal.Device.LaptopPanel" @@ -40,40 +46,60 @@ <!-- Default policy for the exported interfaces; if PolicyKit is not used for access control you will need to modify this --> <policy context="default"> - <deny send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/> - <deny send_interface="org.freedesktop.Hal.Device.VideoAdapterPM"/> - <deny send_interface="org.freedesktop.Hal.Device.LaptopPanel"/> - <deny send_interface="org.freedesktop.Hal.Device.Volume"/> - <deny send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/> + <deny send_interface="org.freedesktop.Hal.Device.SystemPowerManagement" + send_destination="org.freedesktop.Hal"/> + <deny send_interface="org.freedesktop.Hal.Device.VideoAdapterPM" + send_destination="org.freedesktop.Hal"/> + <deny send_interface="org.freedesktop.Hal.Device.LaptopPanel" + send_destination="org.freedesktop.Hal"/> + <deny send_interface="org.freedesktop.Hal.Device.Volume" + send_destination="org.freedesktop.Hal"/> + <deny send_interface="org.freedesktop.Hal.Device.Volume.Crypto" + send_destination="org.freedesktop.Hal"/> </policy> <!-- This will not work if consolekit is not enabled --> <policy at_console="true"> - <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/> - <allow send_interface="org.freedesktop.Hal.Device.VideoAdapterPM"/> - <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/> - <allow send_interface="org.freedesktop.Hal.Device.Volume"/> - <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/> + <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement" + send_destination="org.freedesktop.Hal"/> + <allow send_interface="org.freedesktop.Hal.Device.VideoAdapterPM" + send_destination="org.freedesktop.Hal"/> + <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel" + send_destination="org.freedesktop.Hal"/> + <allow send_interface="org.freedesktop.Hal.Device.Volume" + send_destination="org.freedesktop.Hal"/> + <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto" + send_destination="org.freedesktop.Hal"/> </policy> <!-- Debian groups policies --> <policy group="powerdev"> - <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/> - <allow send_interface="org.freedesktop.Hal.Device.VideoAdapterPM"/> - <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/> + <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement" + send_destination="org.freedesktop.Hal"/> + <allow send_interface="org.freedesktop.Hal.Device.VideoAdapterPM" + send_destination="org.freedesktop.Hal"/> + <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel" + send_destination="org.freedesktop.Hal"/> </policy> <policy group="plugdev"> - <allow send_interface="org.freedesktop.Hal.Device.Volume"/> - <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/> + <allow send_interface="org.freedesktop.Hal.Device.Volume" + send_destination="org.freedesktop.Hal"/> + <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto" + send_destination="org.freedesktop.Hal"/> </policy> <!-- You can change this to a more suitable user, or make per-group --> <policy user="root"> - <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/> - <allow send_interface="org.freedesktop.Hal.Device.VideoAdapterPM"/> - <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/> - <allow send_interface="org.freedesktop.Hal.Device.Volume"/> - <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/> + <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement" + send_destination="org.freedesktop.Hal"/> + <allow send_interface="org.freedesktop.Hal.Device.VideoAdapterPM" + send_destination="org.freedesktop.Hal"/> + <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel" + send_destination="org.freedesktop.Hal"/> + <allow send_interface="org.freedesktop.Hal.Device.Volume" + send_destination="org.freedesktop.Hal"/> + <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto" + send_destination="org.freedesktop.Hal"/> </policy> </busconfig> -- 1.5.6.5
From de7455197130955d8d58e1127f06412aaaaf3c7b Mon Sep 17 00:00:00 2001 From: Simon McVittie <s...@debian.org> Date: Sun, 4 Jan 2009 17:50:48 +0000 Subject: [PATCH] Allow anyone to introspect the hal daemon, even with CVE-2008-4311 fixed Part of Colin's patch from <https://bugs.freedesktop.org/attachment.cgi?id=21326> --- hal.conf.in | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/hal.conf.in b/hal.conf.in index ebef3fe..cf2bcb5 100644 --- a/hal.conf.in +++ b/hal.conf.in @@ -16,6 +16,8 @@ <!-- Allow anyone to invoke methods on the Manager and Device interfaces --> <policy context="default"> + <allow send_interface="org.freedesktop.DBus.Introspectable" + send_destination="org.freedesktop.Hal"/> <allow send_interface="org.freedesktop.Hal.Manager" send_destination="org.freedesktop.Hal"/> <allow send_interface="org.freedesktop.Hal.Device" -- 1.5.6.5
From b95b7e53f9d8f6014ceba9e2ebecb9a306cd1a4c Mon Sep 17 00:00:00 2001
From: Simon McVittie <s...@debian.org>
Date: Sun, 4 Jan 2009 17:53:27 +0000
Subject: [PATCH] Let root call any hal method
This matches reasonable expectations about root, and allows (for
instance) NetworkManager to access the KillSwitch interface and
powersaved to access the CPUFreq interface.
---
hal.conf.in | 16 +++++-----------
1 files changed, 5 insertions(+), 11 deletions(-)
diff --git a/hal.conf.in b/hal.conf.in
index cf2bcb5..8fc21c2 100644
--- a/hal.conf.in
+++ b/hal.conf.in
@@ -90,18 +90,12 @@
send_destination="org.freedesktop.Hal"/>
</policy>
- <!-- You can change this to a more suitable user, or make per-group -->
+ <!-- Allow root to call any method, for instance:
+ * NetworkManager access to KillSwitch interface
+ * powersaved access to CPUFreq interface
+ -->
<policy user="root">
- <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"
- send_destination="org.freedesktop.Hal"/>
- <allow send_interface="org.freedesktop.Hal.Device.VideoAdapterPM"
- send_destination="org.freedesktop.Hal"/>
- <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"
- send_destination="org.freedesktop.Hal"/>
- <allow send_interface="org.freedesktop.Hal.Device.Volume"
- send_destination="org.freedesktop.Hal"/>
- <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"
- send_destination="org.freedesktop.Hal"/>
+ <allow send_destination="org.freedesktop.Hal"/>
</policy>
</busconfig>
--
1.5.6.5
commit f16e4f82f33a759583622bf7aafb36828027c3ac
Author: Simon McVittie <s...@debian.org>
Date: 2009-01-04 20:10:44 +0000
hal.conf.in: allow powerdev group to modify cpufreq, and use the DockingStation and WakeOnLan interfaces
The first is needed for gnome-power-manager, and the others seem
reasonably in-scope for powerdev.
diff --git a/hal.conf.in b/hal.conf.in
index 8fc21c2..7692587 100644
--- a/hal.conf.in
+++ b/hal.conf.in
@@ -82,6 +82,12 @@
send_destination="org.freedesktop.Hal"/>
<allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"
send_destination="org.freedesktop.Hal"/>
+ <allow send_interface="org.freedesktop.Hal.Device.CPUFreq"
+ send_destination="org.freedesktop.Hal"/>
+ <allow send_interface="org.freedesktop.Hal.Device.WakeOnLan"
+ send_destination="org.freedesktop.Hal"/>
+ <allow send_interface="org.freedesktop.Hal.Device.DockStation"
+ send_destination="org.freedesktop.Hal"/>
</policy>
<policy group="plugdev">
<allow send_interface="org.freedesktop.Hal.Device.Volume"
signature.asc
Description: Digital signature
