On Wed, 2015-10-28 at 22:46 +0200, Jouni Malinen wrote: > On Fri, Oct 23, 2015 at 06:03:22PM +0200, Lubomir Rintel wrote: > > It does more than intended; apart from denying messages to that particular > > interface it also denies all messages non-qualified with an interface globally. > > From the dbus-daemon manual: > > > > Be careful with send_interface/receive_interface, because the > > interface field in messages is optional. In particular, do NOT > > specify ! This will cause > > no-interface messages to be blocked for all services, which is almost > > certainly not what you intended. Always use rules of the form: > > send_interface="org.foo.Bar" send_destination="org.foo.Service"/> > > > > We can just safely remove those rules, since we're sufficiently protected > > by the send_destination matches and method calls are disallowed by default > > anyway. > > Could you please describe what is the issue that this is fixing? It > looks like the policy for context="default" denies everything while the > user="root" allows the items. Does the "deny send_interface" cause some > harm in the case where every operation is supposed to be disallowed? This issue is fixing the case where the policy shipped by wpa_supplicant disallowed messages that are completely unrelated to wpa_supplicant (essentially *all* messages without an interface). This includes responses to NetworkManager's communication to VPN plugins. Lubo _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
