On Wed, 2016-01-27 at 17:02 +0100, Lubomir Rintel wrote:
> It does more than intended; apart from denying messages to that particular
> interface it also denies all messages non-qualified with an interface
> globally.
> This blocks messages completely unrelated to wpa_supplicant, such as
> NetworkManager communication with the VPN plugins.

Hmm, not sure why that should happen. But anyway, yes, these were a
mistake in the original rules, and the send_destination denies are all
that is required to protect the supplicant from unauthorized users.

Dan

> From the dbus-daemon manual:
>
>   Be careful with send_interface/receive_interface, because the
>   interface field in messages is optional. In particular, do NOT
>   specify <deny send_interface="org.foo.Bar"/>! This will cause
>   no-interface messages to be blocked for all services, which is almost
>   certainly not what you intended. Always use rules of the form:
>   <deny send_interface="org.foo.Bar" send_destination="org.foo.Service"/>
>
> We can just safely remove those rules, since we're sufficiently protected
> by the send_destination matches and method calls are disallowed by default
> anyway.
>
> Signed-off-by: Lubomir Rintel <lkundrak@xxxxx>
> ---
>
> Clarified the commit message a bit compared to the previous posting.
>
>  wpa_supplicant/dbus/dbus-wpa_supplicant.conf | 2 --
>  1 file changed, 2 deletions(-)
>
> diff --git a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf > b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf > index c091234..382dcb3 100644 > --- a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf > +++ b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
> @@ -17,11 +17,9 @@ > <policy context="default"> > <deny own="fi.epitest.hostap.WPASupplicant"/> > <deny > send_destination="fi.epitest.hostap.WPASupplicant"/> > - <deny > send_interface="fi.epitest.hostap.WPASupplicant"/> > > <deny own="fi.w1.wpa_supplicant1"/> > <deny send_destination="fi.w1.wpa_supplicant1"/> > - <deny send_interface="fi.w1.wpa_supplicant1"/> > <deny receive_sender="fi.w1.wpa_supplicant1" > receive_type="signal"/> > </policy> > </busconfig>
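
Review bot: After the two removals, the fi.epitest.hostap.WPASupplicant block in the default policy has no counterpart to the <deny receive_sender="fi.w1.wpa_supplicant1" receive_type="signal"/> rule that is kept for the new name, so signal delivery from the old service is left to whatever the bus allows by default; please confirm that asymmetry is intended or mention it in the commit message. The removals themselves agree with the dbus-daemon manual text quoted in the commit message, since a bare send_interface deny carries no destination and the remaining send_destination denies still cover both names. If an interface-level restriction is ever wanted again, it should be written in the paired form, with send_interface and send_destination on the same rule.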
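
The rule behaviour that the quoted dbus-daemon manual text describes, as an added example that is not part of the original message and is not dbus or wpa_supplicant code. It is a simplified model: destinations are compared as plain strings, the starting verdict is a parameter because policy contexts and their ordering are out of scope, and org.example.Unrelated is a constructed name.

```python
# Simplified model of dbus-daemon send-rule matching (added example, not dbus code).
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    allow: bool
    send_destination: Optional[str] = None
    send_interface: Optional[str] = None

@dataclass
class Message:
    destination: str            # bus name the message is addressed to
    interface: Optional[str]    # the interface field is optional in messages

def rule_matches(rule: Rule, msg: Message) -> bool:
    if rule.send_destination is not None and rule.send_destination != msg.destination:
        return False
    if rule.send_interface is not None:
        if msg.interface is None:
            # No interface in the message: an allow rule is skipped,
            # a deny rule still applies. This is the trap the manual warns about.
            return not rule.allow
        if msg.interface != rule.send_interface:
            return False
    return True

def can_send(rules, msg, default=True):
    verdict = default           # assumption: verdict reached before these rules
    for rule in rules:          # a later matching rule overrides an earlier one
        if rule_matches(rule, msg):
            verdict = rule.allow
    return verdict

NAME = "fi.w1.wpa_supplicant1"
# Rules as they were before the patch: destination deny plus bare interface deny.
BARE = [Rule(False, send_destination=NAME), Rule(False, send_interface=NAME)]
# Rules after the patch: destination deny only.
FIXED = [Rule(False, send_destination=NAME)]
# The paired form the manual recommends when an interface deny is wanted.
PAIRED = FIXED + [Rule(False, send_destination=NAME, send_interface=NAME)]

# Constructed sample messages.
UNRELATED_NO_IFACE = Message("org.example.Unrelated", None)
UNRELATED_WITH_IFACE = Message("org.example.Unrelated", "org.example.Unrelated.Iface")
TO_SUPPLICANT = Message(NAME, None)

if __name__ == "__main__":
    for label, rules in (("bare", BARE), ("fixed", FIXED), ("paired", PAIRED)):
        print(label, [can_send(rules, m) for m in
                      (UNRELATED_NO_IFACE, UNRELATED_WITH_IFACE, TO_SUPPLICANT)])
```
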