Bug 1193310

Summary: AUDIT-0: fwupd 1.7.2: new polkit rules to audit
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Dominique Leuenberger <dimstar>
Component: Security
Assignee: Wolfgang Frisch <wolfgang.frisch>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P2 - High
CC: wolfgang.frisch
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Dominique Leuenberger 2021-12-02 08:21:04 UTC
fwupd is prepared to be upgraded to version 1.7.2 (in Base:System)

There are new polkit warnings in rpmlint:

fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10) org.freedesktop.fwupd.downgrade-internal-trusted (auth_admin:no:auth_admin_keep)
fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10) org.freedesktop.fwupd.downgrade-hotplug-trusted (auth_admin:no:auth_admin_keep)

Package can be found at https://build.opensuse.org/package/show/Base:System/fwupd
Comment 1 Wolfgang Frisch 2021-12-06 11:22:38 UTC
Thank you for opening the audit bug. Since this is only an addition to an existing package that has already been audited, I should be able to finish it in a reasonable amount of time.
Comment 2 Wolfgang Frisch 2021-12-09 19:40:31 UTC
The new polkit privileges for downgrades, introduced with commit 2d5c5b868eee315bf0cf5c3e3c1bc6788511bda8, are not referring to any new functionality, but only make existing behavior more granular, with separate privileges for signed (trusted) firmware.

This allows us to forgo user confirmation for signed downgrades in our easy and standard profiles. Good idea. I will whitelist this.
Comment 4 OBSbugzilla Bot 2021-12-09 20:30:09 UTC
This is an autogenerated message for OBS integration:
This bug (1193310) was mentioned in
https://build.opensuse.org/request/show/938268 Factory / polkit-default-privs
Comment 5 Matthias Gerstner 2021-12-10 09:35:34 UTC
(In reply to wolfgang.frisch@suse.com from comment #2)
> This allows us to forgo user confirmation for signed downgrades in our easy and standard profiles. Good idea. I will whitelist this.

Is this really such a good idea? If I remember right, in PackageKit
downgrading even signed packages still requires special authorization. The
reasoning behind that is to prevent unauthenticated downgrades to package
versions that contain security issues. Couldn't this also apply to firmware?
Comment 6 Wolfgang Frisch 2021-12-13 09:59:11 UTC
(In reply to Matthias Gerstner from comment #5)
> (In reply to wolfgang.frisch@suse.com from comment #2)
> > This allows us to forgo user confirmation for signed downgrades in our easy and standard profiles. Good idea. I will whitelist this.
> 
> Is this really such a good idea? If I remember right, in PackageKit
> downgrading even signed packages still requires special authorization. The
> reasoning behind that is to prevent unauthenticated downgrades to package
> versions that contain security issues. Couldn't this also apply to firmware?

Fair point. We should consider tightening the permissions.
Comment 7 Wolfgang Frisch 2021-12-14 16:51:14 UTC
After some deliberation, I changed the downgrade rules in all profiles to `auth_admin_keep`.

https://build.opensuse.org/request/show/940529
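The decision above (every fwupd downgrade action must require administrator authentication in all profiles) can be checked mechanically. The following is an added example, not code from fwupd or from the polkit-default-privs package; it assumes a polkit-default-privs-style line format of `<action> <privilege>` where the privilege is either a single value or an `allow_any:allow_inactive:allow_active` triplet, and the sample profile contents are constructed.

```python
"""Flag fwupd firmware-downgrade actions that can be granted without admin credentials."""

# Constructed sample profiles (not the real SUSE files). The "before" variant
# models the easy profile that waived confirmation for signed downgrades.
PROFILE_BEFORE = """\
# easy profile (constructed)
org.freedesktop.fwupd.update-internal-trusted auth_admin_keep
org.freedesktop.fwupd.downgrade-internal-trusted auth_admin:no:yes
org.freedesktop.fwupd.downgrade-hotplug-trusted no
"""
PROFILE_AFTER = """\
org.freedesktop.fwupd.downgrade-internal-trusted auth_admin_keep
org.freedesktop.fwupd.downgrade-hotplug-trusted auth_admin_keep
"""

# Results that grant the action without administrator credentials.
NO_ADMIN_NEEDED = {"yes", "auth_self", "auth_self_keep"}
SESSION_KINDS = ("any", "inactive", "active")


def parse_privs(text):
    """Return {action: (allow_any, allow_inactive, allow_active)}.

    Assumed format: one action per line; a single value applies to all three
    session kinds, otherwise a colon-separated triplet is expected.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, priv = line.split()  # ValueError on malformed lines
        parts = priv.split(":")
        if len(parts) == 1:
            parts = parts * 3
        if len(parts) != 3:
            raise ValueError(f"bad privilege spec for {action}: {priv}")
        rules[action] = tuple(parts)
    return rules


def weak_downgrade_rules(text):
    """List (action, session_kind, value) where a downgrade action is granted
    without admin authentication, i.e. the case raised in comment 5."""
    weak = []
    for action, triple in parse_privs(text).items():
        if ".downgrade-" not in action:
            continue
        for kind, value in zip(SESSION_KINDS, triple):
            if value in NO_ADMIN_NEEDED:
                weak.append((action, kind, value))
    return weak
```

A `no` entry is a denial rather than a weak grant, so only `yes`, `auth_self` and `auth_self_keep` are reported.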