Bug 1206756

Summary:	AUDIT-WHITELIST: NetworkManager-iodine: move dbus system.d file to /usr
Product:	[openSUSE] openSUSE Tumbleweed	Reporter:	Callum Farmer <gmbr3>
Component:	Security	Assignee:	Wolfgang Frisch <wolfgang.frisch>
Status:	RESOLVED FIXED	QA Contact:	E-mail List <qa-bugs>
Severity:	Normal
Priority:	P5 - None	CC:	matthias.gerstner, security-team, wolfgang.frisch
Version:	Current
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Callum Farmer 2022-12-31 12:14:36 UTC

Move /etc/dbus-1/system.d/nm-iodine-service.conf to /usr/share/dbus-1/system.d/nm-iodine-service.conf

Comment 1 Callum Farmer 2022-12-31 12:15:46 UTC

https://build.opensuse.org/request/show/1045903

Comment 2 Matthias Gerstner 2023-01-02 11:03:23 UTC

This was reviewed ages ago in bug 781071. Having a quick look at the current
situation of the service as part of the path move might be a good idea.

Comment 3 Wolfgang Frisch 2023-01-03 15:25:00 UTC

I will be working on this.

Upstream:
https://honk.sigxcpu.org/piki/projects/network-manager-iodine/
https://gitlab.gnome.org/GNOME/network-manager-iodine

openSUSE Factory packages:
https://build.opensuse.org/package/show/openSUSE:Factory/iodine
https://build.opensuse.org/package/show/openSUSE:Factory/NetworkManager-iodine

Comment 4 Wolfgang Frisch 2023-01-05 09:46:11 UTC

This package integrates the `iodine` IPv4-over-DNS client with NetworkManager.
It is comprised of two parts, a GTK UI and a D-Bus service. Both are only
accessible with root credentials.

The D-Bus service `nm-iodine-service` runs under a separate system user account
(`nm-iodine`) without any special privileges, no shell and no home directory.
The service itself is written in glib-style C, of decent quality, in less than
1 kLOC.  It interacts with the iodine binary, executing it asynchronously and
parsing its output.  Subprocess execution is performed with a proper
argv-array. Its output is parsed with low level string manipulation with
sufficient checks and range-checked glib functions.

All good, as far as I can see. The underlying `iodine` package might be a
different matter but that's outside the scope of this review.

I will proceed with the whitelisting.

Comment 5 OBSbugzilla Bot 2023-01-05 18:45:04 UTC

This is an autogenerated message for OBS integration:
This bug (1206756) was mentioned in
https://build.opensuse.org/request/show/1056248 Factory / rpmlint

Comment 6 OBSbugzilla Bot 2023-01-06 09:25:04 UTC

This is an autogenerated message for OBS integration:
This bug (1206756) was mentioned in
https://build.opensuse.org/request/show/1056345 Factory / rpmlint

Comment 7 OBSbugzilla Bot 2023-01-06 14:35:04 UTC

This is an autogenerated message for OBS integration:
This bug (1206756) was mentioned in
https://build.opensuse.org/request/show/1056406 Factory / rpmlint

Comment 8 OBSbugzilla Bot 2023-01-06 15:35:04 UTC

This is an autogenerated message for OBS integration:
This bug (1206756) was mentioned in
https://build.opensuse.org/request/show/1056412 Factory / rpmlint

Comment 9 OBSbugzilla Bot 2023-01-10 11:05:04 UTC

This is an autogenerated message for OBS integration:
This bug (1206756) was mentioned in
https://build.opensuse.org/request/show/1057595 Factory / rpmlint

Comment 10 OBSbugzilla Bot 2023-01-11 10:45:04 UTC

This is an autogenerated message for OBS integration:
This bug (1206756) was mentioned in
https://build.opensuse.org/request/show/1057745 Factory / rpmlint

Comment 11 OBSbugzilla Bot 2023-01-11 14:45:04 UTC

This is an autogenerated message for OBS integration:
This bug (1206756) was mentioned in
https://build.opensuse.org/request/show/1057792 Factory / rpmlint

Comment 12 Wolfgang Frisch 2023-01-17 17:05:11 UTC

The whitelisting has finally arrived in Factory. Closing.