Bug 1219916

Summary: AUDIT-WHITELIST: systemd: additional D-Bus method org.freedesktop.home1.DeactivateAllHomes
Product: [openSUSE] openSUSE Tumbleweed Reporter: Franck Bui <fbui>
Component: SecurityAssignee: Matthias Gerstner <matthias.gerstner>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None    
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Franck Bui 2024-02-14 12:29:19 UTC 
This dbus method was forgotten and added to the access policy since systemd v254.9.

Coud you please review it ?

Thanks.
Comment 1 Matthias Gerstner 2024-02-14 14:32:10 UTC 
The rpmlint error message in Base:System/systemd is:

systemd-homed.x86_64: E: dbus-file-digest-mismatch (Badness: 10) /usr/share/dbus-1/system.d/org.freedesktop.home1.conf expected sha256:c47cf4b450df384104c2b66dddff75098def43c17feaa3b9f455d96336530868, has:8bfb27085d0f465591b56f17b33c0f9100b917a0a592fe662eed52b039ac6737

So this seems to be about D-Bus only, no? I see no polkit problems.
Comment 2 Franck Bui 2024-02-14 14:35:24 UTC 
Not sure how I ended up writing polkit in $title... you're right it's about dbus only.
Comment 3 Matthias Gerstner 2024-02-14 14:40:20 UTC 
This is from upstream commit 72bbd740a0d:

> homed: add missing bus call to homed access policy
>
>  diff --git a/src/home/org.freedesktop.home1.conf
>b/src/home/org.freedesktop.home1.conf
>  index de1fb93cc0..5af1a68607 100644
>  --- a/src/home/org.freedesktop.home1.conf
>  +++ b/src/home/org.freedesktop.home1.conf
>  @@ -125,6 +125,10 @@
>                          send_interface="org.freedesktop.home1.Manager"
>                          send_member="LockAllHomes"/>
>
>  +                <allow send_destination="org.freedesktop.home1"
>  +                       send_interface="org.freedesktop.home1.Manager"
>  +                       send_member="DeactivateAllHomes"/>
>  +
>                   <allow send_destination="org.freedesktop.home1"
>                          send_interface="org.freedesktop.home1.Manager"
>                          send_member="Rebalance"/>

So it is only this one additional method. We will look into it.
Comment 4 Franck Bui 2024-02-14 14:45:13 UTC 
(In reply to Matthias Gerstner from comment #3)
> This is from upstream commit 72bbd740a0d:

Yes and it's been backported to v254 stable tree (currently used by Factory).

> So it is only this one additional method. We will look into it.

Thanks.

SLE15-SP6 received the same change so it will need the same policy access update. Can you please make sure that SP6 is also updated ?
Comment 5 Matthias Gerstner 2024-02-15 09:27:48 UTC 
yes we will also take care of the SLE-15-SP6 backport, no problem.
Comment 6 Franck Bui 2024-02-15 09:32:45 UTC 
Don't forget ALP ;)
Comment 7 Matthias Gerstner 2024-02-15 12:09:20 UTC 
Slowly but steadily this whole systemd-homed component is growing into an ever
more complex system that is hard to keep track of.

The short (!) story about DeactivateAllHomes is as follows:

- during system shutdown this D-Bus method is called to deactivate all
  systemd-homed managed homes.
- the homed daemon will iterate over all homes it knows about. Even just
  determining whether some /home/<dir> is a mount point is a short bible story
  of its own.
- once homed is positive that some /home/<dir> is a mount point that is managed
  by it, it invokes systemd-homework which is passed a JSON data structure via
  stdin describing which home directory to operate on.
- systemd-homework will split-off a separate mount namespace, will create a
  private mount on /run/homework, bind-mount the /home/<dir> there, unmount
  /home/<dir>, then potentially runs some additional LUKS auto trim or auto
  shrink on the still mounted dir on /run/homework and *finally* unmounts even
  that one.

Just from reading that I guess everybody gets the picture that there is much
complexity going on. From what I could find in the code that I followed so far
nothing too terrible should happen at least. Likely local attack vectors could
be denial-of-service if a user manages to somehow get systemd-homed into a
blocking state. The worst would likely be tricking systemd-homed into
operating on a /home/<dir> that is not actually managed by it.

The file system operations are very cautious though, but also ever more
complex. I will whitelist this but the whole homed affair might be worth a
more in-depth follow-up review in the future.
Comment 8 Matthias Gerstner 2024-02-16 13:35:02 UTC 
The whitelisting for Factory is already on its way.

(In reply to matthias.gerstner@suse.com from comment #5)
> yes we will also take care of the SLE-15-SP6 backport, no problem.

For SLE-15 I believe there is no changed whitelisting necessary at all. This
still uses rpmlint1 which doesn't check the file contents i.e. it doesn't
notice this added D-Bus method. Can you please verify that the package build
does not fail there?
Comment 9 Franck Bui 2024-02-16 15:32:52 UTC 
I'll let you know as soon as I'll submit SP6 (hopefully earl next week).
Comment 11 Matthias Gerstner 2024-02-28 11:12:41 UTC 
I believe all whitelistings should be taken care of. Should it not work on
SLE-15 then reopen please.