Bug 1211978

Summary: AUDIT-0: systemd: new polkit action org.freedesktop.systemd1.bypass-dump-ratelimit
Product: [openSUSE] openSUSE Tumbleweed
Component: Security
Status: RESOLVED FIXED
Severity: Normal
Priority: P5 - None
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Reporter: Franck Bui <fbui>
Assignee: Wolfgang Frisch <wolfgang.frisch>
QA Contact: E-mail List <qa-bugs>
CC: wolfgang.frisch
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Franck Bui 2023-06-03 10:29:55 UTC
Hello Secteam,

Could you review the new polkit action introduced by 253.5?

Thanks.
Comment 1 Franck Bui 2023-06-03 10:30:41 UTC
FTR it's currently blocking the following submission:  https://build.opensuse.org/request/show/1090446
Comment 2 Matthias Gerstner 2023-06-05 07:38:03 UTC
We will have a look. These polkit additions to systemd usually don't take long
to check.
Comment 3 Wolfgang Frisch 2023-06-05 09:14:57 UTC
I will work on this.
Comment 4 Wolfgang Frisch 2023-06-06 09:22:36 UTC
systemd offers a number of D-Bus methods to dump/serialize various information:

- Dump()
- DumpUnitsMatchingPatterns()
- DumpByFileDescriptor()
- DumpUnitsMatchingPatternsByFileDescriptor()

Previously, these methods had been freely accessible to unprivileged users.
Since they consume a significant amount of CPU time, it was possible to stall
systemd system-wide with a simple loop:

```
while((1)); do
	dbus-send --print-reply --session --dest=org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager.Dump >/dev/null
done
```

This behavior constituted a local DoS vector, which was then mitigated by
introducing rate-limiting:

> commit d936595672cf3ee7c1c547f8fd30512f82be8784
> Author: Luca Boccassi <bluca@debian.org>
> Date:   Thu Apr 27 23:23:30 2023 +0100
> 
>     manager: restrict Dump*() to privileged callers or ratelimit
>     
>     Dump*() methods can take quite some time due to the amount of data to
>     serialize, so they can potentially stall the manager. Make them
>     privileged, as they are debugging tools anyway. Use a new 'dump'
>     capability for polkit, and the 'reload' capability for SELinux, as
>     that's also non-destructive but slow.
>     
>     If the caller is not privileged, allow it but rate limited to 10 calls
>     every 10 minutes.


Finally, this new Polkit action allows *only* admins to bypass the recently
introduced rate-limiting:

> <allow_any>auth_admin</allow_any>
> <allow_inactive>auth_admin</allow_inactive>
> <allow_active>auth_admin_keep</allow_active>

Good.
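As an added example (not part of the systemd package, the reviewed submission, or this bug), a local polkit rule that tightens the shipped defaults for the new action: non-admins are denied the bypass outright, admins must authenticate on every call (no `_keep`), and each request is logged. The `wheel` group name and the rules file name are assumptions.

```javascript
// Local polkit rule for the rate-limit bypass action reviewed above.
// Install as /etc/polkit-1/rules.d/50-systemd-dump-bypass.rules (assumed name)
// after removing the stub below; the stub only lets the rule run under node.
var BYPASS_ACTION = "org.freedesktop.systemd1.bypass-dump-ratelimit";
var ADMIN_GROUP = "wheel"; // assumption: the site's administrative group

// polkit's rule engine provides a global `polkit` object; outside polkit we
// substitute a minimal stand-in so the rule can be evaluated offline.
var polkit = (typeof polkit !== "undefined") ? polkit : {
  Result: { NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  rules: [],
  addRule: function (fn) { this.rules.push(fn); },
  log: function (msg) { console.log("polkit: " + msg); }
};

function bypassRule(action, subject) {
  if (action.id !== BYPASS_ACTION) {
    // Every other action keeps the defaults shipped in its .policy file.
    return polkit.Result.NOT_HANDLED;
  }
  polkit.log("dump rate-limit bypass requested by " + subject.user +
             " (pid " + subject.pid + ", active=" + subject.active + ")");
  if (!subject.isInGroup(ADMIN_GROUP)) {
    return polkit.Result.NO;         // non-admins never get the bypass
  }
  return polkit.Result.AUTH_ADMIN;   // admins re-authenticate on every call
}

polkit.addRule(bypassRule);

// Evaluate the rule against a constructed subject (offline check only).
function evaluate(actionId, opts) {
  var subject = {
    user: opts.user,
    pid: opts.pid || 4242,
    active: !!opts.active,
    local: true,
    isInGroup: function (g) { return (opts.groups || []).indexOf(g) !== -1; }
  };
  return bypassRule({ id: actionId }, subject);
}
```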
Comment 5 Wolfgang Frisch 2023-06-06 10:02:20 UTC
Reviewed and submitted. The changes should hit Factory soon.
https://build.opensuse.org/request/show/1091064
Comment 6 Wolfgang Frisch 2023-06-07 07:27:45 UTC
Released.
Comment 9 Wolfgang Frisch 2023-06-13 15:55:48 UTC
My previous request had the wrong target. Still learning the ropes with regards to ALP. This one should be OK:
https://build.suse.de/request/show/301103
Comment 10 Wolfgang Frisch 2023-06-19 07:36:59 UTC
The ALP submission has been accepted.