Bug 1215873

Summary:	AUDIT-WHITELIST: thermald: review of D-Bus file /usr/share/dbus-1/system.d/org.freedesktop.thermald.conf
Product:	[openSUSE] openSUSE Tumbleweed	Reporter:	Thomas Renninger <trenn>
Component:	Security	Assignee:	Matthias Gerstner <matthias.gerstner>
Status:	RESOLVED FIXED	QA Contact:	E-mail List <qa-bugs>
Severity:	Normal
Priority:	P5 - None	CC:	aschnell, jcheung, matthias.gerstner, trenn, wolfgang.frisch
Version:	Current
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Thomas Renninger 2023-10-02 12:49:43 UTC

Latest thermald package seem to have dbus API modifications which need review by the security team.
The package is intended to be submitted to SLE 15 SP6/ALP afterwards.
You may want to keep this in mind when looking at this:
[SUSE-JIRA] (PED-5716) Impl: Enable support for Thermal Controls on platform
https://jira.suse.com/browse/PED-5716

The submit request for factory showing the dbus security review need is here:
https://build.opensuse.org/request/show/1113687#comment-1827588

Thanks in advance.

Comment 1 Matthias Gerstner 2023-10-02 13:20:28 UTC

Thanks for the review bug. We will schedule the review and report back.

Comment 2 Matthias Gerstner 2023-10-06 12:26:58 UTC

The reason for the badness is that the D-Bus service file has been moved from
/etc/dbus-1 to /usr/share/dbus-1.

Generally it would be a formal change to the whitelisting only. The last
review has been quite a while ago, though, so we should at least look a bit
closer at the current D-Bus implementation if anything problematic is around
these days.

Comment 3 Matthias Gerstner 2023-10-06 13:44:14 UTC

The thermald D-Bus interface is only accessible to root and to members of the
"power" group. By default there are no members of the power group.

In the original audit bug is has been pointed out that it is important that
this stays this way, because some of the API endpoints are not suitable for
access by everybody.

The new whitelisting will be coupled to the D-Bus configuration content, so if
it changes we will notice, thus the danger that something worseness here
without us noticing is reduced.

Comment 4 Matthias Gerstner 2023-10-09 11:55:30 UTC

The whitelisting process has been started.

Comment 5 Wolfgang Frisch 2023-10-10 11:57:44 UTC

Factory:
https://build.opensuse.org/request/show/1116656

ALP: 
https://build.suse.de/request/show/309945

Comment 6 OBSbugzilla Bot 2023-10-12 19:15:04 UTC

This is an autogenerated message for OBS integration:
This bug (1215873) was mentioned in
https://build.opensuse.org/request/show/1117522 Factory / thermald

Comment 7 Matthias Gerstner 2023-10-16 13:04:45 UTC

The whitelisting is now in Factory and should be effective. Closing as FIXED.

Comment 8 Thomas Renninger 2023-11-20 13:16:16 UTC

Can this change/whitelist also be applied for SLE 15 SP6, please:
https://jira.suse.com/browse/PED-5716

Be aware that thermald does not exist there as a package yet.
The submitrequest to get this in is here:
https://build.suse.de/request/show/312532

Thanks!

Comment 9 Matthias Gerstner 2023-11-20 14:40:40 UTC

(In reply to trenn@suse.com from comment #8)
> Can this change/whitelist also be applied for SLE 15 SP6, please:
> https://jira.suse.com/browse/PED-5716

Actually, since the basename of the D-Bus configuration files didn't change,
there shouldn't be a new whitelisting necessary for SLE-15. The rpmlint in
SLE-15 does not check full paths.

I couldn't find any rpmlint badness in your SLE-15-SP6 package build, can you
confirm, please?

Comment 10 Matthias Gerstner 2023-11-23 15:19:28 UTC

Can you please give an update regarding comment 9? Thanks!

Comment 11 Matthias Gerstner 2023-12-08 12:13:12 UTC

No reply received to my question. As I see it no whitelisting backport is
necessary for this. Closing again as fixed.