Bug 1211978 - AUDIT-0: systemd: new polkit action org.freedesktop.systemd1.bypass-dump-ratelimit
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assignee: Wolfgang Frisch
QA Contact: E-mail List
Reported: 2023-06-03 10:29 UTC by Franck Bui
Modified: 2024-03-13 09:21 UTC

Description Franck Bui 2023-06-03 10:29:55 UTC
Hello Secteam,

Could you review the new polkit action introduced by 253.5 ?

Thanks.
Comment 1 Franck Bui 2023-06-03 10:30:41 UTC
FTR it's currently blocking the following submission:  https://build.opensuse.org/request/show/1090446
Comment 2 Matthias Gerstner 2023-06-05 07:38:03 UTC
We will have a look. These polkit additions to systemd usually don't take long
to check.
Comment 3 Wolfgang Frisch 2023-06-05 09:14:57 UTC
I will work on this.
Comment 4 Wolfgang Frisch 2023-06-06 09:22:36 UTC
systemd offers a number of D-Bus methods to dump/serialize various information:

- Dump()
- DumpUnitsMatchingPatterns()
- DumpByFileDescriptor()
- DumpUnitsMatchingPatternsByFileDescriptor()

Previously, these methods had been freely accessible to unprivileged users.
Since they consume a significant amount of CPU time, it was possible to stall
systemd system-wide with a simple loop:

```bash
# Call Manager.Dump() in a tight loop; every call serializes the whole manager state
while ((1)); do
	dbus-send --print-reply --session --dest=org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager.Dump >/dev/null
done
```

This behavior constituted a local DoS vector, which was then mitigated by
introducing rate-limiting:

> commit d936595672cf3ee7c1c547f8fd30512f82be8784
> Author: Luca Boccassi <bluca@debian.org>
> Date:   Thu Apr 27 23:23:30 2023 +0100
> 
>     manager: restrict Dump*() to privileged callers or ratelimit
>     
>     Dump*() methods can take quite some time due to the amount of data to
>     serialize, so they can potentially stall the manager. Make them
>     privileged, as they are debugging tools anyway. Use a new 'dump'
>     capability for polkit, and the 'reload' capability for SELinux, as
>     that's also non-destructive but slow.
>     
>     If the caller is not privileged, allow it but rate limited to 10 calls
>     every 10 minutes.


Finally, this new Polkit action allows *only* admins to bypass the recently
introduced rate-limiting:

> <allow_any>auth_admin</allow_any>
> <allow_inactive>auth_admin</allow_inactive>
> <allow_active>auth_admin_keep</allow_active>

Good.
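As an added example (not code from the bug report or from systemd), the following Python script performs the check the review above applies by hand: it parses a polkit `.policy` file and flags every action whose `<defaults>` let a non-administrator through. The policy XML is constructed inline; the `org.freedesktop.systemd1.bypass-dump-ratelimit` action reproduces the three implicit authorizations quoted above, its description string is a placeholder, and the second action id is hypothetical and only exists to show what a finding looks like.

```python
"""Audit polkit .policy files for actions reachable by unprivileged callers.

Added example for this review; not code from systemd or from the bug report.
"""
import sys
import xml.etree.ElementTree as ET

# Implicit authorizations polkit accepts in <defaults>. "no" denies outright,
# the auth_admin variants require an administrator, the others let the calling
# user through (with or without re-entering their own password).
ADMIN_GATED = {"no", "auth_admin", "auth_admin_keep"}
UNPRIVILEGED = {"yes", "auth_self", "auth_self_keep"}
CONTEXTS = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample policy. The first action mirrors the defaults quoted in the
# review (description text is a placeholder); the second action id is
# hypothetical and exists only to produce a finding.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <vendor>The systemd Project</vendor>
  <action id="org.freedesktop.systemd1.bypass-dump-ratelimit">
    <description>Placeholder description</description>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.example.hypothetical.weak-action">
    <description>Hypothetical action with a permissive default</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""


def audit_policy(xml_text: str) -> dict[str, list[str]]:
    """Return {action id: [findings]}; an empty list means admin-gated in every context."""
    root = ET.fromstring(xml_text)
    report: dict[str, list[str]] = {}
    for action in root.iter("action"):
        action_id = action.get("id", "<missing id>")
        findings: list[str] = []
        defaults = action.find("defaults")
        for ctx in CONTEXTS:
            node = defaults.find(ctx) if defaults is not None else None
            # polkit treats an omitted element as "no"
            value = (node.text or "").strip() if node is not None else "no"
            if value in UNPRIVILEGED:
                findings.append(f"{ctx}={value}: unprivileged callers can obtain this action")
            elif value not in ADMIN_GATED:
                findings.append(f"{ctx}={value!r}: unrecognised implicit authorization")
        report[action_id] = findings
    return report


def admin_only(report: dict[str, list[str]]) -> list[str]:
    """Ids of actions a reviewer can sign off as admin-only."""
    return sorted(a for a, f in report.items() if not f)


def main(argv: list[str]) -> int:
    # Audit the file given on the command line, or the constructed sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_POLICY
    report = audit_policy(text)
    for action_id, findings in report.items():
        print(f"{action_id}: {'OK (admin only)' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against an installed policy (for example a file under `/usr/share/polkit-1/actions/`) to list which actions remain reachable without an administrator; the exit status is non-zero when any finding is present, so it slots into a packaging check.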
Comment 5 Wolfgang Frisch 2023-06-06 10:02:20 UTC
Reviewed and submitted. The changes should hit Factory soon.
https://build.opensuse.org/request/show/1091064
Comment 6 Wolfgang Frisch 2023-06-07 07:27:45 UTC
Released.
Comment 9 Wolfgang Frisch 2023-06-13 15:55:48 UTC
My previous request had the wrong target. Still learning the ropes with regards to ALP. This one should be OK:
https://build.suse.de/request/show/301103
Comment 10 Wolfgang Frisch 2023-06-19 07:36:59 UTC
The ALP submission has been accepted.