Bug 1215873 - AUDIT-WHITELIST: thermald: review of D-Bus file /usr/share/dbus-1/system.d/org.freedesktop.thermald.conf
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Matthias Gerstner
QA Contact: E-mail List
Reported: 2023-10-02 12:49 UTC by Thomas Renninger
Modified: 2024-02-19 14:57 UTC
Description Thomas Renninger 2023-10-02 12:49:43 UTC
Latest thermald package seems to have dbus API modifications which need review by the security team.
The package is intended to be submitted to SLE 15 SP6/ALP afterwards.
You may want to keep this in mind when looking at this:
[SUSE-JIRA] (PED-5716) Impl: Enable support for Thermal Controls on platform
https://jira.suse.com/browse/PED-5716

The submit request for factory showing the dbus security review need is here:
https://build.opensuse.org/request/show/1113687#comment-1827588

Thanks in advance.
Comment 1 Matthias Gerstner 2023-10-02 13:20:28 UTC
Thanks for the review bug. We will schedule the review and report back.
Comment 2 Matthias Gerstner 2023-10-06 12:26:58 UTC
The reason for the badness is that the D-Bus service file has been moved from
/etc/dbus-1 to /usr/share/dbus-1.

Generally it would be a formal change to the whitelisting only. The last
review has been quite a while ago, though, so we should at least look a bit
closer at the current D-Bus implementation if anything problematic is around
these days.
Comment 3 Matthias Gerstner 2023-10-06 13:44:14 UTC
The thermald D-Bus interface is only accessible to root and to members of the
"power" group. By default there are no members of the power group.

In the original audit bug it has been pointed out that it is important that
this stays this way, because some of the API endpoints are not suitable for
access by everybody.

The new whitelisting will be coupled to the D-Bus configuration content, so if
it changes we will notice, thus the danger that something worsens here
without us noticing is reduced.
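
Added example, not part of the bug report or the thermald package: a Python check for the two properties comment 3 relies on, namely that only root and the "power" group may send to the service, and that any change to the file's content sends it back to review. The policy XML is a constructed sample, and the SHA-256 comparison and all function names are assumptions for illustration, not the actual rpmlint whitelisting mechanism.

```python
import hashlib
import xml.etree.ElementTree as ET

SERVICE = "org.freedesktop.thermald"

# Constructed sample modeled on the access rules described in comment 3;
# this is NOT the packaged org.freedesktop.thermald.conf.
SAMPLE_CONF = b"""<busconfig>
  <policy user="root">
    <allow own="org.freedesktop.thermald"/>
    <allow send_destination="org.freedesktop.thermald"/>
  </policy>
  <policy group="power">
    <allow send_destination="org.freedesktop.thermald"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.freedesktop.thermald"/>
  </policy>
</busconfig>
"""

def digest(conf: bytes) -> str:
    return hashlib.sha256(conf).hexdigest()

def allowed_senders(conf: bytes, service: str = SERVICE) -> set:
    """Policy subjects holding an <allow> rule that can match sends to service.

    Conservative simplification: <deny> rules and rule ordering are ignored,
    and an <allow> with send_* attributes but no send_destination is counted.
    """
    subjects = set()
    for policy in ET.fromstring(conf).iter("policy"):
        scope = next((f"{k}={v}" for k, v in policy.attrib.items()
                      if k in ("user", "group", "context", "at_console")), "unscoped")
        for rule in policy.findall("allow"):
            sends = [a for a in rule.attrib if a.startswith("send_")]
            if sends and rule.get("send_destination", service) == service:
                subjects.add(scope)
    return subjects

def audit(conf: bytes, reviewed_digest: str, reviewed_subjects: set) -> list:
    """Findings that should send the file back to review (empty list = OK)."""
    findings = []
    if digest(conf) != reviewed_digest:
        findings.append("content differs from the reviewed version")
    for subject in sorted(allowed_senders(conf) - reviewed_subjects):
        findings.append(f"new sender allowed: {subject}")
    return findings
```

Because the sender check over-approximates, it can flag a file that the bus daemon would still treat as restricted; that errs toward a manual review.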
Comment 4 Matthias Gerstner 2023-10-09 11:55:30 UTC
The whitelisting process has been started.
Comment 6 OBSbugzilla Bot 2023-10-12 19:15:04 UTC
This is an autogenerated message for OBS integration:
This bug (1215873) was mentioned in
https://build.opensuse.org/request/show/1117522 Factory / thermald
Comment 7 Matthias Gerstner 2023-10-16 13:04:45 UTC
The whitelisting is now in Factory and should be effective. Closing as FIXED.
Comment 8 Thomas Renninger 2023-11-20 13:16:16 UTC
Can this change/whitelist also be applied for SLE 15 SP6, please:
https://jira.suse.com/browse/PED-5716

Be aware that thermald does not exist there as a package yet.
The submit request to get this in is here:
https://build.suse.de/request/show/312532

Thanks!
Comment 9 Matthias Gerstner 2023-11-20 14:40:40 UTC
(In reply to trenn@suse.com from comment #8)
> Can this change/whitelist also be applied for SLE 15 SP6, please:
> https://jira.suse.com/browse/PED-5716

Actually, since the basename of the D-Bus configuration files didn't change,
there shouldn't be a new whitelisting necessary for SLE-15. The rpmlint in
SLE-15 does not check full paths.

I couldn't find any rpmlint badness in your SLE-15-SP6 package build, can you
confirm, please?
Comment 10 Matthias Gerstner 2023-11-23 15:19:28 UTC
Can you please give an update regarding comment 9? Thanks!
Comment 11 Matthias Gerstner 2023-12-08 12:13:12 UTC
No reply received to my question. As I see it no whitelisting backport is
necessary for this. Closing again as fixed.