Split UDisk2 permissions, Use disable-mnt to control data storage perms.

sailfishos / sailjail-permissions

Other

5 stars 17 forks source link

Split UDisk2 permissions, Use disable-mnt to control data storage perms. #66

Closed LaakkonenJussi closed 3 years ago

LaakkonenJussi commented 3 years ago

[permissions] Use disable-mnt to control data storage perms, move udisk2 include. OMP#JOLLA-49

Block access to any media mount with disable-mnt in Base.permissions. Grant permissions to all media when DataStorages permission is used, including UDisks2 D-Bus.

Move the UDisks permission include away from Base.permissions. This is to be included separately or via DataStorages permission.

rainemak commented 3 years ago

Nice! Need to check in more detail but that goes tomorrow.

Please combine references to one single line:

[permissions] Use disable-mnt to control data storage perms, move udisks2 include. JB#53818 OMP#JOLLA-49

LaakkonenJussi commented 3 years ago

Also please fill in description of DataStorages to README. I think this could be also moved from internal list to "public" list.

BTW, if you can think of a better name than DataStorages, that could be also changed now.

Yeah well functionality first, documentation second. Early review gets the bugs etc. On it!

LaakkonenJussi commented 3 years ago

The format that needs to be used is:
dbus.system.[call|broadcast] <NAME>[.*]=<INTERFACE>[.*][@<OBJECT>[/*]]
There is no '=' in any of these call rules -> invalid rules for never-going-to-exist names / stte.

The documentation / even code is not always very clear, but you can do at least format checking with e.g.:
$ xdg-dbus-proxy 3>/dev/null --fd=3 fooname barsocket --call=org.freedesktop.UDisks2.Block.Format
'org.freedesktop.UDisks2.Block.Format' is not a valid name + rule
= not ok
$ xdg-dbus-proxy 3>/dev/null --fd=3 fooname barsocket --call=org.freedesktop.UDisks2.Block=org.freedesktop.UDisks2.Block.Format
^C
= ok

Thanks for clarifying my head with this as the documentation did not. Fixed these issues in the files.

LaakkonenJussi commented 3 years ago

Updated the PR and squashed the changes to two separate commits, one for UDisks2 and one for the RemovableMedia. @Tomin1 @spiiroin @okodron I guess this is ready for final review. Checked with sailjail --trace that D-Bus log did not anymore contain any DENIED lines when trying to access removable media.

LaakkonenJussi commented 3 years ago

@okodron waiting for review on your side as well.