[sugar] DOS via D-Bus

John J5 Palmieri johnp
Wed Mar 21 19:24:12 EDT 2007


On Thu, 2007-03-22 at 00:14 +0100, Bert Freudenberg wrote:
> On Mar 20, 2007, at 19:08 , John (J5) Palmieri wrote:
> 

> Well, SJ asked for simple etoy project launching by clicking on a  
> link in a web page. And when that project is run, it can execute  
> arbitrary Squeak code, so without specific counter-measures it could  
> freely access d-bus. It's pretty much as if you'd download and  
> execute arbitrary Python code.
> 
> Before loading a foreign project we enable the squeak sandbox, which  
> for example limits file access to one specific scratch directory. A  
> project is considered foreign if it was not signed with the user's  
> private key (this is the key that is generated when running etoys for  
> the first time). So if you're saying restricting d-bus access would  
> still be valuable, we could arrange that only a specific set of d-bus  
> messages could be sent or received once the sandbox is enabled.

If we used SELinux this would be easy.  We would simply confine any
remote app and define system-wide rules for what dbus interfaces and
names they could access.  This should not be done by the squeak sandbox.
If we have vserver and the vserver guys get me the patch to D-Bus this
should be possible also.

-- 
John (J5) Palmieri <johnp at redhat.com>


