Security: overly permissive policy for dbus services owned by chrome process
Issue description

In ChromeOS, dbus method calls owned by the chrome process that are expected to fail by policy instead succeed. I believe this is caused by the somewhat confusing semantic of `<allow send_destination="..."/>`, meaning "allow all messages to the *owner* of the specified service", and this line specifically: https://cs.chromium.org/chromium/src/chromeos/dbus/services/org.chromium.NetworkProxyService.conf?l=13&rcl=79c18709dcc89c752b5d34241214ab14db9ac768

An example that I expect to fail:

sudo -u nobody dbus-send --system --dest=org.chromium.LibCrosService --type=method_call --print-reply /org/chromium/LibCrosService org.chromium.LibCrosServiceInterface.SetDisplaySoftwareDimming boolean:false

based on this policy: https://cs.chromium.org/chromium/src/chromeos/dbus/services/org.chromium.LibCrosService.conf?rcl=c70a24f50c547d0f93eaa86bbcf4fb344b449561

I am testing a fix now that adds send_interface to the above rule.
Jul 25 2017
Maybe overly paranoid but I'm being intentionally vague in the CL commit message since it will land publicly somewhat before it ships to CrOS...
Jul 26 2017
Thanks! I'll update the "D-Bus best practices" doc to mention this unless you get to it first. Context for others: Chrome now exports multiple services (for https://crbug.com/692246 ), and <allow send_destination=.../> rules referencing one service apparently also match all other services exported by Chrome. Adding send_interface appears to limit the rules as desired. I don't know if there are any other processes on Chrome OS that own multiple service names.
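The matching rule derat describes above, as an added illustration (this is not code from this bug, from Chrome OS, or from dbus-daemon itself): a toy evaluator of busconfig send rules in which `send_destination` is checked against the receiving connection, i.e. "does the receiver own this name?", rather than against the name the message was addressed to. The two policy snippets, the name-owner table and the connection IDs are constructed to mirror the report (one Chrome connection owning both org.chromium.LibCrosService and org.chromium.NetworkProxyService); the interface and method names used for NetworkProxyService are assumptions, not taken from the .conf files.

```python
"""Toy model of how dbus-daemon matches <allow send_destination=.../> rules.

Added illustration for the thread above; not Chrome OS code and not
dbus-daemon's implementation.  Policy snippets, owner table and connection
IDs are constructed; the NetworkProxyService interface/method names are
assumed.  Only send_destination / send_interface / send_member are modelled.
"""
import xml.etree.ElementTree as ET

# Constructed "before" policy: the default-context rule is keyed on the
# *owner* of org.chromium.NetworkProxyService, which is the Chrome connection.
OLD_POLICY = """\
<busconfig>
  <policy user="chronos">
    <allow send_destination="org.chromium.LibCrosService"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.chromium.NetworkProxyService"/>
  </policy>
</busconfig>"""

# Constructed "after" policy: each rule also carries send_interface, as the fix did.
NEW_POLICY = """\
<busconfig>
  <policy user="chronos">
    <allow send_destination="org.chromium.LibCrosService"
           send_interface="org.chromium.LibCrosServiceInterface"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.chromium.NetworkProxyService"
           send_interface="org.chromium.NetworkProxyServiceInterface"/>
  </policy>
</busconfig>"""

# Constructed name-owner table: one Chrome connection, ":1.7", owns both
# Chrome-exported names; ":1.3" stands in for an unrelated daemon.
NAME_OWNERS = {
    "org.chromium.LibCrosService": ":1.7",
    "org.chromium.NetworkProxyService": ":1.7",
    "org.chromium.flimflam": ":1.3",
}


def parse_send_rules(policy_xml):
    """Return (scope, verdict, attrs) tuples in the order dbus-daemon applies
    them: context="default" policies first, then per-user ones, file order
    within each."""
    rules = []
    for policy in ET.fromstring(policy_xml).iter("policy"):
        scope = ("user", policy.attrib["user"]) if "user" in policy.attrib else ("default",)
        for rule in policy:
            if rule.tag in ("allow", "deny") and any(k.startswith("send_") for k in rule.attrib):
                rules.append((scope, rule.tag, dict(rule.attrib)))
    rules.sort(key=lambda r: 0 if r[0] == ("default",) else 1)  # stable sort
    return rules


def can_send(policy_xml, sender_user, dest, interface, member):
    """Would the bus forward a method call from `sender_user` to well-known
    name `dest`?  Starts from the system bus default (system.conf's
    <deny send_type="method_call"/>); the last matching rule wins."""
    receiver = NAME_OWNERS.get(dest)
    if receiver is None:
        return False  # NameHasNoOwner: never reaches policy
    allowed = False
    for scope, verdict, attrs in parse_send_rules(policy_xml):
        if scope[0] == "user" and scope[1] != sender_user:
            continue
        if "send_destination" in attrs:
            # The gotcha: the rule matches if the receiving *connection* owns
            # the rule's name, whatever name the message was addressed to.
            if NAME_OWNERS.get(attrs["send_destination"]) != receiver:
                continue
        if attrs.get("send_interface", interface) != interface:
            continue
        if attrs.get("send_member", member) != member:
            continue
        allowed = verdict == "allow"
    return allowed


# The call from the report: nobody -> LibCrosService.SetDisplaySoftwareDimming
LIBCROS_CALL = dict(dest="org.chromium.LibCrosService",
                    interface="org.chromium.LibCrosServiceInterface",
                    member="SetDisplaySoftwareDimming")


def demo():
    """Evaluate the report's call under both policies."""
    return {
        "old, nobody": can_send(OLD_POLICY, "nobody", **LIBCROS_CALL),    # True: the bug
        "new, nobody": can_send(NEW_POLICY, "nobody", **LIBCROS_CALL),    # False
        "new, chronos": can_send(NEW_POLICY, "chronos", **LIBCROS_CALL),  # True
        # Caveat: send_interface filters on interface, not on the name, so a
        # call to LibCrosService that names the proxy interface is still
        # bus-allowed; Chrome's exported object has to reject it.  (assumed names)
        "new, nobody, proxy iface on LibCros": can_send(
            NEW_POLICY, "nobody", dest="org.chromium.LibCrosService",
            interface="org.chromium.NetworkProxyServiceInterface", member="ResolveProxy"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:40s} {'allowed' if ok else 'denied'}")
```

The last case in demo() is the residual a practitioner should keep in mind after this fix: adding send_interface narrows the rule to an interface, not to the well-known name, so any connection owning several names still needs each exported object to reject methods it does not implement.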
Jul 26 2017
I have the doc change ready, but since it describes the problem, I'll hold off on uploading it until someone offers an opinion about how big of a deal this is. I'm not sure that there's anything interesting one can do by making method calls to a Chrome service from some unauthorized user.
Jul 26 2017
Jul 26 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c56edc06a1b24e3eb2483cedeaefeb1504b0bfaf

commit c56edc06a1b24e3eb2483cedeaefeb1504b0bfaf
Author: Lann Martin <lannm@chromium.org>
Date: Wed Jul 26 16:23:52 2017

dbus: Fix dbus policies for ChromeOS services

BUG=chromium:748695
TEST=deploy to pyro, confirm policy with dbus-send

Change-Id: I7f2afcb7764ac08e043e01260e6b9f4a5261c5e4
Reviewed-on: https://chromium-review.googlesource.com/585669
Reviewed-by: Dan Erat <derat@chromium.org>
Commit-Queue: Lann Martin <lannm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#489663}

[modify] https://crrev.com/c56edc06a1b24e3eb2483cedeaefeb1504b0bfaf/chromeos/dbus/services/org.chromium.KioskAppService.conf
[modify] https://crrev.com/c56edc06a1b24e3eb2483cedeaefeb1504b0bfaf/chromeos/dbus/services/org.chromium.LibCrosService.conf
[modify] https://crrev.com/c56edc06a1b24e3eb2483cedeaefeb1504b0bfaf/chromeos/dbus/services/org.chromium.LivenessService.conf
[modify] https://crrev.com/c56edc06a1b24e3eb2483cedeaefeb1504b0bfaf/chromeos/dbus/services/org.chromium.NetworkProxyService.conf
Jul 26 2017

Jul 27 2017

Jul 28 2017
I'm not super worried about malicious messages flowing *to* Chrome as opposed to *from* Chrome I don't think, but this could be a problem for other Chrome OS services as mentioned. Filed crbug.com/750139 to track.
Aug 2 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/docs/+/6cafa6980096f44a96a9d267ac02a81cfe0601c8

commit 6cafa6980096f44a96a9d267ac02a81cfe0601c8
Author: Daniel Erat <derat@chromium.org>
Date: Wed Jul 26 01:43:19 2017

docs: Mention send_destination gotcha in D-Bus doc.

Make the D-Bus best practices doc mention that using <allow send_destination="..."/> inadvertently grants permission to call methods on other services exported by the same client.

BUG=chromium:748695
TEST=none

Change-Id: I49253b34c93f194a45bb9474cf520194fc6c52bb

[modify] https://crrev.com/6cafa6980096f44a96a9d267ac02a81cfe0601c8/dbus_best_practices.md
Nov 2 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 22 2018
Comment 1 by lannm@google.com, Jul 25 2017