Privilege escalation via com.ubuntu.Upstart.EmitEvent
Issue description

Spin-off from issue 884917 and issue 884511.

Our DBus config allows shill to emit arbitrary upstart events. This means it can trigger any jobs that are gated on events. I don't know whether the DBus interface also allows upstart-internal events to be injected - if so, essentially any job in the system can potentially be triggered. Being able to trigger jobs and pass parameters potentially allows privilege escalation, see original bug for an example.

We should make sure that shill (and other signal emitters, e.g. session_manager) can only trigger the jobs they need to be able to trigger. The bus config files unfortunately don't allow filtering based on parameters (job name in this case). So we'll have to do something else. An approach that would work is to create a "trampoline" job that generates the actual upstart event.
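
The trampoline approach described above, sketched as an added example (this is not the shill-event.sh from the commits listed on this page): a helper that re-emits only allowlisted events and rejects malformed parameters before calling `initctl emit`. The event names, the function names and the `EMIT_CMD` dry-run override are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical trampoline helper; added example, not Chromium OS code.
# Assumed interface: the caller supplies an event name plus KEY=VALUE
# parameters, and only allowlisted events reach `initctl emit`.

# Constructed allowlist; the real event names are not given on the page.
ALLOWED_EVENTS="example-net-connected example-net-disconnected"

# Return 0 only if $1 is exactly one of the allowlisted event names.
event_allowed() {
  case "$1" in
    ''|*[!a-z0-9-]*) return 1 ;;   # empty, or characters outside a-z 0-9 -
  esac
  for ev in $ALLOWED_EVENTS; do
    if [ "$ev" = "$1" ]; then return 0; fi
  done
  return 1
}

# Return 0 only if $1 is KEY=VALUE with a conservative character set,
# so shell metacharacters and newlines never reach downstream jobs.
param_ok() {
  case "$1" in
    *=*) ;;
    *) return 1 ;;
  esac
  key=${1%%=*}
  val=${1#*=}
  case "$key" in ''|*[!A-Z0-9_]*) return 1 ;; esac
  case "$val" in *[!A-Za-z0-9._:-]*) return 1 ;; esac
  return 0
}

# Validate the event and every parameter, then emit.
# EMIT_CMD can be set (e.g. to "echo") for a dry run.
emit_checked() {
  event=$1; shift
  event_allowed "$event" || { echo "rejected event: $event" >&2; return 1; }
  for p in "$@"; do
    param_ok "$p" || { echo "rejected parameter: $p" >&2; return 1; }
  done
  ${EMIT_CMD:-initctl emit} "$event" "$@"
}
```

With this shape, the DBus policy only needs to let the caller start the one helper job, and the allowlist inside the helper decides which events exist from the caller's point of view.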
Oct 9

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/40d151aec7e1ede1aab82ad3a1f7b323ca8e9dad

commit 40d151aec7e1ede1aab82ad3a1f7b323ca8e9dad
Author: Mattias Nissler <mnissler@chromium.org>
Date: Tue Oct 09 14:29:16 2018

chromeos-base/shill: Add shill-event init job

Install the new shill-event init script.

CQ-DEPEND=CL:1252383
BUG= chromium:889709
TEST=None

Change-Id: Iad9566be34cc562ee851a6587763c1a4d8eb2df8
Reviewed-on: https://chromium-review.googlesource.com/1256845
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/40d151aec7e1ede1aab82ad3a1f7b323ca8e9dad/chromeos-base/shill/shill-9999.ebuild
Oct 9

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/cb3d20a8fc8e9a2ef1655a848bfcb1cd3087f3dd

commit cb3d20a8fc8e9a2ef1655a848bfcb1cd3087f3dd
Author: Mattias Nissler <mnissler@chromium.org>
Date: Tue Oct 09 14:29:17 2018

shill: Bump upstart events through a helper job

This allows us to restrict which upstart events shill can generate.

CQ-DEPEND=CL:1256845
BUG= chromium:889709
TEST=connect-disconnect, watch upstart events

Change-Id: Ibb2dd6dbf923f68a52c4893fb0d0af4095b2e125
Reviewed-on: https://chromium-review.googlesource.com/1252383
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/cb3d20a8fc8e9a2ef1655a848bfcb1cd3087f3dd/shill/shims/org.chromium.flimflam.conf
[modify] https://crrev.com/cb3d20a8fc8e9a2ef1655a848bfcb1cd3087f3dd/shill/dbus/chromeos_upstart_proxy.cc
[modify] https://crrev.com/cb3d20a8fc8e9a2ef1655a848bfcb1cd3087f3dd/shill/BUILD.gn
[add] https://crrev.com/cb3d20a8fc8e9a2ef1655a848bfcb1cd3087f3dd/shill/dbus_bindings/upstart-job-shill-event.dbus-xml
[add] https://crrev.com/cb3d20a8fc8e9a2ef1655a848bfcb1cd3087f3dd/shill/init/shill-event.conf
[modify] https://crrev.com/cb3d20a8fc8e9a2ef1655a848bfcb1cd3087f3dd/shill/dbus_bindings/upstart.dbus-xml
[add] https://crrev.com/cb3d20a8fc8e9a2ef1655a848bfcb1cd3087f3dd/shill/init/shill-event.sh
[modify] https://crrev.com/cb3d20a8fc8e9a2ef1655a848bfcb1cd3087f3dd/shill/dbus/chromeos_upstart_proxy.h
Jan 15
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by vapier@chromium.org, Oct 3