| author | Colin Walters <walters@verbum.org> | 2008-12-12 14:50:21 -0500 | 
|---|---|---|
| committer | Colin Walters <walters@verbum.org> | 2008-12-12 14:50:21 -0500 | 
| commit | 3d6abf64d0abb2718e082e120f14f8f923a4af59 (patch) | |
| tree | 7d5df7f4a461fe57ca4afec089a44c7d04085d7f | |
| parent | 8a80392667d016805056c04613d450b2335429aa (diff) | |
Clean up and clarify default system policy
The former was too reliant on old bugs and was generally unclear.
This one makes explicit exactly what is and is not allowed.
| -rw-r--r-- | bus/system.conf.in | 42 | ||||
| -rw-r--r-- | test/name-test/tmp-session-like-system.conf | 51 | 
2 files changed, 46 insertions, 47 deletions
diff --git a/bus/system.conf.in b/bus/system.conf.in
index 1b6e716a..677ffdff 100644
--- a/bus/system.conf.in
+++ b/bus/system.conf.in
@@ -39,33 +39,29 @@
   <listen>@DBUS_SYSTEM_BUS_DEFAULT_ADDRESS@</listen>
   <policy context="default">
-    <!-- Deny everything then punch holes -->
-    <deny send_interface="*"/>
-    <deny receive_interface="*"/>
-    <deny own="*"/>
-    <!-- But allow all users to connect -->
+    <!-- All users can connect to system bus -->
     <allow user="*"/>
-    <!-- Allow anyone to talk to the message bus -->
-    <!-- FIXME I think currently these allow rules are always implicit 
-         even if they aren't in here -->
-    <allow send_destination="org.freedesktop.DBus"/>
-    <allow receive_sender="org.freedesktop.DBus"/>
-    <!-- Allow all signals to be sent by default -->
+
+    <!-- Holes must be punched in service configuration files for
+         name ownership and sending method calls -->
+    <deny own="*"/>
+    <deny send_type="method_call"/>
+
+    <!-- Signals and reply messages (method returns, errors) are allowed
+         by default -->
     <allow send_type="signal"/>
-    <!-- allow sending valid replies -->
     <allow send_requested_reply="true" send_type="method_return"/>
     <allow send_requested_reply="true" send_type="error"/>
-    <!-- allow receiving valid replies -->
-    <allow receive_requested_reply="true"/>
-    <!-- Note: the rule above also allows receiving of all non-reply messages
-         that are not denied later.  See:
-         https://bugs.freedesktop.org/show_bug.cgi?id=18229
-         Potentially this will be replaced in the future by the
-         following two rules:
-    <allow receive_requested_reply="true" receive_type="method_return"/>
-    <allow receive_requested_reply="true" receive_type="error"/>
-    -->
-    <!-- disallow changing the activation environment of system services -->
+
+    <!-- All messages may be received by default -->
+    <allow receive_type="method_call"/>
+    <allow receive_type="method_return"/>
+    <allow receive_type="error"/>
+    <allow receive_type="signal"/>
+
+    <!-- Allow anyone to talk to the message bus -->
+    <allow send_destination="org.freedesktop.DBus"/>
+    <!-- But disallow some specific bus services -->
     <deny send_destination="org.freedesktop.DBus"
           send_interface="org.freedesktop.DBus"
           send_member="UpdateActivationEnvironment"/>
diff --git a/test/name-test/tmp-session-like-system.conf b/test/name-test/tmp-session-like-system.conf
index 96bbf764..b3d9caea 100644
--- a/test/name-test/tmp-session-like-system.conf
+++ b/test/name-test/tmp-session-like-system.conf
@@ -18,27 +18,40 @@
   <!-- intended to match system bus -->
   <policy context="default">
-    <!-- Deny everything then punch holes -->
-    <deny send_interface="*"/>
-    <deny receive_interface="*"/>
-    <deny own="*"/>
-    <!-- But allow all users to connect -->
+    <!-- All users can connect to system bus -->
     <allow user="*"/>
-    <!-- Allow anyone to talk to the message bus -->
-    <!-- FIXME I think currently these eallow rules are always implicit 
-         even if they aren't in here -->
-    <allow send_destination="org.freedesktop.DBus"/>
-    <allow receive_sender="org.freedesktop.DBus"/>
-    <!-- Allow all signals to be sent by default -->
+
+    <!-- Holes must be punched in service configuration files for
+         name ownership and sending method calls -->
+    <deny own="*"/>
+    <deny send_type="method_call"/>
+
+    <!-- Signals and reply messages (method returns, errors) are allowed
+         by default -->
     <allow send_type="signal"/>
-    <!-- valid replies are always allowed -->
     <allow send_requested_reply="true" send_type="method_return"/>
     <allow send_requested_reply="true" send_type="error"/>
-    <allow receive_requested_reply="true"/>
-    <!-- disallow changing the activation environment of system services -->
+
+    <!-- All messages may be received by default -->
+    <allow receive_type="method_call"/>
+    <allow receive_type="method_return"/>
+    <allow receive_type="error"/>
+    <allow receive_type="signal"/>
+
+    <!-- Allow anyone to talk to the message bus -->
+    <allow send_destination="org.freedesktop.DBus"/>
+    <!-- But disallow some specific bus services -->
     <deny send_destination="org.freedesktop.DBus"
           send_interface="org.freedesktop.DBus"
           send_member="UpdateActivationEnvironment"/>
+
+    <!-- Specific to the test suite -->
+    <allow own="org.freedesktop.DBus.TestSuiteEchoService"/>
+    <allow send_destination="org.freedesktop.DBus.TestSuiteEchoService"
+           send_interface="org.freedesktop.DBus.Introspectable"/>
+    <allow send_destination="org.freedesktop.DBus.TestSuiteEchoService"
+           send_interface="org.freedesktop.TestSuite"
+           send_member="EmitFoo"/>
   </policy>
   <policy context="default">
@@ -50,16 +63,6 @@
             send_member="EmitFoo"/>
   </policy>
-  <!-- Config files are placed here that among other things, 
-       further restrict the above policy for specific services. -->
-  <includedir>session.d</includedir>
-
-  <!-- This is included last so local configuration can override what's 
-       in this standard file -->
-  <include ignore_missing="yes">session-local.conf</include>
-
-  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>
-
   <!-- For the session bus, override the default relatively-low limits 
        with essentially infinite limits, since the bus is just running 
        as the user anyway, using up bus resources is not something we need 
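Review bot: The new default policy depends on rule order without saying so: `<allow send_destination="org.freedesktop.DBus"/>` sits after `<deny send_type="method_call"/>`, and the `UpdateActivationEnvironment` deny after that allow, and each only has effect because dbus-daemon lets a later matching rule override an earlier one. A reordering, or a rule appended after this block, would silently reopen or close those holes, so the comment `<!-- But disallow some specific bus services -->` should state the constraint, e.g. `<!-- Later rules override earlier ones: keep these denies after the allow above, and put any further bus-driver restrictions below them -->`. It is also worth recording that the allow covers every method the bus driver exposes and only one member is then denied, so anything the bus driver grows later is reachable by every local user unless a deny is added here. The `<policy context="default">` element closes outside this hunk, and the same block is repeated in the first hunk of test/name-test/tmp-session-like-system.conf, which should carry the same comment.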
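Review bot: The rules added under `<!-- Specific to the test suite -->` appear to duplicate the `<policy context="default">` block that immediately follows, whose trailing context in the next hunk ends with `send_member="EmitFoo"/>`; if that block grants the same TestSuiteEchoService ownership and send rules, one copy should go, since two identical rule sets in the same context are easy to let drift apart. If both are kept deliberately, a one-line comment saying which copy is authoritative would avoid the question recurring. The first `</policy>` is inside this hunk, while the second block's contents are only visible as context of the following pure-deletion hunk.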
