This patch places the check rule into the default context.
<check send_destination="org.tizen.activationd" send_type="method_call"
privilege="http://tizen.org/privilege/internal/sysadmin"/>
This might make processes with System::Privileged, System, User bypass the <check> rule,
but with this cynara rule we apply a default DENY rule for http://tizen.org/privilege/internal/sysadmin.
So, only applications with the privilege can be allowed by the <check> rule.
https://review.tizen.org/gerrit/#/c/platform/core/security/security-manager/+/212942
cyad --set-policy --bucket=MANIFESTS_GLOBAL --client="$client" --user="*" \
    --privilege="http://tizen.org/privilege/internal/sysadmin" --type=DENY
Change-Id: Ie1d05cc24c368e22cbc2f2d5015db11cefbccdd0
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
<policy user="root">
<allow own="org.tizen.activationd"/>
</policy>
+
+ <policy user="system_fw">
+ <allow send_destination="org.tizen.activationd" send_type="method_call"/>
+ </policy>
+
+ <policy user="network_fw">
+ <allow send_destination="org.tizen.activationd" send_type="method_call"/>
+ </policy>
+
<policy context="default">
<deny own="org.tizen.activationd"/>
<deny send_destination="org.tizen.activationd" send_type="method_call"/>
- <allow send_destination="org.tizen.activationd"/>
+ <check send_destination="org.tizen.activationd" send_type="method_call"
+ privilege="http://tizen.org/privilege/internal/sysadmin"/>
</policy>
</busconfig>
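Review bot: The new <policy user="system_fw"> and <policy user="network_fw"> blocks allow method_call to org.tizen.activationd unconditionally, and because dbus-daemon applies user policies after context="default", any process running as either account never reaches the <check> rule for http://tizen.org/privilege/internal/sysadmin. The commit message explains the bypass for System::Privileged, System and User labels but does not say why these two accounts need unchecked access; please add an XML comment above each block naming the callers that depend on it, or drop the blocks so those callers go through the privilege check like everyone else. Separately, in the default context the line <deny send_destination="org.tizen.activationd" send_type="method_call"/> matches exactly what the following <check> matches, and the last matching rule wins, so the deny no longer has any effect for that match; remove it or add a comment saying why it is kept. Note also that removing <allow send_destination="org.tizen.activationd"/> drops the allowance for message types other than method_call, which is worth a line in the commit message if it is intended.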