commit e34e1bbb9728e034ecd86d55c0ac4184907cf88e
author Prashant Malani <pmalani@chromium.org> Mon Dec 28 13:47:12 2020 -0800
committer Commit Bot <commit-bot@chromium.org> Wed Dec 30 13:15:41 2020 +0000
tree 0d233cc8cc8b7310d65132fda1c603e9ac2a0f28
parent 56b6eb406235c05398bb9c440593b0d0c2665c57

debugd: Restrict EC Type C commands to typecd

The EcTypeCTool commands are meant for use by typecd exclusively. Add
D-Bus policy configuration to enforce this.

BUG=b:171725237
TEST=- Run debugd unit tests and ensure they pass.
     - Call the D-Bus command using dbus-send from command line. Verify
       that:
       * Called by itself, the command fails.
       * Called by using '/sbin/minijail0 -u typecd -g typecd', the
       command succeeds and the mode is entered. The command is
       dbus-send --system --dest=org.chromium.debugd
       --print-reply /org/chromium/debugd
       org.chromium.debugd.EcTypeCEnterMode uint32:1 uint32:1
       (Tested on a volteer with a Thunderbolt dock connected on port
       1).

Cq-Depend: chromium:2601785
Change-Id: I536ab4222e373d90e584aa6a7ed2a668c55f0b3d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2605624
Commit-Queue: Prashant Malani <pmalani@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Prashant Malani <pmalani@chromium.org>

debugd/share/org.chromium.debugd.conf

diff --git a/debugd/share/org.chromium.debugd.conf b/debugd/share/org.chromium.debugd.conf
index d737f53..3e52f40 100644
--- a/debugd/share/org.chromium.debugd.conf
+++ b/debugd/share/org.chromium.debugd.conf
@@ -16,6 +16,13 @@
     <deny send_destination="org.chromium.debugd"
           send_interface="org.chromium.debugd"
           send_member="EvaluateProbeFunction" />
+    <!-- Only typecd should access the following commands. -->
+    <deny send_destination="org.chromium.debugd"
+          send_interface="org.chromium.debugd"
+          send_member="EcGetInventory" />
+    <deny send_destination="org.chromium.debugd"
+          send_interface="org.chromium.debugd"
+          send_member="EcTypeCEnterMode" />
   </policy>
 
   <policy user="debugd">
@@ -47,5 +54,14 @@
            send_member="EvaluateProbeFunction" />
   </policy>
 
+  <policy user="typecd">
+    <allow send_destination="org.chromium.debugd"
+           send_interface="org.chromium.debugd"
+           send_member="EcGetInventory" />
+    <allow send_destination="org.chromium.debugd"
+           send_interface="org.chromium.debugd"
+           send_member="EcTypeCEnterMode" />
+  </policy>
+
   <limit name="max_replies_per_connection">512</limit>
 </busconfig>