[Bug 2015538] Re: [MIR] dbus-broker

Lukas Märdian 2015538 at bugs.launchpad.net
Tue Apr 25 13:47:18 UTC 2023


Review for Package: src:dbus-broker

[Summary]
dbus-broker can be considered a drop-in replacement for dbus-daemon, the
reference implementation of the DBus protocol. It is supposed to be a more
modern, faster and safer alternative.

MIR team ACK

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: dbus-broker
Specific binary packages built, but NOT to be promoted to main: None

Notes:
- This needs security review because of data-structure parsing, out-of-tree
  patch (see below), usage of setuid & embedded sources (which can be considered
  part of the project, though).

Required TODOs:
- None

Recommended TODOs:
- consider dropping privileges via systemd unit configuration instead of setuid
- dbus-broker is supposed to be a drop-in replacement; try copying/migrating
  some autopkgtests from src:dbus (especially the apparmor one, as we will
  carry some related modifications)
  

[Duplication]
There is no other package in main providing the same functionality, BUT src:dbus
which we're trying to replace.
Other (deprecated) alternatives include kdbus and bus1 kernel-space
implementations of the broker daemon or gdbus-daemon.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - SRCPKG checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no static linking (but embedded subprojects, see below)
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Includes vendored code, the package has documented how to refresh this
  code at: https://mesonbuild.com/Subprojects.html

Problems:
- embedded source present (several tiny C utils, which are not otherwise
  part of the Ubuntu archive): https://github.com/c-util
$ tree -d subprojects/ | grep "[libc|subprojects]"
subprojects/
├── libcdvar-1
│   ├── src
│   └── subprojects
├── libcini-1
│   ├── src
│   └── subprojects
├── libclist-3
│   └── src
├── libcrbtree-3
│   ├── src
│   │   └── docs
│   └── subprojects
├── libcshquote-1
│   ├── src
│   └── subprojects
├── libcstdaux-1
│   └── src
│       └── docs
└── libcutf8-1
    ├── src
    └── subprojects
21 directories

But, quoting ./NEWS.md (CHANGES WITH v30):
          "All subprojects are still statically linked and considered part of
          dbus-broker. Any critical update to any subproject will cause a new
          release of dbus-broker, as it always did. Distributions are not
          required to monitor the subprojects manually."

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root (it uses the "messagebus" user)
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- parses data formats (structures) from an untrusted source.
- opens a port/socket

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta (currently)
  - we expect an additional distro patch, until merged upstream:
    https://github.com/bus1/dbus-broker/pull/286
- symbols tracking not applicable for this kind of code.
- debian/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems:
- we expect an additional distro patch, until merged upstream:
  https://github.com/bus1/dbus-broker/pull/286

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user nobody
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems:
- usage of setuid (prefer systemd to set those for services)

** Changed in: dbus-broker (Ubuntu)
     Assignee: Lukas Märdian (slyon) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dbus-broker in Ubuntu.
https://bugs.launchpad.net/bugs/2015538

Title:
  [MIR] dbus-broker

Status in dbus-broker package in Ubuntu:
  New

Bug description:
  [Availability]
  The package dbus-broker is already in Ubuntu universe.
  The package dbus-broker builds for the architectures it is designed to work on.
  It currently builds and works for architectures: amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
  Link to package https://launchpad.net/ubuntu/+source/dbus-broker

  [Rationale]
  - The package dbus-broker is required in Ubuntu main to replace dbus-daemon.
  - The package dbus-broker will generally from server to desktop.
  - Package dbus-broker covers the same use case as dbus-daemon but is a better alternative for the reason described in https://dvdhrm.github.io/rethinking-the-dbus-message-bus/. Other distributions have been using it for years, Fedora for example: https://fedoraproject.org/wiki/Changes/DbusBrokerAsTheDefaultDbusImplementation
  - There is no other/better way to solve this that is already in main or
    should go universe->main instead of this.

  - The package dbus-broker is required in Ubuntu main no later than
  August due to FF; ideally we would like to land it earlier in the cycle

  [Security]
  - Had 2 security issues in the past
  1.
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31212
  https://ubuntu.com/security/CVE-2022-31212
  https://security-tracker.debian.org/tracker/CVE-2022-31212

  2.
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31213
  https://ubuntu.com/security/CVE-2022-31213
  https://security-tracker.debian.org/tracker/CVE-2022-31212

  Those reports seem to have been fixed in a timely fashion upstream.
  The issues are resolved in Ubuntu in series > Kinetic.

  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does install services, timers or recurring jobs
  /lib/systemd/system/dbus-broker.service
  /usr/lib/systemd/user/dbus-broker.service

  The system unit uses the following systemd security features:
  OOMScoreAdjust=-900
  LimitNOFILE=16384
  ProtectSystem=full
  PrivateTmp=true
  PrivateDevices=true

  - Package does not open privileged ports (ports < 1024)
  - Package does not contain extensions to security-sensitive software

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package runs a test suite at build time; if it fails,
    it makes the build fail

  https://launchpadlibrarian.net/650445725/buildlog_ubuntu-lunar-amd64.dbus-broker_33-1_BUILDING.txt.gz

  Ok:                 46
  Expected Fail:      0
  Fail:               0
  Unexpected Pass:    0
  Skipped:            0
  Timeout:            0

  - The package runs an autopkgtest, and is currently passing on
    amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
  https://autopkgtest.ubuntu.com/packages/dbus-broker

  - The package does not have failing autopkgtests right now
  - The autopkgtest runs the upstream test suite, so it is not trivial

  [Quality assurance - packaging]
  - debian/watch is present and works

  - debian/control defines a correct Maintainer since it's in sync from
  Debian

  - The package has no lintian warnings
  # lintian --pedantic
  #

  - Please link to a recent build log of the package
  https://launchpadlibrarian.net/650445725/buildlog_ubuntu-lunar-amd64.dbus-broker_33-1_BUILDING.txt.gz

    `lintian --pedantic` as an extra post to this bug.

  - Lintian overrides are present
  # dbus-broker only supports systemd
  dbus-broker: maintainer-script-calls-systemctl
  dbus-broker: package-supports-alternative-init-but-no-init.d-script [lib/systemd/system/dbus-broker.service]
  # need to override dh_installsystemd
  dbus-broker: maintainer-script-empty [prerm]
  dbus-broker: maintainer-script-ignores-errors [prerm]
  # matches dbus-daemon package, activated by socket
  dbus-broker: systemd-service-file-missing-install-key [lib/systemd/system/dbus-broker.service]

  Those have to do with the fact that the package is set to work only with systemd; that's not an issue in Ubuntu since we don't support alternative init systems anyway.
  Also, the service shouldn't be stopped on package removal, to avoid the user session closing:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980541

  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies

  - The package will be installed by default, but does not ask debconf
  questions

  - Packaging and build is easy, https://salsa.debian.org/utopia-team/dbus-broker/-/blob/debian/sid/debian/rules

  [UI standards]
  - Application is not end-user facing (does not need translation)

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  - Owning Teams will be foundations and desktop
  - desktop-packages is already subscribed to the package, we will get foundations added

  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based

  - The package successfully built during the most recent test rebuild

  [Background information]
  The Package description explains the package well
  Upstream Name is dbus-broker
  Link to upstream project https://github.com/bus1/dbus-broker

  The apparmor integration patch in review upstream on
  https://github.com/bus1/dbus-broker/pull/286 has got a +1 from our
  security team, we will include the change either by distro patching or
  through a newer upstream version since that's required for our
  confinement story, especially in snaps.

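As an added example (not code from the review, the bug description or the dbus-broker project), the script below checks a unit file's [Service] section for the systemd security features the bug description lists and for a User= line, which is the way the review recommends dropping privileges instead of setuid. The two unit files are constructed samples with a placeholder binary path; whether a given service can run unprivileged from the start is the project's call, not something this check decides.

```shell
#!/bin/sh
# Added example; not the dbus-broker unit or project code. Checks a unit's
# [Service] section for the hardening keys the bug description lists plus
# User= (privileges dropped by systemd rather than by setuid in the binary).
WANTED="User ProtectSystem PrivateTmp PrivateDevices OOMScoreAdjust LimitNOFILE"

# Print the [Service] section of a unit file without section headers.
service_section() {
    sed -n '/^\[Service\]/,/^\[/{/^\[/d;p;}' "$1"
}
# Value of key $2 in the [Service] section of $1 (last assignment wins).
unit_value() {
    service_section "$1" | sed -n "s/^$2=//p" | tail -n 1
}
# One line per wanted key: "KEY=VALUE" if set, "MISSING KEY" otherwise.
audit_unit() {
    for key in $WANTED; do
        val=$(unit_value "$1" "$key")
        if [ -n "$val" ]; then printf '%s=%s\n' "$key" "$val"
        else printf 'MISSING %s\n' "$key"; fi
    done
}
# Number of wanted keys missing (0 means every listed feature is present).
missing_count() {
    audit_unit "$1" | grep -c '^MISSING ' || true
}

TMP=$(mktemp -d)
# Constructed sample: runs as root, leaving the binary to drop privileges.
cat > "$TMP/weak.service" <<'EOF'
[Unit]
[Service]
ExecStart=/usr/bin/placeholder-broker --scope system
[Install]
WantedBy=multi-user.target
EOF
# Constructed sample: the keys from the bug description plus User=messagebus.
cat > "$TMP/hardened.service" <<'EOF'
[Unit]
[Service]
ExecStart=/usr/bin/placeholder-broker --scope system
User=messagebus
OOMScoreAdjust=-900
LimitNOFILE=16384
ProtectSystem=full
PrivateTmp=true
PrivateDevices=true
EOF

audit_unit "$TMP/weak.service"
audit_unit "$TMP/hardened.service"
```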