r22400 - in /desktop/unstable/gnome-keyring/debian: changelog patches/10_whitelist_system.patch

joss at users.alioth.debian.org
Fri Nov 20 17:14:58 UTC 2009


Author: joss
Date: Fri Nov 20 17:14:57 2009
New Revision: 22400

URL: http://svn.debian.org/wsvn/pkg-gnome/?sc=1&rev=22400
Log:
10_whitelist_system.patch: new patch. Whitelist some system 
directories (/usr/bin and /usr/lib) to avoid drowning the user under 
useless dialogs. If anything evil can be installed in these 
directories, all users on the system are doomed and we can give up 
on any kind of security.

Added:
    desktop/unstable/gnome-keyring/debian/patches/10_whitelist_system.patch
Modified:
    desktop/unstable/gnome-keyring/debian/changelog

Modified: desktop/unstable/gnome-keyring/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/gnome-keyring/debian/changelog?rev=22400&op=diff
==============================================================================
--- desktop/unstable/gnome-keyring/debian/changelog [utf-8] (original)
+++ desktop/unstable/gnome-keyring/debian/changelog [utf-8] Fri Nov 20 17:14:57 2009
@@ -1,3 +1,13 @@
+gnome-keyring (2.28.1-2) unstable; urgency=low
+
+  * 10_whitelist_system.patch: new patch. Whitelist some system 
+    directories (/usr/bin and /usr/lib) to avoid drowning the user under 
+    useless dialogs. If anything evil can be installed in these 
+    directories, all users on the system are doomed and we can give up 
+    on any kind of security.
+
+ -- Josselin Mouette <joss at debian.org>  Fri, 20 Nov 2009 18:09:05 +0100
+
 gnome-keyring (2.28.1-1) unstable; urgency=low
 
   [ Josselin Mouette ]
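Review bot: the changelog entry restates the rationale from the commit log but does not record whether this policy change is Debian-specific or has been proposed upstream; since it changes which applications gnome-keyring lets through without a prompt for every user on the system, state the forwarding status here so the divergence from upstream is documented for later maintainers.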

Added: desktop/unstable/gnome-keyring/debian/patches/10_whitelist_system.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/gnome-keyring/debian/patches/10_whitelist_system.patch?rev=22400&op=file
==============================================================================
--- desktop/unstable/gnome-keyring/debian/patches/10_whitelist_system.patch (added)
+++ desktop/unstable/gnome-keyring/debian/patches/10_whitelist_system.patch [utf-8] Fri Nov 20 17:14:57 2009
@@ -1,0 +1,43 @@
+--- daemon/gkr-daemon-ops.c.orig	2009-11-20 17:52:12.459466388 +0100
++++ daemon/gkr-daemon-ops.c	2009-11-20 18:03:48.779465649 +0100
+@@ -129,6 +129,27 @@
+ 	return FALSE;
+ }
+ 
++
++static gchar *whitelist_paths[] = {
++	"/usr/lib/",
++	"/usr/bin/",
++	NULL
++};
++
++static gboolean
++acl_check_whitelist (GnomeKeyringApplicationRef *app)
++{
++	int i;
++	
++	for (i=0; whitelist_paths[i]; i++) {
++		if (g_str_has_prefix (app->pathname, whitelist_paths[i])) {
++			return TRUE;
++		}
++	}
++	
++	return FALSE;
++}
++
+ static void
+ add_item_acl (GkrKeyringItem *item,
+ 	      GnomeKeyringApplicationRef *app_ref,
+@@ -171,6 +192,12 @@
+ 		return GKR_ASK_STOP_REQUEST;
+ 	}
+ 	
++	/* Whitelist applications that are installed by the system */
++	if (acl_check_whitelist (app)) {
++		ask->response = GKR_ASK_RESPONSE_ALLOW;
++		return GKR_ASK_STOP_REQUEST;
++	}
++	
+ 	/* See if this application already has access to this item */
+ 	if (acl_check_access (item, app, access_type, secret)) {
+ 		ask->response = GKR_ASK_RESPONSE_ALLOW;
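Review bot: `acl_check_whitelist` passes `app->pathname` straight to `g_str_has_prefix` with no NULL check; if the executable path of a requesting application could not be resolved and `pathname` is NULL, `g_str_has_prefix` returns FALSE only after raising a GLib critical warning, so add an explicit `if (app->pathname == NULL) return FALSE;` before the loop. The second hunk places the whitelist test ahead of `acl_check_access`, so a match short-circuits both the per-item ACL and the user prompt without recording anything in the item's ACL, and the test is a bare path-prefix match on the executable, which treats every binary under /usr/bin/ and /usr/lib/ as trusted regardless of what that binary is actually executing; the trust assumption spelled out in the changelog belongs in a DEP-3 header at the top of this patch file (Description, Origin, Forwarded) so the trade-off is visible where the code is. Minor: `static gchar *whitelist_paths[]` holds string literals and should be declared `static const gchar *whitelist_paths[]`, and the added blank lines inside the function body and before the `/* See if this application already has access to this item */` comment carry trailing tab whitespace.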
