From 7977fec0be89ae6fe87405b3f8da2f0b5e415e3d Mon Sep 17 00:00:00 2001
From: Vincent Bernat <vincent@bernat.ch>
Date: Tue, 23 Nov 2021 06:50:59 +0100
Subject: [PATCH] dbus: fix policy to not be overly broad
The DBus policy did not restrict the message destination, allowing any
user to inspect and manipulate any property.
CVE-2021-44225
https://nvd.nist.gov/vuln/detail/CVE-2021-44225
Reference:https://github.com/acassen/keepalived/commit/7977fec0be89ae6fe87405b3f8da2f0b5e415e3d.patch
Conflict:NA
Signed-off-by: Vincent Bernat <vincent@bernat.ch>
---
 keepalived/dbus/org.keepalived.Vrrp1.conf | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/keepalived/dbus/org.keepalived.Vrrp1.conf b/keepalived/dbus/org.keepalived.Vrrp1.conf
index 2b78a575c..b5ced6085 100644
--- a/keepalived/dbus/org.keepalived.Vrrp1.conf
+++ b/keepalived/dbus/org.keepalived.Vrrp1.conf
@@ -3,12 +3,15 @@
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
 <busconfig>
 	<policy user="root">
-		<allow own="org.keepalived.Vrrp1"/>
-		<allow send_destination="org.keepalived.Vrrp1"/>
+		<allow own="org.keepalived.Vrrp1" />
+		<allow send_destination="org.keepalived.Vrrp1" />
 	</policy>
 	<policy context="default">
-		<allow send_interface="org.freedesktop.DBus.Introspectable" />
-		<allow send_interface="org.freedesktop.DBus.Peer" />
-		<allow send_interface="org.freedesktop.DBus.Properties" />
+		<allow send_destination="org.keepalived.Vrrp1"
+		       send_interface="org.freedesktop.DBus.Introspectable" />
+		<allow send_destination="org.keepalived.Vrrp1"
+		       send_interface="org.freedesktop.DBus.Peer" />
+		<allow send_destination="org.keepalived.Vrrp1"
+		       send_interface="org.freedesktop.DBus.Properties" />
 	</policy>
 </busconfig>