fix: tighten DBus policy to restrict direct access to Face1 sensitive methods

[robertkill]

Summary

org.deepin.dde.Face1 DBus policy allowed any local user to call all methods including EnrollStart/VerifyStart/Delete via <policy context=\default\><allow send_destination=\org.deepin.dde.Face1\/></policy>.

Fix: Tighten the default policy to only permit standard DBus interfaces (Introspectable/Peer/Properties), deny the org.deepin.dde.Face1 interface for unprivileged users. deepin-daemon group and root retain full access.

Changes

msic/dbus-conf/org.deepin.dde.Face1.conf — DBus policy:

• Default context: allow Introspectable/Peer/Properties, deny Face1 interface
• deepin-daemon group: allow everything
• root: allow everything

Rationale

The actual callers of Face1 are:

1. deepin-authentication (runs as root, already has its own caller authorization via commit Ia92a3cdb)
2. Processes that go through deepin-security-loader (attaches deepin-daemon group)

No end-user application directly calls org.deepin.dde.Face1.

Verification

Tested on debug machine (10.20.9.188):

Method	uos (regular user)	root
EnrollStart	Access denied	✅ passes
EnrollStop	Access denied	✅ passes
VerifyStart	Access denied	✅ passes
VerifyStop	Access denied	✅ passes
Delete	Access denied	✅ passes
getClaim	✅ works	✅ works
getList	✅ works	✅ works
getCharaType	✅ works	✅ works

PMS: BUG-364733
Influence: 普通用户不再能直接通过 qdbus/busctl 调用 Face1 敏感方法

Summary by Sourcery

Restrict DBus access to the org.deepin.dde.Face1 interface so only root and deepin-daemon processes can invoke its methods while regular users are limited to standard DBus interfaces.

Bug Fixes:

• Prevent unprivileged local users from directly invoking sensitive org.deepin.dde.Face1 methods over DBus by tightening the default policy.

Enhancements:

• Grant the deepin-daemon group and root explicit full DBus access to org.deepin.dde.Face1, including send and receive permissions.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Tightens the DBus security policy for org.deepin.dde.Face1 so only standard DBus interfaces remain available to unprivileged users, while full access is limited to root and members of the deepin-daemon group.

File-Level Changes

Change	Details	Files
Restrict default DBus access to org.deepin.dde.Face1 to only standard introspection/peer/properties interfaces and explicitly deny the Face1 interface for unprivileged users.	Replaced broad allow rule that permitted any method calls on the org.deepin.dde.Face1 destination with interface-specific allow rules for org.freedesktop.DBus.Introspectable, org.freedesktop.DBus.Peer, and org.freedesktop.DBus.Properties. Added an explicit deny rule for traffic targeting the org.deepin.dde.Face1 interface from the default policy context.	msic/dbus-conf/org.deepin.dde.Face1.conf
Grant unrestricted DBus access to org.deepin.dde.Face1 only to trusted principals (deepin-daemon group and root user).	Introduced a policy block for the deepin-daemon group that allows both sending to and receiving from the org.deepin.dde.Face1 service. Replaced the previous deepin-daemon user-based policy with a root user policy that allows both sending to and receiving from the org.deepin.dde.Face1 service, ensuring root retains full access.	msic/dbus-conf/org.deepin.dde.Face1.conf

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[deepin-ci-robot]

deepin pr auto review

这是一个DBus配置文件的变更，主要涉及权限控制的调整。我对这个变更有以下几点分析和建议：

1. 安全性改进：

• 原配置允许所有用户调用Face1的方法，这存在安全隐患。新配置默认只允许标准的DBus接口(Introspectable、Peer、Properties)，这是一个很好的安全增强。
• 新增了对deepin-daemon组和root用户的完整权限控制，明确了特权用户的访问范围。

2. 配置结构优化：

• 配置文件结构更加清晰，通过注释明确划分了不同权限区域。
• 将原来的user级别权限改为group级别，更符合权限管理的最佳实践。

3. 建议改进：

• 建议为deepin-daemon组添加更具体的权限限制，而不是允许"一切"，遵循最小权限原则。
• 可以考虑添加日志记录功能，记录敏感操作的访问情况。
• 建议明确指定允许的接口和方法，而不是使用通配符，这样可以更精确地控制访问权限。

4. 其他建议：

• 考虑添加时间限制或IP限制等额外的安全措施。
• 建议定期审查和更新这些权限配置，确保它们仍然符合当前的安全需求。

总的来说，这个变更提高了系统的安全性，通过默认拒绝所有请求，然后明确允许特定接口和用户的方式，实现了更严格的访问控制。但仍有进一步细化的空间，以实现更精确的权限管理。

[sourcery-ai]

Hey - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: BLumia, mhduiy, robertkill, waterlovemelon

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment