From 80894907937fbfb446df5015a8b44de32fb0e886 Mon Sep 17 00:00:00 2001
From: Robertkill <lvpeilong@uniontech.com>
Date: Wed, 10 Jun 2026 16:31:37 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E6=94=B6=E7=B4=A7=20DBus=20policy=20?=
 =?UTF-8?q?=E9=99=90=E5=88=B6=E6=99=AE=E9=80=9A=E7=94=A8=E6=88=B7=E7=9B=B4?=
 =?UTF-8?q?=E6=8E=A5=E8=B0=83=E7=94=A8=20Face1=20=E6=95=8F=E6=84=9F?=
 =?UTF-8?q?=E6=8E=A5=E5=8F=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

org.deepin.dde.Face1 的 DBus policy 配置中，context=default 放行了
所有方法（含 EnrollStart/VerifyStart/Delete 等），导致任意本地
用户均可通过 system bus 直接调用人脸特征管理操作。

收紧 default policy：只放行 Introspectable/Peer/Properties 标准
接口，拒绝 org.deepin.dde.Face1 接口。deepin-daemon group 和
root 用户不受限（实际的调用者 deepin-authentication 以 root 运行，
或其调用链经 deepin-security-loader 附加了 deepin-daemon group）。

PMS: BUG-364733
Influence: 普通用户不再能直接通过 qdbus/busctl 调用 Face1 敏感方法
---
 msic/dbus-conf/org.deepin.dde.Face1.conf | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/msic/dbus-conf/org.deepin.dde.Face1.conf b/msic/dbus-conf/org.deepin.dde.Face1.conf
index 2029549..a01bf1b 100644
--- a/msic/dbus-conf/org.deepin.dde.Face1.conf
+++ b/msic/dbus-conf/org.deepin.dde.Face1.conf
@@ -10,14 +10,28 @@
     <allow own="org.deepin.dde.Face1"/>
   </policy>
 
-  <!-- Allow anyone to invoke methods on the interfaces -->
+  <!-- Default: deny all Face1 methods, allow standard dbus interfaces -->
   <policy context="default">
-    <allow send_destination="org.deepin.dde.Face1"/>
+    <allow send_destination="org.deepin.dde.Face1"
+           send_interface="org.freedesktop.DBus.Introspectable"/>
+    <allow send_destination="org.deepin.dde.Face1"
+           send_interface="org.freedesktop.DBus.Peer"/>
+    <allow send_destination="org.deepin.dde.Face1"
+           send_interface="org.freedesktop.DBus.Properties"/>
+    <deny send_destination="org.deepin.dde.Face1"
+          send_interface="org.deepin.dde.Face1"/>
+  </policy>
 
+  <!-- deepin-daemon group can call everything -->
+  <policy group="deepin-daemon">
+    <allow send_destination="org.deepin.dde.Face1"/>
+    <allow receive_sender="org.deepin.dde.Face1"/>
   </policy>
-  <policy user="deepin-daemon">
-    <allow own="org.deepin.dde.Face1"/>
-    <allow send_destination="org.deepin.dde.Face1" />
+
+  <!-- Root can call everything -->
+  <policy user="root">
+    <allow send_destination="org.deepin.dde.Face1"/>
+    <allow receive_sender="org.deepin.dde.Face1"/>
   </policy>
 
 </busconfig>