From 389ca1f5b6da73d6e256ca8e53e51a4d623cbc1b Mon Sep 17 00:00:00 2001
From: Jiri Hnidek <jhnidek@redhat.com>
Date: Tue, 31 Oct 2023 17:38:45 +0100
Subject: [PATCH] RHEL-15110: Fix issue with registration using gsd-subman

* We were too agresive, when we fixed CVE in this PR:
  https://github.com/candlepin/subscription-manager/pull/3317
* It is still safe to allow non-root user to create abstract
  socket using Start() on interface com.redhat.RHSM1.RegisterServer
  and destroy it later using Stop(). This abstract socket
  could be later used by root user for calling e.g. Register()
  on interface com.redhat.RHSM1.Register. This is way how
  it works for gsd-subman (run by non-root user) and
  gsd-subman-helper (run by root user).
---
 etc-conf/dbus/system.d/com.redhat.RHSM1.conf | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/etc-conf/dbus/system.d/com.redhat.RHSM1.conf b/etc-conf/dbus/system.d/com.redhat.RHSM1.conf
index 11adf1d798..4c04437aa9 100644
--- a/etc-conf/dbus/system.d/com.redhat.RHSM1.conf
+++ b/etc-conf/dbus/system.d/com.redhat.RHSM1.conf
@@ -79,6 +79,21 @@
             send_interface="com.redhat.RHSM1.Config"
             send_member="Get"/>
 
+        <!--
+        Non-root user can create abstract socket with Start()
+        method and only root user or user with same UID can
+        use this socket. Only root user can use such socket
+        for calling Register() on interface
+        com.redhat.RHSM1.Register
+        -->
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="com.redhat.RHSM1.RegisterServer"
+            send_member="Start"/>
+
+        <allow send_destination="com.redhat.RHSM1"
+            send_interface="com.redhat.RHSM1.RegisterServer"
+            send_member="Stop"/>
+
         <!--
         The UUID returned by following method is read
         from consumer cert. Only this file is not