Task · Resolution: Done · Major · 8.7 · 13 · 2022-Q3
To resolve CVE-2022-0851, we need to pass the activation key to subscription-manager in a different way than through the --activationkey CLI option, as we do now. ptoscano@redhat.com from the subscription-manager team has suggested that we use the Subscription Manager D-Bus API.
- API documentation: https://www.candlepinproject.org/docs/subscription-manager/dbus_objects.html
- Examples:
  - The core of the anaconda communication with sub-man via dbus: https://github.com/rhinstaller/anaconda/blob/master/pyanaconda/modules/subscription/runtime.py
  - Another example, a cockpit plugin: https://github.com/candlepin/subscription-manager-cockpit/tree/main/src
- dbus-python is available in RHEL 6, 7, and 8 (python3-dbus)
- Gchat thread: https://chat.google.com/room/AAAAKerHz_o/0R7qF-PDT3w
- Systemd uses dbus, so it is expected to be running on RHEL 7 and RHEL 8
- Dbus is not installed in the CentOS Linux 6 minimal install (RHEL 6 uses the old anaconda and does not use systemd)
  - We can add a check that dbus is running and require the user to install it first
- Eavesdropping is subject to the security policy from dbus 1.5.6 on
  - Note: DBUS eavesdropping is subject to the system's security policy, so it is not guaranteed to be secure.
  - RHEL 7 has dbus-1.10.0
  - RHEL 6 has dbus 1.2.24, which is subject to eavesdropping
  - From the Fedora dbus-daemon manpage: "The well-known session bus normally allows receiving any message, including eavesdropping. The well-known system bus normally allows receiving any message that was not eavesdropped (any unicast message addressed to the recipient, and any broadcast message)"
  - The man page also explains how to configure a rule to allow or disallow eavesdropping if you want to deviate from that.
- Dbus documentation:
  - https://dbus.freedesktop.org/doc/dbus-daemon.1.html Man page for the daemon. Some information about eavesdropping in here
  - https://dbus.freedesktop.org/doc/dbus-specification.html DBus specification. Some information about eavesdropping in here
  - Google for "dbus eavesdropping" for more in-depth history in mailing lists and the freedesktop bugzilla. Example: https://bugs.freedesktop.org/show_bug.cgi?id=37890
Note: We could use the dbus API later on for more things than just system registration, e.g. for listing available pool IDs.
Acceptance criteria:
- subscription-manager dbus API is used for registering the system instead of passing the activation key through the --activationkey CLI option
- convert2rhel has a check that dbus is installed and running
- measures are taken to avoid eavesdropping on the registration credentials on dbus
- Test case shows that the activation key is not visible from the process list
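An added example (not convert2rhel's or subscription-manager's code) of the flow the ticket asks for: a dbus pre-flight check, registration through the RegisterServer/Register objects with the key passed as a method argument, and a helper for the "not visible in the process list" test case. The bus, object, interface and method names are taken from the linked candlepin documentation as I read it, and the org and key values are placeholders; the connection objects are injected so the flow can be exercised without a live rhsm service.

```python
"""subscription-manager registration over D-Bus: the activation key becomes a
method argument instead of an argv entry readable from /proc/<pid>/cmdline.
Added example, not convert2rhel's code."""
import glob
import os

# Names per the linked candlepin docs as read by this example's author; verify for your version.
RHSM_BUS = "com.redhat.RHSM1"
REGISTER_SERVER_PATH = "/com/redhat/RHSM1/RegisterServer"
REGISTER_SERVER_IFACE = "com.redhat.RHSM1.RegisterServer"
REGISTER_PATH = "/com/redhat/RHSM1/Register"
REGISTER_IFACE = "com.redhat.RHSM1.Register"

def dbus_is_running():
    """Pre-flight check: a CentOS/RHEL 6 minimal install may have no dbus at all."""
    return any(os.path.exists(p) for p in
               ("/run/dbus/system_bus_socket", "/var/run/dbus/system_bus_socket"))

def register_with_activation_keys(system_bus, connect_private, org, keys,
                                  locale="en_US.UTF-8"):
    """RegisterServer.Start -> private bus -> Register -> RegisterServer.Stop.
    system_bus: has get_object(bus_name, path), e.g. dbus.SystemBus().
    connect_private: callable(address) -> connection with get_object(...).
    The private bus is the API's own mitigation for system-bus eavesdropping."""
    server = system_bus.get_object(RHSM_BUS, REGISTER_SERVER_PATH)
    address = server.Start(locale, dbus_interface=REGISTER_SERVER_IFACE)
    try:
        register = connect_private(address).get_object(RHSM_BUS, REGISTER_PATH)
        # The key is a method argument: it never appears on any command line.
        return register.RegisterWithActivationKeys(org, list(keys), {}, {}, locale,
                                                   dbus_interface=REGISTER_IFACE)
    finally:  # tear the private bus down even when registration fails
        server.Stop(locale, dbus_interface=REGISTER_SERVER_IFACE)

def key_visible_in_process_list(key):
    """Acceptance-test helper: does the key show up in any /proc/*/cmdline?"""
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as f:
                if key.encode() in f.read():
                    return True
        except OSError:  # process exited or is not readable
            continue
    return False

if __name__ == "__main__":  # real wiring: needs dbus-python and the rhsm service
    import dbus
    import dbus.connection
    print(register_with_activation_keys(dbus.SystemBus(), dbus.connection.Connection,
                                        "PLACEHOLDER-ORG", ["PLACEHOLDER-KEY"]))
```

Run as root on a RHEL 7/8 host with python3-dbus to exercise the real path; `key_visible_in_process_list` is the check to run in the test case right after registration.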