[apparmor] DBus rule syntax for subject and peer components

Tyler Hicks tyhicks at canonical.com
Tue Jun 11 01:44:13 UTC 2013


I've profiled the system and session bus activity of gnome-screensaver to
provide examples of various DBus policy ideas generated in a previous apparmor
list thread[1].

To start us off, here's the profile using the current DBus syntax. It is
complex, but it uses all of the DBus accesses (send, receive, and
acquire) and it is representative of what a real profile may look like.

/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus bus={system,session} dest=org.freedesktop.DBus (send receive),

  # Sends messages on the system bus
  dbus bus=system dest=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager send,
  dbus bus=system dest=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts send,
  dbus bus=system dest=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties send,

  # Receives messages on the session bus
  dbus bus=session dest=org.gnome.ScreenSaver acquire,
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties receive,
  # It would be nice to be able to specify who gnome-screensaver should receive
  # these messages from since the Lock method is mediated by this rule
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver receive,

  # Sends messages on the session bus
  dbus bus=session dest=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties send,
  dbus bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker send,
  dbus bus=session dest=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties send,
}

There are a few changes needed for the new syntax:

 1. dest= will be changed to name= so that it can identify either the subject's
    or the peer's connection name without causing confusion
 2. method= will be changed to member= so that it can identify either methods
    or signals without causing confusion
 3. There needs to be a way to specify both the subject and peer's address
    components

#3 is what this thread is meant to focus on. In the examples below, the
session bus receive rules are modified to indicate peer connection information,
which is something that cannot be expressed in the current syntax. For the
gnome-screensaver example, it would allow us to specify the peer's connection
name, or even the peer's connection label, that is allowed to call the
org.gnome.ScreenSaver.Lock method.

* Proposal 1 - Leveraging the meaning of arrows

Based on Seth's suggestion[2]. It eliminates the send and receive permissions
and uses arrows to indicate how messages can flow between two different
DBus connections. The acquire permission and syntax is not changed.

dbus [<bus>] [<subject>] [acquire],
dbus [<bus>] [<subject>] [-> | <- | <->] [<peer>], 

/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus bus={system,session} name=org.freedesktop.DBus (send receive),

  # Sends messages on the system bus
  dbus bus=system -> name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager,
  dbus bus=system -> name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts,
  dbus bus=system -> name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties,

  # Receives messages on the session bus
  dbus bus=session name=org.gnome.ScreenSaver acquire,
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties <-,
  # Be selective because the Lock method is mediated by these rules
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver <- label=/usr/bin/gnome-settings-daemon,
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver <- name=com.canonical.indicator.session,

  # Sends messages on the session bus
  dbus bus=session -> name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties,
  dbus bus=session -> path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker,
  dbus bus=session -> name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties,
}

* Proposal 2 - Place the access between the subject and peer

Based on Jamie's "--" suggestion[3]. It moves the access information next to
the subject, because the access is always applied to the subject. The acquire
permission and syntax is not changed.

dbus [<bus>] [<subject>] [acquire],
dbus [<bus>] [<subject>] [(send | receive)] [-- <peer>],

/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus bus={system,session} name=org.freedesktop.DBus (send receive),

  # Sends messages on the system bus
  dbus bus=system send -- name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager,
  dbus bus=system send -- name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts,
  dbus bus=system send -- name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties,

  # Receives messages on the session bus
  dbus bus=session acquire name=org.gnome.ScreenSaver,
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties receive,
  # Be selective because the Lock method is mediated by these rules
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver receive -- label=/usr/bin/gnome-settings-daemon,
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver receive -- name=com.canonical.indicator.session,

  # Sends messages on the session bus
  dbus bus=session send -- name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties,
  dbus bus=session send -- path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker,
  dbus bus=session send -- name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties,
}

* Proposal 3 - Grouping of subject and peer address components

Based on Steve's suggestion[4] and refined by Jamie[5]. It groups the
connection attributes together based on whether it is the subject's connection
attributes or the peer's.

dbus [<bus>] [subj=(<subject>)] [acquire],
dbus [<bus>] [subj=(<subject>)] [peer=(<peer>)] [send | receive],

/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus bus={system,session} peer=(name=org.freedesktop.DBus) (send receive),

  # Sends messages on the system bus
  dbus bus=system peer=(name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager) send,
  dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts) send,
  dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties) send,

  # Receives messages on the session bus
  dbus bus=session subj=(name=org.gnome.ScreenSaver) acquire,
  dbus bus=session subj=(path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties) receive,
  # Be selective because the Lock method is mediated by these rules
  dbus bus=session subj=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(label=/usr/bin/gnome-settings-daemon) receive,
  dbus bus=session subj=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(name=com.canonical.indicator.session) receive,

  # Sends messages on the session bus
  dbus bus=session peer=(name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties) send,
  dbus bus=session peer=(path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker) send,
  dbus bus=session peer=(name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties) send,
}

The original thread[1] included many different ideas as well as tweaks on these
three chosen proposals. If I missed something that you'd like to see included
for consideration, please reply with the gnome-screensaver profile modified
according to your proposal.

Tyler

References:

[1] https://lists.ubuntu.com/archives/apparmor/2013-May/003651.html
[2] https://lists.ubuntu.com/archives/apparmor/2013-May/003696.html
[3] https://lists.ubuntu.com/archives/apparmor/2013-May/003683.html
[4] https://lists.ubuntu.com/archives/apparmor/2013-May/003701.html
[5] https://lists.ubuntu.com/archives/apparmor/2013-May/003707.html
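
An added example, not part of the original post: a Python sketch that parses a send/receive rule written in Proposal 3's grouped form and re-emits it in the Proposal 1 and Proposal 2 forms, showing that all three carry the same subject/peer split. The class and function names are hypothetical; acquire rules and the combined `(send receive)` form are not handled.

```python
import re
from dataclasses import dataclass, field

ARROWS = {"send": "->", "receive": "<-"}   # Proposal 1 direction markers

# Rule copied from the Proposal 3 profile in the post (Lock method mediation).
LOCK_RULE = ("dbus bus=session subj=(path=/org/gnome/ScreenSaver "
             "interface=org.gnome.ScreenSaver) "
             "peer=(label=/usr/bin/gnome-settings-daemon) receive,")

@dataclass
class DBusRule:                 # hypothetical container, not AppArmor code
    bus: str
    access: str                 # "send" or "receive"
    subject: dict = field(default_factory=dict)
    peer: dict = field(default_factory=dict)

def _attrs(d):
    return " ".join(f"{k}={v}" for k, v in d.items())

def _join(*parts):
    # Drop empty components so optional subject/peer parts leave no gaps.
    return "dbus " + " ".join(p for p in parts if p) + ","

def parse_proposal3(line):
    """Parse one Proposal 3 rule: dbus bus=.. [subj=(..)] [peer=(..)] send|receive,"""
    m = re.fullmatch(r"dbus\s+bus=(\S+)\s+(.*?)\s*(send|receive),", line.strip())
    if not m:
        raise ValueError(f"not a Proposal 3 send/receive rule: {line!r}")
    bus, body, access = m.groups()
    group_re = r"(subj|peer)=\(([^)]*)\)"
    if re.sub(group_re, "", body).strip():
        raise ValueError(f"attributes outside subj=()/peer=(): {body!r}")
    groups = {"subj": {}, "peer": {}}
    for kind, inner in re.findall(group_re, body):
        groups[kind] = dict(kv.split("=", 1) for kv in inner.split())
    return DBusRule(bus, access, groups["subj"], groups["peer"])

def to_proposal1(r):            # subject, arrow, peer
    return _join(f"bus={r.bus}", _attrs(r.subject), ARROWS[r.access], _attrs(r.peer))

def to_proposal2(r):            # subject, access, "-- peer"
    peer = f"-- {_attrs(r.peer)}" if r.peer else ""
    return _join(f"bus={r.bus}", _attrs(r.subject), r.access, peer)

def to_proposal3(r):            # grouped subj=(..) peer=(..), access last
    subj = f"subj=({_attrs(r.subject)})" if r.subject else ""
    peer = f"peer=({_attrs(r.peer)})" if r.peer else ""
    return _join(f"bus={r.bus}", subj, peer, r.access)

if __name__ == "__main__":
    rule = parse_proposal3(LOCK_RULE)
    for render in (to_proposal1, to_proposal2, to_proposal3):
        print(render(rule))
```
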