[apparmor] DBus rule syntax for subject and peer components

John Johansen john.johansen at canonical.com
Tue Jun 11 18:54:45 UTC 2013


On 06/10/2013 06:44 PM, Tyler Hicks wrote:
> I've profiled the system and session bus activity of gnome-screensaver to
> provide examples of various DBus policy ideas generated in a previous apparmor
> list thread[1].
> 
> To start us off, here's the profile using the current DBus syntax. It is
> complex, but it uses all of the DBus accesses (send, receive, and
> acquire) and it is representative of what a real profile may look like.
> 
> /usr/bin/gnome-screensaver {
>   # Ignore file and accessibility bus access for this exercise
>   file,
>   dbus bus=accessibility,
> 
>   # Talks to system and session buses
>   dbus bus={system,session} dest=org.freedesktop.DBus (send receive),
> 
>   # Sends messages on the system bus
>   dbus bus=system dest=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager send,
>   dbus bus=system dest=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts send,
>   dbus bus=system dest=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties send,
> 
>   # Receives messages on the session bus
>   dbus bus=session dest=org.gnome.ScreenSaver acquire,
>   dbus bus=session path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties receive,
>   # It would be nice to be able to specify who gnome-screensaver should receive
>   # these messages from since the Lock method is mediated by this rule
>   dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver receive,
> 
I realize this isn't available yet and never will be for this particular
syntax, but on the off chance this can help the discussion, I'll throw in the
label extension here as well.

So for this syntax, I am not sure whether I would use label or rlabel. I have
gone with the assumption of label and that on send/receive rules it means
the remote label.

dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver label=/usr/bin/gnome-settings-daemon receive,


>   # Sends messages on the session bus
>   dbus bus=session dest=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties send,
>   dbus bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker send,
>   dbus bus=session dest=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties send,
> }
> 
> There are a few changes needed for the new syntax:
> 
>  1. dest= will be changed to name= so that it can identify either the subject's
>     or the peer's connection name without causing confusion
>  2. method= will be changed to member= so that it can identify either methods
>     or signals without causing confusion
>  3. There needs to be a way to specify both the subject and peer's address
>     components
> 
> #3 is what this thread is meant to focus on. In the examples below, the
> session bus receive rules are modified to indicate peer connection information,
> which is something that cannot be expressed in the current syntax. For the
> gnome-screensaver example, it would allow us to specify the peer's connection
> name, or even the peer's connection label, that is allowed to call the
> org.gnome.ScreenSaver.Lock method.
> 
> * Proposal 1 - Leveraging the meaning of arrows
> 
> Based on Seth's suggestion[2]. It eliminates the send and receive permissions
> and uses arrows to indicate the how messages can flow between two different
> DBus connections. The acquire permission and syntax is not changed.
> 
> dbus [<bus>] [<subject>] [acquire],
> dbus [<bus>] [<subject>] [-> | <- | <->] [<peer>], 
> 
> /usr/bin/gnome-screensaver {
>   # Ignore file and accessibility bus access for this exercise
>   file,
>   dbus bus=accessibility,
> 
>   # Talks to system and session buses
>   dbus bus={system,session} name=org.freedesktop.DBus (send receive),
> 
>   # Sends messages on the system bus
>   dbus bus=system -> name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager,
>   dbus bus=system -> name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts,
>   dbus bus=system -> name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties,
> 
>   # Receives messages on the session bus
>   dbus bus=session name=org.gnome.ScreenSaver acquire,
>   dbus bus=session path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties <-,
>   # Be selective because the Lock method is mediated by these rules
>   dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver <- label=/usr/bin/gnome-settings-daemon,
>   dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver <- name=com.canonical.indicator.session,
>
>   # Sends messages on the session bus
>   dbus bus=session -> name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties,
>   dbus bus=session -> path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker,
>   dbus bus=session -> name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties,
> }
>
So this is okay, but I find it odd that there is both <- -> indicating a
permission and also the keyword acquire to indicate a permission.

Also, seeing it, I don't like the split (or lack thereof in the case of local
addresses) between the bus= and name=, i.e.
  dbus bus=system -> name=org.freedesktop.Accounts path=/org/freedesktop/Accounts

I realize that is more of a global to the rule, but the rule feels like it is
saying

  from bus=system  send to name=org.freedesktop.Accounts ...

technically true but

  send to bus=system name=org.freedesktop.Accounts ...

reads better to me, as bus is in some sense part of the address; it's just
that it must always be the same for local and remote. I do realize that
bus=system isn't intended as part of the local address, but this syntax just
makes it feel like it is.

> * Proposal 2 - Place the access between the subject and peer
> 
> Based on Jamie's "--" suggestion[3]. It moves the access information next to
> the subject, because the access is always applied to the subject. The acquire
> permission and syntax is not changed.
> 
> dbus [<bus>] [<subject>] [acquire],
> dbus [<bus>] [<subject>] [(send | receive)] [-- <peer>],
> 
> /usr/bin/gnome-screensaver {
>   # Ignore file and accessibility bus access for this exercise
>   file,
>   dbus bus=accessibility,
> 
>   # Talks to system and session buses
>   dbus bus={system,session} name=org.freedesktop.DBus (send receive),
> 
>   # Sends messages on the system bus
>   dbus bus=system send -- name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager,
>   dbus bus=system send -- name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts,
>   dbus bus=system send -- name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties,
> 
>   # Receives messages on the session bus
>   dbus bus=session acquire name=org.gnome.ScreenSaver,
>   dbus bus=session path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties receive,
>   # Be selective because the Lock method is mediated by these rules
>   dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver receive -- label=/usr/bin/gnome-settings-daemon,
>   dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver receive -- name=com.canonical.indicator.session,
> 
>   # Sends messages on the session bus
>   dbus bus=session send -- name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties,
>   dbus bus=session send -- path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker,
>   dbus bus=session send -- name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties,
> }
> 
This reads a little better to me than proposal 1. However, I would probably
prefer the permission moving before the local address:

  dbus bus=session receive path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver -- label=/usr/bin/gnome-settings-daemon,

It makes the location consistent and also serves to separate the bus= from the local address.

> * Proposal 3 - Grouping of subject and peer address components
> 
> Based on Steve's suggestion[4] and refined by Jamie[5]. It groups the
> connection attributes together based on whether it is the subject's connection
> attributes or the peer's.
> 
> dbus [<bus>] [subj=(<subject>)] [acquire],
> dbus [<bus>] [subj=(<subject>)] [peer=(<peer>)] [send | receive],
> 
> /usr/bin/gnome-screensaver {
>   # Ignore file and accessibility bus access for this exercise
>   file,
>   dbus bus=accessibility,
> 
>   # Talks to system and session buses
>   dbus bus={system,session} peer=(name=org.freedesktop.DBus) (send receive),
> 
>   # Sends messages on the system bus
>   dbus bus=system peer=(name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager) send,
>   dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts) send,
>   dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties) send,
> 
>   # Receives messages on the session bus
>   dbus bus=session subj=(name=org.gnome.ScreenSaver) acquire,
>   dbus bus=session subj=(path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties) receive,
>   # Be selective because the Lock method is mediated by these rules
>   dbus bus=session subj=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(label=/usr/bin/gnome-settings-daemon) receive,
>   dbus bus=session subj=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(name=com.canonical.indicator.session) receive,
> 
>   # Sends messages on the session bus
>   dbus bus=session peer=(name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties) send,
>   dbus bus=session peer=(path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker) send,
>   dbus bus=session peer=(name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties) send,
> }
> 
This reads okay as well; it separates bus from the local address, and puts
the permission in a reliable position so that it can be found quickly.

> The original thread[1] included many different ideas as well as tweaks on these
> three chosen proposals. If I missed something that you'd like to see included
> for consideration, please reply with the gnome-screensaver profile modified
> according to your proposal.
> 

Well, there is Proposal 3, except not requiring subj=() for the local address,
as rules are always being written from the subject's perspective:

/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus bus={system,session} peer=(name=org.freedesktop.DBus) (send receive),

  # Sends messages on the system bus
  dbus bus=system peer=(name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager) send,
  dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts) send,
  dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties) send,

  # Receives messages on the session bus
  dbus bus=session name=org.gnome.ScreenSaver acquire,
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties receive,
  # Be selective because the Lock method is mediated by these rules
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver peer=(label=/usr/bin/gnome-settings-daemon) receive,
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver peer=(name=com.canonical.indicator.session) receive,

  # Sends messages on the session bus
  dbus bus=session peer=(name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties) send,
  dbus bus=session peer=(path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker) send,
  dbus bus=session peer=(name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties) send,
}


Of course, this reintroduces the problem of bus=session appearing to be part of
the local address, and an asymmetry in how local and peer addresses are
specified.


I think I am leaning towards proposal 3 but would like to hear other
peoples opinions.
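The point the thread keeps circling back to is that the receive rule on interface org.gnome.ScreenSaver mediates the Lock method, so without a peer side any session-bus connection could call it. The following toy matcher, added here as an illustration and not code from the thread, from AppArmor, or from apparmor_parser, parses the rule shape John ends with (Proposal 3 without subj=()) and evaluates constructed messages against a subset of the gnome-screensaver profile above. Assumptions: rule values are treated as fnmatch globs (AppArmor's own globbing differs; its `*` does not cross `/`), peer-side attributes are carried in the message dict with a `peer.` prefix, and the message dicts and bus names such as `:1.99` are constructed for the example.

```python
import re
from fnmatch import fnmatchcase

# Added example: a toy matcher for the rule shape John ends with (Proposal 3
# minus subj=()). Not apparmor_parser, and not a statement of what AppArmor
# later shipped. Assumptions: rule values are fnmatch globs (AppArmor's own
# globbing differs, e.g. its '*' does not cross '/'), and a message is a flat
# dict whose peer-side attributes carry a 'peer.' prefix.

ACCESSES = {"send", "receive", "acquire"}
PEER_RE = re.compile(r"peer=\(([^)]*)\)")
ACCESS_GROUP_RE = re.compile(r"\(([^)]*)\)")  # the "(send receive)" form


def _expand(value):
    """Expand an alternation such as {system,session} into a set of globs."""
    m = re.fullmatch(r"\{([^}]*)\}", value)
    return set(m.group(1).split(",")) if m else {value}


def parse_rule(line):
    """Parse one 'dbus ... ,' rule into (accesses, {field: set_of_globs}).

    An empty access set means every access (the bare 'dbus bus=accessibility,'
    rule). Attributes inside peer=(...) are stored as 'peer.<attr>'.
    """
    line = line.strip()
    if not (line.startswith("dbus") and line.endswith(",")):
        raise ValueError("not a dbus rule: %r" % line)
    body, fields, accesses = line[len("dbus"):-1], {}, set()

    m = PEER_RE.search(body)              # peer group first: it has parens too
    if m:
        for tok in m.group(1).split():
            k, _, v = tok.partition("=")
            fields["peer." + k] = _expand(v)
        body = body[:m.start()] + body[m.end():]

    m = ACCESS_GROUP_RE.search(body)
    if m:
        accesses |= set(m.group(1).split())
        body = body[:m.start()] + body[m.end():]

    for tok in body.split():
        if tok in ACCESSES:
            accesses.add(tok)
        else:
            k, _, v = tok.partition("=")
            fields[k] = _expand(v)
    if accesses - ACCESSES:
        raise ValueError("unknown access in %r" % line)
    return accesses, fields


def parse_profile(text):
    """Pick the dbus rules out of a profile body; other rules are ignored."""
    return [parse_rule(l) for l in text.splitlines() if l.strip().startswith("dbus")]


def rule_matches(rule, msg):
    accesses, fields = rule
    if accesses and msg["access"] not in accesses:
        return False
    for key, globs in fields.items():     # every field in the rule must match
        value = msg.get(key)
        if value is None or not any(fnmatchcase(value, g) for g in globs):
            return False
    return True


def allowed(rules, msg):
    """Default deny: the access is permitted iff some rule matches it."""
    return any(rule_matches(r, msg) for r in rules)


# A subset of the profile from the post, in the no-subj=() spelling of Proposal 3.
PROFILE = """
/usr/bin/gnome-screensaver {
  file,
  dbus bus=accessibility,
  dbus bus={system,session} peer=(name=org.freedesktop.DBus) (send receive),
  dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts) send,
  dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties) send,
  dbus bus=session name=org.gnome.ScreenSaver acquire,
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties receive,
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver peer=(label=/usr/bin/gnome-settings-daemon) receive,
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver peer=(name=com.canonical.indicator.session) receive,
}
"""

# Constructed messages: a receive carries our object (path/interface/member)
# plus the sender as peer.*; a send carries the destination as peer.*.
LOCK_CALL = {"bus": "session", "access": "receive", "path": "/org/gnome/ScreenSaver",
             "interface": "org.gnome.ScreenSaver", "member": "Lock"}


def lock_from(peer_name, peer_label):
    """The Lock method call as seen by gnome-screensaver, from a given sender."""
    return dict(LOCK_CALL, **{"peer.name": peer_name, "peer.label": peer_label})


if __name__ == "__main__":
    rules = parse_profile(PROFILE)
    print("settings-daemon Lock:", allowed(rules, lock_from(":1.17", "/usr/bin/gnome-settings-daemon")))
    print("unconfined stranger Lock:", allowed(rules, lock_from(":1.99", "unconfined")))
```

Run as a script, the first decision is True and the second False: the two peer=() receive rules admit gnome-settings-daemon by label and the indicator by name, and a connection matching neither is refused, which is exactly what the current dest-only syntax cannot express. Dropping the peer=() group from those two rules (the equivalent of the original `receive` rule) makes the second decision True as well.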