[apparmor] DBus rule syntax for subject and peer components

Tyler Hicks tyhicks at canonical.com
Mon Jun 17 19:39:52 UTC 2013


Jamie had asked for opinions of Proposal 3 vs Proposal 4 and we didn't
get the responses that I had hoped for. There were two votes (Jamie and
myself) for Proposal 3 and one (Seth) for Proposal 4.

Rather than let the conversation come to a halt, I'd like to figure out
what tweaks we'd want to make to Proposal 3. It just so happens that
these tweaks should mostly apply to Proposal 4, as well. However, this
email focuses on 3.

I think it is entirely possible to come up with a single line rule
syntax (a la Proposal 3) that can be extended to a multiple line rule
syntax (a la Proposal 4) in the future.

On 2013-06-10 18:44:13, Tyler Hicks wrote:
> * Proposal 3 - Grouping of subject and peer address components
> 
> Based on Steve's suggestion[4] and refined by Jamie[5]. It groups the
> connection attributes together based on whether it is the subject's connection
> attributes or the peer's.
> 
> dbus [<bus>] [subj=(<subject>)] [acquire],
> dbus [<bus>] [subj=(<subject>)] [peer=(<peer>)] [send | receive],
> 
> /usr/bin/gnome-screensaver {
>   # Ignore file and accessibility bus access for this exercise
>   file,
>   dbus bus=accessibility,
> 
>   # Talks to system and session buses
>   dbus bus={system,session} peer=(name=org.freedesktop.DBus) (send receive),
> 
>   # Sends messages on the system bus
>   dbus bus=system peer=(name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager) send,
>   dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts) send,
>   dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties) send,
> 
>   # Receives messages on the session bus
>   dbus bus=session subj=(name=org.gnome.ScreenSaver) acquire,
>   dbus bus=session subj=(path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties) receive,
>   # Be selective because the Lock method is mediated by these rules
>   dbus bus=session subj=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(label=/usr/bin/gnome-settings-daemon) receive,
>   dbus bus=session subj=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(name=com.canonical.indicator.session) receive,
> 
>   # Sends messages on the session bus
>   dbus bus=session peer=(name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties) send,
>   dbus bus=session peer=(path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker) send,
>   dbus bus=session peer=(name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties) send,
> }
> 

* Proposal 3.1 - Change subj= to subject=

We don't abbreviate any of the other conditional names, so I think this
is a no-brainer and I'm going to include this change in all of the
proposals below.

I'm including this as its own proposal since we may wish to only make
this change.

dbus [<bus>] [subject=(<subject>)] [acquire],
dbus [<bus>] [subject=(<subject>)] [peer=(<peer>)] [send | receive],

/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus bus={system,session} peer=(name=org.freedesktop.DBus) (send receive),

  # Sends messages on the system bus
  dbus bus=system peer=(name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager) send,
  dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts) send,
  dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties) send,

  # Receives messages on the session bus
  dbus bus=session subject=(name=org.gnome.ScreenSaver) acquire,
  dbus bus=session subject=(path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties) receive,
  # Be selective because the Lock method is mediated by these rules
  dbus bus=session subject=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(label=/usr/bin/gnome-settings-daemon) receive,
  dbus bus=session subject=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(name=com.canonical.indicator.session) receive,

  # Sends messages on the session bus
  dbus bus=session peer=(name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties) send,
  dbus bus=session peer=(path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker) send,
  dbus bus=session peer=(name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties) send,
}


* Proposal 3.2 - Move the access to the front

NOTE: This proposal can be combined with any of the other proposals

Move the access towards the front of the rule, just behind the "dbus"
keyword. This may help a policy reader quickly identify what permissions
are being granted by the rule.

I don't like the look of putting the access just after the bus=
conditional, so I'm not including that as an example. If someone feels
very strongly about that option, speak up.

dbus [acquire] [<bus>] [subject=(<subject>)],
dbus [send | receive] [<bus>] [subject=(<subject>)] [peer=(<peer>)],

/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus (send receive) bus={system,session} peer=(name=org.freedesktop.DBus),

  # Sends messages on the system bus
  dbus send bus=system peer=(name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager),
  dbus send bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts),
  dbus send bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties),

  # Receives messages on the session bus
  dbus acquire bus=session subject=(name=org.gnome.ScreenSaver),
  dbus receive bus=session subject=(path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties),
  # Be selective because the Lock method is mediated by these rules
  dbus receive bus=session subject=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(label=/usr/bin/gnome-settings-daemon),
  dbus receive bus=session subject=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(name=com.canonical.indicator.session),

  # Sends messages on the session bus
  dbus send bus=session peer=(name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties),
  dbus send bus=session peer=(path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker),
  dbus send bus=session peer=(name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties),
}


* Proposal 3.3 - Drop the equal signs for grouping

Remove the equals sign from the subject and peer groupings.

dbus [<bus>] [subject(<subject>)] [acquire],
dbus [<bus>] [subject(<subject>)] [peer(<peer>)] [send | receive],

/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus bus={system,session} peer(name=org.freedesktop.DBus) (send receive),

  # Sends messages on the system bus
  dbus bus=system peer(name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager) send,
  dbus bus=system peer(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts) send,
  dbus bus=system peer(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties) send,

  # Receives messages on the session bus
  dbus bus=session subject(name=org.gnome.ScreenSaver) acquire,
  dbus bus=session subject(path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties) receive,
  # Be selective because the Lock method is mediated by these rules
  dbus bus=session subject(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer(label=/usr/bin/gnome-settings-daemon) receive,
  dbus bus=session subject(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer(name=com.canonical.indicator.session) receive,

  # Sends messages on the session bus
  dbus bus=session peer(name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties) send,
  dbus bus=session peer(path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker) send,
  dbus bus=session peer(name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties) send,
}


* Proposal 3.4 - Replace the equal signs with a space for grouping

dbus [<bus>] [subject (<subject>)] [acquire],
dbus [<bus>] [subject (<subject>)] [peer (<peer>)] [send | receive],

/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus bus={system,session} peer (name=org.freedesktop.DBus) (send receive),

  # Sends messages on the system bus
  dbus bus=system peer (name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager) send,
  dbus bus=system peer (name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts) send,
  dbus bus=system peer (name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties) send,

  # Receives messages on the session bus
  dbus bus=session subject (name=org.gnome.ScreenSaver) acquire,
  dbus bus=session subject (path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties) receive,
  # Be selective because the Lock method is mediated by these rules
  dbus bus=session subject (path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer (label=/usr/bin/gnome-settings-daemon) receive,
  dbus bus=session subject (path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer (name=com.canonical.indicator.session) receive,

  # Sends messages on the session bus
  dbus bus=session peer (name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties) send,
  dbus bus=session peer (path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker) send,
  dbus bus=session peer (name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties) send,
}


* Proposal 3.5 - Replace the equal signs with a space and use curly
                 braces for grouping

dbus [<bus>] [subject {<subject>}] [acquire],
dbus [<bus>] [subject {<subject>}] [peer {<peer>}] [send | receive],

/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus bus={system,session} peer {name=org.freedesktop.DBus} (send receive),

  # Sends messages on the system bus
  dbus bus=system peer {name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager} send,
  dbus bus=system peer {name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts} send,
  dbus bus=system peer {name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties} send,

  # Receives messages on the session bus
  dbus bus=session subject {name=org.gnome.ScreenSaver} acquire,
  dbus bus=session subject {path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties} receive,
  # Be selective because the Lock method is mediated by these rules
  dbus bus=session subject {path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver} peer {label=/usr/bin/gnome-settings-daemon} receive,
  dbus bus=session subject {path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver} peer {name=com.canonical.indicator.session} receive,

  # Sends messages on the session bus
  dbus bus=session peer {name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties} send,
  dbus bus=session peer {path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker} send,
  dbus bus=session peer {name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties} send,
}


* Proposal 3.6 - Replace the equals signs with a space and use no
                 characters for grouping

dbus [<bus>] [subject <subject>] [acquire],
dbus [<bus>] [subject <subject>] [peer <peer>] [send | receive],

/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus bus={system,session} peer name=org.freedesktop.DBus (send receive),

  # Sends messages on the system bus
  dbus bus=system peer name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager send,
  dbus bus=system peer name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts send,
  dbus bus=system peer name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties send,

  # Receives messages on the session bus
  dbus bus=session subject name=org.gnome.ScreenSaver acquire,
  dbus bus=session subject path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties receive,
  # Be selective because the Lock method is mediated by these rules
  dbus bus=session subject path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver peer label=/usr/bin/gnome-settings-daemon receive,
  dbus bus=session subject path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver peer name=com.canonical.indicator.session receive,

  # Sends messages on the session bus
  dbus bus=session peer name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties send,
  dbus bus=session peer path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker send,
  dbus bus=session peer name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties send,
}

Tyler
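
Added example, not part of the original email and not AppArmor's parser: a small Python sketch that parses the single-line rule spellings of Proposals 3 through 3.5 (including the access-first order of 3.2) into one structure, showing that they carry the same bus, subject, peer and access information. The function name and the returned dict layout are assumptions made for illustration; Proposal 3.6 is deliberately not handled, because without grouping characters a parser has to infer group boundaries from keyword order.

```python
import re

ACCESSES = {"send", "receive", "acquire"}
# "subj", "subject" or "peer", an optional "=", then a (...) or {...} group
GROUP_RE = re.compile(r"\b(subj|subject|peer)\s*=?\s*(?:\(([^)]*)\)|\{([^}]*)\})")
# a parenthesised access list such as "(send receive)"; it never contains "="
ACCESS_LIST_RE = re.compile(r"\(([^()=]*)\)")

def parse_dbus_rule(line):
    """Parse one single-line dbus rule (Proposals 3 to 3.5) into a dict."""
    rule = line.strip()
    if not (rule.startswith("dbus") and rule.endswith(",")):
        raise ValueError("expected 'dbus ... ,': %r" % line)
    rest = rule[len("dbus"):-1]
    parsed = {"bus": set(), "subject": {}, "peer": {}, "access": set()}

    def take_group(match):
        key = "peer" if match.group(1) == "peer" else "subject"
        body = match.group(2) if match.group(2) is not None else match.group(3)
        parsed[key] = dict(cond.split("=", 1) for cond in body.split())
        return " "

    def take_access_list(match):
        parsed["access"].update(match.group(1).split())
        return " "

    rest = GROUP_RE.sub(take_group, rest)
    rest = ACCESS_LIST_RE.sub(take_access_list, rest)
    for token in rest.split():
        if token.startswith("bus="):
            parsed["bus"] = set(token[4:].strip("{}").split(","))
        else:
            parsed["access"].add(token)
    unknown = parsed["access"] - ACCESSES
    if unknown:  # anything left over is neither a conditional nor an access
        raise ValueError("unrecognised tokens: %s" % sorted(unknown))
    return parsed

# The "Lock method" receive rule from the email, in each proposed spelling.
SUBJ = "path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver"
PEER = "label=/usr/bin/gnome-settings-daemon"
VARIANTS = {
    "3":   "dbus bus=session subj=(%s) peer=(%s) receive," % (SUBJ, PEER),
    "3.1": "dbus bus=session subject=(%s) peer=(%s) receive," % (SUBJ, PEER),
    "3.2": "dbus receive bus=session subject=(%s) peer=(%s)," % (SUBJ, PEER),
    "3.3": "dbus bus=session subject(%s) peer(%s) receive," % (SUBJ, PEER),
    "3.4": "dbus bus=session subject (%s) peer (%s) receive," % (SUBJ, PEER),
    "3.5": "dbus bus=session subject {%s} peer {%s} receive," % (SUBJ, PEER),
}
PARSED = {name: parse_dbus_rule(text) for name, text in VARIANTS.items()}
```

Every entry in PARSED compares equal, while a Proposal 3.6 rule raises ValueError here because its subject and peer conditionals are not delimited.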