[apparmor] DBus rule syntax for subject and peer components
John Johansen
john.johansen at canonical.com
Tue Jun 18 12:09:05 UTC 2013
On 06/17/2013 12:39 PM, Tyler Hicks wrote:
> Jamie had asked for opinions of Proposal 3 vs Proposal 4 and we didn't
> get the responses that I had hoped for. There were two votes (Jamie and
> myself) for Proposal 3 and one (Seth) for Proposal 4.
>
> Rather than let the conversation come to a halt, I'd like to figure out
> what tweaks we'd want to make to Proposal 3. It just so happens that
> these tweaks should mostly apply to Proposal 4, as well. However, this
> email focuses on 3.
>
> I think it is entirely possible to come up with a single line rule
> syntax (a la Proposal 3) that can be extended to a multiple line rule
> syntax (a la Proposal 4) in the future.
>
> On 2013-06-10 18:44:13, Tyler Hicks wrote:
>> * Proposal 3 - Grouping of subject and peer address components
>>
>> Based on Steve's suggestion[4] and refined by Jamie[5]. It groups the
>> connection attributes together based on whether it is the subject's connection
>> attributes or the peer's.
>>
>> dbus [<bus>] [subj=(<subject>)] [acquire],
>> dbus [<bus>] [subj=(<subject>)] [peer=(<peer>)] [send | receive],
>>
>> /usr/bin/gnome-screensaver {
>> # Ignore file and accessibility bus access for this exercise
>> file,
>> dbus bus=accessibility,
>>
>> # Talks to system and session buses
>> dbus bus={system,session} peer=(name=org.freedesktop.DBus) (send receive),
>>
>> # Sends messages on the system bus
>> dbus bus=system peer=(name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager) send,
>> dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts) send,
>> dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties) send,
>>
>> # Receives messages on the session bus
>> dbus bus=session subj=(name=org.gnome.ScreenSaver) acquire,
>> dbus bus=session subj=(path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties) receive,
>> # Be selective because the Lock method is mediated by these rules
>> dbus bus=session subj=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(label=/usr/bin/gnome-settings-daemon) receive,
>> dbus bus=session subj=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(name=com.canonical.indicator.session) receive,
>>
>> # Sends messages on the session bus
>> dbus bus=session peer=(name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties) send,
>> dbus bus=session peer=(path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker) send,
>> dbus bus=session peer=(name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties) send,
>> }
>>
>
> * Proposal 3.1 - Change subj= to subject=
>
+1
> We don't abbreviate any of the other conditional names, so I think this
> is a no-brainer and I'm going to include this change in all of the
> proposals below.
>
> I'm including this as its own proposal since we may wish to only make
> this change.
>
> dbus [<bus>] [subject=(<subject>)] [acquire],
> dbus [<bus>] [subject=(<subject>)] [peer=(<peer>)] [send | receive],
>
> /usr/bin/gnome-screensaver {
> # Ignore file and accessibility bus access for this exercise
> file,
> dbus bus=accessibility,
>
> # Talks to system and session buses
> dbus bus={system,session} peer=(name=org.freedesktop.DBus) (send receive),
>
> # Sends messages on the system bus
> dbus bus=system peer=(name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager) send,
> dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts) send,
> dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties) send,
>
> # Receives messages on the session bus
> dbus bus=session subject=(name=org.gnome.ScreenSaver) acquire,
> dbus bus=session subject=(path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties) receive,
> # Be selective because the Lock method is mediated by these rules
> dbus bus=session subject=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(label=/usr/bin/gnome-settings-daemon) receive,
> dbus bus=session subject=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(name=com.canonical.indicator.session) receive,
>
> # Sends messages on the session bus
> dbus bus=session peer=(name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties) send,
> dbus bus=session peer=(path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker) send,
> dbus bus=session peer=(name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties) send,
> }
>
>
> * Proposal 3.2 - Move the access to the front
>
+0.5 :)
> NOTE: This proposal can be combined with any of the other proposals
>
> Move the access towards the front of the rule, just behind the "dbus"
> keyword. This may help a policy reader quickly identify what permissions
> are being granted by the rule.
>
> I don't like the look of putting the access just after the bus=
> conditional, so I'm not including that as an example. If someone feels
> very strongly about that option, speak up.
>
> dbus [acquire] [<bus>] [subject=(<subject>)],
> dbus [send | receive] [<bus>] [subject=(<subject>)] [peer=(<peer>)],
>
> /usr/bin/gnome-screensaver {
> # Ignore file and accessibility bus access for this exercise
> file,
> dbus bus=accessibility,
>
> # Talks to system and session buses
> dbus (send receive) bus={system,session} peer=(name=org.freedesktop.DBus),
>
> # Sends messages on the system bus
> dbus send bus=system peer=(name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager),
> dbus send bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts),
> dbus send bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties),
>
> # Receives messages on the session bus
> dbus acquire bus=session subject=(name=org.gnome.ScreenSaver),
> dbus receive bus=session subject=(path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties),
> # Be selective because the Lock method is mediated by these rules
> dbus receive bus=session subject=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(label=/usr/bin/gnome-settings-daemon),
> dbus receive bus=session subject=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(name=com.canonical.indicator.session),
>
> # Sends messages on the session bus
> dbus send bus=session peer=(name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties),
> dbus send bus=session peer=(path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker),
> dbus send bus=session peer=(name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties),
> }
>
>
> * Proposal 3.3 - Drop the equal signs for grouping
>
I don't particularly like this
> Remove the equals sign from the subject and peer groupings.
>
> dbus [<bus>] [subject(<subject>)] [acquire],
> dbus [<bus>] [subject(<subject>)] [peer(<peer>)] [send | receive],
>
> /usr/bin/gnome-screensaver {
> # Ignore file and accessibility bus access for this exercise
> file,
> dbus bus=accessibility,
>
> # Talks to system and session buses
> dbus bus={system,session} peer(name=org.freedesktop.DBus) (send receive),
>
> # Sends messages on the system bus
> dbus bus=system peer(name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager) send,
> dbus bus=system peer(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts) send,
> dbus bus=system peer(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties) send,
>
> # Receives messages on the session bus
> dbus bus=session subject(name=org.gnome.ScreenSaver) acquire,
> dbus bus=session subject(path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties) receive,
> # Be selective because the Lock method is mediated by these rules
> dbus bus=session subject(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer(label=/usr/bin/gnome-settings-daemon) receive,
> dbus bus=session subject(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer(name=com.canonical.indicator.session) receive,
>
> # Sends messages on the session bus
> dbus bus=session peer(name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties) send,
> dbus bus=session peer(path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker) send,
> dbus bus=session peer(name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties) send,
> }
>
>
> * Proposal 3.4 - Replace the equal signs with a space for grouping
>
Better for parsing, but I still don't care for it, mostly because it is different from how we have used () elsewhere.
> dbus [<bus>] [subject (<subject>)] [acquire],
> dbus [<bus>] [subject (<subject>)] [peer (<peer>)] [send | receive],
>
> /usr/bin/gnome-screensaver {
> # Ignore file and accessibility bus access for this exercise
> file,
> dbus bus=accessibility,
>
> # Talks to system and session buses
> dbus bus={system,session} peer (name=org.freedesktop.DBus) (send receive),
>
> # Sends messages on the system bus
> dbus bus=system peer (name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager) send,
> dbus bus=system peer (name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts) send,
> dbus bus=system peer (name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties) send,
>
> # Receives messages on the session bus
> dbus bus=session subject (name=org.gnome.ScreenSaver) acquire,
> dbus bus=session subject (path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties) receive,
> # Be selective because the Lock method is mediated by these rules
> dbus bus=session subject (path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer (label=/usr/bin/gnome-settings-daemon) receive,
> dbus bus=session subject (path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer (name=com.canonical.indicator.session) receive,
>
> # Sends messages on the session bus
> dbus bus=session peer (name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties) send,
> dbus bus=session peer (path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker) send,
> dbus bus=session peer (name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties) send,
> }
>
>
> * Proposal 3.5 - Replace the equal signs with a space and use curly
> braces for grouping
>
I can live with this and think it makes the most sense if we are thinking of things at a block level
> dbus [<bus>] [subject {<subject>}] [acquire],
> dbus [<bus>] [subject {<subject>}] [peer {<peer>}] [send | receive],
>
> /usr/bin/gnome-screensaver {
> # Ignore file and accessibility bus access for this exercise
> file,
> dbus bus=accessibility,
>
> # Talks to system and session buses
> dbus bus={system,session} peer {name=org.freedesktop.DBus} (send receive),
>
> # Sends messages on the system bus
> dbus bus=system peer {name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager} send,
> dbus bus=system peer {name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts} send,
> dbus bus=system peer {name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties} send,
>
> # Receives messages on the session bus
> dbus bus=session subject {name=org.gnome.ScreenSaver} acquire,
> dbus bus=session subject {path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties} receive,
> # Be selective because the Lock method is mediated by these rules
> dbus bus=session subject {path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver} peer {label=/usr/bin/gnome-settings-daemon} receive,
> dbus bus=session subject {path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver} peer {name=com.canonical.indicator.session} receive,
>
> # Sends messages on the session bus
> dbus bus=session peer {name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties} send,
> dbus bus=session peer {path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker} send,
> dbus bus=session peer {name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties} send,
> }
>
>
> * Proposal 3.6 - Replace the equals signs with a space and use no
> characters for grouping
>
I think that it is hard to find the grouping for the subject vs peer address
> dbus [<bus>] [subject <subject>] [acquire],
> dbus [<bus>] [subject <subject>] [peer <peer>] [send | receive],
>
> /usr/bin/gnome-screensaver {
> # Ignore file and accessibility bus access for this exercise
> file,
> dbus bus=accessibility,
>
> # Talks to system and session buses
> dbus bus={system,session} peer name=org.freedesktop.DBus (send receive),
>
> # Sends messages on the system bus
> dbus bus=system peer name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager send,
> dbus bus=system peer name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts send,
> dbus bus=system peer name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties send,
>
> # Receives messages on the session bus
> dbus bus=session subject name=org.gnome.ScreenSaver acquire,
> dbus bus=session subject path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties receive,
> # Be selective because the Lock method is mediated by these rules
> dbus bus=session subject path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver peer label=/usr/bin/gnome-settings-daemon receive,
> dbus bus=session subject path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver peer name=com.canonical.indicator.session receive,
>
> # Sends messages on the session bus
> dbus bus=session peer name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties send,
> dbus bus=session peer path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker send,
> dbus bus=session peer name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties send,
> }
>
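The proposals in this thread all describe the same rule shape with different punctuation, and the grouping question is easier to judge with a parser in hand. The following Python is an added example written for this page; it is not AppArmor project code and was not posted by anyone in the thread. It parses the Proposal 3.1 form (subject=(...) and peer=(...) groups, access as a bare word or a parenthesised list, bus as a single name or a {a,b} set) into structured rules and checks sample D-Bus operations against a subset of the gnome-screensaver rules quoted above. The matching semantics are assumptions made for the illustration (shell-style fnmatch globbing of values, an unmentioned conditional matches anything, no access word means every access, as with `file,`); the real AppArmor parser and kernel evaluate dbus rules differently, and the names `parse_rule`, `rule_error`, `policy_allows` and `lock_call_allowed`, as well as the sample label `unconfined`, are this example's own.

```python
"""Toy parser/matcher for the single-line dbus rule form of Proposal 3.1:
    dbus [bus=<bus>] [subject=(k=v ...)] [peer=(k=v ...)] <access>,
Matching semantics are assumptions for this illustration (shell-style globbing
of values, an unmentioned conditional matches anything, no access word means
every access as with "file,"), not how AppArmor itself evaluates dbus rules."""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

ACCESS_WORDS = frozenset({"send", "receive", "acquire"})
_GROUP_RE = re.compile(r"\b(subject|peer)=\(([^)]*)\)")
_TOKEN_RE = re.compile(r"\([^)]*\)|\S+")

@dataclass
class DbusRule:
    buses: Optional[frozenset]   # None: the rule applies on every bus
    subject: Dict[str, str]      # conditionals on the confined process's side
    peer: Dict[str, str]         # conditionals on the other end of the message
    access: frozenset            # subset of ACCESS_WORDS

def _parse_kv(body: str) -> Dict[str, str]:
    pairs = [tok.partition("=") for tok in body.split()]
    if any(not sep or not k or not v for k, sep, v in pairs):
        raise ValueError(f"expected key=value pairs, got {body!r}")
    return {k: v for k, _, v in pairs}

def parse_rule(line: str) -> DbusRule:
    text = line.strip()
    if not (text.startswith("dbus ") or text == "dbus,") or not text.endswith(","):
        raise ValueError(f"not a dbus rule: {line!r}")
    groups: Dict[str, Dict[str, str]] = {"subject": {}, "peer": {}}

    def grab(m):  # lift subject=(...) / peer=(...) out; bus= and access remain
        if groups[m.group(1)]:
            raise ValueError(f"duplicate {m.group(1)}=() in {line!r}")
        groups[m.group(1)] = _parse_kv(m.group(2))
        return " "

    buses, access = None, set()
    for tok in _TOKEN_RE.findall(_GROUP_RE.sub(grab, text[4:-1])):
        if tok.startswith("bus="):
            val = tok[4:]
            buses = frozenset(val[1:-1].split(",") if val.startswith("{") else [val])
        elif tok.startswith("("):
            access.update(tok[1:-1].split())
        elif tok in ACCESS_WORDS:
            access.add(tok)
        else:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
    if not access <= ACCESS_WORDS:
        raise ValueError(f"unknown access {sorted(access - ACCESS_WORDS)} in {line!r}")
    if "acquire" in access and groups["peer"]:
        # The grammar gives acquire subject conditionals only: a name is
        # acquired for the subject itself, so there is no peer to describe.
        raise ValueError(f"acquire rule may not carry peer=(): {line!r}")
    return DbusRule(buses, groups["subject"], groups["peer"], frozenset(access or ACCESS_WORDS))

def rule_error(line: str) -> Optional[str]:
    """The parse error for a rule line, or None if it is well formed."""
    try:
        parse_rule(line)
        return None
    except ValueError as exc:
        return str(exc)

def _conds_match(conds: Dict[str, str], actual: Dict[str, str]) -> bool:
    # Every conditional the rule states must glob-match the operation's
    # attribute; a conditional the rule leaves out matches anything.
    return all(k in actual and fnmatch.fnmatchcase(actual[k], pat) for k, pat in conds.items())

def policy_allows(rules: Iterable[DbusRule], bus: str, access: str,
                  subject: Optional[Dict[str, str]] = None,
                  peer: Optional[Dict[str, str]] = None) -> bool:
    """True if any rule of this allow-only policy permits the operation."""
    return any((r.buses is None or bus in r.buses) and access in r.access
               and _conds_match(r.subject, subject or {}) and _conds_match(r.peer, peer or {})
               for r in rules)

# A subset of the gnome-screensaver rules from the thread, in Proposal 3.1 form.
POLICY = [parse_rule(l) for l in """
dbus bus=accessibility,
dbus bus={system,session} peer=(name=org.freedesktop.DBus) (send receive),
dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties) send,
dbus bus=session subject=(name=org.gnome.ScreenSaver) acquire,
dbus bus=session subject=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(label=/usr/bin/gnome-settings-daemon) receive,
""".strip().splitlines()]

def lock_call_allowed(caller_label: str) -> bool:
    """May a process under this AppArmor label deliver Lock() to the screensaver?"""
    return policy_allows(POLICY, "session", "receive",
                         subject={"path": "/org/gnome/ScreenSaver", "interface": "org.gnome.ScreenSaver"},
                         peer={"label": caller_label})
```

The `lock_call_allowed` check is the point behind the thread's comment "Be selective because the Lock method is mediated by these rules": the rule that admits `receive` on interface org.gnome.ScreenSaver names the peer by label, so a caller under any other label is denied even though it sits on the same bus and targets the same path. The `acquire`-with-`peer=()` rejection shows why the grammar lists the two rule forms separately, and the rule `dbus bus=accessibility,` with no access word grants all three accesses on that bus in this toy, mirroring how a bare `file,` behaves.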