[apparmor] DBus rule syntax for subject and peer components

Tyler Hicks tyhicks at canonical.com
Thu Jun 20 18:41:21 UTC 2013


Proposals that were decisively approved through voting:

* Proposal 3.1 - Change subj= to subject=
* Proposal 3.2 - Move the access to the front

Unfortunately, the way that I laid out the proposals in the last email
did not result in a clear decision on whether people preferred the
original Proposal 3's grouping like subject=() or Proposal 3.5's
subject {} style.

I've revised the profiles to include what we have already approved. I'm
asking for a *quick* set of responses to finalize this today.


* Revised Proposal 3 - subject=() and peer=()

dbus [acquire] [<bus>] [subject=(<subject>)],
dbus [send | receive] [<bus>] [subject=(<subject>)] [peer=(<peer>)],

/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus (send receive) bus={system,session} peer=(name=org.freedesktop.DBus),

  # Sends messages on the system bus
  dbus send bus=system peer=(name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager),
  dbus send bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts),
  dbus send bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties),

  # Receives messages on the session bus
  dbus acquire bus=session subject=(name=org.gnome.ScreenSaver),
  dbus receive bus=session subject=(path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties),
  # Be selective because the Lock method is mediated by these rules
  dbus receive bus=session subject=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(label=/usr/bin/gnome-settings-daemon),
  dbus receive bus=session subject=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(name=com.canonical.indicator.session),

  # Sends messages on the session bus
  dbus send bus=session peer=(name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties),
  dbus send bus=session peer=(path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker),
  dbus send bus=session peer=(name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties),
}


* Revised Proposal 3.5 - subject {} and peer {}

dbus [acquire] [<bus>] [subject {<subject>}],
dbus [send | receive] [<bus>] [subject {<subject>}] [peer {<peer>}],

/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus (send receive) bus={system,session} peer {name=org.freedesktop.DBus},

  # Sends messages on the system bus
  dbus send bus=system peer {name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager},
  dbus send bus=system peer {name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts},
  dbus send bus=system peer {name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties},

  # Receives messages on the session bus
  dbus acquire bus=session subject {name=org.gnome.ScreenSaver},
  dbus receive bus=session subject {path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties},
  # Be selective because the Lock method is mediated by these rules
  dbus receive bus=session subject {path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver} peer {label=/usr/bin/gnome-settings-daemon},
  dbus receive bus=session subject {path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver} peer {name=com.canonical.indicator.session},

  # Sends messages on the session bus
  dbus send bus=session peer {name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties},
  dbus send bus=session peer {path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker},
  dbus send bus=session peer {name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties},
}

Thanks!

Tyler
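As an added example, not part of Tyler's e-mail and not AppArmor's own parser: a small Python matcher that reads rules written in the Revised Proposal 3 syntax and decides whether a constructed message is allowed, so the effect of the "selective" Lock rules can be checked by hand. It goes a little beyond the proposal by assuming semantics the sketch leaves implicit: an omitted access list or bus= means "any", bus={a,b} is an alternation, subject=() and peer=() hold space-separated key=value pairs, a message is allowed when any rule matches every component that rule names, and values are globbed AppArmor-file-rule style ('*' does not cross '/', '**' does). The profile text and message dictionaries are constructed for the example.

```python
# Added example (not from the e-mail or AppArmor itself): a toy matcher for the
# "Revised Proposal 3" rule syntax.  Assumed semantics: an omitted access or bus=
# means "any", bus={a,b} is an alternation, subject=()/peer=() hold key=value pairs,
# values glob AppArmor-style ('*' stops at '/', '**' does not), and a message is
# allowed when any rule matches every component that rule names.
import re

# Constructed: the dbus lines of the proposal's gnome-screensaver profile that matter here.
PROFILE = """
dbus (send receive) bus={system,session} peer=(name=org.freedesktop.DBus),
dbus send bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties),
dbus acquire bus=session subject=(name=org.gnome.ScreenSaver),
dbus receive bus=session subject=(path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties),
dbus receive bus=session subject=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(label=/usr/bin/gnome-settings-daemon),
dbus receive bus=session subject=(path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver) peer=(name=com.canonical.indicator.session),
"""

ALL_ACCESS = frozenset({"acquire", "send", "receive"})
ALL_BUSES = frozenset({"system", "session", "accessibility"})

# dbus [access | (access ...)] [bus=<bus> | bus={<bus>,...}] [subject=(...)] [peer=(...)],
RULE_RE = re.compile(
    r"^dbus(?:\s+(?P<access>\([^)]*\)|acquire|send|receive))?"
    r"(?:\s+bus=(?P<bus>\{[^}]*\}|\w+))?"
    r"(?:\s+subject=\((?P<subject>[^)]*)\))?"
    r"(?:\s+peer=\((?P<peer>[^)]*)\))?\s*,$")


def _glob_to_re(pattern):
    """'**' matches anything, '*' anything except '/'; everything else is literal."""
    parts = re.split(r"(\*\*|\*)", pattern)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


def _component(text):
    """'k=v k2=v2' (None when absent) -> {key: compiled glob}."""
    pairs = {}
    for tok in (text or "").split():
        key, sep, val = tok.partition("=")
        if not (sep and val):
            raise ValueError("bad key=value pair: %r" % tok)
        pairs[key] = _glob_to_re(val)
    return pairs


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable dbus rule: %r" % line)
    access, bus = m.group("access"), m.group("bus")
    accesses = set(ALL_ACCESS) if access is None else set(access.strip("()").split())
    buses = set(ALL_BUSES) if bus is None else set(bus.strip("{}").split(","))
    if not (accesses <= ALL_ACCESS and buses <= ALL_BUSES):
        raise ValueError("unknown access or bus: %r" % line)
    return {"access": accesses, "bus": buses,
            "subject": _component(m.group("subject")), "peer": _component(m.group("peer"))}


def parse_profile(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip().startswith("dbus")]


def _matches(wanted, actual):
    """Every key a rule names must be present in the message and glob-match it."""
    return all(k in actual and rx.match(actual[k]) is not None for k, rx in wanted.items())


def is_allowed(rules, access, bus, subject=None, peer=None):
    """Allow iff some rule covers this access on this bus for both components."""
    subject, peer = subject or {}, peer or {}
    return any(access in r["access"] and bus in r["bus"]
               and _matches(r["subject"], subject) and _matches(r["peer"], peer)
               for r in rules)


def demo():
    """Constructed messages checked against PROFILE; keys explain each case."""
    rules = parse_profile(PROFILE)
    lock = {"path": "/org/gnome/ScreenSaver", "interface": "org.gnome.ScreenSaver"}
    props = {"path": "/org/gnome/ScreenSaver", "interface": "org.freedesktop.DBus.Properties"}
    gsd = {"label": "/usr/bin/gnome-settings-daemon", "name": ":1.7"}
    stranger = {"label": "unconfined", "name": ":1.42"}
    accounts = {"name": "org.freedesktop.Accounts", "interface": "org.freedesktop.DBus.Properties"}
    return {
        # Lock from the confined settings daemon is matched by the label= rule.
        "lock_from_gsd": is_allowed(rules, "receive", "session", lock, gsd),
        # The same call from a peer no rule names is denied: Lock is mediated.
        "lock_from_stranger": is_allowed(rules, "receive", "session", lock, stranger),
        # The Properties rule has no peer= component, so any peer may use it.
        "props_from_stranger": is_allowed(rules, "receive", "session", props, stranger),
        # Session-bus rules say nothing about the system bus.
        "lock_on_system_bus": is_allowed(rules, "receive", "system", lock, gsd),
        # path=/org/freedesktop/Accounts/User* covers User1000 ...
        "accounts_user": is_allowed(rules, "send", "system", None,
                                    dict(accounts, path="/org/freedesktop/Accounts/User1000")),
        # ... but '*' stops at '/', so a deeper object path is not covered.
        "accounts_subpath": is_allowed(rules, "send", "system", None,
                                       dict(accounts, path="/org/freedesktop/Accounts/User1000/Extra")),
    }
```

Calling demo() returns a verdict per constructed case; the two Lock cases are the point of the "Be selective" comment in the profile: a peer= component turns a rule that would otherwise admit any sender into one that admits only the named label or connection name, while the Properties rule without peer= stays open to everyone on the session bus.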