[apparmor] dbus/pair address rule encoding

Jamie Strandboge jamie at canonical.com
Thu May 9 20:20:56 UTC 2013 

On 05/09/2013 02:41 PM, John Johansen wrote:
> 
> Lets look at it as local (subject) address and remote/peer address
> 
> profile subject {
> 
>   dbus name=well.known.address acquire,
> 
>   dbus name=well.known.address receive,  #subject can receive messages on this well.known.address
> 
>   dbus -> name=a.peer.address send,      #subject can send to a peer/remote process using the well known address a.peer.address
> 
>   dbus -> name=a.peer.address receive,   #subject can receive a message from a peer/remote process that sent from its a.peer.address
>                                          # this case is unusual
> 
> }
> 
> note that send atomically gives permission to receive a reply, just not to receive arbitrary new messages
> 
> the unusually case is the one that tyler pointed out as problematic, and I'm not sure it really is but I would like to get this right
> 

This explanation makes things a lot more clear for me. Part of my
problem was that I was trying to apply natural language to the rule, but
your explanation is clear.

That said, and speaking for myself only, I think I got tripped up
because '->' suggests a direction. In most cases this works out ok, but
in the unusual case:
dbus -> name=a.peer.address receive,

my brain was thinking that the '->' meant 'to' and therefore the subject
was sending something to the remote address, but the syntax actually
meant it was receiving something. We can document around this since it
is the unusual case, but will this be so unusual with non-DBus rules
that use the same syntax? Would using 'remote:' be any clearer? Eg:
  dbus name=well.known.address acquire,
  dbus name=well.known.address receive,
  dbus remote: name=a.peer.address send,
  dbus remote: name=a.peer.address receive,

Typing that out, it seems not because the specified access on the RHS of
the peer is actually describing (based on your descriptions, above) what
the subject can do, as opposed to what the peer can do, but my brain
wants the RHS of the peer to correspond to the peer itself, since it is
closer. I don't think there is a way to make that confusion go away by
substituting '->' for something else.

I'm tempted to suggest another syntax, but not sure how it would impact
the non-DBus applications of the syntax.

-- 
Jamie Strandboge                 http://www.ubuntu.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20130509/bffc1103/attachment.pgp>

More information about the AppArmor mailing list