[apparmor] dbus/pair address rule encoding

Tyler Hicks tyhicks at canonical.com
Thu May 9 20:32:37 UTC 2013 

On 2013-05-09 15:20:56, Jamie Strandboge wrote:
> On 05/09/2013 02:41 PM, John Johansen wrote:
> > 
> > Lets look at it as local (subject) address and remote/peer address
> > 
> > profile subject {
> > 
> >   dbus name=well.known.address acquire,
> > 
> >   dbus name=well.known.address receive,  #subject can receive messages on this well.known.address
> > 
> >   dbus -> name=a.peer.address send,      #subject can send to a peer/remote process using the well known address a.peer.address
> > 
> >   dbus -> name=a.peer.address receive,   #subject can receive a message from a peer/remote process that sent from its a.peer.address
> >                                          # this case is unusual
> > 
> > }
> > 
> > note that send atomically gives permission to receive a reply, just not to receive arbitrary new messages
> > 
> > the unusually case is the one that tyler pointed out as problematic, and I'm not sure it really is but I would like to get this right
> > 
> 
> This explanation makes things a lot more clear for me. Part of my
> problem was that I was trying to apply natural language to the rule, but
> your explanation is clear.
> 
> That said, and speaking for myself only, I think I got tripped up
> because '->' suggests a direction. In most cases this works out ok, but
> in the unusual case:
> dbus -> name=a.peer.address receive,

Now that I think about it more, this rule should never be written. It
says, "my peer (a.peer.address) can receive messages from anyone".

apparmor_parser would accept the rule, but it would be an error of the
policy writer.

Tyler

> 
> my brain was thinking that the '->' meant 'to' and therefore the subject
> was sending something to the remote address, but the syntax actually
> meant it was receiving something. We can document around this since it
> is the unusual case, but will this be so unusual with non-DBus rules
> that use the same syntax? Would using 'remote:' be any clearer? Eg:
>   dbus name=well.known.address acquire,
>   dbus name=well.known.address receive,
>   dbus remote: name=a.peer.address send,
>   dbus remote: name=a.peer.address receive,
> 
> Typing that out, it seems not because the specified access on the RHS of
> the peer is actually describing (based on your descriptions, above) what
> the subject can do, as opposed to what the peer can do, but my brain
> wants the RHS of the peer to correspond to the peer itself, since it is
> closer. I don't think there is a way to make that confusion go away by
> substituting '->' for something else.
> 
> I'm tempted to suggest another syntax, but not sure how it would impact
> the non-DBus applications of the syntax.
> 
> -- 
> Jamie Strandboge                 http://www.ubuntu.com/
> 



> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20130509/936fe677/attachment-0001.pgp>

More information about the AppArmor mailing list