[apparmor] dbus/pair address rule encoding

Tyler Hicks tyhicks at canonical.com
Thu May 9 21:53:34 UTC 2013


On 2013-05-09 16:37:06, Jamie Strandboge wrote:
> On 05/09/2013 04:13 PM, Tyler Hicks wrote:
> 
> > Take this rule for example:
> > 
> >   dbus bus=session -> name=com.example.service path=/com/example/service interface=com.example.service receive,
> > 
> > If we adjust our thinking a little it could mean, "a message that flows
> > FROM anywhere TO com.example.service can be received under the
> > current profile."
> > 
> I don't understand this sentence. How can a message flow from anywhere
> to com.example.service and be received by anywhere (which is the
> subject of the current profile)?

It can't be received by anywhere. It can only be received by the
application running under the profile containing that rule.

I'll try my best to better explain this but I'm not confident I will
make it any more clear.

The conditionals are there to match a specific message flow. In this
case, it is FROM anywhere (because there is no address conditional on the
left side of the ->) TO com.example.service.

The permission at the end is there to allow the current profile to do
something when it encounters the message flow. In this case, it is to
receive the message that matches the specified flow.

So, that rule allows for receiving a message that flows from anywhere to
com.example.service.

> 
> I think my brain just melted... :)

Clear as mud now?

Tyler

> 
> -- 
> Jamie Strandboge                 http://www.ubuntu.com/
> 


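The "conditionals describe a flow, the trailing keyword says what the
confined application may do with it" reading above, as an added
illustration that is not part of this thread and is not AppArmor's own
parser: a toy Python parser for the proposed "->" rule form, run against
the exact rule from the message with a few constructed D-Bus messages. The
grammar it assumes (an optional bus= conditional, then sender address
conditionals, "->", destination address conditionals, one trailing
permission) and the message dictionaries are my own simplifications; the
"->" form was a proposal under discussion here, not shipped rule syntax.

```python
"""Toy model of the '->' dbus rule form discussed in this thread.

Added illustration, not AppArmor's parser or its shipped rule syntax.
The model treats the conditionals as a description of a message flow
(FROM the address left of '->' TO the address right of it) and the
trailing keyword as what the application confined by the profile that
contains the rule may do with a message matching that flow.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Address conditionals that may appear on either side of '->' (assumed set).
ADDRESS_CONDS = {"name", "path", "interface", "member"}
PERMISSIONS = {"send", "receive"}


@dataclass(frozen=True)
class FlowRule:
    bus: Optional[str]   # rule-wide conditional; None means any bus
    src: dict            # constraints on the message's sender (left of '->')
    dst: dict            # constraints on the message's destination (right of '->')
    permission: str      # what the confined application may do with the flow


def _parse_conds(text):
    conds = {}
    for tok in text.split():
        key, sep, value = tok.partition("=")
        if not sep or key not in ADDRESS_CONDS:
            raise ValueError(f"unexpected address conditional {tok!r}")
        conds[key] = value
    return conds


def parse_rule(rule):
    """Parse 'dbus [bus=X] <src conds> -> <dst conds> <perm>,' into a FlowRule."""
    m = re.fullmatch(r"\s*dbus\s+(.*?)\s*,\s*", rule, re.S)
    if not m:
        raise ValueError("rule must start with 'dbus' and end with ','")
    tokens = m.group(1).split()
    if not tokens or tokens[-1] not in PERMISSIONS:
        raise ValueError("rule must end with a permission keyword")
    permission = tokens.pop()
    bus = None
    if tokens and tokens[0].startswith("bus="):
        bus = tokens.pop(0)[len("bus="):]
    if "->" not in tokens:
        raise ValueError("this toy only models the '->' form")
    arrow = tokens.index("->")
    return FlowRule(bus, _parse_conds(" ".join(tokens[:arrow])),
                    _parse_conds(" ".join(tokens[arrow + 1:])), permission)


def flow_matches(rule, msg):
    """True when the message's bus, sender and destination satisfy every conditional.

    An empty side (e.g. nothing left of '->') constrains nothing: 'FROM anywhere'.
    """
    if rule.bus is not None and msg["bus"] != rule.bus:
        return False
    for side in ("src", "dst"):
        wanted = getattr(rule, side)
        actual = msg[side]
        if any(actual.get(k) != v for k, v in wanted.items()):
            return False
    return True


def allowed(rules, msg, action):
    """Does any rule of the current profile let its confined app do `action` on this flow?"""
    return any(flow_matches(r, msg) and r.permission == action for r in rules)


# The rule from the thread, verbatim.
RULE = ("dbus bus=session -> name=com.example.service "
        "path=/com/example/service interface=com.example.service receive,")

# Constructed messages (not captured traffic). The sender is left unconstrained
# by the rule, so its unique name ':1.42' is irrelevant to the match.
TO_SERVICE = {"bus": "session",
              "src": {"name": ":1.42"},
              "dst": {"name": "com.example.service",
                      "path": "/com/example/service",
                      "interface": "com.example.service"}}
WRONG_PATH = {**TO_SERVICE, "dst": {**TO_SERVICE["dst"], "path": "/other"}}
SYSTEM_BUS = {**TO_SERVICE, "bus": "system"}

if __name__ == "__main__":
    rules = [parse_rule(RULE)]
    print(allowed(rules, TO_SERVICE, "receive"))  # True: flow matches, app may receive it
    print(allowed(rules, TO_SERVICE, "send"))     # False: the rule grants receive only
    print(allowed(rules, WRONG_PATH, "receive"))  # False: destination path differs
    print(allowed(rules, SYSTEM_BUS, "receive"))  # False: rule is scoped to the session bus
```

The point the model makes concrete: the address conditionals never say
who receives the message; they only pick out the flow. Which process gets
the "receive" permission is fixed by which profile the rule lives in.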