[apparmor] Custom DBUS daemon and apparmor

Sébastien Sénéchal altagir at gmail.com
Tue Nov 19 16:03:24 UTC 2013


Hello all

I am writing an app using remote DBUS for communication.

Since dbus 1.6.12, apparmor is used for authentication, so I am trying to
find the correct way to set it up…


This involves:

- a dbus listening on tcp:host=127.0.0.1,bind=*,port=14500

    dbus-daemon --config-file=/etc/dbus-1/custom.conf

- the service itself, which connects to the bus and registers the service

- clients who can then send calls to the service


When I used <apparmor mode="disabled"/> in /etc/dbus-1/custom.conf,
everything works fine.


I re-enabled apparmor in the dbus-daemon config file and I created an apparmor
profile for my daemon:

/usr/lib/kde4/libexec/mydaemeon {
  dbus,
  network,
  capability,
  ….
}

same for /usr/bin/clients


Issue is that connection is always closed….

telnet 127.0.0.1 14500 works only when disabled, else connection is closed.


The apparmor profile seems fine (it works when using system dbus + apparmor), but
it fails when connecting using a QDBusConnection with a custom bus.

QDBusConnection lasterror :

Did not receive a reply. Possible causes include: the remote application
did not send a reply, the message bus security policy blocked the reply,
the reply timeout expired, or the network connection was broken.


I also attempted configuring a profile for /usr/daemon-bus, to no avail…


I see nothing in kernel.log related to apparmor… no denials. Yet it is
apparmor that prevents me from accessing that port…


Has anyone attempted to have a custom dbus accept incoming connections other
than by disabling apparmor? Or any ideas?

I saw from the dev list that some work was needed on IPC. Is that a
limitation/bug?


Thanks in advance, I am getting stuck on this


regards



Below is my custom dbus (127.0.0.1 is an example; it can be a local static
interface):


<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
 <fork/>
 <servicedir>/usr/share/dbus-1/system-services</servicedir>
 <syslog/>
 <listen>tcp:host=127.0.0.1,bind=*,port=14500</listen>
 <allow_anonymous/>
 <listen>unix:path=/var/run/dbus/system_x10dbus_socket</listen>
 <includedir>/etc/dbus-1/system.d/</includedir>
</busconfig>
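
Added example, not part of the original message and not code from dbus or AppArmor: a small audit of a busconfig like the one posted, parsing each <listen> address and reporting the settings that decide who can reach the bus. The function names and the SAMPLE text (the posted config, trimmed, with the <apparmor mode="disabled"/> line from the message added) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample: the posted busconfig, trimmed, plus the <apparmor> line
# that the message says was used while testing.
SAMPLE = """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
 <fork/>
 <listen>tcp:host=127.0.0.1,bind=*,port=14500</listen>
 <allow_anonymous/>
 <listen>unix:path=/var/run/dbus/system_x10dbus_socket</listen>
 <apparmor mode="disabled"/>
</busconfig>"""

def parse_address(addr):
    """Split one D-Bus address 'transport:k=v,k=v' into (transport, params)."""
    transport, _, rest = addr.strip().partition(":")
    params = {}
    for pair in filter(None, rest.split(",")):
        key, _, value = pair.partition("=")
        params[key] = unquote(value)  # D-Bus address values use %XX escaping
    return transport, params

def audit(xml_text):
    """Return a list of findings about network exposure of the bus."""
    root = ET.fromstring(xml_text)  # the external DTD is not fetched
    findings = []
    anonymous = root.find("allow_anonymous") is not None
    for listen in root.iter("listen"):
        # One <listen> may hold several addresses separated by ';'
        for addr in filter(None, (listen.text or "").split(";")):
            transport, p = parse_address(addr)
            if transport not in ("tcp", "nonce-tcp"):
                continue
            # 'bind' falls back to 'host' when it is not given
            if p.get("bind", p.get("host", "")) == "*":
                findings.append(f"port {p.get('port')}: bind=* listens on all interfaces")
            if anonymous:
                findings.append(f"port {p.get('port')}: TCP listener accepts anonymous clients")
    node = root.find("apparmor")
    if node is not None and node.get("mode") == "disabled":
        findings.append("apparmor mode is disabled for this bus")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```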