[apparmor] Custom DBUS daemon and apparmor

Tyler Hicks tyhicks at canonical.com
Tue Nov 19 17:02:01 UTC 2013


On 2013-11-19 11:03:24, Sébastien Sénéchal wrote:
> Hello all
> 
> I am writing an app using remote DBUS for communication
> 
> Since dbus 1.6.12, apparmor is used for authentication, so I am trying to
> find the correct way to set it up…
> 
> 
> this involves:
> 
> - a dbus listening on tcp:host=127.0.0.1,bind=*,port=14500

Oof... AppArmor should be disabled if a tcp address is used. The
AppArmor mediation code only has the ability to check peer labels over
UNIX domain sockets. It is most likely seeing an error when getting the
label and then refusing the connection.

It looks like the SELinux mediation support in D-Bus has the same bug:

  https://bugzilla.redhat.com/show_bug.cgi?id=890658

Would you mind opening a bug in Launchpad? I'll fix this for 14.04.

Tyler

> 
>  dbus-daemon --config-file=/etc/dbus-1/custom.conf
> 
> - the service itself, which connects to the bus and registers the service
> 
> - clients who can then send calls to the service
> 
> 
> When I used <apparmor mode="disabled"/> in /etc/dbus-1/custom.conf,
> everything works fine.
> 
> 
> I re-enabled apparmor in the dbus-daemon config file and I created an apparmor
> profile for my daemon
> 
> /usr/lib/kde4/libexec/mydaemeon {
>   dbus,
>   network,
>   capability,
>   ….
> }
> 
> same for /usr/bin/clients
> 
> 
> Issue is that connection is always closed….
> 
> telnet 127.0.0.1 14500 works only when disabled, else connection is closed.
> 
> 
> apparmor profile seems fine (works when using system dbus + apparmor). but
> fails connecting using a QDBusConnection with a custom bus
> 
> QDBusConnection lasterror :
> 
> Did not receive a reply. Possible causes include: the remote application
> did not send a reply, the message bus security policy blocked the reply,
> the reply timeout expired, or the network connection was broken.
> 
> 
> I also attempted configuring a profile for /usr/daemon-bus, to no avail…
> 
> 
> I see nothing in kernel.log related to apparmor… no denials, yet it is
> apparmor that prevents me from accessing that port…
> 
> 
> Has anyone attempted to have a custom dbus accept incoming connections other
> than by disabling apparmor? Or any ideas?
> 
> I saw from the dev list that some work was needed on IPC. Is that a
> limitation/bug?
> 
> 
> Thanks in advance, I am getting stuck on this
> 
> 
> regards
> 
> 
> 
> below is my custom dbus : (127.0.0.1 example, can be a local static
> interface)
> 
> 
> <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
>  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
> 
> <busconfig>
> 
>  <fork/>
> 
>  <servicedir>/usr/share/dbus-1/system-services</servicedir>
> 
>  <syslog/>
> 
>  <listen>tcp:host=127.0.0.1,bind=*,port=14500</listen>
> 
>  <allow_anonymous/>
> 
>  <listen>unix:path=/var/run/dbus/system_x10dbus_socket</listen>
> 
>  <includedir>/etc/dbus-1/system.d/</includedir>
> 
> </busconfig>
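
A config check based on the reply above, as an added example that is not part of the original thread or of D-Bus itself: it parses a busconfig file and flags TCP listeners when AppArmor mediation is not disabled, since peer labels can only be checked over UNIX domain sockets. It goes slightly beyond the message by also flagging `bind=*` and `<allow_anonymous/>` on such listeners; the function names and the treatment of a missing `<apparmor>` element as "not disabled" are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the configuration quoted in the message above.
SAMPLE = """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
 <fork/>
 <listen>tcp:host=127.0.0.1,bind=*,port=14500</listen>
 <allow_anonymous/>
 <listen>unix:path=/var/run/dbus/system_x10dbus_socket</listen>
</busconfig>"""

TCP_TRANSPORTS = ("tcp", "nonce-tcp")  # transports with no peer label to check


def parse_address(addr):
    """Split one D-Bus address 'transport:k=v,k=v' into (transport, params)."""
    transport, _, rest = addr.partition(":")
    params = dict(kv.split("=", 1) for kv in rest.split(",") if "=" in kv)
    return transport, params


def audit_busconfig(xml_text):
    """Return (address, finding) pairs for TCP listeners in a busconfig."""
    root = ET.fromstring(xml_text)
    node = root.find("apparmor")
    # Assumption: a missing <apparmor> element counts as "not disabled".
    mediating = not (node is not None and node.get("mode") == "disabled")
    anonymous = root.find("allow_anonymous") is not None
    findings = []
    for listen in root.iter("listen"):
        # One <listen> value may hold several ';'-separated addresses.
        for addr in filter(None, map(str.strip, (listen.text or "").split(";"))):
            transport, params = parse_address(addr)
            if transport not in TCP_TRANSPORTS:
                continue  # e.g. unix: peer labels are available there
            if mediating:
                findings.append((addr, "AppArmor cannot get a peer label over TCP"))
            if params.get("bind") == "*":
                findings.append((addr, "bind=* listens on all interfaces"))
            if anonymous:
                findings.append((addr, "allow_anonymous is set on a bus with a TCP listener"))
    return findings


if __name__ == "__main__":
    for addr, why in audit_busconfig(SAMPLE):
        print(addr, "->", why)
```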
