[apparmor] [PATCH] Allow reading /etc/machine-id in the dbus-session abstraction.

Seth Arnold seth.arnold at canonical.com
Wed Nov 20 01:31:29 UTC 2013


Hi Intrigeri, better late than never I hope...

On Thu, Jul 25, 2013 at 10:52:42AM +0200, intrigeri at debian.org wrote:
> From: intrigeri <intrigeri at boum.org>
> 
> D-Bus now uses /etc/machine-id in some cases:
> https://bugs.freedesktop.org/show_bug.cgi?id=35228
> ---
>  profiles/apparmor.d/abstractions/dbus-session | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/profiles/apparmor.d/abstractions/dbus-session b/profiles/apparmor.d/abstractions/dbus-session
> index 8735c1f..b9c872e 100644
> --- a/profiles/apparmor.d/abstractions/dbus-session
> +++ b/profiles/apparmor.d/abstractions/dbus-session
> @@ -10,4 +10,5 @@
>  # ------------------------------------------------------------------
>  
>    /usr/bin/dbus-launch ix,
> +  /etc/machine-id r,
>    /var/lib/dbus/machine-id r,
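
Review bot: the added `/etc/machine-id r,` line has no comment in the abstraction itself, so the reason for it (D-Bus using /etc/machine-id in some cases, freedesktop bug 35228) is recorded only in the commit message. A one-line comment above the two machine-id rules would keep that rationale with the policy. Profiles that grant `/var/lib/dbus/machine-id r,` directly instead of including this abstraction, such as the pulseaudio profile further down in this message, are not covered by the change and would need the same line.
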
> -- 
> 1.8.3.2

Okay, I've now learned enough that this looks Obviously Correct. :)
Acked-by: Seth Arnold <seth.arnold at canonical.com>

On Fri, Jul 26, 2013 at 11:26:32AM +0200, intrigeri wrote:
> For some reason unknown to me, Ubuntu's Totem profile doesn't use the
> dbus-session abstraction, but instead itself grants the
> /var/lib/dbus/machine-id read access. Another look at the 13.10
> profiles directory, and I find usr.bin.evolution and
> usr.bin.pulseaudio there that do the same, but usr.bin.empathy
> _denies_ access to /var/lib/dbus/machine-id, while still using
> abstraction/gnome. So perhaps Evolution, Totem and PulseAudio should
> just use abstraction/dbus-session instead?

So, the thing with <abstractions/dbus-session>, is that it is currently
wide-open. It feels too open to me, but for a starting point that we can
tell people "just add this one line to your profile and things will work
again", it makes sense. But it'd be ideal to use our new dbus powers for
tighter confinement.

I haven't yet written enough profiles using the new dbus rules. My first
effort was for pulseaudio, and I've included it here for a starting point
of a discussion.

We can, and probably should, move some of the rules into the abstractions,
such as dbus-system and dbus-session, and we might want to create a
dbus-accessibility abstraction.

Bluez might need an abstraction. And pulseaudio binds to some interfaces
here; probably another abstraction should be created to allow clients to
communicate with pulseaudio using the bound interface.

Here's the pulseaudio profile:


# Last Modified: Thu Nov  7 10:13:08 2013
#include <tunables/global>

/usr/bin/pulseaudio {
  #include <abstractions/X>
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/nameservice>


  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability setgid,
  capability setuid,
  capability sys_nice,
  capability sys_resource,
  capability sys_ptrace,


  /run/dbus/system_bus_socket rw,

  dbus (send)
    bus=system
    path="/org/freedesktop/DBus"
    interface="org.freedesktop.DBus"
    member="Hello",
  dbus (send)
    bus=system
    path="/org/freedesktop/DBus"
    interface="org.freedesktop.DBus"
    member="{RemoveMatch,AddMatch}",
  dbus (send)
    bus="system"
    path="/org/freedesktop/RealtimeKit1"
    interface="org.freedesktop.RealtimeKit1"
    member="MakeThreadHighPriority",
  dbus (send)
    bus="system"
    path="/org/bluez/*/hci[0-9]"
    interface="org.bluez.Media"
    member="RegisterEndpoint"
    peer=(name="org.bluez"),
  dbus (send)
    bus="system"
    path="/org/bluez/*/hci[0-9]"
    interface="org.bluez.Adapter"
    member="GetProperties"
    peer=(name="org.bluez"),
  dbus (send)
    bus="system"
    path="/"
    interface="org.bluez.Manager"
    member="GetProperties",
  dbus (receive)
    bus="system"
    path="/"
    interface="org.bluez.Manager"
    member="AdapterAdded",

  dbus (send)
    bus=session
    path="/org/freedesktop/DBus"
    interface="org.freedesktop.DBus"
    member="Hello",
  dbus (send)
    bus=session
    path="/org/freedesktop/DBus"
    interface="org.freedesktop.DBus"
    member="{RequestName,AddMatch,RemoveMatch,ReleaseName,GetNameOwner}",
  dbus (bind)
    bus=session
    name={org.PulseAudio1,org.pulseaudio.Server,org.freedesktop.ReserveDevice*.Audio*},

  /dev/null rw,
  /dev/random r,
  /dev/urandom r,
  /etc/pulse/ r,
  /etc/pulse/* r,
  /etc/timidity/.pulse_cookie w,
  /etc/udev/udev.conf r,
  /run/pulse/ rw,
  /run/pulse/.pulse-cookie rwk,
  /run/pulse/dbus-socket rwk,
  /run/pulse/native rwk,
  /run/pulse/pid rwk,
  /run/udev/data/+sound:card* r,
  /run/user/*/pulse/ rw,
  /run/user/*/pulse/autospawn.lock rwk,
  /run/user/*/pulse/cli wr,
  /run/user/*/pulse/native w,
  /run/user/*/pulse/pid rwk,
  /run/user/lightdm/ w,
  /run/systemd/users/* r,
  /sys/bus/ r,
  /sys/class/ r,
  /sys/class/sound/ r,
  /sys/devices/**/sound/card[0-9]*/uevent r,
  /sys/devices/pci[0-9]*/**/*class r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/online r,
  /sys/devices/virtual/dmi/id/bios_vendor r,
  /sys/devices/virtual/dmi/id/board_vendor r,
  /sys/devices/virtual/dmi/id/sys_vendor r,
  owner /tmp/.esd-[0-9]*/ rw,
  owner /tmp/.esd-[0-9]*/socket rw,
  owner /tmp/orcexec.* mrw,
  owner /tmp/pulse-*/autospawn.lock rwk,
  owner /tmp/pulse-*/native rwk,
  owner /tmp/pulse-*/pid rwk,
  /usr/bin/pulseaudio mrix,
  /usr/lib/pulse-1.[0-9]/modules/*.so mr,
  /usr/lib/pulse-2.[0-9]/modules/*.so mr,
  /usr/lib/pulse-3.[0-9]/modules/*.so mr,
  /usr/lib/pulseaudio/pulse/gconf-helper Cx,
  /usr/lib{,32,64}/** mr,
  /usr/share/alsa/** r,
  /usr/share/applications/ r,
  /usr/share/applications/* r,
  /usr/share/pulseaudio/** r,
  /var/lib/dbus/machine-id r,
  owner /var/lib/lightdm/.Xauthority r,
  owner /var/lib/lightdm/.esd_auth rwk,
  owner /var/lib/lightdm/.pulse-cookie rwk,
  owner /var/lib/lightdm/.pulse/ rw,
  owner /var/lib/lightdm/.pulse/* rw,
  /var/lib/pulse/ rw,
  /var/lib/pulse/*-default-sink rw,
  /var/lib/pulse/*-default-source rw,
  /var/lib/pulse/*.tdb rw,
  @{HOME}/.config/pulse/ rw,
  @{HOME}/.config/pulse/cookie rwk,
  @{HOME}/.esd_auth rwk,
  @{HOME}/.pulse-cookie rwk,
  @{HOME}/.pulse/ rw,
  @{HOME}/.pulse/* rw,
  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/[0-9]*/maps r,
  @{PROC}/[0-9]*/stat r,


  profile /usr/lib/pulseaudio/pulse/gconf-helper {
    #include <abstractions/base>

    dbus (send)
      bus=session
      path="/org/freedesktop/DBus"
      interface="org.freedesktop.DBus"
      member="{Hello,AddMatch,StartServiceByName,RemoveMatch}",
    dbus (send)
      bus=session
      path="/org/gnome/GConf/Server"
      interface="org.gnome.GConf.Server"
      member="GetDefaultDatabase",
    dbus (send)
      bus=session
      path="/org/gnome/GConf/Database/0"
      interface="org.gnome.GConf.Database"
      member="{AddNotify,AllDirs,AllEntries}",

    /usr/lib/pulseaudio/pulse/gconf-helper mr,

  }
}

Thanks
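
One way to review a profile's dbus rules for the tightening discussed above, as an added example that is not part of the original message or of AppArmor's own tooling: it parses dbus rules out of profile text and flags blanket grants and send/receive rules that carry no peer= condition. The function names and the last sample rule are assumptions made for this example.

```python
import re

# Constructed sample: four rules from the profile above plus one blanket rule.
SAMPLE = '''
  dbus (send)
    bus=system
    path="/org/freedesktop/DBus"
    interface="org.freedesktop.DBus"
    member="Hello",
  dbus (send)
    bus="system"
    path="/org/bluez/*/hci[0-9]"
    interface="org.bluez.Media"
    member="RegisterEndpoint"
    peer=(name="org.bluez"),
  dbus (receive)
    bus="system"
    path="/"
    interface="org.bluez.Manager"
    member="AdapterAdded",
  dbus (bind)
    bus=session
    name={org.PulseAudio1,org.pulseaudio.Server},
  dbus bus=session,
'''

# A rule ends at a comma that closes a line; commas inside {a,b} are mid-line.
RULE = re.compile(r'^\s*dbus(?=[\s,(])\s*(?:\(([^)]*)\))?(.*?),\s*$', re.M | re.S)
COND = re.compile(r'(\w+)=(\([^)]*\)|"[^"]*"|\S+)')

def parse_dbus_rules(text):
    rules = []
    for m in RULE.finditer(text):
        perms = set(re.findall(r'\w+', m.group(1) or ''))  # empty = all permissions
        conds = {k: v.strip('"') for k, v in COND.findall(m.group(2))}
        rules.append({'perms': perms, **conds})
    return rules

def audit(text):
    findings = []  # (kind, rule) pairs for rules worth tightening
    for r in parse_dbus_rules(text):
        if not r['perms'] and not r.keys() & {'path', 'interface', 'member', 'name'}:
            findings.append(('blanket', r))   # whole bus, every permission
        elif r['perms'] & {'send', 'receive'} and 'peer' not in r:
            findings.append(('no-peer', r))   # other end of the message unpinned
    return findings

if __name__ == '__main__':
    for kind, rule in audit(SAMPLE):
        print(kind, rule.get('bus'), rule.get('interface'), rule.get('member'))
```

A `no-peer` finding is a prompt for review, not necessarily a defect: the rule matches whichever connection is at the other end of the message.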