[apparmor] [PATCH 2/4] profiles: Add strict session bus abstraction

Tyler Hicks tyhicks at canonical.com
Fri Jan 3 22:26:51 UTC 2014


Move the file rule from the existing permissive session bus abstraction
into a new strict session bus abstraction.

The strict abstraction only allows for calling the Hello, AddMatch,
RemoveMatch, GetNameOwner, NameHasOwner, and StartServiceByName methods
that are exported by the D-Bus daemon.

The permissive abstraction reuses the strict abstraction and then allows
all communications on the session bus.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 profiles/apparmor.d/abstractions/dbus-session      |  9 ++++-----
 .../apparmor.d/abstractions/dbus-session-strict    | 23 ++++++++++++++++++++++
 2 files changed, 27 insertions(+), 5 deletions(-)
 create mode 100644 profiles/apparmor.d/abstractions/dbus-session-strict

diff --git a/profiles/apparmor.d/abstractions/dbus-session b/profiles/apparmor.d/abstractions/dbus-session
index 76a7bbf..2eda4e0 100644
--- a/profiles/apparmor.d/abstractions/dbus-session
+++ b/profiles/apparmor.d/abstractions/dbus-session
@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2011 Canonical Ltd.
+#    Copyright (C) 2011-2013 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -9,9 +9,8 @@
 #
 # ------------------------------------------------------------------
 
-  /usr/bin/dbus-launch ix,
+  # This abstraction grants full session bus access. Consider using the
+  # dbus-session-strict abstraction for fine-grained bus mediation.
 
-  # unique per-machine identifier
-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
+  #include <abstractions/dbus-session-strict>
   dbus bus=session,
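Review bot: The added comment above the include documents only the broad grant, not why the strict abstraction is still pulled in when `dbus bus=session,` on the last line already covers every message the strict `dbus send` rule allows. The include is now the only source of the `/usr/bin/dbus-launch ix,` and machine-id read rules removed in this hunk, so a comment line saying the include is kept for those file rules would stop someone from dropping it later as redundant.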
diff --git a/profiles/apparmor.d/abstractions/dbus-session-strict b/profiles/apparmor.d/abstractions/dbus-session-strict
new file mode 100644
index 0000000..2c6a593
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/dbus-session-strict
@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2011-2013 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  /usr/bin/dbus-launch ix,
+
+  # unique per-machine identifier
+  /etc/machine-id r,
+  /var/lib/dbus/machine-id r,
+
+  dbus send
+       bus=session
+       path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+       peer=(name=org.freedesktop.DBus),
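Review bot: The `dbus send` rule at the end of the new file carries no comment, unlike the machine-id rules just above it. A short comment stating that it covers only the listed calls to the bus daemon, and that a profile using this abstraction must add its own dbus rules for every other peer (and for owning a name, since RequestName is not in the member list), would make the contract clear. It would also be worth noting there why `StartServiceByName` is included, since it is the one listed call that asks the daemon to start another service.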
-- 
1.8.3.2



