[apparmor] [PATCH 1/4] profiles: Add strict system bus abstraction

John Johansen john.johansen at canonical.com
Tue Jan 7 21:12:03 UTC 2014


On 01/03/2014 02:26 PM, Tyler Hicks wrote:
> Move the file rule from the existing permissive system bus abstraction
> into a new strict system bus abstraction.
> 
> The strict abstraction only allows for calling the Hello, AddMatch,
> RemoveMatch, GetNameOwner, NameHasOwner, and StartServiceByName methods
> that are exported by the D-Bus daemon.
> 
> The permissive abstraction reuses the strict abstraction and then allows
> all communications on the system bus.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>

Acked-by: John Johansen <john.johansen at canonical.com>

> ---
>  profiles/apparmor.d/abstractions/dbus        |  8 +++++---
>  profiles/apparmor.d/abstractions/dbus-strict | 19 +++++++++++++++++++
>  2 files changed, 24 insertions(+), 3 deletions(-)
>  create mode 100644 profiles/apparmor.d/abstractions/dbus-strict
> 
> diff --git a/profiles/apparmor.d/abstractions/dbus b/profiles/apparmor.d/abstractions/dbus
> index f0644c0..c670fc2 100644
> --- a/profiles/apparmor.d/abstractions/dbus
> +++ b/profiles/apparmor.d/abstractions/dbus
> @@ -1,7 +1,7 @@
>  # vim:syntax=apparmor
>  # ------------------------------------------------------------------
>  #
> -#    Copyright (C) 2009-2010 Canonical Ltd.
> +#    Copyright (C) 2009-2013 Canonical Ltd.
>  #
>  #    This program is free software; you can redistribute it and/or
>  #    modify it under the terms of version 2 of the GNU General Public
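Review bot: the copyright range in this hunk is bumped only to 2013, but the patch is posted in January 2014 (see the date on the quoted mail above); if the header is being touched anyway, extending it to 2014 saves a second one-line bump in the next release.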
> @@ -9,6 +9,8 @@
>  #
>  # ------------------------------------------------------------------
>  
> -  # System socket. Be careful when including this abstraction.
> -  /{,var/}run/dbus/system_bus_socket rw,
> +  # This abstraction grants full system bus access. Consider using the
> +  # dbus-strict abstraction for fine-grained bus mediation.
> +
> +  #include <abstractions/dbus-strict>
>    dbus bus=system,
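Review bot: the new comment ("Consider using the dbus-strict abstraction for fine-grained bus mediation") undersells what switching costs: dbus-strict on its own only permits the six org.freedesktop.DBus methods, so a profile that drops this abstraction for it must add its own `dbus send`/`dbus receive` rules for every service it actually talks to. Suggest spelling that out, e.g. "dbus-strict only covers talking to the bus daemon itself; add per-service dbus rules for anything else." Also worth a word that once `dbus bus=system,` is present the included send rule is subsumed and kept only so the two files share one source of the socket and daemon rules, so nobody "tightens" this file by removing the `#include`.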
> diff --git a/profiles/apparmor.d/abstractions/dbus-strict b/profiles/apparmor.d/abstractions/dbus-strict
> new file mode 100644
> index 0000000..01a426e
> --- /dev/null
> +++ b/profiles/apparmor.d/abstractions/dbus-strict
> @@ -0,0 +1,19 @@
> +# vim:syntax=apparmor
> +# ------------------------------------------------------------------
> +#
> +#    Copyright (C) 2009-2013 Canonical Ltd.
> +#
> +#    This program is free software; you can redistribute it and/or
> +#    modify it under the terms of version 2 of the GNU General Public
> +#    License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +
> +  /{,var/}run/dbus/system_bus_socket rw,
> +
> +  dbus send
> +       bus=system
> +       path=/org/freedesktop/DBus
> +       interface=org.freedesktop.DBus
> +       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
> +       peer=(name=org.freedesktop.DBus),
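Review bot: the strict set grants `dbus send` only, so a confined client that uses the permitted AddMatch still cannot receive the signals it subscribed to (NameOwnerChanged from the daemon being the usual one) unless its own profile adds a `dbus receive ... peer=(name=org.freedesktop.DBus)` rule; either add such a rule here or state in the header that callers must supply it, and please confirm in the commit message whether messages originating from the bus driver are mediated at all, since that decides which. A short header comment on why StartServiceByName belongs in the strict set would also help, since it lets a confined process trigger activation of any activatable system service even when the rest of its profile gives it no way to talk to that service.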
> 
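A worked profile fragment showing how the two abstractions are meant to be combined, added here as an example and not part of the patch or of the AppArmor project's own profiles: the executable `/usr/bin/example-client`, the bus name `org.example.Service`, its object path, interface, members and signal are all hypothetical.

```apparmor
# Added example, not from the patch: a hypothetical system-bus client
# confined with the strict abstraction plus only the rules it needs.
#include <tunables/global>

/usr/bin/example-client {
  #include <abstractions/base>

  # Bus socket plus the six org.freedesktop.DBus methods (Hello, AddMatch,
  # RemoveMatch, GetNameOwner, NameHasOwner, StartServiceByName).
  # Nothing else on the system bus is reachable until granted below.
  #include <abstractions/dbus-strict>

  # Method calls to the one service this client talks to (hypothetical
  # names). This is the part that `dbus bus=system,` in <abstractions/dbus>
  # would otherwise grant for every path, interface and member on the bus.
  dbus send
       bus=system
       path=/org/example/Service
       interface=org.example.Service
       member={GetStatus,SetValue}
       peer=(name=org.example.Service),

  # Signals this client subscribes to via AddMatch. Sending the AddMatch
  # is covered by dbus-strict; receiving the resulting signal is not, so
  # it needs its own receive rule.
  dbus receive
       bus=system
       path=/org/example/Service
       interface=org.example.Service
       member=StatusChanged
       peer=(name=org.example.Service),

  /usr/bin/example-client mr,
}
```

The permissive alternative is simply `#include <abstractions/dbus>`, which pulls in dbus-strict and then adds `dbus bus=system,`; with that in place the two explicit `dbus send`/`dbus receive` rules above become redundant, and every other name, path and member on the system bus becomes reachable as well.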



