[apparmor] [PATCH 2/4] profiles: Add strict session bus abstraction

Jamie Strandboge jamie at canonical.com
Tue Jan 7 22:39:44 UTC 2014


On 01/03/2014 04:26 PM, Tyler Hicks wrote:
> Move the file rule from the existing permissive session bus abstraction
> into a new strict session bus abstraction.
> 
Thanks for all these! This is a really good idea. Sorry for not responding sooner.
...
> 
> diff --git a/profiles/apparmor.d/abstractions/dbus-session b/profiles/apparmor.d/abstractions/dbus-session
> index 76a7bbf..2eda4e0 100644
> --- a/profiles/apparmor.d/abstractions/dbus-session
> +++ b/profiles/apparmor.d/abstractions/dbus-session

...

> -  /usr/bin/dbus-launch ix,

...

> diff --git a/profiles/apparmor.d/abstractions/dbus-session-strict b/profiles/apparmor.d/abstractions/dbus-session-strict

> +  /usr/bin/dbus-launch ix,

...

First off, can we change this to be 'Pix'?

Secondly, I wonder if this rule should be in the permissive session bus
abstraction rather than the strict one. I have quite a few profiles that use
dbus rules without the existing dbus abstractions, and only one has a
/usr/bin/dbus-launch rule. Moving '/usr/bin/dbus-launch Pix,' out of
dbus-session-strict seems to make a lot of sense and I suggest we just do that.
What do others think?

Lastly, what I have for that profile is:

  /usr/bin/dbus-launch Cx -> dbus_launch,
  profile dbus_launch {
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/X>
    /usr/bin/dbus-launch r,
  }

This confinement for dbus-launch is mildly interesting, but I think we might
have some issues if we use a child profile in this exact manner in the
abstraction. We could ship the profile outside of the abstraction though, and
use 'Pix -> dbus_launch' in the abstraction instead. It doesn't give much added
security, but dbus-launch clearly doesn't need much access.

-- 
Jamie Strandboge                 http://www.ubuntu.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140107/fb2db253/attachment.pgp>


More information about the AppArmor mailing list