[apparmor] [PATCH 2/4 v2] profiles: Add strict session bus abstraction

[Tyler Hicks]

Move some of the file rules from the existing permissive session bus
abstraction into a new strict session bus abstraction. Leave the
dbus-launch rule in the permissive profile since not all applications
will need it.

The strict abstraction only allows for calling the Hello, AddMatch,
RemoveMatch, GetNameOwner, NameHasOwner, and StartServiceByName methods
that are exported by the D-Bus daemon.

The permissive abstraction reuses the strict abstraction and then allows
all communications on the session bus.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: John Johansen <john.johansen at canonical.com>
---

* Changes from v1:
  - Added John's ack
  - Left the dbus-launch rule in the permissive dbus-session abstraction
  - Updated the commit message to reflect the above change

 profiles/apparmor.d/abstractions/dbus-session       | 10 +++++-----
 .../apparmor.d/abstractions/dbus-session-strict     | 21 +++++++++++++++++++++
 2 files changed, 26 insertions(+), 5 deletions(-)
 create mode 100644 profiles/apparmor.d/abstractions/dbus-session-strict

diff --git a/profiles/apparmor.d/abstractions/dbus-session b/profiles/apparmor.d/abstractions/dbus-session
index 76a7bbf..eb1ed91 100644
--- a/profiles/apparmor.d/abstractions/dbus-session
+++ b/profiles/apparmor.d/abstractions/dbus-session
@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2011 Canonical Ltd.
+#    Copyright (C) 2011-2013 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -9,9 +9,9 @@
 #
 # ------------------------------------------------------------------
 
-  /usr/bin/dbus-launch ix,
+  # This abstraction grants full session bus access. Consider using the
+  # dbus-session-strict abstraction for fine-grained bus mediation.
 
-  # unique per-machine identifier
-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
+  #include <abstractions/dbus-session-strict>
+  /usr/bin/dbus-launch ix,
   dbus bus=session,
diff --git a/profiles/apparmor.d/abstractions/dbus-session-strict b/profiles/apparmor.d/abstractions/dbus-session-strict
new file mode 100644
index 0000000..41c451a
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/dbus-session-strict
@@ -0,0 +1,21 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2011-2013 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  # unique per-machine identifier
+  /etc/machine-id r,
+  /var/lib/dbus/machine-id r,
+
+  dbus send
+       bus=session
+       path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+       peer=(name=org.freedesktop.DBus),
-- 
1.8.3.2