[apparmor] [PATCH 2/4 v2] profiles: Add strict session bus abstraction

Jamie Strandboge jamie at canonical.com
Thu Jan 9 20:54:49 UTC 2014


On 01/09/2014 02:47 PM, Tyler Hicks wrote:
> Move some of the file rules from the existing permissive session bus
> abstraction into a new strict session bus abstraction. Leave the
> dbus-launch rule in the permissive profile since not all applications
> will need it.
> 
> The strict abstraction only allows for calling the Hello, AddMatch,
> RemoveMatch, GetNameOwner, NameHasOwner, and StartServiceByName methods
> that are exported by the D-Bus daemon.
> 
> The permissive abstraction reuses the strict abstraction and then allows
> all communications on the session bus.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> Acked-by: John Johansen <john.johansen at canonical.com>
> ---
> 
> * Changes from v1:
>   - Added John's ack
>   - Left the dbus-launch rule in the permissive dbus-session abstraction
>   - Updated the commit message to reflect the above change
> 
>  profiles/apparmor.d/abstractions/dbus-session       | 10 +++++-----
>  .../apparmor.d/abstractions/dbus-session-strict     | 21 +++++++++++++++++++++
>  2 files changed, 26 insertions(+), 5 deletions(-)
>  create mode 100644 profiles/apparmor.d/abstractions/dbus-session-strict
> 

Acked-By: Jamie Strandboge <jamie at canonical.com>

Thanks!

> diff --git a/profiles/apparmor.d/abstractions/dbus-session b/profiles/apparmor.d/abstractions/dbus-session
> index 76a7bbf..eb1ed91 100644
> --- a/profiles/apparmor.d/abstractions/dbus-session
> +++ b/profiles/apparmor.d/abstractions/dbus-session
> @@ -1,7 +1,7 @@
>  # vim:syntax=apparmor
>  # ------------------------------------------------------------------
>  #
> -#    Copyright (C) 2011 Canonical Ltd.
> +#    Copyright (C) 2011-2013 Canonical Ltd.
>  #
>  #    This program is free software; you can redistribute it and/or
>  #    modify it under the terms of version 2 of the GNU General Public
> @@ -9,9 +9,9 @@
>  #
>  # ------------------------------------------------------------------
>  
> -  /usr/bin/dbus-launch ix,
> +  # This abstraction grants full session bus access. Consider using the
> +  # dbus-session-strict abstraction for fine-grained bus mediation.
>  
> -  # unique per-machine identifier
> -  /etc/machine-id r,
> -  /var/lib/dbus/machine-id r,
> +  #include <abstractions/dbus-session-strict>
> +  /usr/bin/dbus-launch ix,
>    dbus bus=session,
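Review bot: The new comment above the `#include` should say what the include is actually for here, since `dbus bus=session,` already grants every bus permission the strict abstraction would add; the include now exists to carry the `/etc/machine-id` and `/var/lib/dbus/machine-id` read rules that this hunk removes from the permissive file. Suggest extending the comment, e.g. "# The strict abstraction supplies the machine-id file rules." so that a later reader does not drop the include as redundant.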
> diff --git a/profiles/apparmor.d/abstractions/dbus-session-strict b/profiles/apparmor.d/abstractions/dbus-session-strict
> new file mode 100644
> index 0000000..41c451a
> --- /dev/null
> +++ b/profiles/apparmor.d/abstractions/dbus-session-strict
> @@ -0,0 +1,21 @@
> +# vim:syntax=apparmor
> +# ------------------------------------------------------------------
> +#
> +#    Copyright (C) 2011-2013 Canonical Ltd.
> +#
> +#    This program is free software; you can redistribute it and/or
> +#    modify it under the terms of version 2 of the GNU General Public
> +#    License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +
> +  # unique per-machine identifier
> +  /etc/machine-id r,
> +  /var/lib/dbus/machine-id r,
> +
> +  dbus send
> +       bus=session
> +       path=/org/freedesktop/DBus
> +       interface=org.freedesktop.DBus
> +       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
> +       peer=(name=org.freedesktop.DBus),
> 
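Review bot: The new file's header only carries the license block; a one-line description of what this abstraction grants (send-only access to the D-Bus daemon's own interface at `path=/org/freedesktop/DBus`, `peer=(name=org.freedesktop.DBus)`, restricted to the six listed members) would help profile authors choose between it and the permissive abstraction. The rule is `dbus send` only, so a profile that uses `AddMatch` from this list still needs its own `dbus receive` rules for the signals it subscribes to; worth noting in that header comment as well.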


-- 
Jamie Strandboge                 http://www.ubuntu.com/
