[apparmor] Apparmor rules for dconf confinement
Simon McVittie
simon.mcvittie at collabora.co.uk
Fri Jun 5 13:12:03 UTC 2015
On 05/06/15 12:13, John Johansen wrote:
> On 05/29/2015 09:29 AM, Simon McVittie wrote:
>> Here's a sketch of how [polkit mediation] could look, for instance:
>>
>> audit polkit action=org.freedesktop.udisks2.filesystem-mount,
>> audit deny polkit \
>> action=org.freedesktop.udisks2.filesystem-mount-system,
>>
>> or if the syntax in policy files was entirely generic, perhaps something
>> more like:
>>
>> userspace class=polkit \
>> action=org.freedesktop.udisks2.filesystem-mount,
>> audit deny userspace class=polkit \
>> action=org.freedesktop.udisks2.filesystem-mount-system,
>>
>> Does this sound like a reasonable generalization?
>>
> generally speaking, yes :)
>
> I can't say when polkit will get patched but I expect it will happen sooner
> than later.
If this becomes something that is concretely required, please talk to
the polkit mailing list - the polkit developers ought to have an
opportunity to review this. I've subscribed to that list to be able to
give D-Bus advice.
My colleague Philip Withnall and I are not (currently) polkit
maintainers, but we would potentially be interested in reviewing and/or
helping with implementation for this feature.
--
Simon McVittie
Collabora Ltd. <http://www.collabora.com/>
More information about the AppArmor
mailing list