[apparmor] Apparmor rules for dconf confinement

Simon McVittie simon.mcvittie at collabora.co.uk
Fri Jun 5 13:12:03 UTC 2015


On 05/06/15 12:13, John Johansen wrote:
> On 05/29/2015 09:29 AM, Simon McVittie wrote:
>> Here's a sketch of how [polkit mediation] could look, for instance:
>>
>>     audit polkit action=org.freedesktop.udisks2.filesystem-mount,
>>     audit deny polkit \
>>         action=org.freedesktop.udisks2.filesystem-mount-system,
>>
>> or if the syntax in policy files was entirely generic, perhaps something
>> more like:
>>
>>     userspace class=polkit \
>>         action=org.freedesktop.udisks2.filesystem-mount,
>>     audit deny userspace class=polkit \
>>         action=org.freedesktop.udisks2.filesystem-mount-system,
>>
>> Does this sound like a reasonable generalization?
>>
> generally speaking, yes :)
> 
> I can't say when polkit will get patched but I expect it will happen sooner
> than later.

If this becomes something that is concretely required, please talk to
the polkit mailing list - the polkit developers ought to have an
opportunity to review this. I've subscribed to that list to be able to
give D-Bus advice.

My colleague Philip Withnall and I are not (currently) polkit
maintainers, but we would potentially be interested in reviewing and/or
helping with implementation for this feature.

-- 
Simon McVittie
Collabora Ltd. <http://www.collabora.com/>




More information about the AppArmor mailing list