[apparmor] [profile: plugin-container] the dbus machine-id: deny or allow 'r'?

daniel curtis sidetripping at gmail.com
Thu Feb 25 17:18:21 UTC 2016


Some time ago, I decided to create a profile for the 'plugin-container'
process to make the Firefox web browser even more secure. Everything seems to
work okay. I've managed to "solve" the DENIED messages/entries from the
system log files, e.g. '/var/log/kern.log'.

Anyway, there is one thing that puzzles me: '/var/lib/dbus/machine-id'.
According to the DENIED messages in the log files, there is something like

name="/var/lib/dbus/machine-id", denied mask 'r'

So an AppArmor rule to fix this issue should contain, e.g.:

/var/lib/dbus/machine-id r,

Am I right? But the "AppArmor Policy Reviews"[1] article, which contains
general advice for reviewing AppArmor policy, mentions that
'/var/lib/dbus/machine-id' should be denied. Short quote:

"Some programs may request access to the DBus system bus socket, but may
not actually need it for normal functioning. In these cases, (...) the same
may be the case for the dbus machine-id:

deny /var/lib/dbus/machine-id r,"

Given all of the above, what is the right direction? What should I do: allow
'r' for the machine-id, or rather deny access to this DBus system bus socket?
What are your opinions on this?

* Description: Ubuntu 12.04.5 LTS
* AppArmor (apparmor, apparmor-utils): 2.7.102-0ubuntu3.10

Thanks, best regards.
[1] https://wiki.ubuntu.com/SecurityTeam/AppArmorPolicyReview
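
An added example, not part of the original post: one way to tabulate AppArmor DENIED entries for a profile and print both candidate rules (allow and explicit deny) for each path before choosing between them. The log lines are constructed, the profile label "plugin-container" and all function names are assumptions for this sketch; it also decodes hex-encoded `name=` values, which the kernel emits for paths containing spaces.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual kern.log layout for AppArmor file
# denials (timestamps, PIDs and the profile label are made up for this example).
SAMPLE_LOG = """\
Feb 25 17:01:02 host kernel: [ 101.1] type=1400 audit(1456419662.100:41): apparmor="DENIED" operation="open" profile="plugin-container" name="/var/lib/dbus/machine-id" pid=2101 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 25 17:01:09 host kernel: [ 108.4] type=1400 audit(1456419669.400:42): apparmor="DENIED" operation="open" profile="plugin-container" name="/var/lib/dbus/machine-id" pid=2101 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 25 17:02:30 host kernel: [ 189.0] type=1400 audit(1456419750.000:43): apparmor="DENIED" operation="open" profile="plugin-container" name=2F686F6D652F752F6D7920646972 pid=2101 comm="plugin-containe" requested_mask="rw" denied_mask="w" fsuid=1000 ouid=1000
Feb 25 17:03:00 host kernel: [ 219.0] type=1400 audit(1456419780.000:44): apparmor="ALLOWED" operation="open" profile="other" name="/etc/hosts" pid=9 comm="x" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_NAME = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# Log-only mask letters: create (c) and delete (d) are covered by 'w' in policy.
LOG_TO_RULE = {"c": "w", "d": "w"}

def parse_line(line):
    """Return the key=value fields of one audit line as a dict."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        value = bare or quoted
        if key == "name" and bare and HEX_NAME.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")  # unquoted name = hex-encoded path
        fields[key] = value
    return fields

def summarize_denials(log_text, profile):
    """Map each denied path to its denied mask letters and number of hits."""
    summary = defaultdict(lambda: {"mask": set(), "count": 0})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile or "name" not in f:
            continue
        entry = summary[f["name"]]
        entry["mask"].update(f.get("denied_mask", ""))
        entry["count"] += 1
    return dict(summary)

def candidate_rules(path, mask):
    """Return (allow_rule, deny_rule) profile lines for one denied path."""
    perms = "".join(sorted({LOG_TO_RULE.get(c, c) for c in mask}))
    quoted = f'"{path}"' if " " in path else path  # paths with spaces must be quoted
    return f"{quoted} {perms},", f"deny {quoted} {perms},"

if __name__ == "__main__":
    for path, info in summarize_denials(SAMPLE_LOG, "plugin-container").items():
        allow, deny = candidate_rules(path, info["mask"])
        print(f"{info['count']}x {path}\n  allow: {allow}\n  deny:  {deny}")
```

An explicit `deny` rule also stops the denial from being logged, so the hit counts are worth reviewing before one is added.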