[apparmor] [PATCH] profiles: Grant access to systemd-resolved in the nameservice abstraction
Tyler Hicks
tyhicks at canonical.com
Tue Oct 11 22:10:01 UTC 2016
https://launchpad.net/bugs/1598759
Profiles that rely on the nameservice abstraction are experiencing
denials on systems configured to use systemd-resolved via the
libnss-resolve plugin.
libnss-resolve talks to systemd-resolved over D-Bus and this patch
attempts to only grant access to the safe members of the D-Bus API.
Special considerations need to be made when applying this patch to most
Linux distributions as many of them do not have the ability to perform
fine-grained AppArmor mediation of D-Bus traffic. In those cases, any
users of the nameservice abstraction (such as tcpdump or ntpd) will have
full access to the D-Bus system bus once this change is applied to the
nameservice abstraction.
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
profiles/apparmor.d/abstractions/nameservice | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
index 5dff44d..a28aeeb 100644
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -84,6 +84,25 @@
# kerberos
#include <abstractions/kerberosclient>
+ # resolve
+ #
+ # Allow access to the safe members of the systemd-resolved D-Bus API:
+ #
+ # https://www.freedesktop.org/wiki/Software/systemd/resolved/
+ #
+ # This API may be used directly over the D-Bus system bus or it may be used
+ # indirectly via the nss-resolve plugin:
+ #
+ # https://www.freedesktop.org/software/systemd/man/nss-resolve.html
+ #
+ #include <abstractions/dbus-strict>
+ dbus send
+ bus=system
+ path="/org/freedesktop/resolve1"
+ interface="org.freedesktop.resolve1.Manager"
+ member="Resolve{Address,Hostname,Record,Service}"
+ peer=(name="org.freedesktop.resolve1"),
+
# TCP/UDP network access
network inet stream,
network inet6 stream,
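Review bot: the caveat in the commit message, that on distributions without fine-grained D-Bus mediation this rule degrades into full system-bus access for every profile that includes the nameservice abstraction, is missing from the added comment block, which only says the rule grants "the safe members" of the API. Readers of the abstraction file will never see the mailing-list message, so consider adding that warning to the comment, for example just before `#include <abstractions/dbus-strict>`, and stating in the same comment what makes `Resolve{Address,Hostname,Record,Service}` the safe subset so that future additions to the `member=` list are judged against the same criterion.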
--
2.7.4