[apparmor] [PATCH] profiles: Grant access to systemd-resolved in the nameservice abstraction
Seth Arnold
seth.arnold at canonical.com
Tue Oct 11 22:32:34 UTC 2016
On Tue, Oct 11, 2016 at 10:10:01PM +0000, Tyler Hicks wrote:
> https://launchpad.net/bugs/1598759
>
> Profiles that rely on the nameservice abstraction are experiencing
> denials on systems configured to use systemd-resolved via the
> libnss-resolve plugin.
>
> libnss-resolve talks to systemd-resolved over D-Bus and this patch
> attempts to only grant access to the safe members of the D-Bus API.
>
> Special considerations need to be made when applying this patch to most
> Linux distributions as many of them do not have the ability to perform
> fine-grained AppArmor mediation of D-Bus traffic. In those cases, any
> users of the nameservice abstraction (such as tcpdump or ntpd) will have
> full access to the D-Bus system bus once this change is applied to the
> nameservice abstraction.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Thanks for tracking down the full details for all the fields.
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
> ---
> profiles/apparmor.d/abstractions/nameservice | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
> index 5dff44d..a28aeeb 100644
> --- a/profiles/apparmor.d/abstractions/nameservice
> +++ b/profiles/apparmor.d/abstractions/nameservice
> @@ -84,6 +84,25 @@
> # kerberos
> #include <abstractions/kerberosclient>
>
> + # resolve
> + #
> + # Allow access to the safe members of the systemd-resolved D-Bus API:
> + #
> + # https://www.freedesktop.org/wiki/Software/systemd/resolved/
> + #
> + # This API may be used directly over the D-Bus system bus or it may be used
> + # indirectly via the nss-resolve plugin:
> + #
> + # https://www.freedesktop.org/software/systemd/man/nss-resolve.html
> + #
> + #include <abstractions/dbus-strict>
> + dbus send
> + bus=system
> + path="/org/freedesktop/resolve1"
> + interface="org.freedesktop.resolve1.Manager"
> + member="Resolve{Address,Hostname,Record,Service}"
> + peer=(name="org.freedesktop.resolve1"),
> +
> # TCP/UDP network access
> network inet stream,
> network inet6 stream,
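Review bot: the caveat from the commit message (on distributions without fine-grained D-Bus mediation, this include grants every nameservice user unrestricted access to the system bus) is not recorded anywhere in the hunk, so it is lost on anyone reading the abstraction rather than the list archive; please add one line to the `# resolve` comment block, for example `# NOTE: without D-Bus mediation in the kernel/dbus-daemon, this grants full system bus access.` For the same reason, the comment "Allow access to the safe members" should say what makes the four `Resolve{Address,Hostname,Record,Service}` members safe (they only query the resolver) so that a later editor does not widen the `member=` alternation to the rest of the `org.freedesktop.resolve1.Manager` interface without thinking about it.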
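The denials this patch addresses show up as D-Bus audit lines from AppArmor, and the natural review question is "which of these would the new rule now permit?". The following script is an added example, not code from the AppArmor project or from this thread: it parses constructed sample denial lines in AppArmor's key="value" audit format, checks each D-Bus denial against the patch's `dbus send` rule (translating only the `{a,b}`, `*` and `?` subset of AppArmor pattern syntax, which is an approximation of the real matcher), and renders the narrowest rule that would permit any call the rule does not cover. The log lines, pids, labels and the `SetLinkDNS` call are constructed for the example.

```python
"""Triage AppArmor D-Bus denials against the nameservice abstraction's
systemd-resolved rule.  Added example; not part of the AppArmor project."""
import re

# The rule from the patch, expressed as the fields AppArmor matches on.
# Assumption: member uses AppArmor's {a,b} alternation syntax.
RESOLVE_RULE = {
    "bus": "system",
    "path": "/org/freedesktop/resolve1",
    "interface": "org.freedesktop.resolve1.Manager",
    "member": "Resolve{Address,Hostname,Record,Service}",
    "name": "org.freedesktop.resolve1",
    "mask": "send",
}

# Constructed sample log lines in the key="value" shape AppArmor emits for
# dbus-daemon mediation; the third line is a plain file denial for contrast.
SAMPLE_LOG = [
    'apparmor="DENIED" operation="dbus_method_call"  bus="system" '
    'path="/org/freedesktop/resolve1" interface="org.freedesktop.resolve1.Manager" '
    'member="ResolveHostname" mask="send" name="org.freedesktop.resolve1" '
    'pid=4242 label="/usr/sbin/ntpd" peer_pid=911 peer_label="unconfined"',
    'apparmor="DENIED" operation="dbus_method_call"  bus="system" '
    'path="/org/freedesktop/resolve1" interface="org.freedesktop.resolve1.Manager" '
    'member="SetLinkDNS" mask="send" name="org.freedesktop.resolve1" '
    'pid=4242 label="/usr/sbin/ntpd" peer_pid=911 peer_label="unconfined"',
    'apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" '
    'name="/run/systemd/resolve/resolv.conf" pid=4242 comm="ntpd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def aa_glob_to_regex(pattern: str) -> re.Pattern:
    """Translate the {a,b} / * / ? subset of AppArmor pattern syntax into
    an anchored regex.  Approximation only: the real matcher has more forms."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "{":
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = j + 1
            continue
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_denial(line: str) -> dict:
    """Pull the quoted key="value" fields out of one audit/kernel log line."""
    return dict(FIELD_RE.findall(line))


def is_dbus_denial(fields: dict) -> bool:
    return fields.get("apparmor") == "DENIED" and \
        fields.get("operation", "").startswith("dbus_")


def covered_by_resolve_rule(fields: dict) -> bool:
    """True if every field of the patch's rule matches this denial."""
    return all(aa_glob_to_regex(pat).match(fields.get(key, ""))
               for key, pat in RESOLVE_RULE.items())


def suggest_rule(fields: dict) -> str:
    """Render the narrowest dbus rule that would permit exactly this call."""
    return (f'dbus {fields["mask"]}\n'
            f'     bus={fields["bus"]}\n'
            f'     path="{fields["path"]}"\n'
            f'     interface="{fields["interface"]}"\n'
            f'     member="{fields["member"]}"\n'
            f'     peer=(name="{fields["name"]}"),')


def triage(lines):
    """Return (label, member, covered) for each D-Bus denial in the log."""
    results = []
    for line in lines:
        f = parse_denial(line)
        if not is_dbus_denial(f):
            continue  # file/network denials are outside this rule's scope
        results.append((f.get("label"), f.get("member"), covered_by_resolve_rule(f)))
    return results


if __name__ == "__main__":
    for label, member, covered in triage(SAMPLE_LOG):
        status = "allowed by patch" if covered else "STILL DENIED"
        print(f"{label}: {member}: {status}")
    print(suggest_rule(parse_denial(SAMPLE_LOG[1])))
```

Run against real logs with `journalctl -k | grep 'apparmor="DENIED"'` piped into `triage`; a member reported as still denied is either a call the profile genuinely should not make (as with the link-configuration call in the sample) or a candidate for a profile-specific rule rather than a widening of the shared abstraction.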