[apparmor] [PATCH] profiles: Grant access to systemd-resolved in the nameservice abstraction

Wed Oct 12 06:03:29 UTC 2016

On Tue, Oct 11, 2016 at 10:10:01PM +0000, Tyler Hicks wrote:
> https://launchpad.net/bugs/1598759
> 
> Profiles that rely on the nameservice abstraction are experiencing
> denials on systems configured to use systemd-resolved via the
> libnss-resolve plugin.
> 
> libnss-resolve talks to systemd-resolved over D-Bus and this patch
> attempts to only grant access to the safe members of the D-Bus API.
> 
> Special considerations need to be made when applying this patch to most
> Linux distributions as many of them do not have the ability to perform
> fine-grained AppArmor mediation of D-Bus traffic. In those cases, any
> users of the nameservice abstraction (such as tcpdump or ntpd) will have
> full access to the D-Bus system bus once this change is applied to the
> nameservice abstraction.

I don't like this for precisely the reason above. Access to the D-Bus
system bus would be allowed (modulo DAC and D-Bus policy) even on
systems that do not use systemd-resolvd, and thus have no reason to
access to the system D-bus at all.

I think this either needs to stay as an Ubuntu patch or should be
present but commented out[0] until the necessary apparmor bits that D-Bus
needs have made it into the upstream kernel. That said, I welcome input
specifically from non-Ubuntu downstreams here on this,

Thanks.

[0] or the support for conditional variables present in the apparmor
    policy language dusted off and made use of. 

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20161011/485e450f/attachment-0001.pgp>