[apparmor] [PATCH] profiles: Grant access to systemd-resolved in the nameservice abstraction

Steve Beattie steve at nxnw.org
Wed Oct 12 06:10:33 UTC 2016


On Tue, Oct 11, 2016 at 11:03:29PM -0700, Steve Beattie wrote:
> On Tue, Oct 11, 2016 at 10:10:01PM +0000, Tyler Hicks wrote:
> > https://launchpad.net/bugs/1598759
> > 
> > Profiles that rely on the nameservice abstraction are experiencing
> > denials on systems configured to use systemd-resolved via the
> > libnss-resolve plugin.
> > 
> > libnss-resolve talks to systemd-resolved over D-Bus and this patch
> > attempts to only grant access to the safe members of the D-Bus API.
> > 
> > Special considerations need to be made when applying this patch to most
> > Linux distributions as many of them do not have the ability to perform
> > fine-grained AppArmor mediation of D-Bus traffic. In those cases, any
> > users of the nameservice abstraction (such as tcpdump or ntpd) will have
> > full access to the D-Bus system bus once this change is applied to the
> > nameservice abstraction.
> 
> I don't like this for precisely the reason above. Access to the D-Bus
> system bus would be allowed (modulo DAC and D-Bus policy) even on
> systems that do not use systemd-resolved, and thus have no reason to
> access the system D-Bus at all.
> 
> I think this either needs to stay as an Ubuntu patch or should be
> present but commented out[0] until the necessary apparmor bits that D-Bus
> needs have made it into the upstream kernel. That said, I welcome input
> specifically from non-Ubuntu downstreams here on this,

For the record, in the Ubuntu context, the patch looks good and is
verified to eliminate the rejections seen in Ubuntu 16.10, so gets my
ack there.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
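An added illustration of the kind of rule the quoted patch description refers to, not the patch itself (which is not included in this thread); the member list is an assumption based on the public org.freedesktop.resolve1 interface, and the comments spell out the caveat Tyler raises about distributions whose kernels lack D-Bus mediation:

```apparmor
# Added illustration, not the submitted patch: what a fine-grained grant
# for libnss-resolve in abstractions/nameservice looks like. The member
# list is an assumption about which resolve1 calls count as "safe".
  #include <abstractions/dbus-strict>

  dbus send
       bus=system
       path="/org/freedesktop/resolve1"
       interface="org.freedesktop.resolve1.Manager"
       member="Resolve{Address,Hostname,Record,Service}"
       peer=(name="org.freedesktop.resolve1"),

# Why the caveat matters: on a kernel without AppArmor D-Bus mediation the
# "dbus send" rule above is not enforced, and what remains effective is the
# plain file rule that dbus-strict carries for the bus socket, roughly:
#
#   /{,var/}run/dbus/system_bus_socket rw,
#
# That alone lets any profile using the abstraction (tcpdump, ntpd, ...)
# open the system bus and call any service on it, limited only by DAC and
# the D-Bus daemon's own policy, whether or not systemd-resolved is in use.
```

Before relying on the fine-grained form, confirm the running kernel advertises dbus support in /sys/kernel/security/apparmor/features; otherwise the narrow rule gives a false sense of restriction.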