[apparmor] [PATCH] profiles: Grant access to systemd-resolved in the nameservice abstraction

John Johansen john.johansen at canonical.com
Wed Oct 12 06:58:06 UTC 2016


On 10/11/2016 11:03 PM, Steve Beattie wrote:
> On Tue, Oct 11, 2016 at 10:10:01PM +0000, Tyler Hicks wrote:
>> https://launchpad.net/bugs/1598759
>>
>> Profiles that rely on the nameservice abstraction are experiencing
>> denials on systems configured to use systemd-resolved via the
>> libnss-resolve plugin.
>>
>> libnss-resolve talks to systemd-resolved over D-Bus and this patch
>> attempts to only grant access to the safe members of the D-Bus API.
>>
>> Special considerations need to be made when applying this patch to most
>> Linux distributions as many of them do not have the ability to perform
>> fine-grained AppArmor mediation of D-Bus traffic. In those cases, any
>> users of the nameservice abstraction (such as tcpdump or ntpd) will have
>> full access to the D-Bus system bus once this change is applied to the
>> nameservice abstraction.
> 
> I don't like this for precisely the reason above. Access to the D-Bus
> system bus would be allowed (modulo DAC and D-Bus policy) even on
> systems that do not use systemd-resolved, and thus have no reason to
> access the system D-Bus at all.
> 
> I think this either needs to stay as an Ubuntu patch or should be
> present but commented out[0] until the necessary apparmor bits that D-Bus
> needs have made it into the upstream kernel. That said, I welcome input
> specifically from non-Ubuntu downstreams here on this,
> 
> Thanks.
> 
> [0] or the support for conditional variables present in the apparmor
>     policy language dusted off and made use of. 
> 
> 
Conditionals aren't needed, just a version of the apparmor userspace that
supports the dbus syntax. In fact, as conditionals are currently implemented
they won't work without understanding the syntax anyways, so these rules
will break older versions of apparmor regardless.

With the dbus syntax support, the policy will compile even if the dbus
extension is not there to enforce it. So unless someone is setting compiler
flags to fail on warnings, the dbus rules are already conditional on
support.
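As an added illustration of the kind of rule the thread is debating (this is not the patch from the bug report, which is not reproduced here, and not AppArmor's own abstraction text), the following fragment shows a dbus rule scoped to a single peer, object path, interface and method set rather than a blanket grant of the system bus. The bus name, object path, interface and member names are assumptions taken from systemd-resolved's published D-Bus API; the page itself does not say which members the patch considered "safe".

```apparmor
# Illustrative fragment for abstractions/nameservice (added example; the
# resolve1 names below are assumptions, not quoted from the thread).
#
# libnss-resolve reaches systemd-resolved over the system bus. A coarse rule
# such as
#     dbus bus=system,
# would, on a kernel with D-Bus mediation, allow every send, receive and bind
# on the system bus to anything including this abstraction (tcpdump, ntpd...).
# Narrowing the rule to the lookup method calls keeps the grant to what
# name resolution actually needs.
  dbus send
       bus=system
       path="/org/freedesktop/resolve1"
       interface="org.freedesktop.resolve1.Manager"
       member="Resolve{Address,Hostname,Record,Service}"
       peer=(name="org.freedesktop.resolve1"),
```

Two things follow from the discussion above. First, the rule only parses with an apparmor_parser that knows the dbus syntax, so it cannot be shipped to an older userspace unchanged. Second, on a kernel that does not implement D-Bus mediation the parser still compiles the profile (emitting a warning rather than an error, unless the build is configured to treat warnings as failures), and nothing in the kernel then constrains the confined process's bus traffic; it is governed only by DAC and the D-Bus daemon's own policy, which is the exposure the objection in the thread describes. Whether the running kernel advertises D-Bus mediation can be checked by looking for a dbus entry under /sys/kernel/security/apparmor/features.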
