[apparmor] [profile] Firefox: "org.mozilla.firefox.*" and "dbus_bind" -- DENIED.
Simon McVittie
smcv at collabora.com
Wed Mar 28 17:46:26 UTC 2018
On Wed, 28 Mar 2018 at 16:54:56 +0000, daniel curtis wrote:
> According to the above entry, I've decided to add such rule:
>
> dbus (send)
> bus=session
> path=/org/freedesktop/{DBus,dbus}
> interface=org.freedesktop.DBus
> member=RequestName
> peer=(label=unconfined),
Where did {DBus,dbus} come from? The dbus-daemon's API entry point is
at the object path /org/freedesktop/DBus. Or have you seen real
applications sending messages to /org/freedesktop/dbus?
name=org.freedesktop.DBus would be better than
peer=(label=unconfined). org.freedesktop.DBus is a special bus name that
can only ever be owned by the message bus (dbus-daemon) whereas all
sorts of processes can be unconfined.
>
> ● apparmor="DENIED" operation="dbus_bind" bus="session"
> name="org.mozilla.firefox.ATFjHSFqwZ__" mask="bind" pid=2913
> label="/usr/lib/firefox/firefox{,*[^s][^h]}"
...
> dbus (bind)
> bus=session
> path=/org/mozilla/firefox.*
> peer=(label=@{profile_name}),
org.mozilla.firefox.whatever is not an object path, and does not match
the glob /org/mozilla/firefox.* (slashes aren't dots). I think you mean:
dbus (bind) bus=session name=org.mozilla.firefox.*,
dbus bind operations also don't have a peer. You can tell because the
log entry doesn't mention a peer. (Also, what would that mean? A dbus
bind operation is the confined process asking to be given a particular
name, which is entirely between the confined process and the dbus-daemon:
there's no third party involved.)
smcv
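An added helper, not from this thread or from AppArmor's own tooling, that turns a dbus DENIED audit line into the rule shape described above: a bind rule carries only bus= and name= and no peer, and a send to the message bus matches its peer by name=org.freedesktop.DBus rather than by label. The bind line is the one quoted in the thread; the send line and its peer_label field are constructed assumptions, not a captured log.

```python
import re

# Tokenise key=value and key="value" pairs from one AppArmor audit line.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit(line):
    """Return the audit line's fields as a dict (values unquoted)."""
    return {key: quoted or bare for key, quoted, bare in _FIELD.findall(line)}

def suggest_rule(line):
    """Derive the narrowest dbus rule that would allow one DENIED entry."""
    fields = parse_audit(line)
    if fields.get("apparmor") != "DENIED" or not fields.get("operation", "").startswith("dbus_"):
        return None
    bus = fields["bus"]
    if fields["operation"] == "dbus_bind":
        # Binding a name involves only the confined process and dbus-daemon:
        # the log has no peer fields, so the rule must not carry a peer=().
        # A per-instance suffix (Firefox's random one) is widened to a glob by hand.
        return f"dbus (bind) bus={bus} name={fields['name']},"
    parts = [f"dbus ({fields['mask']})", f"bus={bus}"]
    parts += [f"{k}={fields[k]}" for k in ("path", "interface", "member") if k in fields]
    if fields.get("name") == "org.freedesktop.DBus":
        # Only the message bus can own org.freedesktop.DBus, so matching the
        # peer by that name is tighter than peer=(label=unconfined).
        parts.append("peer=(name=org.freedesktop.DBus)")
    elif "peer_label" in fields:
        parts.append(f"peer=(label={fields['peer_label']})")
    return " ".join(parts) + ","

# Sample input: the bind denial quoted in the thread, plus a constructed
# (not captured) send denial for the RequestName call to dbus-daemon.
BIND_DENIAL = ('apparmor="DENIED" operation="dbus_bind" bus="session" '
               'name="org.mozilla.firefox.ATFjHSFqwZ__" mask="bind" pid=2913 '
               'label="/usr/lib/firefox/firefox{,*[^s][^h]}"')
SEND_DENIAL = ('apparmor="DENIED" operation="dbus_method_call" bus="session" '
               'path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" '
               'member="RequestName" mask="send" name="org.freedesktop.DBus" '
               'pid=2913 label="/usr/lib/firefox/firefox{,*[^s][^h]}" '
               'peer_label="unconfined"')

if __name__ == "__main__":
    for entry in (BIND_DENIAL, SEND_DENIAL):
        print(suggest_rule(entry))
```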