[apparmor] [profile] Firefox: "org.mozilla.firefox.*" and "dbus_bind" -- DENIED.
Simon McVittie
smcv at collabora.com
Thu Mar 29 10:51:11 UTC 2018
On Wed, 28 Mar 2018 at 18:17:00 +0000, daniel curtis wrote:
> dbus (send)
> bus=session
> path=/org/freedesktop/DBus
> interface=org.freedesktop.DBus
> member=RequestName
There's nothing in this rule that requires the message to be sent to the
dbus-daemon. It would allow Firefox to send a message to any destination
on the bus, as long as the path, interface and member match; but the
security boundary is between connections to the bus (and the dbus-daemon
itself), not between paths, interfaces and members, so that doesn't
seem ideal.
I mentioned name=org.freedesktop.DBus as a solution to that in a
previous email, but it looks like that was incorrect: I should have
said peer=(name=org.freedesktop.DBus).
Here is a real, working AppArmor profile for a simple D-Bus service
(in this case its name is org.apertis.Didcot, where Firefox's name
can be anything that matches org.mozilla.firefox.*):
https://git.apertis.org/cgit/didcot.git/tree/debian/usr.bin.didcot
Line-wrapping the rule that allows RequestName for better clarity, it's:
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member="RequestName"
peer=(name=org.freedesktop.DBus),
(I don't think the quotes around RequestName are required, but I happen
to have used quotes when I wrote the initial version of that profile in
2016, and nobody has removed them yet.)
> If it's about the second rule: I'd asked what I should use for "path="
> (please see my previous message and "DENIED" entry). It was:
> "firefox.*" and "firefox/*". And I'd asked which variant is correct?
> I should put it this way:
>
> path=/org/mozilla/firefox.*
> path=/org/mozilla/firefox/*
Neither of those is correct for a bind rule. Bind rules do not have
a path.
> According to you and your answer, I should use:
>
> dbus (bind) bus=session name=org.mozilla.firefox.*,
Yes.
smcv
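An added check, not part of Simon's message or the didcot profile, that applies the point made above mechanically: it parses the dbus rules out of a profile fragment and flags send rules aimed at the org.freedesktop.DBus interface that do not pin the peer to the dbus-daemon with peer=(name=org.freedesktop.DBus). The profile text and the /usr/lib/firefox/firefox attachment path are constructed sample input; the three rules in it are the ones discussed in the thread.

```python
import re

# Constructed sample: the over-broad rule quoted in the thread, the tightened
# rule from the didcot profile, and the agreed bind rule.
SAMPLE_PROFILE = """
/usr/lib/firefox/firefox {
  dbus (send)
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=RequestName,

  dbus (send)
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member="RequestName"
       peer=(name=org.freedesktop.DBus),

  dbus (bind) bus=session name=org.mozilla.firefox.*,
}
"""

# A dbus rule is "dbus (perms) key=value ... ," possibly spanning several lines.
RULE_RE = re.compile(r"dbus\s*\(([^)]*)\)([^,]*),")
# key=value where value is a (nested list), a "quoted string" or a bare token.
KV_RE = re.compile(r'(\w+)=(\([^)]*\)|"[^"]*"|\S+)')

def parse_dbus_rules(text):
    """Return one dict per dbus rule: perms set plus its key=value conditions."""
    rules = []
    for perms, body in RULE_RE.findall(text):
        rule = {"perms": set(perms.replace(",", " ").split())}
        for key, value in KV_RE.findall(body):
            if value.startswith("("):
                # peer=(name=... label=...) is a nested key=value list
                rule[key] = {k: v.strip('"') for k, v in KV_RE.findall(value[1:-1])}
            else:
                rule[key] = value.strip('"')
        rules.append(rule)
    return rules

def unscoped_bus_driver_sends(rules):
    """Send rules on interface org.freedesktop.DBus whose peer is not the
    dbus-daemon: the security boundary is between connections, so without
    peer=(name=org.freedesktop.DBus) the message may go to any destination."""
    return [r for r in rules
            if "send" in r["perms"]
            and r.get("interface") == "org.freedesktop.DBus"
            and r.get("peer", {}).get("name") != "org.freedesktop.DBus"]
```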