[apparmor] [PATCH] Allow reading /etc/machine-id in the dbus-session abstraction.
intrigeri
intrigeri at debian.org
Wed Nov 20 09:28:57 UTC 2013
Seth Arnold wrote (20 Nov 2013 01:31:29 GMT):
> Hi Intrigeri, better late than never I hope...
Sure!
> On Thu, Jul 25, 2013 at 10:52:42AM +0200, intrigeri at debian.org wrote:
>> From: intrigeri <intrigeri at boum.org>
>>
>> D-Bus now uses /etc/machine-id in some cases:
>> https://bugs.freedesktop.org/show_bug.cgi?id=35228
>> ---
>> profiles/apparmor.d/abstractions/dbus-session | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/profiles/apparmor.d/abstractions/dbus-session b/profiles/apparmor.d/abstractions/dbus-session
>> index 8735c1f..b9c872e 100644
>> --- a/profiles/apparmor.d/abstractions/dbus-session
>> +++ b/profiles/apparmor.d/abstractions/dbus-session
>> @@ -10,4 +10,5 @@
>> # ------------------------------------------------------------------
>>
>> /usr/bin/dbus-launch ix,
>> + /etc/machine-id r,
>> /var/lib/dbus/machine-id r,
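Review bot: the commit message says only that D-Bus uses /etc/machine-id "in some cases" and points at the bug URL; the abstraction itself gives no hint of why both `/etc/machine-id r,` and `/var/lib/dbus/machine-id r,` are needed, so a one-line comment above the new rule (or a sentence in the commit message) stating the condition under which D-Bus falls back from one path to the other would let future readers judge whether the second rule can ever be dropped. The permission itself is the minimal `r` and matches the neighbouring rule, so nothing else stands out.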
>> --
>> 1.8.3.2
> Okay, I've now learned enough that this looks Obviously Correct. :)
> Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks.
> On Fri, Jul 26, 2013 at 11:26:32AM +0200, intrigeri wrote:
>> For some reason unknown to me, Ubuntu's Totem profile doesn't use the
>> dbus-session abstraction, but instead itself grants the
>> /var/lib/dbus/machine-id read access. Another look at the 13.10
>> profiles directory, and I find usr.bin.evolution and
>> usr.bin.pulseaudio there that do the same, but usr.bin.empathy
>> _denies_ access to /var/lib/dbus/machine-id, while still using
>> abstraction/gnome. So perhaps Evolution, Totem and PulseAudio should
>> just use abstraction/dbus-session instead?
> So, the thing with <abstractions/dbus-session> is that it is currently
> wide-open. It feels too open to me, but for a starting point that we can
> tell people "just add this one line to your profile and things will work
> again", it makes sense. But it'd be ideal to use our new dbus powers for
> tighter confinement.
I'm sorry I did not follow this feature closely enough: what version
of AppArmor userspace (released?) and kernel (mainline 3.12?
patch needed?) is needed to make use of the new dbus rules?
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc