[apparmor] [PATCH] Allow reading /etc/machine-id in the dbus-session abstraction.
John Johansen
john.johansen at canonical.com
Wed Nov 20 10:04:53 UTC 2013
On 11/20/2013 01:28 AM, intrigeri wrote:
> Seth Arnold wrote (20 Nov 2013 01:31:29 GMT) :
>> Hi Intrigeri, better late than never I hope...
>
<< snip >>
>> So, the thing with <abstractions/dbus-session>, is that it is currently
>> wide-open. It feels too open to me, but for a starting point that we can
>> tell people "just add this one line to your profile and things will work
>> again", it makes sense. But it'd be ideal to use our new dbus powers for
>> tighter confinement.
>
> I'm sorry I did not follow this feature closely enough: what version
> of AppArmor userspace (released?) and kernel (mainline 3.12?
> patch needed?) is needed to make use of the new dbus rules?
>
The dbus patches are a bit of a pain atm, you will need patches against the
kernel, the userspace, and dbus. Ubuntu has done this for the 13.10 release
(it carries a snapshot of the 3.0 dev kernel patches, a patched 2.8
userspace, and a patched dbus).
With the 3.0 version of apparmor some of this will go away. The userspace
will incorporate all necessary changes. The kernel patches are being pushed
upstream in small chunks as they become ready. However I am not sure when
the full 3.0 set will reach upstream. The query interface will not make
3.13 as the patchset for that has already been pushed, but it might make
3.14 as it doesn't require the full 3.0 patchset. As for the dbus patches
I am unsure when the upstreaming of those will begin, it's something that
needs to be done, but we are short on resources and time atm.
Currently to use dbus rules you need
- 3.12 or later kernel + a small set of patches, or the 3.0 dev kernel
patchset.
- dbus patches against the 2.8 userspace, or the current 3.0 dev tree
- dbus 1.6 + the apparmor mediation patchset
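As an added illustration, not part of this thread or of the AppArmor tree, here is what the two ends of the spectrum Seth describes look like as profile rules, assuming the dbus rule syntax of the patched parser the reply above refers to: the wide-open session-bus rule beside a tightened set that grants only the bus-daemon bookkeeping every session-bus client performs, together with the /etc/machine-id read this patch is about. The org.example.Hypothetical name at the end is a placeholder.

```apparmor
# Added example, not the patch under discussion. Assumes the dbus rule
# syntax of the AppArmor-patched parser described in the reply above.

# 1. Wide-open form: any operation on the session bus is allowed.
#    Easy drop-in for a broken profile, but mediates nothing on the bus.
  dbus bus=session,

# 2. Tightened form: only what every session-bus client needs.
  # the machine id that the libdbus client code reads when connecting
  /etc/machine-id r,

  # talk to the bus daemon itself for connection bookkeeping
  dbus send
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
       peer=(name=org.freedesktop.DBus),

  # receive the bus daemon's name-ownership notifications
  dbus receive
       bus=session
       interface=org.freedesktop.DBus
       member=NameOwnerChanged
       peer=(name=org.freedesktop.DBus),

  # Anything application-specific (owning a name, calling a service) is
  # then granted per profile rather than by the abstraction, for example
  # for a hypothetical, placeholder service name:
  # dbus bind bus=session name=org.example.Hypothetical,
```

With the tightened form, any bus traffic the profile does not list shows up as an AppArmor denial in the audit log, which is how a profile author finds the application-specific rules still missing.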