[apparmor] [PATCH 2/4] profiles: Add strict session bus abstraction
Jamie Strandboge
jamie at canonical.com
Tue Jan 7 22:39:44 UTC 2014
On 01/03/2014 04:26 PM, Tyler Hicks wrote:
> Move the file rule from the existing permissive session bus abstraction
> into a new strict session bus abstraction.
>
Thanks for all these! This is a really good idea. Sorry for not responding sooner.
...
>
> diff --git a/profiles/apparmor.d/abstractions/dbus-session b/profiles/apparmor.d/abstractions/dbus-session
> index 76a7bbf..2eda4e0 100644
> --- a/profiles/apparmor.d/abstractions/dbus-session
> +++ b/profiles/apparmor.d/abstractions/dbus-session
...
> - /usr/bin/dbus-launch ix,
...
> diff --git a/profiles/apparmor.d/abstractions/dbus-session-strict b/profiles/apparmor.d/abstractions/dbus-session-strict
> + /usr/bin/dbus-launch ix,
...
First off, can we change this to be 'Pix'?
Secondly, I wonder if this rule should be in the permissive session bus
abstraction rather than the strict one. I have quite a few profiles that use
dbus rules without the existing dbus abstractions, and only one has a
/usr/bin/dbus-launch rule. Moving '/usr/bin/dbus-launch Pix,' out of
dbus-session-strict seems to make a lot of sense and I suggest we just do that.
What do others think?
Lastly, what I have for that profile is:
/usr/bin/dbus-launch Cx -> dbus_launch,
profile dbus_launch {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/X>
/usr/bin/dbus-launch r,
}
This confinement for dbus-launch is mildly interesting, but I think we might
have some issues if we use a child profile in this exact manner in the
abstraction. We could ship the profile outside of the abstraction though, and
use 'Pix -> dbus_launch' in the abstraction instead. It doesn't give much added
security, but dbus-launch clearly doesn't need much access.
--
Jamie Strandboge http://www.ubuntu.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140107/fb2db253/attachment.pgp>
More information about the AppArmor
mailing list