[apparmor] [PATCH] parser: Add example dbus rule for unconfined peers

Tyler Hicks tyhicks at canonical.com
Fri May 2 17:48:42 UTC 2014


It may not be obvious that the peer label can be "unconfined". Provide
an example rule, in the apparmor.d man page, demonstrating the
peer=(label=unconfined) conditional.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Reported-by: Alban Crequy <alban.crequy at collabora.co.uk>
---

Someone that is quite familiar with AppArmor D-Bus mediation mentioned in IRC
that he didn't realize that the peer label in dbus rules could be "unconfined".
That is due to a failure in our documentation. This patch is a quick attempt at
making it more clear.

 parser/apparmor.d.pod | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
index ff7887d..dd1e6ff 100644
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -741,6 +741,9 @@ Example AppArmor DBus rules:
          member=ExampleMethod
          peer=(name=(com.example.ExampleName1|com.example.ExampleName2)),
 
+    # Allow receive access for all unconfined peers
+    dbus receive peer=(label=unconfined)),
+
     # Allow eavesdropping on the system bus
     dbus eavesdrop bus=system,
 
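Review bot: the added example rule `dbus receive peer=(label=unconfined)),` has an unbalanced closing parenthesis: one `(` opens after `peer=` but two `)` precede the comma. Man page examples get copied into profiles verbatim, so this should read `dbus receive peer=(label=unconfined),`. The rule also carries no `bus=` conditional, unlike the eavesdrop example right after it, so the comment could state that it is not limited to one bus.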
-- 
1.9.1



