[apparmor] [PATCH] profiles: Grant access to systemd-resolved in the nameservice abstraction
Christian Boltz
apparmor at cboltz.de
Wed Oct 12 21:26:48 UTC 2016
Hello,
On Tuesday, 11 October 2016, 23:03:29 CEST, Steve Beattie wrote:
> On Tue, Oct 11, 2016 at 10:10:01PM +0000, Tyler Hicks wrote:
> > https://launchpad.net/bugs/1598759
> >
> > Profiles that rely on the nameservice abstraction are experiencing
> > denials on systems configured to use systemd-resolved via the
> > libnss-resolve plugin.
> >
> > libnss-resolve talks to systemd-resolved over D-Bus and this patch
> > attempts to only grant access to the safe members of the D-Bus API.
> >
> > Special considerations need to be made when applying this patch to
> > most Linux distributions as many of them do not have the ability to
> > perform fine-grained AppArmor mediation of D-Bus traffic. In those
> > cases, any users of the nameservice abstraction (such as tcpdump or
> > ntpd) will have full access to the D-Bus system bus once this
> > change is applied to the nameservice abstraction.
>
> I don't like this for precisely the reason above. Access to the D-Bus
> system bus would be allowed (modulo DAC and D-Bus policy) even on
> systems that do not use systemd-resolved, and thus have no reason to
> access the system D-Bus at all.
>
> I think this either needs to stay as an Ubuntu patch or should be
> present but commented out[0] until the necessary apparmor bits that
> D-Bus needs have made it into the upstream kernel. That said, I
> welcome input specifically from non-Ubuntu downstreams here on this,
I agree - allowing full dbus access via abstractions/nameservice
(because the upstream kernel doesn't support dbus rules yet) sounds like
a very bad idea. I'd prefer to keep this as an Ubuntu-only patch for
now. (But please don't forget to upstream it one day.)
You can also see it the other way round - this is a very good argument
for upstreaming all the kernel patches ;-)
BTW: I don't know if openSUSE uses systemd-resolved at all. All I can
say is that my local unbound works fine - but that's not the default
openSUSE setup ;-)
Regards,
Christian Boltz
--
Inventors and developers are lazy by nature, because inventors and
developers develop things that are supposed to make life easier.
The main motivation for this is usually laziness.
[http://miraspostgresqlwelt.blogspot.com/2011/09/technische-unterschiede-postgresql_02.html]