On 2013-05-09 15:20:56, Jamie Strandboge wrote:
> On 05/09/2013 02:41 PM, John Johansen wrote:
> >
> > Lets look at it as local (subject) address and remote/peer address
> >
> > profile subject {
> >
> > dbus name=well.known.address acquire,
> >
> > dbus name=well.known.address receive, #subject can receive messages on
> > this well.known.address
> >
> > dbus -> name=a.peer.address send, #subject can send to a peer/remote
> > process using the well known address a.peer.address
> >
> > dbus -> name=a.peer.address receive, #subject can receive a message
> > from a peer/remote process that sent from its a.peer.address
> > # this case is unusual
> >
> > }
> >
> > note that send atomically gives permission to receive a reply, just not to
> > receive arbitrary new messages
> >
> > the unusually case is the one that tyler pointed out as problematic, and
> > I'm not sure it really is but I would like to get this right
> >
>
> This explanation makes things a lot more clear for me. Part of my
> problem was that I was trying to apply natural language to the rule, but
> your explanation is clear.
>
> That said, and speaking for myself only, I think I got tripped up
> because '->' suggests a direction. In most cases this works out ok, but
> in the unusual case:
> dbus -> name=a.peer.address receive,Now that I think about it more, this rule should never be written. It says, "my peer (a.peer.address) can receive messages from anyone". apparmor_parser would accept the rule, but it would be an error of the policy writer. Tyler > > my brain was thinking that the '->' meant 'to' and therefore the subject > was sending something to the remote address, but the syntax actually > meant it was receiving something. We can document around this since it > is the unusual case, but will this be so unusual with non-DBus rules > that use the same syntax? Would using 'remote:' be any clearer? Eg: > dbus name=well.known.address acquire, > dbus name=well.known.address receive, > dbus remote: name=a.peer.address send, > dbus remote: name=a.peer.address receive, > > Typing that out, it seems not because the specified access on the RHS of > the peer is actually describing (based on your descriptions, above) what > the subject can do, as opposed to what the peer can do, but my brain > wants the RHS of the peer to correspond to the peer itself, since it is > closer. I don't think there is a way to make that confusion go away by > substituting '->' for something else. > > I'm tempted to suggest another syntax, but not sure how it would impact > the non-DBus applications of the syntax. > > -- > Jamie Strandboge http://www.ubuntu.com/ > > -- > AppArmor mailing list > [email protected] > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor
signature.asc
Description: Digital signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
