I've profiled the system and session bus activity of gnome-screensaver to provide examples of various DBus policy ideas generated in a previous apparmor list thread[1].
To start us off, here's the profile using the current DBus syntax. It is
complex, but it uses all of the DBus accesses (send, receive, and
acquire) and it is representative of what a real profile may look like.
/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus bus={system,session} dest=org.freedesktop.DBus (send receive),

  # Sends messages on the system bus
  dbus bus=system dest=org.freedesktop.ConsoleKit
       path=/org/freedesktop/ConsoleKit/Manager
       interface=org.freedesktop.ConsoleKit.Manager send,
  dbus bus=system dest=org.freedesktop.Accounts path=/org/freedesktop/Accounts
       interface=org.freedesktop.Accounts send,
  dbus bus=system dest=org.freedesktop.Accounts
       path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties
       send,

  # Receives messages on the session bus
  dbus bus=session dest=org.gnome.ScreenSaver acquire,
  dbus bus=session path=/org/gnome/ScreenSaver
       interface=org.freedesktop.DBus.Properties receive,
  # It would be nice to be able to specify who gnome-screensaver should receive
  # these messages from since the Lock method is mediated by this rule
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver
       receive,

  # Sends messages on the session bus
  dbus bus=session dest=org.gnome.SessionManager
       path=/org/gnome/SessionManager/Presence
       interface=org.freedesktop.DBus.Properties send,
  dbus bus=session path=/org/gtk/vfs/mounttracker
       interface=org.gtk.vfs.MountTracker send,
  dbus bus=session dest=org.gnome.Shell path=/org/gnome/Shell
       interface=org.freedesktop.DBus.Properties send,
}
There are a few changes needed for the new syntax:
1. dest= will be changed to name= so that it can identify either the subject's
or the peer's connection name without causing confusion
2. method= will be changed to member= so that it can identify either methods
or signals without causing confusion
3. There needs to be a way to specify both the subject and peer's address
components
#3 is what this thread is meant to focus on. In the examples below, the
session bus receive rules are modified to indicate peer connection information,
which is something that cannot be expressed in the current syntax. For the
gnome-screensaver example, it would allow us to specify the peer's connection
name, or even the peer's connection label, that is allowed to call the
org.gnome.ScreenSaver.Lock method.
* Proposal 1 - Leveraging the meaning of arrows
Based on Seth's suggestion[2]. It eliminates the send and receive permissions
and uses arrows to indicate how messages can flow between two different
DBus connections. The acquire permission and syntax is not changed.
dbus [<bus>] [<subject>] [acquire],
dbus [<bus>] [<subject>] [-> | <- | <->] [<peer>],
/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus bus={system,session} name=org.freedesktop.DBus (send receive),

  # Sends messages on the system bus
  dbus bus=system -> name=org.freedesktop.ConsoleKit
       path=/org/freedesktop/ConsoleKit/Manager
       interface=org.freedesktop.ConsoleKit.Manager,
  dbus bus=system -> name=org.freedesktop.Accounts
       path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts,
  dbus bus=system -> name=org.freedesktop.Accounts
       path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties,

  # Receives messages on the session bus
  dbus bus=session name=org.gnome.ScreenSaver acquire,
  dbus bus=session path=/org/gnome/ScreenSaver
       interface=org.freedesktop.DBus.Properties <-,
  # Be selective because the Lock method is mediated by these rules
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver
       <- label=/usr/bin/gnome-settings-daemon,
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver
       <- name=com.canonical.indicator.session,

  # Sends messages on the session bus
  dbus bus=session -> name=org.gnome.SessionManager
       path=/org/gnome/SessionManager/Presence
       interface=org.freedesktop.DBus.Properties,
  dbus bus=session -> path=/org/gtk/vfs/mounttracker
       interface=org.gtk.vfs.MountTracker,
  dbus bus=session -> name=org.gnome.Shell path=/org/gnome/Shell
       interface=org.freedesktop.DBus.Properties,
}
* Proposal 2 - Place the access between the subject and peer
Based on Jamie's "--" suggestion[3]. It moves the access information next to
the subject, because the access is always applied to the subject. The acquire
permission and syntax is not changed.
dbus [<bus>] [<subject>] [acquire],
dbus [<bus>] [<subject>] [(send | receive)] [-- <peer>],
/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus bus={system,session} name=org.freedesktop.DBus (send receive),

  # Sends messages on the system bus
  dbus bus=system send -- name=org.freedesktop.ConsoleKit
       path=/org/freedesktop/ConsoleKit/Manager
       interface=org.freedesktop.ConsoleKit.Manager,
  dbus bus=system send -- name=org.freedesktop.Accounts
       path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts,
  dbus bus=system send -- name=org.freedesktop.Accounts
       path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties,

  # Receives messages on the session bus
  dbus bus=session acquire name=org.gnome.ScreenSaver,
  dbus bus=session path=/org/gnome/ScreenSaver
       interface=org.freedesktop.DBus.Properties receive,
  # Be selective because the Lock method is mediated by these rules
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver
       receive -- label=/usr/bin/gnome-settings-daemon,
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver
       receive -- name=com.canonical.indicator.session,

  # Sends messages on the session bus
  dbus bus=session send -- name=org.gnome.SessionManager
       path=/org/gnome/SessionManager/Presence
       interface=org.freedesktop.DBus.Properties,
  dbus bus=session send -- path=/org/gtk/vfs/mounttracker
       interface=org.gtk.vfs.MountTracker,
  dbus bus=session send -- name=org.gnome.Shell path=/org/gnome/Shell
       interface=org.freedesktop.DBus.Properties,
}
* Proposal 3 - Grouping of subject and peer address components
Based on Steve's suggestion[4] and refined by Jamie[5]. It groups the
connection attributes together based on whether it is the subject's connection
attributes or the peer's.
dbus [<bus>] [subj=(<subject>)] [acquire],
dbus [<bus>] [subj=(<subject>)] [peer=(<peer>)] [send | receive],
/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus bus={system,session} peer=(name=org.freedesktop.DBus) (send receive),

  # Sends messages on the system bus
  dbus bus=system peer=(name=org.freedesktop.ConsoleKit
       path=/org/freedesktop/ConsoleKit/Manager
       interface=org.freedesktop.ConsoleKit.Manager) send,
  dbus bus=system peer=(name=org.freedesktop.Accounts
       path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts) send,
  dbus bus=system peer=(name=org.freedesktop.Accounts
       path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties)
       send,

  # Receives messages on the session bus
  dbus bus=session subj=(name=org.gnome.ScreenSaver) acquire,
  dbus bus=session subj=(path=/org/gnome/ScreenSaver
       interface=org.freedesktop.DBus.Properties) receive,
  # Be selective because the Lock method is mediated by these rules
  dbus bus=session subj=(path=/org/gnome/ScreenSaver
       interface=org.gnome.ScreenSaver) peer=(label=/usr/bin/gnome-settings-daemon)
       receive,
  dbus bus=session subj=(path=/org/gnome/ScreenSaver
       interface=org.gnome.ScreenSaver) peer=(name=com.canonical.indicator.session)
       receive,

  # Sends messages on the session bus
  dbus bus=session peer=(name=org.gnome.SessionManager
       path=/org/gnome/SessionManager/Presence
       interface=org.freedesktop.DBus.Properties) send,
  dbus bus=session peer=(path=/org/gtk/vfs/mounttracker
       interface=org.gtk.vfs.MountTracker) send,
  dbus bus=session peer=(name=org.gnome.Shell path=/org/gnome/Shell
       interface=org.freedesktop.DBus.Properties) send,
}
The original thread[1] included many different ideas as well as tweaks on these
three chosen proposals. If I missed something that you'd like to see included
for consideration, please reply with the gnome-screensaver profile modified
according to your proposal.
Tyler
References:
[1] https://lists.ubuntu.com/archives/apparmor/2013-May/003651.html
[2] https://lists.ubuntu.com/archives/apparmor/2013-May/003696.html
[3] https://lists.ubuntu.com/archives/apparmor/2013-May/003683.html
[4] https://lists.ubuntu.com/archives/apparmor/2013-May/003701.html
[5] https://lists.ubuntu.com/archives/apparmor/2013-May/003707.html
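
An added example, not part of the original post and not AppArmor code: a toy Python model of the Proposal 3 receive rules, showing how the peer conditions limit which connections can deliver org.gnome.ScreenSaver messages such as Lock. The parser, the `allowed` and `lock_call` helpers, the single-name peer model and the sample peers are assumptions made for illustration; globs and `{a,b}` alternations are not handled.

```python
import re

# Constructed input: the two Lock-mediating receive rules from Proposal 3.
POLICY = """
dbus bus=session subj=(path=/org/gnome/ScreenSaver
     interface=org.gnome.ScreenSaver) peer=(label=/usr/bin/gnome-settings-daemon)
     receive,
dbus bus=session subj=(path=/org/gnome/ScreenSaver
     interface=org.gnome.ScreenSaver) peer=(name=com.canonical.indicator.session)
     receive,
"""
# Same subject conditions with no peer group: what the current syntax can express.
UNQUALIFIED = ("dbus bus=session subj=(path=/org/gnome/ScreenSaver "
               "interface=org.gnome.ScreenSaver) receive,")

def parse_rules(text):
    """Toy parser for 'dbus [bus] [subj=(...)] [peer=(...)] [access],' rules."""
    rules = []
    for raw in text.split(","):          # safe here: no commas inside these rules
        rule = " ".join(raw.split())     # join continuation lines
        if not rule.startswith("dbus"):
            continue
        parsed = {"subj": {}, "peer": {}}
        for group in ("subj", "peer"):
            m = re.search(group + r"=\(([^)]*)\)", rule)
            if m:
                parsed[group] = dict(kv.split("=", 1) for kv in m.group(1).split())
        rest = re.sub(r"(subj|peer)=\([^)]*\)", "", rule).split()[1:]
        parsed["bus"] = next((t[4:] for t in rest if t.startswith("bus=")), None)
        parsed["access"] = {t for t in rest if t in ("send", "receive", "acquire")}
        rules.append(parsed)
    return rules

def allowed(rules, msg):
    """True if any rule permits msg; a condition the rule omits matches anything."""
    for r in rules:
        if r["bus"] not in (None, msg["bus"]):
            continue
        if r["access"] and msg["access"] not in r["access"]:
            continue
        if all(msg[g].get(k) == v for g in ("subj", "peer") for k, v in r[g].items()):
            return True
    return False

def lock_call(peer):
    """Constructed message: a call arriving at the screensaver's object from `peer`."""
    return {"bus": "session", "access": "receive", "peer": peer,
            "subj": {"path": "/org/gnome/ScreenSaver",
                     "interface": "org.gnome.ScreenSaver"}}
```

With `UNQUALIFIED` every peer on the session bus is accepted, which is the gap the three proposals are meant to close.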
