On 06/10/2013 06:44 PM, Tyler Hicks wrote:
> I've profiled the system and session bus activity of gnome-screensaver to
> provide examples of various DBus policy ideas generated in a previous apparmor
> list thread[1].
> 
> To start us off, here's the profile using the current DBus syntax. It is
> complex, but it uses all of the DBus accesses (send, receive, and
> acquire) and it is representative of what a real profile may look like.
> 
> /usr/bin/gnome-screensaver {
>   # Ignore file and accessibility bus access for this exercise
>   file,
>   dbus bus=accessibility,
> 
>   # Talks to system and session buses
>   dbus bus={system,session} dest=org.freedesktop.DBus (send receive),
> 
>   # Sends messages on the system bus
>   dbus bus=system dest=org.freedesktop.ConsoleKit 
> path=/org/freedesktop/ConsoleKit/Manager 
> interface=org.freedesktop.ConsoleKit.Manager send,
>   dbus bus=system dest=org.freedesktop.Accounts 
> path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts send,
>   dbus bus=system dest=org.freedesktop.Accounts 
> path=/org/freedesktop/Accounts/User* 
> interface=org.freedesktop.DBus.Properties send,
> 
>   # Receives messages on the session bus
>   dbus bus=session dest=org.gnome.ScreenSaver acquire,
>   dbus bus=session path=/org/gnome/ScreenSaver 
> interface=org.freedesktop.DBus.Properties receive,
>   # It would be nice to be able to specify who gnome-screensaver should 
> receive
>   # these messages from since the Lock method is mediated by this rule
>   dbus bus=session path=/org/gnome/ScreenSaver 
> interface=org.gnome.ScreenSaver receive,
> 
I realize this isn't available yet, and never will be for this particular
syntax, but on the off chance this can help the discussion I'll throw in the
label extension here as well.

So for this syntax, I am not sure whether I would use label or rlabel. I have
gone with the assumption of label and that on send/receive rules it means
the remote label.

dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver label=/usr/bin/gnome-settings-daemon receive,


>   # Sends messages on the session bus
>   dbus bus=session dest=org.gnome.SessionManager 
> path=/org/gnome/SessionManager/Presence 
> interface=org.freedesktop.DBus.Properties send,
>   dbus bus=session path=/org/gtk/vfs/mounttracker 
> interface=org.gtk.vfs.MountTracker send,
>   dbus bus=session dest=org.gnome.Shell path=/org/gnome/Shell 
> interface=org.freedesktop.DBus.Properties send,
> }
> 
> There are a few changes needed for the new syntax:
> 
>  1. dest= will be changed to name= so that it can identify either the 
> subject's
>     or the peer's connection name without causing confusion
>  2. method= will be changed to member= so that it can identify either methods
>     or signals without causing confusion
>  3. There needs to be a way to specify both the subject and peer's address
>     components
> 
> #3 is what this thread is meant to focus on. In the examples below, the
> session bus receive rules are modified to indicate peer connection 
> information,
> which is something that cannot be expressed in the current syntax. For the
> gnome-screensaver example, it would allow us to specify the peer's connection
> name, or even the peer's connection label, that is allowed to call the
> org.gnome.ScreenSaver.Lock method.
> 
> * Proposal 1 - Leveraging the meaning of arrows
> 
> Based on Seth's suggestion[2]. It eliminates the send and receive permissions
> and uses arrows to indicate the how messages can flow between two different
> DBus connections. The acquire permission and syntax is not changed.
> 
> dbus [<bus>] [<subject>] [acquire],
> dbus [<bus>] [<subject>] [-> | <- | <->] [<peer>], 
> 
> /usr/bin/gnome-screensaver {
>   # Ignore file and accessibility bus access for this exercise
>   file,
>   dbus bus=accessibility,
> 
>   # Talks to system and session buses
>   dbus bus={system,session} name=org.freedesktop.DBus (send receive),
> 
>   # Sends messages on the system bus
>   dbus bus=system -> name=org.freedesktop.ConsoleKit 
> path=/org/freedesktop/ConsoleKit/Manager 
> interface=org.freedesktop.ConsoleKit.Manager,
>   dbus bus=system -> name=org.freedesktop.Accounts 
> path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts,
>   dbus bus=system -> name=org.freedesktop.Accounts 
> path=/org/freedesktop/Accounts/User* 
> interface=org.freedesktop.DBus.Properties,
> 
>   # Receives messages on the session bus
>   dbus bus=session name=org.gnome.ScreenSaver acquire,
>   dbus bus=session path=/org/gnome/ScreenSaver 
> interface=org.freedesktop.DBus.Properties <-,
>   # Be selective because the Lock method is mediated by these rules
>   dbus bus=session path=/org/gnome/ScreenSaver 
> interface=org.gnome.ScreenSaver <- label=/usr/bin/gnome-settings-daemon,
>   dbus bus=session path=/org/gnome/ScreenSaver 
> interface=org.gnome.ScreenSaver <- name=com.canonical.indicator.session,
>
>   # Sends messages on the session bus
>   dbus bus=session -> name=org.gnome.SessionManager 
> path=/org/gnome/SessionManager/Presence 
> interface=org.freedesktop.DBus.Properties,
>   dbus bus=session -> path=/org/gtk/vfs/mounttracker 
> interface=org.gtk.vfs.MountTracker,
>   dbus bus=session -> name=org.gnome.Shell path=/org/gnome/Shell 
> interface=org.freedesktop.DBus.Properties,
> }
>
So this is okay, but I find it odd that there is both <- -> indicating a
permission and also the keyword acquire to indicate a permission.

Also, seeing it, I don't like the split (or lack thereof in the case of local
addresses) between the bus= and name=, i.e.
  dbus bus=system -> name=org.freedesktop.Accounts path=/org/freedesktop/Accounts

I realize that is more of a global to the rule, but the rule feels like it is
saying

  from bus=system  send to name=org.freedesktop.Accounts ...

technically true but

  send to bus=system name=org.freedesktop.Accounts ...

reads better to me, as bus is, in some sense, part of the address; it's just
that it must always be the same for local and remote. I do realize that
bus=system isn't intended as part of the local address, but this syntax just
makes it feel like it is.

> * Proposal 2 - Place the access between the subject and peer
> 
> Based on Jamie's "--" suggestion[3]. It moves the access information next to
> the subject, because the access is always applied to the subject. The acquire
> permission and syntax is not changed.
> 
> dbus [<bus>] [<subject>] [acquire],
> dbus [<bus>] [<subject>] [(send | receive)] [-- <peer>],
> 
> /usr/bin/gnome-screensaver {
>   # Ignore file and accessibility bus access for this exercise
>   file,
>   dbus bus=accessibility,
> 
>   # Talks to system and session buses
>   dbus bus={system,session} name=org.freedesktop.DBus (send receive),
> 
>   # Sends messages on the system bus
>   dbus bus=system send -- name=org.freedesktop.ConsoleKit 
> path=/org/freedesktop/ConsoleKit/Manager 
> interface=org.freedesktop.ConsoleKit.Manager,
>   dbus bus=system send -- name=org.freedesktop.Accounts 
> path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts,
>   dbus bus=system send -- name=org.freedesktop.Accounts 
> path=/org/freedesktop/Accounts/User* 
> interface=org.freedesktop.DBus.Properties,
> 
>   # Receives messages on the session bus
>   dbus bus=session acquire name=org.gnome.ScreenSaver,
>   dbus bus=session path=/org/gnome/ScreenSaver 
> interface=org.freedesktop.DBus.Properties receive,
>   # Be selective because the Lock method is mediated by these rules
>   dbus bus=session path=/org/gnome/ScreenSaver 
> interface=org.gnome.ScreenSaver receive -- 
> label=/usr/bin/gnome-settings-daemon,
>   dbus bus=session path=/org/gnome/ScreenSaver 
> interface=org.gnome.ScreenSaver receive -- 
> name=com.canonical.indicator.session,
> 
>   # Sends messages on the session bus
>   dbus bus=session send -- name=org.gnome.SessionManager 
> path=/org/gnome/SessionManager/Presence 
> interface=org.freedesktop.DBus.Properties,
>   dbus bus=session send -- path=/org/gtk/vfs/mounttracker 
> interface=org.gtk.vfs.MountTracker,
>   dbus bus=session send -- name=org.gnome.Shell path=/org/gnome/Shell 
> interface=org.freedesktop.DBus.Properties,
> }
> 
This reads a little better to me than proposal 1. However, I would probably
prefer the permission moving before the local address:

  dbus bus=session receive path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver -- label=/usr/bin/gnome-settings-daemon,

It makes its location consistent and also serves to separate the bus= from the
local address.

> * Proposal 3 - Grouping of subject and peer address components
> 
> Based on Steve's suggestion[4] and refined by Jamie[5]. It groups the
> connection attributes together based on whether it is the subject's connection
> attributes or the peer's.
> 
> dbus [<bus>] [subj=(<subject>)] [acquire],
> dbus [<bus>] [subj=(<subject>)] [peer=(<peer>)] [send | receive],
> 
> /usr/bin/gnome-screensaver {
>   # Ignore file and accessibility bus access for this exercise
>   file,
>   dbus bus=accessibility,
> 
>   # Talks to system and session buses
>   dbus bus={system,session} peer=(name=org.freedesktop.DBus) (send receive),
> 
>   # Sends messages on the system bus
>   dbus bus=system peer=(name=org.freedesktop.ConsoleKit 
> path=/org/freedesktop/ConsoleKit/Manager 
> interface=org.freedesktop.ConsoleKit.Manager) send,
>   dbus bus=system peer=(name=org.freedesktop.Accounts 
> path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts) send,
>   dbus bus=system peer=(name=org.freedesktop.Accounts 
> path=/org/freedesktop/Accounts/User* 
> interface=org.freedesktop.DBus.Properties) send,
> 
>   # Receives messages on the session bus
>   dbus bus=session subj=(name=org.gnome.ScreenSaver) acquire,
>   dbus bus=session subj=(path=/org/gnome/ScreenSaver 
> interface=org.freedesktop.DBus.Properties) receive,
>   # Be selective because the Lock method is mediated by these rules
>   dbus bus=session subj=(path=/org/gnome/ScreenSaver 
> interface=org.gnome.ScreenSaver) peer=(label=/usr/bin/gnome-settings-daemon) 
> receive,
>   dbus bus=session subj=(path=/org/gnome/ScreenSaver 
> interface=org.gnome.ScreenSaver) peer=(name=com.canonical.indicator.session) 
> receive,
> 
>   # Sends messages on the session bus
>   dbus bus=session peer=(name=org.gnome.SessionManager 
> path=/org/gnome/SessionManager/Presence 
> interface=org.freedesktop.DBus.Properties) send,
>   dbus bus=session peer=(path=/org/gtk/vfs/mounttracker 
> interface=org.gtk.vfs.MountTracker) send,
>   dbus bus=session peer=(name=org.gnome.Shell path=/org/gnome/Shell 
> interface=org.freedesktop.DBus.Properties) send,
> }
> 
This reads okay as well; it separates bus from the local address, and puts
the permission in a reliable position so that it can be found quickly.

> The original thread[1] included many different ideas as well as tweaks on 
> these
> three chosen proposals. If I missed something that you'd like to see included
> for consideration, please reply with the gnome-screensaver profile modified
> according to your proposal.
> 

Well, there is Proposal 3, except not requiring subj=() for the local address,
as rules are always being written from the subject's perspective:

/usr/bin/gnome-screensaver {
  # Ignore file and accessibility bus access for this exercise
  file,
  dbus bus=accessibility,

  # Talks to system and session buses
  dbus bus={system,session} peer=(name=org.freedesktop.DBus) (send receive),

  # Sends messages on the system bus
  dbus bus=system peer=(name=org.freedesktop.ConsoleKit path=/org/freedesktop/ConsoleKit/Manager interface=org.freedesktop.ConsoleKit.Manager) send,
  dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts) send,
  dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties) send,

  # Receives messages on the session bus
  dbus bus=session name=org.gnome.ScreenSaver acquire,
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties receive,
  # Be selective because the Lock method is mediated by these rules
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver peer=(label=/usr/bin/gnome-settings-daemon) receive,
  dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver peer=(name=com.canonical.indicator.session) receive,

  # Sends messages on the session bus
  dbus bus=session peer=(name=org.gnome.SessionManager path=/org/gnome/SessionManager/Presence interface=org.freedesktop.DBus.Properties) send,
  dbus bus=session peer=(path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker) send,
  dbus bus=session peer=(name=org.gnome.Shell path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties) send,
}


Of course, this reintroduces the problem of bus=session appearing to be part of
the local address, and an asymmetry in how local and peer addresses are
specified.


I think I am leaning towards proposal 3 but would like to hear other
people's opinions.



-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
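As an added illustration, not code from this thread or from AppArmor itself, the following Python script models the "proposal 3 without subj=()" rule form discussed above. It splits each rule into bus, local address, peer address and access, then checks constructed messages against a constructed profile fragment built from the gnome-screensaver rules in the thread. The matching semantics (fnmatch globbing, unmentioned attributes unconstrained, a bare `dbus bus=...,` rule granting every access, first-match-any evaluation) are assumptions made for illustration and are not AppArmor's actual parser or mediation behaviour; the caller labels and unique connection names in `demo()` are made up. The point it shows is why the peer constraint on the org.gnome.ScreenSaver receive rules matters: with the rule written the way the current syntax forces (no peer), any session bus connection may call Lock, whereas the peer-constrained rules limit it to gnome-settings-daemon and the session indicator.

```python
# Toy matcher for the "proposal 3 without subj=()" DBus rule form discussed in
# this thread. Constructed example, not the AppArmor parser: the matching
# semantics (fnmatch globbing, unmentioned attributes unconstrained, a bare
# "dbus bus=...," rule granting every access) are assumptions for illustration.
import fnmatch
import re
from dataclasses import dataclass, field

ADDR_KEYS = {"name", "path", "interface", "member", "label"}
ACCESS_WORDS = {"send", "receive", "acquire"}

@dataclass
class Rule:
    buses: set                                  # e.g. {"system", "session"}
    local: dict = field(default_factory=dict)   # subject-side address attrs
    peer: dict = field(default_factory=dict)    # attrs inside peer=(...)
    access: set = field(default_factory=set)    # subset of ACCESS_WORDS

def _parse_kv(text):
    # "name=a path=/b" -> {"name": "a", "path": "/b"}
    return dict(re.findall(r"(\w+)=(\S+)", text))

def parse_rule(line):
    """Parse 'dbus bus=session path=/a interface=b peer=(label=/c) receive,'."""
    body = line.strip().rstrip(",")
    if not body.startswith("dbus"):
        raise ValueError("not a dbus rule: %r" % line)
    body = body[len("dbus"):]
    peer = {}
    m = re.search(r"peer=\(([^)]*)\)", body)     # peer=(...) group
    if m:
        peer = _parse_kv(m.group(1))
        body = body[:m.start()] + body[m.end():]
    access = set()
    m = re.search(r"\(([^)]*)\)\s*$", body)       # trailing "(send receive)"
    if m:
        access = set(m.group(1).split())
        body = body[:m.start()]
    tokens = body.split()
    while tokens and tokens[-1] in ACCESS_WORDS:  # trailing bare access word
        access.add(tokens.pop())
    local = _parse_kv(" ".join(tokens))
    bus = local.pop("bus", "*")
    buses = set(bus[1:-1].split(",")) if bus.startswith("{") else {bus}
    if set(local) - ADDR_KEYS:
        raise ValueError("unknown attribute in %r" % line)
    return Rule(buses, local, peer, access or set(ACCESS_WORDS))

def _attrs_match(pattern, attrs):
    # Every attribute the rule names must glob-match the message's value.
    return all(fnmatch.fnmatchcase(attrs.get(k, ""), v) for k, v in pattern.items())

def allowed(rules, bus, access, local, peer):
    """True if any rule permits `access` on `bus` for this local/peer pair."""
    return any(("*" in r.buses or bus in r.buses) and access in r.access
               and _attrs_match(r.local, local) and _attrs_match(r.peer, peer)
               for r in rules)

# Constructed profile fragment: the session-bus receive rules from the thread
# plus one system-bus send rule whose peer path carries a glob.
PROFILE = """
dbus bus=session name=org.gnome.ScreenSaver acquire,
dbus bus=session path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties receive,
dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver peer=(label=/usr/bin/gnome-settings-daemon) receive,
dbus bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver peer=(name=com.canonical.indicator.session) receive,
dbus bus=system peer=(name=org.freedesktop.Accounts path=/org/freedesktop/Accounts/User* interface=org.freedesktop.DBus.Properties) send,
"""
RULES = [parse_rule(l) for l in PROFILE.strip().splitlines()]
# The Lock rule with no peer constraint, which is all the current syntax can say.
LOOSE = [parse_rule("dbus bus=session path=/org/gnome/ScreenSaver "
                    "interface=org.gnome.ScreenSaver receive,")]
LOCK = {"path": "/org/gnome/ScreenSaver", "interface": "org.gnome.ScreenSaver",
        "member": "Lock"}                 # gnome-screensaver's end of a Lock call

def demo():
    """Which constructed callers (unique names like :1.7 are made up) may Lock."""
    gsd = {"label": "/usr/bin/gnome-settings-daemon", "name": ":1.7"}
    indicator = {"label": "unconfined", "name": "com.canonical.indicator.session"}
    other = {"label": "/usr/bin/evince", "name": ":1.42"}
    user_props = {"name": "org.freedesktop.Accounts",
                  "path": "/org/freedesktop/Accounts/User1000",
                  "interface": "org.freedesktop.DBus.Properties"}
    return {"settings_daemon": allowed(RULES, "session", "receive", LOCK, gsd),
            "indicator": allowed(RULES, "session", "receive", LOCK, indicator),
            "other_strict": allowed(RULES, "session", "receive", LOCK, other),
            "other_loose": allowed(LOOSE, "session", "receive", LOCK, other),
            "user_props_send": allowed(RULES, "system", "send", {}, user_props)}

if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-16s %s" % (case, "allowed" if ok else "denied"))
```

Running the script prints one line per constructed caller; `other_loose` is the case the thread is worried about, where the unconstrained receive rule lets an unrelated session bus peer reach the Lock method, and `other_strict` shows the peer-constrained rules denying it.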
