It may not be obvious that the peer label can be "unconfined". Provide an example rule, in the apparmor.d man page, demonstrating the peer=(label=unconfined) conditional.
Signed-off-by: Tyler Hicks <[email protected]> Reported-by: Alban Crequy <[email protected]> --- Someone that is quite familiar with AppArmor D-Bus mediation mentioned in IRC that he didn't realize that the peer label in dbus rules could be "unconfined". That is due to a failure in our documentation. This patch is a quick attempt at making it more clear. parser/apparmor.d.pod | 3 +++ 1 file changed, 3 insertions(+) diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod index ff7887d..dd1e6ff 100644 --- a/parser/apparmor.d.pod +++ b/parser/apparmor.d.pod @@ -741,6 +741,9 @@ Example AppArmor DBus rules: member=ExampleMethod peer=(name=(com.example.ExampleName1|com.example.ExampleName2)), + # Allow receive access for all unconfined peers + dbus receive peer=(label=unconfined)), + # Allow eavesdropping on the system bus dbus eavesdrop bus=system, -- 1.9.1 -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
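Review bot: The added rule in the apparmor.d.pod hunk has unbalanced parentheses: `dbus receive peer=(label=unconfined)),` opens one paren after `peer=` but closes two, so the example would not parse if copied into a profile. The preceding example in the same hunk context, `peer=(name=(com.example.ExampleName1|com.example.ExampleName2)),`, closes two because it opens two. Suggest `dbus receive peer=(label=unconfined),` so the documented example is valid syntax.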
