https://launchpad.net/bugs/1598759
Profiles that rely on the nameservice abstraction are experiencing denials on systems configured to use systemd-resolved via the libnss-resolve plugin. libnss-resolve talks to systemd-resolved over D-Bus and this patch attempts to only grant access to the safe members of the D-Bus API. Special considerations need to be made when applying this patch to most Linux distributions as many of them do not have the ability to perform fine-grained AppArmor mediation of D-Bus traffic. In those cases, any users of the nameservice abstraction (such as tcpdump or ntpd) will have full access to the D-Bus system bus once this change is applied to the nameservice abstraction. Signed-off-by: Tyler Hicks <[email protected]> --- profiles/apparmor.d/abstractions/nameservice | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice index 5dff44d..a28aeeb 100644 --- a/profiles/apparmor.d/abstractions/nameservice +++ b/profiles/apparmor.d/abstractions/nameservice @@ -84,6 +84,25 @@ # kerberos #include <abstractions/kerberosclient> + # resolve + # + # Allow access to the safe members of the systemd-resolved D-Bus API: + # + # https://www.freedesktop.org/wiki/Software/systemd/resolved/ + # + # This API may be used directly over the D-Bus system bus or it may be used + # indirectly via the nss-resolve plugin: + # + # https://www.freedesktop.org/software/systemd/man/nss-resolve.html + # + #include <abstractions/dbus-strict> + dbus send + bus=system + path="/org/freedesktop/resolve1" + interface="org.freedesktop.resolve1.Manager" + member="Resolve{Address,Hostname,Record,Service}" + peer=(name="org.freedesktop.resolve1"), + # TCP/UDP network access network inet stream, network inet6 stream, -- 2.7.4 -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
