On Tue, Oct 11, 2016 at 10:10:01PM +0000, Tyler Hicks wrote:
> https://launchpad.net/bugs/1598759
> 
> Profiles that rely on the nameservice abstraction are experiencing
> denials on systems configured to use systemd-resolved via the
> libnss-resolve plugin.
> 
> libnss-resolve talks to systemd-resolved over D-Bus and this patch
> attempts to only grant access to the safe members of the D-Bus API.
> 
> Special considerations need to be made when applying this patch to most
> Linux distributions as many of them do not have the ability to perform
> fine-grained AppArmor mediation of D-Bus traffic. In those cases, any
> users of the nameservice abstraction (such as tcpdump or ntpd) will have
> full access to the D-Bus system bus once this change is applied to the
> nameservice abstraction.
> 
> Signed-off-by: Tyler Hicks <[email protected]>

Thanks for tracking down the full details for all the fields.

Acked-by: Seth Arnold <[email protected]>

Thanks

> ---
>  profiles/apparmor.d/abstractions/nameservice | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
> 
> diff --git a/profiles/apparmor.d/abstractions/nameservice 
> b/profiles/apparmor.d/abstractions/nameservice
> index 5dff44d..a28aeeb 100644
> --- a/profiles/apparmor.d/abstractions/nameservice
> +++ b/profiles/apparmor.d/abstractions/nameservice
> @@ -84,6 +84,25 @@
>    # kerberos
>    #include <abstractions/kerberosclient>
>  
> +  # resolve
> +  #
> +  # Allow access to the safe members of the systemd-resolved D-Bus API:
> +  #
> +  #   https://www.freedesktop.org/wiki/Software/systemd/resolved/
> +  #
> +  # This API may be used directly over the D-Bus system bus or it may be used
> +  # indirectly via the nss-resolve plugin:
> +  #
> +  #   https://www.freedesktop.org/software/systemd/man/nss-resolve.html
> +  #
> +  #include <abstractions/dbus-strict>
> +  dbus send
> +       bus=system
> +       path="/org/freedesktop/resolve1"
> +       interface="org.freedesktop.resolve1.Manager"
> +       member="Resolve{Address,Hostname,Record,Service}"
> +       peer=(name="org.freedesktop.resolve1"),
> +
>    # TCP/UDP network access
>    network inet  stream,
>    network inet6 stream,
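Review bot: the comment block ahead of the new `dbus send` rule explains what the rule allows but not the caveat from the commit message, that on kernels without fine-grained AppArmor D-Bus mediation the rule cannot be enforced and every profile pulling in the nameservice abstraction (tcpdump, ntpd and the like) ends up with the whole system bus. Packagers and profile authors read the abstraction, not the cover letter, so carry that warning into the profile itself, for example a line such as `# NOTE: on kernels without AppArmor D-Bus mediation this rule is not enforced` directly above `#include <abstractions/dbus-strict>`. While there, state what makes the four Resolve* members the "safe" subset (they only query the resolver), so that later additions to the `member=` list are measured against the same criterion rather than against taste.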

Attachment: signature.asc
Description: PGP signature

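The two checks a packager would run around this change, as an added example that is not part of Tyler's patch or of the AppArmor project: whether the running kernel mediates D-Bus at all (the condition the commit message's caveat hinges on), and which org.freedesktop.resolve1 members confined programs are still being denied on. It assumes that apparmor_parser's feature tree lives under /sys/kernel/security/apparmor/features and that kernels with D-Bus mediation expose features/dbus/mask there; the audit records it parses are constructed for the example, following the field layout dbus-daemon uses for USER_AVC records but with made-up pids, labels and timestamps.

```sh
#!/bin/sh
# Added example for this thread; not part of the patch or of the AppArmor project.
# Two checks worth running before and after the nameservice change lands:
#   1. Does this kernel mediate D-Bus at all?  If not, apparmor_parser has no kernel
#      feature to compile the new "dbus send" rule against, and the caveat in the commit
#      message applies: every profile using <abstractions/nameservice> reaches the whole
#      system bus.
#   2. Which resolve1 members do confined programs still get denied on, per the audit log?

# apparmor_parser decides whether the kernel mediates D-Bus from the feature tree under
# /sys/kernel/security/apparmor/features.  Assumption: on kernels carrying the D-Bus
# mediation patches (Ubuntu), features/dbus/mask exists and lists the mediated operations
# ("acquire send receive").  The directory is a parameter so the check can be exercised
# against a constructed tree instead of the live kernel.
dbus_mediation_supported() {
    features_dir="${1:-/sys/kernel/security/apparmor/features}"
    [ -r "$features_dir/dbus/mask" ] && grep -q send "$features_dir/dbus/mask"
}

# Read audit records on stdin and print, one per line and de-duplicated, the members of
# org.freedesktop.resolve1 that were DENIED as dbus_method_call on the system bus.
# Records for other buses or other names, and ALLOWED (complain-mode) records, are skipped.
denied_resolve1_members() {
    grep 'apparmor="DENIED"' \
    | grep 'operation="dbus_method_call"' \
    | grep 'bus="system"' \
    | grep 'name="org.freedesktop.resolve1"' \
    | sed -n 's/.*[[:space:]]member="\([^"]*\)".*/\1/p' \
    | sort -u
}

# Constructed sample records.  The field layout follows what dbus-daemon logs as USER_AVC
# when it refuses a confined client; every timestamp, pid and label below is made up.
sample_audit() {
    cat <<'EOF'
type=USER_AVC msg=audit(1476224501.000:101): pid=700 uid=106 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/resolve1" interface="org.freedesktop.resolve1.Manager" member="ResolveHostname" mask="send" name="org.freedesktop.resolve1" pid=1234 label="/usr/sbin/ntpd" peer_pid=600 peer_label="unconfined"'
type=USER_AVC msg=audit(1476224502.000:102): pid=700 uid=106 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/resolve1" interface="org.freedesktop.resolve1.Manager" member="ResolveAddress" mask="send" name="org.freedesktop.resolve1" pid=1235 label="/usr/sbin/tcpdump" peer_pid=600 peer_label="unconfined"'
type=USER_AVC msg=audit(1476224503.000:103): pid=700 uid=106 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/resolve1" interface="org.freedesktop.resolve1.Manager" member="ResolveRecord" mask="send" name="org.freedesktop.resolve1" pid=1236 label="/usr/bin/foo" peer_pid=600 peer_label="unconfined"'
type=USER_AVC msg=audit(1476224504.000:104): pid=701 uid=1000 msg='apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/Notifications" interface="org.freedesktop.Notifications" member="Notify" mask="send" name="org.freedesktop.Notifications" pid=1237 label="/usr/bin/bar" peer_pid=800 peer_label="unconfined"'
type=USER_AVC msg=audit(1476224505.000:105): pid=700 uid=106 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/resolve1" interface="org.freedesktop.resolve1.Manager" member="ResolveHostname" mask="send" name="org.freedesktop.resolve1" pid=1238 label="/usr/sbin/ntpd" peer_pid=600 peer_label="unconfined"'
EOF
}

# Live use: ausearch -m USER_AVC | sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    if dbus_mediation_supported; then
        echo "kernel mediates D-Bus: the resolve1 dbus send rule will be enforced"
    else
        echo "no D-Bus mediation: dbus rules are not enforced; nameservice users reach the whole system bus"
    fi
    echo "resolve1 members denied so far:"
    denied_resolve1_members
fi
```

On the constructed records the member extractor reports ResolveAddress and ResolveHostname once each: the ALLOWED record and the session-bus record are ignored, and the repeated ResolveHostname denial collapses under sort -u. The same filter run over a real audit trail is a quick way to confirm that the four members in the patch are the only ones libnss-resolve actually needs.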
-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor