On Tue, Oct 11, 2016 at 10:10:01PM +0000, Tyler Hicks wrote:
> https://launchpad.net/bugs/1598759
>
> Profiles that rely on the nameservice abstraction are experiencing
> denials on systems configured to use systemd-resolved via the
> libnss-resolve plugin.
>
> libnss-resolve talks to systemd-resolved over D-Bus and this patch
> attempts to only grant access to the safe members of the D-Bus API.
>
> Special considerations need to be made when applying this patch to most
> Linux distributions as many of them do not have the ability to perform
> fine-grained AppArmor mediation of D-Bus traffic. In those cases, any
> users of the nameservice abstraction (such as tcpdump or ntpd) will have
> full access to the D-Bus system bus once this change is applied to the
> nameservice abstraction.

I don't like this for precisely the reason above. Access to the D-Bus
system bus would be allowed (modulo DAC and D-Bus policy) even on
systems that do not use systemd-resolved, and thus have no reason to
access the system D-Bus at all.
I think this either needs to stay as an Ubuntu patch or should be
present but commented out[0] until the necessary apparmor bits that D-Bus
needs have made it into the upstream kernel. That said, I welcome input
specifically from non-Ubuntu downstreams here on this.
Thanks.
[0] or the support for conditional variables present in the apparmor
policy language dusted off and made use of.
--
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/
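As an added example (not part of this thread or of the patch under discussion), a small POSIX shell check that tells an administrator which of the situations described above applies to a host: whether the kernel advertises AppArmor D-Bus mediation (assumed here to be signalled by the dbus/mask entry under the apparmor features directory) and whether nsswitch.conf actually routes host lookups through libnss-resolve. The function names and the file paths taken as parameters are my own, so the checks can be run against constructed files.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies a host with respect to the
# nameservice abstraction's D-Bus rules for libnss-resolve:
#   mediated-needed     kernel mediates D-Bus and libnss-resolve is in use
#   mediated-unneeded   kernel mediates D-Bus, libnss-resolve not in use
#   unmediated-full-bus no D-Bus mediation, libnss-resolve in use: the rule
#                       degrades to full system-bus access (the concern above)
#   unmediated-unneeded no D-Bus mediation and no libnss-resolve: the rule
#                       grants bus access the host has no reason to need

# Assumption: a kernel with AppArmor D-Bus mediation exposes
# <features>/dbus/mask (default features dir is the securityfs one).
apparmor_dbus_mediated() {
    features_dir="${1:-/sys/kernel/security/apparmor/features}"
    [ -f "$features_dir/dbus/mask" ]
}

# libnss-resolve is in use when 'resolve' appears as a service on the
# hosts: line of nsswitch.conf (e.g. "hosts: files resolve [!UNAVAIL=return] dns").
nss_uses_resolve() {
    nsswitch="${1:-/etc/nsswitch.conf}"
    grep -Eq '^[[:space:]]*hosts:.*[[:space:]]resolve([[:space:]]|$)' "$nsswitch"
}

# Prints one of the four classifications listed at the top.
assess_nameservice_dbus() {
    features_dir="$1"
    nsswitch="$2"
    if apparmor_dbus_mediated "$features_dir"; then
        if nss_uses_resolve "$nsswitch"; then
            echo "mediated-needed"
        else
            echo "mediated-unneeded"
        fi
    else
        if nss_uses_resolve "$nsswitch"; then
            echo "unmediated-full-bus"
        else
            echo "unmediated-unneeded"
        fi
    fi
}
```

Run without arguments the functions fall back to the live system paths, so `assess_nameservice_dbus "" ""` reports the state of the current host.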
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
