Hello, Am Dienstag, 11. Oktober 2016, 23:03:29 CEST schrieb Steve Beattie: > On Tue, Oct 11, 2016 at 10:10:01PM +0000, Tyler Hicks wrote: > > https://launchpad.net/bugs/1598759 > > > > Profiles that rely on the nameservice abstraction are experiencing > > denials on systems configured to use systemd-resolved via the > > libnss-resolve plugin. > > > > libnss-resolve talks to systemd-resolved over D-Bus and this patch > > attempts to only grant access to the safe members of the D-Bus API. > > > > Special considerations need to be made when applying this patch to > > most Linux distributions as many of them do not have the ability to > > perform fine-grained AppArmor mediation of D-Bus traffic. In those > > cases, any users of the nameservice abstraction (such as tcpdump or > > ntpd) will have full access to the D-Bus system bus once this > > change is applied to the nameservice abstraction. > > I don't like this for precisely the reason above. Access to the D-Bus > system bus would be allowed (modulo DAC and D-Bus policy) even on > systems that do not use systemd-resolvd, and thus have no reason to > access to the system D-bus at all. > > I think this either needs to stay as an Ubuntu patch or should be > present but commented out until the necessary apparmor bits that > D-Bus needs have made it into the upstream kernel. That said, I > welcome input specifically from non-Ubuntu downstreams here on this,
I agree - allowing full dbus access via abstractions/nameservice (because the upstream kernel doesn't support dbus rules yet) sounds like a very bad idea. I'd prefer to keep this as an Ubuntu-only patch for now. (But please don't forget to upstream it one day.) You can also see it the other way round - this is a very good argument for upstreaming all the kernel patches ;-) BTW: I don't know if openSUSE uses systemd-resolved at all. All I can say is that my local unbound works fine - but that's not the default openSUSE setup ;-) Regards, Christian Boltz -- Erfinder und Entwickler sind von Natur aus faul, denn Erfindern und Entwickler, entwickeln Dinge, die das Leben einfacher machen sollen. Die Hauptinitiative hierfür ist meist Faulheit. [http://miraspostgresqlwelt.blogspot.com/2011/09/technische-unterschiede-postgresql_02.html]
Description: This is a digitally signed message part.
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor