On 10/12/2016 02:26 PM, Christian Boltz wrote:
> Hello,
> 
> Am Dienstag, 11. Oktober 2016, 23:03:29 CEST schrieb Steve Beattie:
>> On Tue, Oct 11, 2016 at 10:10:01PM +0000, Tyler Hicks wrote:
>>> https://launchpad.net/bugs/1598759
>>>
>>> Profiles that rely on the nameservice abstraction are experiencing
>>> denials on systems configured to use systemd-resolved via the
>>> libnss-resolve plugin.
>>>
>>> libnss-resolve talks to systemd-resolved over D-Bus and this patch
>>> attempts to only grant access to the safe members of the D-Bus API.
>>>
>>> Special considerations need to be made when applying this patch to
>>> most Linux distributions as many of them do not have the ability to
>>> perform fine-grained AppArmor mediation of D-Bus traffic. In those
>>> cases, any users of the nameservice abstraction (such as tcpdump or
>>> ntpd) will have full access to the D-Bus system bus once this
>>> change is applied to the nameservice abstraction.
>>
>> I don't like this for precisely the reason above. Access to the D-Bus
>> system bus would be allowed (modulo DAC and D-Bus policy) even on
>> systems that do not use systemd-resolved, and thus have no reason to
>> access the system D-Bus at all.
>>
>> I think this either needs to stay as an Ubuntu patch or should be
>> present but commented out[0] until the necessary apparmor bits that
>> D-Bus needs have made it into the upstream kernel. That said, I
>> welcome input specifically from non-Ubuntu downstreams here on this,
> 
> I agree - allowing full dbus access via abstractions/nameservice 
> (because the upstream kernel doesn't support dbus rules yet) sounds like 
> a very bad idea. I'd prefer to keep this as an Ubuntu-only patch for 
> now. (But please don't forget to upstream it one day.)
> 
> You can also see it the other way round - this is a very good argument 
> for upstreaming all the kernel patches ;-)
> 
> BTW: I don't know if openSUSE uses systemd-resolved at all. All I can 
> say is that my local unbound works fine - but that's not the default 
> openSUSE setup ;-)
> 
> 
At the moment I think I am in favor of wrapping it in the conditional and
defaulting that conditional to false.

The Ubuntu patch would then change the conditional to true. This way
the information is being carried upstream, and only the distro-specific
tweak is out of tree.
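As an added illustration of the conditional approach described in the reply above (this is not the patch from the bug report, nor upstream or Ubuntu code), the two pieces could look like the following. It assumes apparmor_parser's boolean-variable and `if` block syntax, a tunable name `$systemd_resolved` chosen here for illustration, and the public systemd-resolved D-Bus names (`org.freedesktop.resolve1`); which members the real patch treats as "safe" is not stated on this page, so the member list below is an assumption.

```apparmor
# Added example, not the patch under discussion. Assumes apparmor_parser's
# boolean variables and "if" blocks; $systemd_resolved is a hypothetical name.

# --- tunables (e.g. tunables/global): upstream default, conditional off ---
$systemd_resolved = false

# The distro-specific out-of-tree tweak would change only this assignment:
# $systemd_resolved = true

# --- abstractions/nameservice: rules only compiled in when the tunable is
# true, so on a kernel without D-Bus mediation nothing granting bus access
# reaches profiles such as tcpdump or ntpd unless the distro opts in ---
  if $systemd_resolved {
    # libnss-resolve talks to systemd-resolved over the system bus. The
    # interface and member names are the public org.freedesktop.resolve1
    # API; treating them as the "safe members" is an assumption here.
    #include <abstractions/dbus-strict>
    dbus send
         bus=system
         path="/org/freedesktop/resolve1"
         interface="org.freedesktop.resolve1.Manager"
         member="Resolve{Address,Hostname,Record,Service}"
         peer=(name="org.freedesktop.resolve1"),
  }
```

The practical check before flipping the tunable to true: on a kernel that mediates D-Bus (Ubuntu's, at the time of this thread), `/sys/kernel/security/apparmor/features/dbus/` exists. Where that directory is absent, `dbus` rules load but are not enforced, which is exactly the full-system-bus exposure Tyler describes for other distributions.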



-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor