On Wed, 28 Mar 2018 at 18:17:00 +0000, daniel curtis wrote:
> dbus (send)
> bus=session
> path=/org/freedesktop/DBus
> interface=org.freedesktop.DBus
> member=RequestName

There's nothing in this rule that requires the message to be sent to the dbus-daemon. It would allow Firefox to send a message to any destination on the bus, as long as the path, interface and member match; but the security boundary is between connections to the bus (and the dbus-daemon itself), not between paths, interfaces and members, so that doesn't seem ideal.

I mentioned name=org.freedesktop.DBus as a solution to that in a previous email, but it looks like that was incorrect: I should have said peer=(name=org.freedesktop.DBus).

Here is a real, working AppArmor profile for a simple D-Bus service (in this case its name is org.apertis.Didcot, where Firefox's name can be anything that matches org.mozilla.firefox.*):
https://git.apertis.org/cgit/didcot.git/tree/debian/usr.bin.didcot

Line-wrapping the rule that allows RequestName for better clarity, it's:

    dbus (send)
         bus=session
         path=/org/freedesktop/DBus
         interface=org.freedesktop.DBus
         member="RequestName"
         peer=(name=org.freedesktop.DBus),

(I don't think the quotes around RequestName are required, but I happen to have used quotes when I wrote the initial version of that profile in 2016, and nobody has removed them yet.)

> If it's about the second rule: I'd asked what should I use for "path="
> (please see my previous message and "DENIED" entry). It was:
> "firefox.*" and "firefox/*". And I'd asked, which variant is correct?
> I should put it this way:
>
> path=/org/mozilla/firefox.*
> path=/org/mozilla/firefox/*

Neither of those is correct for a bind rule. Bind rules do not have a path.

> According to you and your answer, I should use:
>
> dbus (bind) bus=session name=org.mozilla.firefox.*,

Yes.

    smcv

-- 
AppArmor mailing list
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
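As an added example that is not part of this thread or of the didcot profile: a small Python lint that parses AppArmor dbus rules and flags the two mistakes discussed above, a send rule aimed at the bus driver's interface with no peer=(name=org.freedesktop.DBus) constraint, and a bind rule carrying a path=. The sample rules and the regex-based parser are constructed here and cover only the key=value, key="value" and key=(...) forms used in the thread.

```python
import re

# Constructed sample: each mistake from the thread followed by its corrected form.
SAMPLE_PROFILE = """
dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=RequestName,
dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member="RequestName" peer=(name=org.freedesktop.DBus),
dbus (bind) bus=session path=/org/mozilla/firefox/* name=org.mozilla.firefox.*,
dbus (bind) bus=session name=org.mozilla.firefox.*,
"""

# dbus (<access>) <conditions>,
RULE_RE = re.compile(r'^\s*dbus\s*\(([^)]*)\)\s*(.*?),\s*$')
# key=value, key="value" or a bracketed group such as peer=(name=... label=...)
COND_RE = re.compile(r'(\w+)=(\([^)]*\)|"[^"]*"|\S+)')

def parse_rule(line):
    """Return (access, conditions) for one dbus rule line, or None if it is not one."""
    m = RULE_RE.match(line)
    if not m:
        return None
    conds = {}
    for key, val in COND_RE.findall(m.group(2)):
        if val.startswith('('):
            conds[key] = dict(COND_RE.findall(val[1:-1]))  # nested group -> dict
        else:
            conds[key] = val.strip('"')
    return m.group(1).strip(), conds

def lint_rule(line):
    """Return the findings for one rule (empty list when nothing is flagged)."""
    parsed = parse_rule(line)
    if parsed is None:
        return []
    access, conds = parsed
    findings = []
    if access == 'send' and conds.get('interface') == 'org.freedesktop.DBus':
        peer = conds.get('peer')
        peer = peer if isinstance(peer, dict) else {}
        # path/interface/member only describe the message; peer= names the recipient
        if peer.get('name') != 'org.freedesktop.DBus':
            findings.append('send to bus driver interface without peer=(name=org.freedesktop.DBus)')
    if access == 'bind' and 'path' in conds:
        findings.append('bind rules do not have a path; drop path=')
    return findings

def lint_profile(text):
    """Findings per rule line, in profile order (non-rule lines are skipped)."""
    return [lint_rule(l) for l in text.splitlines() if parse_rule(l) is not None]
```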
