The message type certainly could be added. However, it is not the only way
this separation can be achieved.

The label in particular should be able to be used without tying it to a
specific service. Admittedly this is somewhat limited atm.

1. The label name on a service does not have to match its executable
name, so an executable could be labeled with a more generic profile. This
however will not work in cases where an executable may be servicing
multiple service end points that want different labels, and would
require #2.

2. While conceptually apparmor supports having non-application (domain)
labels on objects, the support for enabling a service to provide a
different label while creating sockets has not landed yet, so until it
does, apparmor policy currently is tying the service confinement and
policy tighter than it should.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1692582

Title:
  RFE: dbus AppArmor mediation matching by message type
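
Point 1 of the comment above, written out as AppArmor policy. This is an added illustration, not part of the original comment or of any shipped profile; every profile name, executable path and bus name in it is hypothetical.

```apparmor
# Added illustration. example-dbus-service, example-client,
# /usr/bin/example-serviced, /usr/bin/example-client and com.example.*
# are hypothetical names.

# The profile name is the label. It is deliberately generic and does not
# match the name of the executable it is attached to.
profile example-dbus-service /usr/bin/example-serviced {
  #include <abstractions/base>
  #include <abstractions/dbus-strict>

  # One executable owning two well-known names. Both end points run
  # under the single label "example-dbus-service", which is the case
  # point 1 cannot separate and point 2 would address.
  dbus (bind) bus=system name=com.example.Alpha,
  dbus (bind) bus=system name=com.example.Beta,

  dbus (receive) bus=system
       path=/com/example/Alpha
       interface=com.example.Alpha
       peer=(label=example-client),
}

profile example-client /usr/bin/example-client {
  #include <abstractions/base>
  #include <abstractions/dbus-strict>

  # The peer is matched by its label, not by its executable path, so
  # this rule keeps working if the service binary is renamed or if
  # another executable is attached to the same generic profile.
  dbus (send) bus=system
       path=/com/example/Alpha
       interface=com.example.Alpha
       peer=(label=example-dbus-service),
}
```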
