2024-03-21 23:09:16 +01:00
|
|
|
// apparmor.d - Full set of apparmor profiles
|
|
|
|
|
// Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
|
|
|
|
|
|
// Dbus directive
|
|
|
|
|
//
|
|
|
|
|
// Example of supported directive:
|
|
|
|
|
// #aa:dbus own bus=session name=org.freedesktop.FileManager1
|
|
|
|
|
// #aa:dbus talk name=org.freedesktop.login1 label=systemd-logind
|
|
|
|
|
//
|
|
|
|
|
// See https://apparmor.pujol.io/development/dbus/#dbus-directive
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
package directive
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
|
|
"github.com/roddhjav/apparmor.d/pkg/aa"
|
2024-03-25 23:40:25 +01:00
|
|
|
"github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
|
2024-03-21 23:09:16 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var defaultInterfaces = []string{
|
|
|
|
|
"org.freedesktop.DBus.Properties",
|
|
|
|
|
"org.freedesktop.DBus.ObjectManager",
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type Dbus struct {
|
2024-03-25 23:40:25 +01:00
|
|
|
cfg.Base
|
2024-03-21 23:09:16 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func init() {
|
2024-03-25 23:40:25 +01:00
|
|
|
RegisterDirective(&Dbus{
|
|
|
|
|
Base: cfg.Base{
|
|
|
|
|
Keyword: "dbus",
|
|
|
|
|
Msg: "Dbus directive applied",
|
|
|
|
|
Help: `#aa:dbus own bus=<bus> name=<name> [interface=AARE] [path=AARE]
|
|
|
|
|
#aa:dbus talk bus=<bus> name=<name> label=<profile> [interface=AARE] [path=AARE]`,
|
2024-03-21 23:09:16 +01:00
|
|
|
},
|
2024-03-25 23:40:25 +01:00
|
|
|
})
|
2024-03-21 23:09:16 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func setInterfaces(rules map[string]string) []string {
|
|
|
|
|
interfaces := []string{rules["name"]}
|
|
|
|
|
if _, present := rules["interface"]; present {
|
|
|
|
|
interfaces = append(interfaces, rules["interface"])
|
|
|
|
|
}
|
|
|
|
|
interfaces = append(interfaces, defaultInterfaces...)
|
|
|
|
|
return interfaces
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (d Dbus) Apply(opt *Option, profile string) string {
|
2024-04-16 22:51:56 +02:00
|
|
|
var p *aa.AppArmorProfileFile
|
2024-03-21 23:09:16 +01:00
|
|
|
|
2024-03-23 18:41:10 +01:00
|
|
|
action := d.sanityCheck(opt)
|
2024-03-21 23:09:16 +01:00
|
|
|
switch action {
|
|
|
|
|
case "own":
|
2024-03-23 18:41:10 +01:00
|
|
|
p = d.own(opt.ArgMap)
|
2024-03-21 23:09:16 +01:00
|
|
|
case "talk":
|
2024-03-23 18:41:10 +01:00
|
|
|
p = d.talk(opt.ArgMap)
|
2024-03-21 23:09:16 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
generatedDbus := p.String()
|
|
|
|
|
lenDbus := len(generatedDbus)
|
|
|
|
|
generatedDbus = generatedDbus[:lenDbus-1]
|
|
|
|
|
profile = strings.Replace(profile, opt.Raw, generatedDbus, -1)
|
|
|
|
|
return profile
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-23 18:41:10 +01:00
|
|
|
func (d Dbus) sanityCheck(opt *Option) string {
|
|
|
|
|
if len(opt.ArgList) < 1 {
|
|
|
|
|
panic(fmt.Sprintf("Unknown dbus action: %s in %s", opt.Name, opt.File))
|
|
|
|
|
}
|
|
|
|
|
action := opt.ArgList[0]
|
|
|
|
|
if action != "own" && action != "talk" {
|
|
|
|
|
panic(fmt.Sprintf("Unknown dbus action: %s in %s", opt.Name, opt.File))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if _, present := opt.ArgMap["name"]; !present {
|
2024-03-21 23:09:16 +01:00
|
|
|
panic(fmt.Sprintf("Missing name for 'dbus: %s' in %s", action, opt.File))
|
|
|
|
|
}
|
2024-03-23 18:41:10 +01:00
|
|
|
if _, present := opt.ArgMap["bus"]; !present {
|
|
|
|
|
panic(fmt.Sprintf("Missing bus for '%s' in %s", opt.ArgMap["name"], opt.File))
|
2024-03-21 23:09:16 +01:00
|
|
|
}
|
2024-03-23 18:41:10 +01:00
|
|
|
if _, present := opt.ArgMap["label"]; !present && action == "talk" {
|
|
|
|
|
panic(fmt.Sprintf("Missing label for '%s' in %s", opt.ArgMap["name"], opt.File))
|
2024-03-21 23:09:16 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set default values
|
2024-03-23 18:41:10 +01:00
|
|
|
if _, present := opt.ArgMap["path"]; !present {
|
|
|
|
|
opt.ArgMap["path"] = "/" + strings.Replace(opt.ArgMap["name"], ".", "/", -1) + "{,/**}"
|
2024-03-21 23:09:16 +01:00
|
|
|
}
|
2024-03-23 18:41:10 +01:00
|
|
|
opt.ArgMap["name"] += "{,.*}"
|
|
|
|
|
return action
|
2024-03-21 23:09:16 +01:00
|
|
|
}
|
|
|
|
|
|
2024-04-16 22:51:56 +02:00
|
|
|
func (d Dbus) own(rules map[string]string) *aa.AppArmorProfileFile {
|
2024-03-21 23:09:16 +01:00
|
|
|
interfaces := setInterfaces(rules)
|
2024-04-16 22:51:56 +02:00
|
|
|
profile := &aa.AppArmorProfileFile{}
|
2024-04-15 15:09:04 +02:00
|
|
|
p := profile.GetDefaultProfile()
|
2024-03-21 23:09:16 +01:00
|
|
|
p.Rules = append(p.Rules, &aa.Dbus{
|
|
|
|
|
Access: "bind", Bus: rules["bus"], Name: rules["name"],
|
|
|
|
|
})
|
|
|
|
|
for _, iface := range interfaces {
|
|
|
|
|
p.Rules = append(p.Rules, &aa.Dbus{
|
|
|
|
|
Access: "receive",
|
|
|
|
|
Bus: rules["bus"],
|
|
|
|
|
Path: rules["path"],
|
|
|
|
|
Interface: iface,
|
2024-04-15 00:58:34 +02:00
|
|
|
PeerName: `":1.@{int}"`,
|
2024-03-21 23:09:16 +01:00
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
for _, iface := range interfaces {
|
|
|
|
|
p.Rules = append(p.Rules, &aa.Dbus{
|
|
|
|
|
Access: "send",
|
|
|
|
|
Bus: rules["bus"],
|
|
|
|
|
Path: rules["path"],
|
|
|
|
|
Interface: iface,
|
2024-04-15 00:58:34 +02:00
|
|
|
PeerName: `"{:1.@{int},org.freedesktop.DBus}"`,
|
2024-03-21 23:09:16 +01:00
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
p.Rules = append(p.Rules, &aa.Dbus{
|
|
|
|
|
Access: "receive",
|
|
|
|
|
Bus: rules["bus"],
|
|
|
|
|
Path: rules["path"],
|
|
|
|
|
Interface: "org.freedesktop.DBus.Introspectable",
|
|
|
|
|
Member: "Introspect",
|
2024-04-15 00:58:34 +02:00
|
|
|
PeerName: `":1.@{int}"`,
|
2024-03-21 23:09:16 +01:00
|
|
|
})
|
2024-04-15 15:09:04 +02:00
|
|
|
return profile
|
2024-03-21 23:09:16 +01:00
|
|
|
}
|
|
|
|
|
|
2024-04-16 22:51:56 +02:00
|
|
|
func (d Dbus) talk(rules map[string]string) *aa.AppArmorProfileFile {
|
2024-03-21 23:09:16 +01:00
|
|
|
interfaces := setInterfaces(rules)
|
2024-04-16 22:51:56 +02:00
|
|
|
profile := &aa.AppArmorProfileFile{}
|
2024-04-15 15:09:04 +02:00
|
|
|
p := profile.GetDefaultProfile()
|
2024-03-21 23:09:16 +01:00
|
|
|
for _, iface := range interfaces {
|
|
|
|
|
p.Rules = append(p.Rules, &aa.Dbus{
|
|
|
|
|
Access: "send",
|
|
|
|
|
Bus: rules["bus"],
|
|
|
|
|
Path: rules["path"],
|
|
|
|
|
Interface: iface,
|
2024-04-15 00:58:34 +02:00
|
|
|
PeerName: `"{:1.@{int},` + rules["name"] + `}"`,
|
|
|
|
|
PeerLabel: rules["label"],
|
2024-03-21 23:09:16 +01:00
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
for _, iface := range interfaces {
|
|
|
|
|
p.Rules = append(p.Rules, &aa.Dbus{
|
|
|
|
|
Access: "receive",
|
|
|
|
|
Bus: rules["bus"],
|
|
|
|
|
Path: rules["path"],
|
|
|
|
|
Interface: iface,
|
2024-04-15 00:58:34 +02:00
|
|
|
PeerName: `"{:1.@{int},` + rules["name"] + `}"`,
|
|
|
|
|
PeerLabel: rules["label"],
|
2024-03-21 23:09:16 +01:00
|
|
|
})
|
|
|
|
|
}
|
2024-04-15 15:09:04 +02:00
|
|
|
return profile
|
2024-03-21 23:09:16 +01:00
|
|
|
}
|
