apparmor.d/docs/development/dbus.md
---
title: Dbus
---
All dbus rules are labelled under the name of the profile that provides the dbus data. If such a profile changes (it is renamed or the architecture changes), the dbus rules need to be updated accordingly.

Default **system**, **session** and **accessibility** bus access is provided by the abstractions:

- `abstractions/bus-system`
- `abstractions/bus-session`
- `abstractions/bus-accessibility`

## Dbus Abstractions

Access to common dbus interfaces is granted using the abstractions under **[`abstractions/bus/`](https://github.com/roddhjav/apparmor.d/tree/main/apparmor.d/abstractions/bus)**. They are kept minimal on purpose. The goal is not to give full talk access to an interface but to provide a *read-only* like view of it. It may be necessary to consult the dbus interface documentation to check which methods can be safely allowed.

For more access, simply use the [`dbus: talk`](#dbus-directive) directive.

## Dbus Directive

We use a special [directive](directives.md) to generate more advanced dbus access. The directive format is intentionally very similar to the AppArmor dbus rule syntax.

**Format**

```sh
#aa:dbus <access> bus=<bus> name=<name> [label=AARE] [interface=AARE] [path=AARE]
```

**`<access>`**
: Access type. Can be `own` or `talk`:

    - `own` means the profile owns the dbus interface. It is allowed to send to and receive from anyone on this interface.
    - `talk` means the profile can talk on a given interface to the profile owning it (that profile must be given under the `label` option).

**`<bus>`**
: Dbus bus, can be `system`, `session` or `accessibility`.

**`<name>`**
: Dbus interface name.

**`[label=AARE]`**
: Name of the profile. Mandatory for `talk` access.

**`[interface=AARE]`**
: Can optionally be given when it is different from the dbus path.

**`[path=AARE]`**
: Can optionally be given when it is different from the dbus name.

Note: `<access>`, `<bus>` and `<name>` are mandatory and will break the build if omitted.

**Example**

Allow owning a dbus interface:

!!! note ""

    [apparmor.d/groups/network/NetworkManager](https://github.com/roddhjav/apparmor.d/blob/f81ceb91855f194dc53c10c17cbe1d7b50434a1e/apparmor.d/groups/network/NetworkManager#L45)
    ``` sh linenums="45"
    #aa:dbus own bus=system name=org.freedesktop.NetworkManager
    ```

Allow talking to a dbus interface owned by a given profile:

!!! note ""

    [apparmor.d/groups/gnome/gdm](https://github.com/roddhjav/apparmor.d/blob/f81ceb91855f194dc53c10c17cbe1d7b50434a1e/apparmor.d/groups/gnome/gdm#L44)
    ``` sh linenums="34"
    #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
    ```

**Generated rules**

`#aa:dbus own bus=system name=org.freedesktop.NetworkManager`
:
    ```sh
    dbus bind bus=system name=org.freedesktop.NetworkManager{,.*},
    dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
                 interface=org.freedesktop.NetworkManager{,.*}
                 peer=(name=":1.@{int}"),
    dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
                 interface=org.freedesktop.DBus.Properties
                 peer=(name=":1.@{int}"),
    dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
                 interface=org.freedesktop.DBus.ObjectManager
                 peer=(name=":1.@{int}"),
    dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}
              interface=org.freedesktop.NetworkManager{,.*}
              peer=(name="{:1.@{int},org.freedesktop.DBus}"),
    dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}
              interface=org.freedesktop.DBus.Properties
              peer=(name="{:1.@{int},org.freedesktop.DBus}"),
    dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}
              interface=org.freedesktop.DBus.ObjectManager
              peer=(name="{:1.@{int},org.freedesktop.DBus}"),
    dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
                 interface=org.freedesktop.DBus.Introspectable
                 member=Introspect
                 peer=(name=":1.@{int}"),
    ```

`#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind`
:
    ```sh
    dbus send bus=system path=/org/freedesktop/login1{,/**}
              interface=org.freedesktop.login1{,.*}
              peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind),
    dbus send bus=system path=/org/freedesktop/login1{,/**}
              interface=org.freedesktop.DBus.Properties
              peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind),
    dbus send bus=system path=/org/freedesktop/login1{,/**}
              interface=org.freedesktop.DBus.ObjectManager
              peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind),
    dbus receive bus=system path=/org/freedesktop/login1{,/**}
                 interface=org.freedesktop.login1{,.*}
                 peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind),
    dbus receive bus=system path=/org/freedesktop/login1{,/**}
                 interface=org.freedesktop.DBus.Properties
                 peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind),
    dbus receive bus=system path=/org/freedesktop/login1{,/**}
                 interface=org.freedesktop.DBus.ObjectManager
                 peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind),
    dbus send bus=system path=/org/freedesktop/Accounts{,/**}
              interface=org.freedesktop.Accounts{,.*}
    ```
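To make the expansion concrete, here is an added example (constructed for this page, not the apparmor.d build tool) that parses one `#aa:dbus` directive and emits the same `own` and `talk` rule sets shown above, rejecting directives that miss a mandatory option. It assumes the defaults that the generated rules imply: the path is the name with dots turned into slashes, the interface is the name itself, and `org.freedesktop.DBus.Properties` and `org.freedesktop.DBus.ObjectManager` are always added.

```python
import re
from typing import Dict, List

# Constructed helper (not the apparmor.d build tool): expands one #aa:dbus
# directive into the AppArmor dbus rules listed under "Generated rules".
DIRECTIVE = re.compile(r"^#aa:dbus\s+(own|talk)\s+(.*)$")
COMMON_IFACES = ("org.freedesktop.DBus.Properties", "org.freedesktop.DBus.ObjectManager")


def parse_directive(line: str) -> Dict[str, str]:
    """Split a #aa:dbus line into its access type and key=value options,
    enforcing the mandatory options (the real build would fail on them)."""
    match = DIRECTIVE.match(line.strip())
    if not match:
        raise ValueError(f"not a #aa:dbus directive: {line!r}")
    opts = {"access": match.group(1)}
    opts.update(re.findall(r"(\w+)=(\S+)", match.group(2)))
    for required in ("bus", "name"):
        if required not in opts:
            raise ValueError(f"#aa:dbus: mandatory option {required}= is missing")
    if opts["access"] == "talk" and "label" not in opts:
        raise ValueError("#aa:dbus talk: label= is mandatory")
    return opts


def generate_rules(line: str) -> List[str]:
    """Return the AppArmor dbus rules for one directive, one rule per string."""
    opts = parse_directive(line)
    bus, name = opts["bus"], opts["name"]
    # Assumed defaults: path derived from the name, interface equal to the name,
    # both widened with {,/**} / {,.*} exactly as in the generated rules above.
    path = opts.get("path", "/" + name.replace(".", "/")) + "{,/**}"
    ifaces = [opts.get("interface", name) + "{,.*}", *COMMON_IFACES]
    rules: List[str] = []
    if opts["access"] == "own":
        # Owner: bind the name, receive from any unique peer, reply to peers and the bus.
        rules.append(f"dbus bind bus={bus} name={name}{{,.*}},")
        for iface in ifaces:
            rules.append(f'dbus receive bus={bus} path={path} interface={iface} peer=(name=":1.@{{int}}"),')
        for iface in ifaces:
            rules.append(f'dbus send bus={bus} path={path} interface={iface} peer=(name="{{:1.@{{int}},org.freedesktop.DBus}}"),')
        rules.append(f'dbus receive bus={bus} path={path} interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=":1.@{{int}}"),')
    else:
        # Talker: exchange messages only with the owning profile, pinned by its label.
        peer = f'peer=(name="{{:1.@{{int}},{name}{{,.*}}}}", label={opts["label"]})'
        for direction in ("send", "receive"):
            for iface in ifaces:
                rules.append(f"dbus {direction} bus={bus} path={path} interface={iface} {peer},")
    return rules
```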