6.7 KiB
title |
---|
Dbus |
All dbus rules are labelled under the name of the given profiles that provide dbus data. It is one of the value added by this project, as we have profiles for everything, we can restrict the bus further by limiting connection to a given peer label (the profile name). In the case of renaming a profile, all dbus rules related in this profile need to be updated accordingly.
Profiles
Regardless of the Dbus implementation used (dbus-daemon
or dbus-broker
), all dbus daemons are handled under the same set of profiles: dbus-system
, dbus-session
, and dbus-accessibility
. This structure largely improves the confinement of each profile.
To ensure the system and session bus are handled by a different profile, a systemd drop-in configuration file is used to set the specific dbus profile that a dbus service must use.
Abstractions
Base
Default system, session, and accessibility bus access are provided with the following abstractions:
abstractions/bus-system
abstractions/bus-session
abstractions/bus-accessibility
Interfaces
Access to common dbus interfaces is done using the abstractions under abstractions/bus/
. They are kept minimal on purpose. The goal is not to give full talk access an interface but to provide a read-only like view of it. It may be required to have a look at the dbus interface documentation to check what method can be safely allowed.
For more access, simply use the aa:dbus talk
directive.
There is a trade of between security and maintenance to make:
aa:dbus talk
will generate less issue as it gives full talk accessabstractions/bus/*
will provide more restriction, and possibly more issue.
Ideally, these rules should be automatically generated from either the dbus interface documentation or the program call.
Dbus Directive
We use a special directive to generate more advanced dbus access. The directive format is on purpose very similar to the AppArmor dbus rule.
Format
#aa:dbus <access> bus=<bus> name=<name> [label=AARE] [interface=AARE] [path=AARE]
<access>
-
Access type. Can be
own
ortalk
:own
means the profile owns the dbus interface. It is allowed to send and receive from anyone on this interface.talk
means the profile can talk on a given interface to the profile that owns it (a label must be given under thelabel
option).
<bus>
-
Dbus bus, can be
system
,session
oraccessibility
. <name>
-
Dbus interface name.
[label=AARE]
-
Name of the profile. Mandatory for
talk
access. [interface=AARE]
-
Can optionally be given when it is different to the dbus path.
[path=AARE]
-
Can optionally be given when it is different to the dbus name.
Note: <access>
, <bus>
, and <name>
are mandatory and will break the build if ignored.
Example
Allow owning a dbus interface:
!!! note ""
[apparmor.d/groups/network/NetworkManager](https://github.com/roddhjav/apparmor.d/blob/f81ceb91855f194dc53c10c17cbe1d7b50434a1e/apparmor.d/groups/network/NetworkManager#L45)
``` sh linenums="45"
#aa:dbus own bus=system name=org.freedesktop.NetworkManager
```
Allow talking to a dbus interface on a given profile:
!!! note ""
[apparmor.d/groups/gnome/gdm](https://github.com/roddhjav/apparmor.d/blob/f81ceb91855f194dc53c10c17cbe1d7b50434a1e/apparmor.d/groups/gnome/gdm#L44)
``` sh linenums="34"
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
```
Generate
#aa:dbus own bus=system name=org.freedesktop.NetworkManager
-
dbus bind bus=system name=org.freedesktop.NetworkManager{,.*}, dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} interface=org.freedesktop.NetworkManager{,.*} peer=(name=":1.@{int}"), dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} interface=org.freedesktop.DBus.Properties peer=(name=":1.@{int}"), dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} interface=org.freedesktop.DBus.ObjectManager peer=(name=":1.@{int}"), dbus send bus=system path=/org/freedesktop/NetworkManager{,/**} interface=org.freedesktop.NetworkManager{,.*} peer=(name="{:1.@{int},org.freedesktop.DBus}"), dbus send bus=system path=/org/freedesktop/NetworkManager{,/**} interface=org.freedesktop.DBus.Properties peer=(name="{:1.@{int},org.freedesktop.DBus}"), dbus send bus=system path=/org/freedesktop/NetworkManager{,/**} interface=org.freedesktop.DBus.ObjectManager peer=(name="{:1.@{int},org.freedesktop.DBus}"), dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=":1.@{int}"),
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
-
dbus send bus=system path=/org/freedesktop/login1{,/**} interface=org.freedesktop.login1{,.*} peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1{,/**} interface=org.freedesktop.DBus.Properties peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1{,/**} interface=org.freedesktop.DBus.ObjectManager peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login1{,/**} interface=org.freedesktop.login1{,.*} peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login1{,/**} interface=org.freedesktop.DBus.Properties peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login1{,/**} interface=org.freedesktop.DBus.ObjectManager peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*}