dbus-session-strict: allow access to the user bus socket

From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Wed, 4 May 2016 13:48:36 +0100
Subject: dbus-session-strict: allow access to the user bus socket

If dbus is configured with --enable-user-bus (for example in the
dbus-user-session package in Debian and its derivatives), and the user
session is started with systemd, then the "dbus-daemon --session" will be
started by "systemd --user" and listen on $XDG_RUNTIME_DIR/bus. Similarly,
on systems where dbus-daemon has been replaced with kdbus, the
bridge/proxy used to provide compatibility with the traditional D-Bus
protocol listens on that same socket.

In practice, $XDG_RUNTIME_DIR is /run/user/$uid on all systemd systems,
where $uid represents the numeric uid. I have not used /{var/,}run here,
because systemd does not support configurations where /var/run and /run
are distinct; in practice, /var/run is a symbolic link.

Based on a patch by Sjoerd Simons, which originally used the historical
path /run/user/*/dbus/user_bus_socket. That path was popularized by the
user-session-units git repository, but has never been used in a released
version of dbus and should be considered unsupported.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>

profiles/apparmor.d/abstractions/dbus-session-strict

@@ -17,6 +17,9 @@
        type=stream
        peer=(addr="@/tmp/dbus-*"),
 
+  # dbus with systemd and --enable-user-session
+  owner /run/user/[0-9]*/bus rw,
+
   dbus send
        bus=session
        path=/org/freedesktop/DBus