mistakenly did not incorporate feedback from Seth Arnold. Specifically, don't
specify label=unconfined on the abstract sockets.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
- the base abstraction for common abstract and anonymous rules (comments
included per rule)
- dbus-session-strict to add a rule for connecting to the dbus session
abstract
socket. I used 'peer=(label=unconfined)' here, but I could probably lose the
explicit label if people preferred that
- X to add a rule for connecting to the X abstract socket. Same as for
dbus-session-strict
- nameservice to add a rule for connecting to a netlink raw. This change could
possibly be excluded, but applications using networking (at least on Ubuntu)
all seem to need it. Excluding it would mean systems using nscd would need to
add this and ones not using it would have a noisy denial
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Move some of the file rules from the existing permissive session bus
abstraction into a new strict session bus abstraction. Leave the
dbus-launch rule in the permissive profile since not all applications
will need it.
The strict abstraction only allows for calling the Hello, AddMatch,
RemoveMatch, GetNameOwner, NameHasOwner, and StartServiceByName methods
that are exported by the D-Bus daemon.
The permissive abstraction reuses the strict abstraction and then allows
all communications on the session bus.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
