AppArmor mediation in dbus-daemon

Tyler Hicks tyhicks at canonical.com
Mon Feb 17 21:13:40 CET 2014


Hi Lennart!

On 2014-02-17 20:51:32, Lennart Poettering wrote:
> On Mon, 17.02.14 13:34, Tyler Hicks (tyhicks at canonical.com) wrote:
> 
> > I've created a bug, with patches, to add AppArmor mediation to
> > dbus-daemon:
> > 
> >   https://bugs.freedesktop.org/show_bug.cgi?id=75113
> > 
> > The bug's description has the details, along with pointers to AppArmor
> > docs describing the policy language.
> 
> This goes ahead with that deep packet introspection logic I presume? 

It isn't deep packet introspection in dbus-daemon. The bus, path,
interface, and member strings have been passed to the SELinux hooks for
many years. SELinux didn't use them but AppArmor is using them.

> 
> Note that something like this will never end up in kdbus, as discussed
> previously. That of course doesn't mean this couldn't be added to
> dbus-daemon right now, but I hope you understand that if you intend to
> use kdbus one day, then adding support like this to good old dbus1
> daemon is a dead-end already.

I still think that it shouldn't be considered deep packet introspection
in kdbus and plan on submitting some small patches to you guys (kdbus
upstream) that move several fields to the kdbus message metadata.

My intent isn't to be stubborn about the issue but I'd like to be sure
that we're all on the same page about what I'm proposing. Patches are
the only way to do that.

Tyler