AppArmor mediation in dbus-daemon
Marcel Holtmann
marcel at holtmann.org
Mon Feb 17 22:27:36 CET 2014
Hi Tyler,
>>> I've created a bug, with patches, to add AppArmor mediation to
>>> dbus-daemon:
>>>
>>> https://bugs.freedesktop.org/show_bug.cgi?id=75113
>>>
>>> The bug's description has the details, along with pointers to AppArmor
>>> docs describing the policy language.
>>
>> This goes ahead with that deep packet introspection logic I presume?
>
> It isn't deep packet introspection in dbus-daemon. The bus, path,
> interface, and member strings have been passed to the SELinux hooks for
> many years. SELinux didn't use them but AppArmor is using them.
>
>>
>> Note that something like this will never end up in kdbus, as discussed
>> previously. That of course doesn't mean this couldn't be added to
>> dbus-daemon right now, but I hope you understand that if you intend to
>> use kdbus one day, then adding support like this to good old dbus1
>> daemon is a dead-end already.
>
> I still think that it shouldn't be considered deep packet introspection
> in kdbus and plan on submitting some small patches to you guys (kdbus
> upstream) that move several fields to the kdbus message metadata.

I mentioned this in the other thread as well, but let me just repeat this here.

You cannot just attach arbitrary metadata and hope that your security model is secure. That is a fundamental design flaw in your security model. If kdbus cannot verify that the attached metadata is correct, then you are as vulnerable as before.

An attacker can attach whatever metadata it wants and bluntly lie about what is actually in the message itself. Meaning it will be routed to the destination, but then the destination executes something totally different than what your AppArmor policy checked for.

This concept really needs to sink in. kdbus is not responsible for blocking messages. They will be routed to whoever the sender wants them to. The receiver is responsible for verifying the messages. That is the only way. Everything else is putting a sheet of paper over a hole and hoping nobody falls into it.

If you want AppArmor support and kdbus with packet introspection, then you have to do that in your AppArmor support inside the kernel. That is the only place. It does not belong in kdbus.

Regards
Marcel
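
The mismatch described in the message above, as an added example that is not part of the original e-mail and is not kdbus or dbus-daemon code: a policy check that trusts sender-supplied metadata is compared with one that reads the fields out of the bytes the receiver will actually parse. The message layout, the `POLICY` allow-list and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Toy model (constructed): a message carries metadata claimed by the sender
# plus a body laid out as b"interface\0member\0args". Not a real wire format.
@dataclass(frozen=True)
class Message:
    claimed: dict  # sender-supplied, unverified
    body: bytes    # what the receiver parses and acts on

# Hypothetical allow-list of (interface, member) pairs.
POLICY = {("org.example.Printer", "Status")}

def parse_body(body: bytes):
    """Receiver-side parse of the toy body: (interface, member, args)."""
    parts = body.split(b"\0", 2)
    if len(parts) != 3:
        raise ValueError("malformed body")
    return parts[0].decode(), parts[1].decode(), parts[2]

def mediate_on_claimed(msg: Message) -> bool:
    """Weak form: the decision rests on metadata nobody verified."""
    key = (msg.claimed.get("interface"), msg.claimed.get("member"))
    return key in POLICY

def mediate_on_body(msg: Message) -> bool:
    """Decision rests on the same bytes the receiver will dispatch on."""
    try:
        iface, member, _ = parse_body(msg.body)
    except (ValueError, UnicodeDecodeError):
        return False  # unparseable content is never allowed
    return (iface, member) in POLICY

def receiver_dispatch(msg: Message) -> str:
    """The receiver ignores claimed metadata and acts on the body only."""
    iface, member, _ = parse_body(msg.body)
    return f"{iface}.{member}"

# Constructed sample messages: identical claimed metadata, different bodies.
META = {"interface": "org.example.Printer", "member": "Status"}
honest = Message(META, b"org.example.Printer\0Status\0")
mismatched = Message(META, b"org.example.Printer\0Reset\0")

if __name__ == "__main__":
    for name, m in (("honest", honest), ("mismatched", mismatched)):
        print(name, mediate_on_claimed(m), mediate_on_body(m), receiver_dispatch(m))
```
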