AppArmor mediation in dbus-daemon

Marc Deslauriers marc.deslauriers at canonical.com
Mon Feb 17 23:32:35 CET 2014


Hi Marcel,

On 14-02-17 04:27 PM, Marcel Holtmann wrote:
>> I still think that it shouldn't be considered deep packet introspection
>> in kdbus and plan on submitting some small patches to you guys (kdbus
>> upstream) that move several fields to the kdbus message metadata.
> 
> I mentioned this in the other thread as well, but let me just repeat this here.
> 
> You can not just attach arbitrary meta data and hope that your security model is secure. That is a fundamental design flaw in your security model. If kdbus can not verify that the attached meta data is correct, then you are as vulnerable as before.
>
> An attacker can attach whatever meta data it wants and bluntly lie about what
> is actually in the message itself. Meaning it will be routed to the destination,
> but then the destination does execute something totally different than your
> AppArmor policy checked for.
>

The idea isn't to just attach the metadata, it's to _move_ it from the payload
to the metadata. You can't just repeat it, that would definitely be a bad design.

Marc.
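
Added example, not part of the original message and not kdbus or dbus-daemon code: a toy Python model of the two layouts discussed in this exchange, showing where the field the bus checks and the field the receiver dispatches on can diverge. All names, the policy and the sample messages are constructed assumptions.

```python
# Toy model only (constructed; not kdbus or dbus-daemon code). All names are hypothetical.
ALLOWED = {("org.example.Clock", "GetTime")}  # constructed policy: permitted (interface, member)

def target(fields):
    return (fields["interface"], fields["member"])

def mediate(metadata):
    """Bus-side policy check; it sees metadata only, never the payload."""
    return target(metadata) in ALLOWED

def deliver_duplicated(metadata, payload):
    """Layout A: routing fields repeated in metadata, payload keeps its own copy.
    Returns (checked, dispatched), or None if policy denies the message."""
    if not mediate(metadata):
        return None
    # The receiver parses the copy in the payload, which the bus never looked at.
    return target(metadata), target(payload["header"])

def deliver_duplicated_verified(metadata, payload):
    """Layout A is only sound if the bus also parses the payload and compares copies."""
    if target(metadata) != target(payload["header"]):
        return None
    return deliver_duplicated(metadata, payload)

def deliver_moved(metadata, args):
    """Layout B: routing fields exist only in metadata; the payload is arguments only.
    The receiver dispatches on the same fields the bus checked."""
    if not mediate(metadata):
        return None
    return target(metadata), target(metadata)

# Constructed sample routing fields.
HONEST = {"interface": "org.example.Clock", "member": "GetTime"}
OTHER = {"interface": "org.example.Clock", "member": "SetTime"}

def demo():
    return {
        "duplicated_honest": deliver_duplicated(HONEST, {"header": HONEST, "args": []}),
        "duplicated_mismatch": deliver_duplicated(HONEST, {"header": OTHER, "args": []}),
        "duplicated_verified": deliver_duplicated_verified(HONEST, {"header": OTHER, "args": []}),
        "moved_allowed": deliver_moved(HONEST, []),
        "moved_denied": deliver_moved(OTHER, []),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the duplicated layout the mismatch case passes mediation while the receiver dispatches a different member; in the moved layout there is no second copy to disagree with.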


