AppArmor mediation in dbus-daemon

Lennart Poettering mzqohf at 0pointer.de
Tue Feb 18 01:25:48 CET 2014


On Mon, 17.02.14 14:13, Tyler Hicks (tyhicks at canonical.com) wrote:

> Hi Lennart!
> 
> On 2014-02-17 20:51:32, Lennart Poettering wrote:
> > On Mon, 17.02.14 13:34, Tyler Hicks (tyhicks at canonical.com) wrote:
> > 
> > > I've created a bug, with patches, to add AppArmor mediation to
> > > dbus-daemon:
> > > 
> > >   https://bugs.freedesktop.org/show_bug.cgi?id=75113
> > > 
> > > The bug's description has the details, along with pointers to AppArmor
> > > docs describing the policy language.
> > 
> > This goes ahead with that deep packet introspection logic I presume? 
> 
> It isn't deep packet introspection in dbus-daemon. The bus, path,
> interface, and member strings have been passed to the SELinux hooks for
> many years. SELinux didn't use them but AppArmor is using them.

Yepp, that's what I meant.

> > Note that something like this will never end up in kdbus, as discussed
> > previously. That of course doesn't mean this couldn't be added to
> > dbus-daemon right now, but I hope you understand that if you intend to
> > use kdbus one day, then adding support like this to good old dbus1
> > daemon is a dead-end already.
> 
> I still think that it shouldn't be considered deep packet introspection
> in kdbus and plan on submitting some small patches to you guys (kdbus
> upstream) that move several fields to the kdbus message metadata.

I can see that. But we still disagree on this.

The thing is that you need to convince us that this has a place in
kdbus, and we are pretty strongly of the opinion that it has not. We
don't need to convince you however that it is a bad idea, because kdbus
is ultimately maintained by us and not you. And all of the kdbus
maintainers are pretty much in agreement that we don't want to see
anything like this in the kernel.

> My intent isn't to be stubborn about the issue but I'd like to be sure
> that we're all on the same page about what I'm proposing. Patches are
> the only way to do that.

Nope. Just proposing the same thing over and over again doesn't
magically bring us onto the same page, you know.

Really, it feels like we are running into the same sad flamefest we
already had in January and literally nothing changed...

Lennart

-- 
Lennart Poettering, Red Hat
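For readers unfamiliar with what "mediation on bus, path, interface and member" looks like in practice, here is an added illustration of the AppArmor D-Bus rule shape that such mediation in dbus-daemon would enforce. It is not taken from the bug report, the patches or either participant's mail; the profile name, binary path and bus name com.example.App are assumptions, and only the org.freedesktop.DBus names are real.

```apparmor
# Added example, not part of the thread or the proposed patches.
# Profile name, binary path and com.example.App are assumed.
profile example-app /usr/bin/example-app {
  # Own a well-known name on the session bus.
  dbus bind bus=session name=com.example.App,

  # Send exactly one method call. bus, path, interface and member are
  # the four strings dbus-daemon already hands to its LSM hook; peer
  # narrows the rule to the bus driver itself.
  dbus send bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=Hello
       peer=(name=org.freedesktop.DBus),

  # Receive messages on the session bus from any peer; every other
  # D-Bus operation is denied because no rule matches it.
  dbus receive bus=session,
}
```

Each conditional (bus, path, interface, member, peer) is optional; a rule that omits one matches any value for it, so the policy can be as coarse or as fine as the profile author wants. That granularity is exactly the information Tyler proposes moving into kdbus message metadata and Lennart declines to take into the kernel.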

