profiles: Add strict system bus abstraction

Move the file rule from the existing permissive system bus abstraction into a new strict system bus abstraction. The strict abstraction only allows for calling the Hello, AddMatch, RemoveMatch, GetNameOwner, NameHasOwner, and StartServiceByName methods that are exported by the D-Bus daemon. The permissive abstraction reuses the strict abstraction and then allows all communications on the system bus. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com>
2025-08-31 06:16:03 +00:00 · 2014-01-10 15:34:45 -06:00
parent 9fcbd8af1c
commit 38aae1d1f0
2 changed files with 24 additions and 3 deletions
--- a/profiles/apparmor.d/abstractions/dbus
+++ b/profiles/apparmor.d/abstractions/dbus
@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2009-2010 Canonical Ltd.
+#    Copyright (C) 2009-2013 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -9,6 +9,8 @@
 #
 # ------------------------------------------------------------------

-  # System socket. Be careful when including this abstraction.
-  /{,var/}run/dbus/system_bus_socket rw,
+  # This abstraction grants full system bus access. Consider using the
+  # dbus-strict abstraction for fine-grained bus mediation.
+
+  #include <abstractions/dbus-strict>
  dbus bus=system,
--- a/profiles/apparmor.d/abstractions/dbus-strict
+++ b/profiles/apparmor.d/abstractions/dbus-strict
@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2009-2013 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  /{,var/}run/dbus/system_bus_socket rw,
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+       peer=(name=org.freedesktop.DBus),