Hi all,

I am working on rewriting dbus rules for the apparmor.d [0] project. And it led me to the general question of what is the best way to write dbus rules in apparmor.

The current implementation could be summed up as simply adding to a profile whatever dbus rule has been raised in the log. It is simple as it is mostly automatic (thanks to `aa-log -r`). However, it can generate a lot of rules [1] and it is not maintainable.

I had a look at how dbus is managed on flatpak [2] and snap [3], and I was wondering if a similar construction could be used in apparmor profiles. For instance, the profile polkitd [4] owns the interface org.freedesktop.PolicyKit1*, so the rules in the polkitd profile could be set up as:

```
dbus (bind) bus=system name=org.freedesktop.PolicyKit1,
dbus (send,receive) bus=system interface=org.freedesktop.PolicyKit1* peer=(name=:*),
```

while programs sending requests to polkitd could have rules such as:

```
dbus send bus=system interface=org.freedesktop.PolicyKit1* peer=(name=:*, label=polkitd),
```

I am not an expert in dbus at all, therefore I was wondering if such a setup could be useful. Do we need more/less restriction in the rule? Do any of you have other recommendations on how these dbus rules should be managed?

Regards,
Alex

[0]: https://github.com/roddhjav/apparmor.d
[1]: https://github.com/roddhjav/apparmor.d/blob/4df3f2e52f846d66dd9bf0e45dce4063e315005d/apparmor.d/groups/gnome/gnome-shell#L59-L462
[2]: https://docs.flatpak.org/en/latest/sandbox-permissions.html#gvfs-access
[3]: https://forum.snapcraft.io/t/the-dbus-interface/2038
[4]: https://github.com/roddhjav/apparmor.d/blob/4df3f2e52f846d66dd9bf0e45dce4063e315005d/apparmor.d/groups/freedesktop/polkitd
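
Added example, not part of the original message or of the apparmor.d project: a sketch of how per-message dbus events from the log could be collapsed into the interface-level rules proposed in the message, with anything that has no known owner left for manual review. The `OWNERS` table, the function names and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: interface prefix -> profile that owns it (hypothetical table).
OWNERS = {"org.freedesktop.PolicyKit1": "polkitd"}

# Constructed sample events in AppArmor's key="value" D-Bus audit layout.
SAMPLE_LOG = '''
apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" mask="send" name=":1.12" pid=2101 label="gnome-shell" peer_pid=903 peer_label="polkitd"
apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="EnumerateActions" mask="send" name=":1.12" pid=2101 label="gnome-shell" peer_pid=903 peer_label="polkitd"
apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" mask="receive" name=":1.12" pid=903 label="polkitd" peer_pid=2101 peer_label="gnome-shell"
apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="Inhibit" mask="send" name="org.freedesktop.login1" pid=2101 label="gnome-shell" peer_pid=800 peer_label="systemd-logind"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Return the key/value fields of one D-Bus audit line, or None."""
    ev = {k: q or u for k, q, u in FIELD.findall(line)}
    return ev if ev.get("operation", "").startswith("dbus_") else None

def consolidate(log, owners=OWNERS):
    """Collapse per-message events into interface-level rules per profile."""
    rules, unmatched = defaultdict(set), []
    for ev in filter(None, map(parse_event, log.splitlines())):
        iface, bus, label = ev.get("interface", ""), ev.get("bus"), ev.get("label")
        # Match on a dot boundary, which is stricter than the trailing * glob.
        prefix = next((p for p in owners
                       if iface == p or iface.startswith(p + ".")), None)
        if prefix is None:
            unmatched.append(ev)       # no known owner: review by hand
        elif label == owners[prefix]:  # the service that owns the name
            rules[label].add(f"dbus (bind) bus={bus} name={prefix},")
            rules[label].add(f"dbus (send,receive) bus={bus} "
                             f"interface={prefix}* peer=(name=:*),")
        elif ev.get("mask") == "send" and ev.get("peer_label") == owners[prefix]:
            rules[label].add(f"dbus send bus={bus} interface={prefix}* "
                             f"peer=(name=:*, label={owners[prefix]}),")
        else:
            unmatched.append(ev)       # unexpected direction or peer
    return {p: sorted(r) for p, r in rules.items()}, unmatched

if __name__ == "__main__":
    rules, unmatched = consolidate(SAMPLE_LOG)
    for profile, lines in rules.items():
        print(f"# {profile}", *lines, sep="\n  ")
    print(f"# {len(unmatched)} event(s) left for manual review")
```
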