From e223e91cec8ef42e41a0659c1f255a9c7fda1260 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Mon, 21 Nov 2016 21:19:29 +0000 Subject: [PATCH 08/10] Spec: document AppArmor mediation of auto-starting Signed-off-by: Simon McVittie --- doc/dbus-specification.xml | 78 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) diff --git a/doc/dbus-specification.xml b/doc/dbus-specification.xml index fbb8f25..5a3580c 100644 --- a/doc/dbus-specification.xml +++ b/doc/dbus-specification.xml @@ -5185,6 +5185,84 @@ service is started by systemd during boot. + + + Mediating Activation with AppArmor + + + Please refer to + AppArmor documentation + for general information on AppArmor, and how it mediates D-Bus + messages when used in conjunction with a kernel and + dbus-daemon that support this. + + + + In recent versions of the reference dbus-daemon, + AppArmor policy rules of type dbus send + are also used to control auto-starting: if a message is sent to + the well-known name of an activatable service, the + dbus-daemon will attempt to determine whether + it would deliver the message to that service + beforeauto-starting it, by making some + assumptions about the resulting process's credentials. + + + + If it does proceed with auto-starting, when the service appears, the + dbus-daemon repeats the policy check (with + the service's true credentials, which might not be identical) + before delivering the message. In practice, this second check will + usually be more strict than the first; the first check would only + be more strict if there are "blacklist"-style rules like + deny dbus send peer=(label=/usr/bin/protected) + that match on the peer's specific credentials, but AppArmor is + normally used in a "whitelist" style where this does not apply. + + + + To support this process, service description files may contain a + AssumedAppArmorLabel key. Its value is the name + of an AppArmor label, for example + /usr/sbin/mydaemon. + If present, AppArmor mediation of messages that auto-start a + service will decide whether to allow auto-starting to occur based + on the assumption that the activated service will be confined + under the specified label; in particular, rules of the form + dbus send peer=(label=/usr/sbin/mydaemon) or + deny dbus send peer=(label=/usr/sbin/mydaemon) + will match it, allowing or denying as appropriate + (even if there is in fact no profile of that name loaded). + + + + Otherwise, AppArmor mediation of messages that auto-start a + service will decide whether to allow auto-starting to occur + without specifying any particular label. In particular, any rule of + the form + dbus send peer=(label=X) (for any value of X, + including the special label unconfined) + will not allow the auto-start, and any rule of the form + deny dbus send peer=(label=X) + will not deny it. + + + + Rules of type dbus receive are not checked + when deciding whether to allow auto-starting; they are only checked + against the service's profile after the service has started, when + deciding whether to deliver the message that caused the auto-starting + operation. + + + + Explicit activation via + is not currently + affected by this mediation: if a confined process is to be prevented + from starting arbitrary services, then it must not be allowed to call + that method. + + -- 2.10.2