From 938eb27f2a7758f831ae922bd37b9bbca7648210 Mon Sep 17 00:00:00 2001 From: Tyler Hicks Date: Mon, 10 Feb 2014 18:24:59 -0600 Subject: [PATCH 01/10] Document AppArmor enforcement in the dbus-daemon man page Signed-off-by: Tyler Hicks --- doc/dbus-daemon.1.xml.in | 52 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/doc/dbus-daemon.1.xml.in b/doc/dbus-daemon.1.xml.in index 7b7f4a1..0608822 100644 --- a/doc/dbus-daemon.1.xml.in +++ b/doc/dbus-daemon.1.xml.in @@ -803,6 +803,27 @@ Right now the default will be the security context of the bus itself. If two <associate> elements specify the same name, the element appearing later in the configuration file will be used. + + + <apparmor> + + + + +The <apparmor> element is used to configure AppArmor mediation on +the bus. It can contain one attribute that specifies the mediation mode: + + + <apparmor mode="(enabled|disabled|required)"/> + + +The default mode is "enabled". In "enabled" mode, AppArmor mediation +will be performed if AppArmor support is available in the kernel. If it is not +available, dbus-daemon will start but AppArmor mediation will not occur. In +"disabled" mode, AppArmor mediation is disabled. In "required" mode, AppArmor +mediation will be enabled if AppArmor support is available, otherwise +dbus-daemon will refuse to start. + SELinux @@ -870,6 +891,37 @@ itself will be used. +AppArmor +The AppArmor confinement context is stored when applications connect to +the bus. The confinement context consists of a label and a confinement mode. +When a security decision is required, the daemon uses the confinement context +to query the AppArmor policy to determine if the action should be allowed or +denied and if the action should be audited. + +The daemon performs AppArmor security checks in three places. + +First, any time a message is routed from one connection to another +connection, the bus daemon will check permissions with the label of the first +connection as source, label and/or connection name of the second connection as +target, along with the bus name, the path name, the interface name, and the +member name. Reply messages, such as method_return and error messages, are +implicitly allowed if they are in response to a message that has already been +allowed. + +Second, any time a connection asks to own a name, the bus daemon will +check permissions with the label of the connection as source, the requested +name as target, along with the bus name. + +Third, any time a connection attempts to eavesdrop, the bus daemon will +check permissions with the label of the connection as the source, along with +the bus name. + +AppArmor rules for bus mediation are not stored in the bus configuration +files. They are stored in the application's AppArmor profile. Please see +apparmor.d(5) for more details. + + + DEBUGGING If you're trying to figure out where your messages are going or why you aren't getting messages, there are several things you can try. -- 1.9.rc1