Commit 8842d3cf authored by André Magalhães's avatar André Magalhães
parent aae8683b
# vim:syntax=apparmor
###
# <abstractions/dbus-daemon>: allow running the D-Bus session bus or AT-SPI
#
# This abstraction gives the confined process a child profile that can be
# used to run a session bus.
#
# This is obsolete. The session dbus-daemon is part of the TCB for isolation
# between app-bundles, because it has responsibility for enforcing 'dbus'
# rules and providing GetConnectionCredentials(); other TCB processes like
# Canterbury implicitly trust it to behave correctly. It is also not designed
# to be setuid, so it cannot safely be run by non-TCB processes.
#
# We now run dbus-daemon unconfined, from systemd --user (which is also in
# the TCB, and is also unconfined).
#
# See https://phabricator.apertis.org/T3601
#
# Status: Apertis-specific, deprecated, should be deleted
# Privilege level: elevated
# Known users: usr.sbin.nodm (disabled), usr.session-startup
# Dependencies: <tunables/global>
###
profile /bin/dbus-daemon flags=(complain) {
#include <abstractions/chaiwala-base>
#include <abstractions/nameservice>
#include <abstractions/dbus-session>
#include <abstractions/gsettings>
/bin/dbus-daemon ixr,
/etc/dbus-1/session.conf r,
/etc/dbus-1/session.d/ r,
/etc/at-spi2/accessibility.conf r,
owner @{PROC}/*/cmdline r,
owner @{PROC}/*/fd/ r,
# This is accessed by pam_systemd.so during login
/run/systemd/users/* r,
/usr/share/dbus-1/system-services/ r,
/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service r,
/usr/share/dbus-1/services/ r,
/usr/share/dbus-1/services/** r,
/usr/lib/at-spi2-core/at-spi-bus-launcher rmPx,
/usr/lib/at-spi2-core/at-spi2-registryd rmPx,
/bin/* Px -> /etc/X11/Xsession//chaiwala_sanitized_helper,
/sbin/* Px -> /etc/X11/Xsession//chaiwala_sanitized_helper,
/usr/bin/* Px -> /etc/X11/Xsession//chaiwala_sanitized_helper,
/usr/sbin/* Px -> /etc/X11/Xsession//chaiwala_sanitized_helper,
}
rm_conffile /etc/apparmor.d/abstractions/chaiwala-execution UNRELEASED chaiwala-apparmor-profiles
rm_conffile /etc/apparmor.d/abstractions/chaiwala-user-read UNRELEASED chaiwala-apparmor-profiles
rm_conffile /etc/apparmor.d/abstractions/chaiwala-user-write UNRELEASED chaiwala-apparmor-profiles
rm_conffile /etc/apparmor.d/abstractions/dbus-daemon UNRELEASED chaiwala-apparmor-profiles
rm_conffile /etc/apparmor.d/tunables/chaiwala/chaiwala-user UNRELEASED chaiwala-apparmor-profiles
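Review bot: All five rm_conffile entries pass the placeholder `UNRELEASED` as the prior-version argument; before release it should be replaced with the first package version that no longer ships these files, so dpkg-maintscript-helper only removes the conffile on upgrades from versions that actually installed it (a placeholder version is presumably compared like any other version string and may fire on every upgrade). Separately, the removed abstraction's own header names usr.sbin.nodm and usr.session-startup as known users; if either profile still `#include`s `<abstractions/dbus-daemon>` after the conffile is gone, apparmor_parser will fail on that profile and the process it covers will run unconfined, so it is worth confirming those includes are dropped in the same change (the affected profiles are not visible here). The maintscript's file header is not shown, so I cannot tell whether these five lines are the whole file.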