Commit 89bef9ec authored by Simon McVittie

<abstractions/dbus-daemon>: Add doc-comment and mark as deprecated

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: André Magalhães <andre.magalhaes@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D5732
parent 17c32ab2
# vim:syntax=apparmor
###
# <abstractions/dbus-daemon>: allow running the D-Bus session bus or AT-SPI
#
# This abstraction gives the confined process a child profile that can be
# used to run a session bus.
#
# This is obsolete. The session dbus-daemon is part of the TCB for isolation
# between app-bundles, because it has responsibility for enforcing 'dbus'
# rules and providing GetConnectionCredentials(); other TCB processes like
# Canterbury implicitly trust it to behave correctly. It is also not designed
# to be setuid, so it cannot safely be run by non-TCB processes.
#
# We now run dbus-daemon unconfined, from systemd --user (which is also in
# the TCB, and is also unconfined).
#
# See https://phabricator.apertis.org/T3601
#
# Status: Apertis-specific, deprecated, should be deleted
# Privilege level: elevated
# Known users: usr.sbin.nodm (disabled), usr.session-startup
# Dependencies: <tunables/global>
###
profile /bin/dbus-daemon flags=(complain) {
#include <abstractions/chaiwala-base>
#include <abstractions/nameservice>
......
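Review bot: The new header never mentions that the profile it documents is declared with `flags=(complain)`, so a reader of "Privilege level: elevated" cannot tell from the comment that these rules only log and do not enforce; add a line saying so next to the Status field. The summary line also says "session bus or AT-SPI" while the description paragraph only covers running a session bus, so either explain the AT-SPI case or drop it from the summary. Since usr.session-startup is still listed under "Known users", the deprecation text would be more actionable if it said what that profile should do instead, or stated that T3601 tracks its migration.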