From f03cd71c1ad16a35548b722e4038ef456834dc0e Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Wed, 9 Nov 2016 17:53:02 +0000 Subject: [PATCH 8/9] Spec: document AppArmor mediation of auto-starting Signed-off-by: Simon McVittie --- doc/dbus-specification.xml | 66 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/doc/dbus-specification.xml b/doc/dbus-specification.xml index 39795fe..b182a5e 100644 --- a/doc/dbus-specification.xml +++ b/doc/dbus-specification.xml 
@@ -5181,6 +5181,72 @@ service is started by systemd during boot. + + + Mediating Activation with AppArmor + + + Please refer to AppArmor documentation for general information on + AppArmor, and how it mediates D-Bus messages when used in conjunction + with a kernel and dbus-daemon that support this. + + + + In recent versions of the reference dbus-daemon, + AppArmor policy rules of type dbus send + are also used to control auto-starting: if a message is sent to + the well-known name of an activatable service, the + dbus-daemon will attempt to determine whether + it would deliver the message to that service + beforeauto-starting it, by making some + assumptions about the resulting process's credentials. + If it does proceed with auto-starting, when the service appears, the + dbus-daemon repeats the policy check (with + the service's true credentials, which might not be identical) + before delivering the message. + + + + To support this process, service description files may contain a + AssumedAppArmorLabel key. Its value is the name + of an AppArmor label, for example + /usr/sbin/mydaemon. + If present, AppArmor mediation of messages that auto-start a + service will decide whether to allow auto-starting to occur based + on the assumption that the activated service will be confined + under the specified label; in particular, rules of the form + dbus send peer=(label=/usr/sbin/mydaemon) or + deny dbus send peer=(label=/usr/sbin/mydaemon) + will match it, allowing or denying as appropriate. + + + + Otherwise, AppArmor mediation of messages that auto-start a + service will decide whether to allow auto-starting to occur + without specifying any particular label. In particular, any rule of + the form + dbus send peer=(label=X) (for any value of X) + will not allow the auto-start, and any rule of the form + deny dbus send peer=(label=X) + will not deny it. 
+ + + + Rules of type dbus receive are not checked + when deciding whether to allow auto-starting; they are only checked + against the service's profile after the service has started, when + deciding whether to deliver the message that caused the auto-starting + operation. + + + + Explicit activation via + is not currently + affected by this mediation: if a confined process is to be prevented + from starting arbitrary services, then it must not be allowed to call + that method. + + -- 2.10.2
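Review bot: two wording defects in the added section and one gap worth closing before this merges. In the second paragraph "beforeauto-starting it" is missing a space, and in the third paragraph "may contain a AssumedAppArmorLabel key" should read "an AssumedAppArmorLabel key". In the final paragraph the method name after "Explicit activation via" is absent from the text as shown, so the sentence tells the reader to forbid calling an unnamed method; the method should be named there. On substance, the second paragraph states that the dbus-daemon repeats the policy check with the service's true credentials "when the service appears ... before delivering the message", but it does not spell out what a mismatch means: if the assumed label passes the check and the real label then fails it, the service has already been started by the time the message is refused, so AssumedAppArmorLabel (or its absence) governs whether a confined sender can cause a start, while delivery is governed by the real label. One sentence stating that, and therefore that a wrong AssumedAppArmorLabel lets a confined sender start a service it cannot then talk to, would help policy and service-file authors choose the value deliberately.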