AppArmorDbus

  • Launchpad Entry: security-o-apparmor-dbus

  • Created: 2011-07-11

  • Contributors: jdstrand, jjohansen

  • Packages affected: dbus, apparmor, linux

Summary

DBus should be modified to query AppArmor for access to applications and should fallback gracefully to the current mode when AppArmor is not available.

Release Note

DBus applications can now be mediated by AppArmor. By default DBus is a trusted application which runs under a permissive AppArmor profile, and DBus applications in Ubuntu are not mediated by default. Administrators can now create AppArmor policy to limit which applications a specific application is allowed to talk to over DBus. See man apparmor for details.

Rationale

DBus aware applications currently cannot be properly mediated with AppArmor. While a confined application can be disallowed access to the DBus system bus, this is too coarse-grained. Furthermore, because AppArmor does not currently mediate IPC (and therefore the abstract unix domain sockets that DBus uses in Ubuntu for the per-user session bus), applications currently confined by AppArmor are allowed to talk to any application with an interface on the session bus.

User stories

John does not trust an application he downloaded from the Internet. He would like for it to integrate with his desktop, but not have access to all applications on the session bus.

David is developing an application that handles untrusted content. He would like to provide an AppArmor profile to provide an extra layer of security and enforce that the application can only talk to the services it needs on the session bus, and no others.

Evan would like to limit access for his application that runs with privileges to only talk to certain services on the system bus.

Steve would like to ensure that only specific applications can talk to the DBus service he has implemented.

Design

The design consists of 3 parts:

  1. IPC mediation is implemented in the kernel
  2. libapparmor is modified with new query API (TODO: need link to list)
  3. DBus is modified to use new query API

Implementation

The kernel is updated to mediate IPC.

libapparmor is updated with new API (TODO: show here)

DBus is updated to provide a compile time configuration for AppArmor support. It should degrade gracefully if AppArmor support is not supported by the kernel, AppArmor is disabled, or DBus is running unconfined. DBus itself will be considered a trusted binary and run in a permissive AppArmor profile. When messages and signals are received, DBus will query the kernel via the libapparmor API on whether the source can send messages to the target. DBus should reply with an appropriate message if AppArmor denies access.
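The decision flow above, as an added model that is not code from the spec, dbus or libapparmor: the libapparmor query API is still a TODO on this page, so it is stood in for by a caller-supplied query() callable, and the labels, daemon path and policy used to walk the test matrix are constructed assumptions.

```python
"""Model of the dbus-daemon mediation decision described in the spec.

Added example, not spec, dbus or libapparmor code: the libapparmor query API
is a TODO on the page, so it is modelled by a caller-supplied query() callable
returning (allowed, audited); all labels and policy below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

QueryFn = Callable[[str, str, str], Tuple[bool, bool]]

@dataclass(frozen=True)
class Environment:
    apparmor_enabled: bool      # False when AppArmor is not installed or disabled
    kernel_ipc_mediation: bool  # False on a kernel without IPC mediation
    daemon_label: str           # AppArmor label of dbus-daemon itself

@dataclass(frozen=True)
class Decision:
    allowed: bool
    mediated: bool        # False when the daemon fell back to unmediated mode
    audited: bool
    error: Optional[str]  # D-Bus error name sent back to the sender on denial

def mediate(env: Environment, src: str, dst: str, bus: str,
            query: QueryFn) -> Decision:
    """Decide whether src may send to dst, degrading gracefully as the spec requires."""
    # Fallback conditions named in the spec: AppArmor absent or disabled, a
    # kernel without IPC mediation, or dbus-daemon itself running unconfined.
    if (not env.apparmor_enabled or not env.kernel_ipc_mediation
            or env.daemon_label == "unconfined"):
        return Decision(True, False, False, None)
    allowed, audited = query(src, dst, bus)
    if allowed:
        return Decision(True, True, audited, None)
    # Deny with an error reply so the sender gets an answer instead of a hang.
    return Decision(False, True, audited, "org.freedesktop.DBus.Error.AccessDenied")

def sample_policy(src: str, dst: str, bus: str) -> Tuple[bool, bool]:
    """Constructed policy: a confined_deny sender is refused and audited."""
    return (False, True) if src == "confined_deny" else (True, False)

MEDIATED = Environment(True, True, "/usr/bin/dbus-daemon")

def run_matrix(env: Environment = MEDIATED) -> Dict[Tuple[str, str, str], Decision]:
    """Walk the unconfined/confined-allow/confined-deny cases on both buses."""
    labels = ("unconfined", "confined_allow", "confined_deny")
    return {(s, d, b): mediate(env, s, d, b, sample_policy)
            for b in ("session", "system") for s in labels for d in labels}
```

With AppArmor disabled, the kernel lacking IPC mediation, or the daemon unconfined, every pair in the matrix is allowed unmediated; only the fully mediated environment produces denials, and those carry an error reply rather than a dropped message.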

Migration

  • there is no data to migrate
  • upgrades will not require any user interaction for the new behavior

Test/Demo Plan

Tests (notes 1 and 2 below apply); results not yet recorded:

  • DBus works when AppArmor is not installed
  • DBus works when AppArmor is disabled
  • DBus works when AppArmor is enabled, but DBus is unconfined
  • DBus works when AppArmor is enabled, but kernel doesn't support IPC mediation
  • listener registration
  • exceptions on missing objects
  • object send/receive
  • signature validation
  • DBus test plan has no regressions
  • glib bindings work*
  • python bindings work*
  • python/gdbus bindings work
  • vala/glib bindings work
  • vala/gdbus bindings work
  • apparmor policy (AP): unconfined to unconfined (session)
  • (AP) unconfined to confined allow (session)
  • (AP) unconfined to confined deny (session)
  • (AP) confined allow to unconfined (session)
  • (AP) confined allow to confined allow (session)
  • (AP) confined allow to confined deny (session)
  • (AP) confined deny to unconfined (session)
  • (AP) confined deny to confined allow (session)
  • (AP) confined deny to confined deny (session)
  • (AP) unconfined to unconfined (system)
  • (AP) unconfined to confined allow (system)
  • (AP) unconfined to confined deny (system)
  • (AP) confined allow to unconfined (system)
  • (AP) confined allow to confined allow (system)
  • (AP) confined allow to confined deny (system)
  • (AP) confined deny to unconfined (system)
  • (AP) confined deny to confined allow (system)
  • (AP) confined deny to confined deny (system)
  • (AP) private buses work
  • (AP) deny audit works

  1. these should be implemented as part of lp:qa-regression-testing
  2. test should be done on both the 1.4 and 1.5 series

Unresolved issues

This should highlight any issues that should be addressed in further specifications, and not problems with the specification itself; since any specification with problems cannot be approved.

BoF agenda and discussion

Use this section to take notes during the BoF; if you keep it in the approved spec, use it for summarising what was discussed and note any options that were rejected.


CategorySpec

SecurityTeam/Specifications/Oneiric/AppArmorDbus (last edited 2011-07-12 17:01:14 by jdstrand)