interfaces/builtin: remove the name=org.freedesktop.DBus restriction in cups-control AppArmor rules #11843
Conversation
…in cups-control AppArmor rules This seems to have been included erroneously: the org.freedesktop.DBus bus name is owned by the bus itself rather than any particular peer connected to the bus. While it makes sense to use in a rule dealing with communication with the bus, it seems to block legitimate traffic in this case.
|
I'll also note that there are other interfaces using this |
I had a quick look, and they are all either from Ubuntu Phone obsolete interfaces, or legitimate (because they are about (un)registering D-Bus names or getting the ID of the D-Bus session. The only exceptions I've found are in the "desktop" interface: and similar ones (though not 100% equivalent) in the unity7 interface. I will propose a PR, then we can discuss on it. |
alexmurray
removed
the
Needs security review
|
@jhenstridge @alexmurray @mardy @mvo5 Thanks a lot for your quick fix, verification, and merge! |
While testing the CUPS snap, @tillkamppeter noticed that some D-Bus broadcast signals were being blocked by AppArmor.
On closer inspection, the rules related to the
org.cups.cupsd.NotifierD-Bus interface all had a restriction likepeer=(name=org.freedesktop.DBus,label=...). This seemed weird to me, as that name is reserved for dbus-daemon, and these messages are not being sent to or received from the bus. Removing thename=restriction allowed the messages to be delivered.I asked @alexmurray for his opinion, and he couldn't think of a reason the name conditional was included here either, so I've submitted this PR to remove it.
In this case, there isn't a different D-Bus name that could be used in the rule. The messages are sent by a short lived notifier plugin process:
https://github.com/OpenPrinting/cups/blob/master/notifier/dbus.c
It does not try to own a name, and the clients watching for the signal broadcasts don't match on a well known bus name either.