
Re: Let's enable AppArmor by default (why not?)

On Thu, 10 Aug 2017 at 12:00:15 -0700, John Johansen wrote:
>   but ideally would be enabled by the dbus code advising the
>   kernel module it is mediating

"The" dbus code? There can be several parallel instances of dbus-daemon,
possibly different versions of the executable, certainly differently
configured, which can result in any combination of them having
AppArmor mediation enabled or disabled. For example, a typical GNOME
laptop will have a system bus, a session bus for the system user
that runs the gdm greeter, and a session bus for the logged-in user
account.

It is meaningful to ask whether a specific dbus-daemon instance is
applying AppArmor mediation, and the latest development branches
advertise this by putting "apparmor" in the bus driver's Features
property. In general it isn't necessarily meaningful to say
"the dbus-daemons running on this kernel are applying AppArmor
mediation" because some of them might be an executable that doesn't
support it, and some of them might support it but have it disabled
in configuration.

So I think this is something that should be queried by asking each
dbus-daemon whether it is mediating, rather than by asking the kernel.

     S
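The per-daemon query the message argues for, as an added example (not part of Simon's message and not code from dbus itself): it asks each bus driver for its `Features` property, the mechanism the message describes, and reports one of three states per daemon, keeping "this executable does not advertise Features at all" separate from "mediation is off". It assumes `dbus-send` is on PATH, that the property lives on `org.freedesktop.DBus` at `/org/freedesktop/DBus`, and that the feature value is spelled `AppArmor` (the D-Bus specification's spelling; the message writes it in lowercase, so the comparison is case-insensitive). The sample replies embedded in the script are constructed to match the shape `dbus-send --print-reply` prints, so the parsing runs offline.

```python
#!/usr/bin/env python3
"""Ask each dbus-daemon, not the kernel, whether it applies AppArmor mediation.

Added example. One Get on the bus driver's Features property per bus; an
error reply (daemon too old to implement Properties or Features) is reported
as 'unknown', never as 'not-mediating'.
"""
import os
import re
import subprocess

BUS_NAME = "org.freedesktop.DBus"
BUS_PATH = "/org/freedesktop/DBus"

# One line per array element in `dbus-send --print-reply` output, e.g.
#          string "AppArmor"
_FEATURE_LINE = re.compile(r'^\s*string "([^"]*)"\s*$', re.MULTILINE)

# Constructed sample replies (not captured from a real daemon), in the layout
# dbus-send --print-reply uses, so the classification can be exercised offline.
SAMPLE_MEDIATING = """method return time=1502399999.000000 sender=org.freedesktop.DBus -> destination=:1.42 serial=3 reply_serial=2
   variant       array [
         string "AppArmor"
         string "HeaderFiltering"
         string "SystemdActivation"
      ]
"""
SAMPLE_NOT_MEDIATING = """method return time=1502399999.000000 sender=org.freedesktop.DBus -> destination=:1.43 serial=3 reply_serial=2
   variant       array [
         string "HeaderFiltering"
         string "SystemdActivation"
      ]
"""
# Constructed: what an older dbus-daemon without the Properties interface might
# print on stderr (exit status non-zero).
SAMPLE_TOO_OLD = 'Error org.freedesktop.DBus.Error.UnknownInterface: Interface "org.freedesktop.DBus.Properties" unknown\n'


def parse_features(reply: str) -> list[str]:
    """Extract the string array from a --print-reply dump of the Features property."""
    if not reply.lstrip().startswith("method return"):
        return []
    return _FEATURE_LINE.findall(reply)


def classify(reply: str, returncode: int) -> str:
    """Map one daemon's answer to 'mediating', 'not-mediating' or 'unknown'.

    'unknown' covers daemons that do not implement Properties/Features: an
    error says nothing about whether that executable mediates, so it must not
    be folded into 'not-mediating'.
    """
    if returncode != 0:
        return "unknown"
    features = parse_features(reply)
    if not features and "array" not in reply:
        return "unknown"
    # Case-insensitive: the thread writes "apparmor", the spec "AppArmor".
    if any(f.lower() == "apparmor" for f in features):
        return "mediating"
    return "not-mediating"


def query_bus(bus_flag: str) -> str:
    """Run dbus-send against one bus ('--system' or '--session') and classify."""
    cmd = [
        "dbus-send", bus_flag, "--print-reply", f"--dest={BUS_NAME}", BUS_PATH,
        "org.freedesktop.DBus.Properties.Get", f"string:{BUS_NAME}", "string:Features",
    ]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown"  # no dbus-send, or the daemon never answered
    return classify(proc.stdout + proc.stderr, proc.returncode)


if __name__ == "__main__":
    # Each daemon is asked separately; a session bus is only queried when the
    # environment actually points at one.
    buses = [("system bus", "--system")]
    if os.environ.get("DBUS_SESSION_BUS_ADDRESS"):
        buses.append(("session bus", "--session"))
    for label, flag in buses:
        print(f"{label}: {query_bus(flag)}")
```

Run it once per login session you care about (the gdm greeter's session bus is only reachable from that user's environment), and treat "unknown" as a prompt to check the daemon's version and configuration rather than as a negative answer.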