Dear all,
after reading lots of conflicting documentation about AppArmor
being able to work with DBus (thus telling DBus what an application
is allowed to do), I kindly ask for your help.
I’m running Tumbleweed (2021-05) with kernel 5.12.0.
AppArmor version is 3.0.1 and DBus version is 1.12.20.
I configured AppArmor for an example application (for simplicity
let’s say some copy of command ‘dbus-send’). Nevertheless the binary
still can send dbus messages without any restriction. I can easily
configure file access restrictions for applications. AppArmor is
working well, though, at least for file access control.
There is no ‘dbus’ feature among the AppArmor features:
ls /sys/kernel/security/apparmor/features/
capability caps domain file mount namespaces network network_v8 policy ptrace query rlimit signal
But the ‘dbus’ documentation says it will switch on AppArmor
support by default when AppArmor is enabled in the kernel.
There is no indication (“apparmor mode=disabled”)
that DBus has been disabled in the DBus configuration:
grep -Ri apparmor /etc/dbus-1/ /usr/share/dbus-1/
/usr/share/dbus-1/services/org.freedesktop.portal.Desktop.service:AssumedAppArmorLabel=unconfined
/usr/share/dbus-1/services/org.freedesktop.portal.Documents.service:AssumedAppArmorLabel=unconfined
/usr/share/dbus-1/system-services/org.freedesktop.fwupd.service:AssumedAppArmorLabel=unconfined
Still AppArmor is not able to control DBus access of applications.
I am aware that AppArmor is in a major version transition (2.* => 3.1).
Nevertheless the AppArmor release notes (3.0.0 and 3.0.1) show no sign
that they have disabled DBus support due to the transition.
Could you please tell me how to enable DBus support in AppArmor?
Many thanks.
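The two checks described in the post (the kernel feature listing and the `apparmor mode` setting in the DBus configuration), collected into one script as an added example; this is not the poster's code. The function name and the `live` argument are assumptions made for this example; the default paths are the ones quoted in the post.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the original post).
# check_dbus_mediation is a hypothetical helper name.
#
# Usage: check_dbus_mediation FEATURES_DIR CONF_DIR...
# Prints one line per check. Returns 0 only when FEATURES_DIR contains a
# "dbus" entry and no config file sets <apparmor mode="disabled"/>.
check_dbus_mediation() {
    features_dir=$1
    shift
    rc=0

    # Check 1: does the kernel advertise a "dbus" feature in securityfs?
    if [ -e "$features_dir/dbus" ]; then
        echo "kernel: 'dbus' entry present in $features_dir"
    else
        echo "kernel: no 'dbus' entry in $features_dir"
        rc=1
    fi

    # Check 2: look for the dbus-daemon <apparmor mode="..."/> element,
    # which accepts enabled, disabled or required. Last match wins here.
    mode=$(grep -rhoE '<apparmor[[:space:]]+mode="[a-z]+"' "$@" 2>/dev/null \
        | sed -E 's/.*mode="([a-z]+)"/\1/' | tail -n 1)

    case "$mode" in
        disabled)
            echo "dbus-daemon: <apparmor mode=\"disabled\"> found in config"
            rc=1
            ;;
        "")
            echo "dbus-daemon: no <apparmor> element, daemon default applies"
            ;;
        *)
            echo "dbus-daemon: <apparmor mode=\"$mode\"> found in config"
            ;;
    esac
    return $rc
}

# Run against the live paths quoted in the post when called with "live".
if [ "${1:-}" = "live" ]; then
    check_dbus_mediation /sys/kernel/security/apparmor/features \
        /etc/dbus-1 /usr/share/dbus-1
fi
```

On the system described in the post, the first check reports the missing `dbus` entry and the second reports that no `<apparmor>` element is set.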