
Incomplete dbus mediation with apparmor on kernel 6.17

Open roddhjav opened this issue 1 month ago • 0 comments

This issue was initially reported on apparmor, but after further research it may be better placed here. See https://gitlab.com/apparmor/apparmor/-/issues/565 for the original issue.

I did some tests with dbus mediation on Archlinux with the now default kernel 6.17. I used the current master branch of apparmor (commit 455d50e), moved all profiles to abi 5.0, and dbus-broker with apparmor enabled from the master branch too. With such a setup, dbus mediation works(TM).

However, it seems to be incomplete. The peer name seems to be completely ignored. This results in hundreds of denials like the following one:

  apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Properties" method="GetAll" mask="send" label="goa-daemon" peer_label="NetworkManager" exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?

This log should translate to the following rule:

  dbus send bus=system path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(label=NetworkManager),

But the same rule with peer_name set is already present in the goa-daemon profile (through abstractions/network-manager-observe):

  dbus send bus=system path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
       peer=(name=@{busname}, label=NetworkManager),

It is only an example with a specific profile. It applies to all profiles using dbus mediation.

Removing the peer_name in the rule fixes the issue. However:

  • it makes the profiles incompatible across dbus implementations,
  • it would have security implications when the peer name is not an anonymous one (e.g. peer_name=org.freedesktop.fwupd instead of peer_name=@{busname}).

Looking at the sources, it seems peer_name is not logged at all, e.g. https://github.com/bus1/dbus-broker/blob/e3324b3736fd40d95e7943fca6e485013d15d643/src/util/apparmor.c#L571. However, that's only half of the issue; the rule should be validated with it anyway.

roddhjav · Nov 30 '25 21:11
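An added example (not part of the issue, nor code from dbus-broker or AppArmor): a small Python parser for the audit line format above that derives the dbus rule the same way the report does, and lists events whose peer_name the broker never logged. The second log line is constructed here to show what a complete event would carry; its label "gnome-software" and method "GetDevices" are made up.

```python
import shlex

# Constructed sample input: the audit line quoted in the report, and a second
# line (made up here) showing what the event would carry if peer_name were logged.
LOG_FROM_REPORT = (
    'apparmor="ALLOWED" operation="dbus_method_call" bus="system" '
    'path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Properties" '
    'method="GetAll" mask="send" label="goa-daemon" peer_label="NetworkManager" '
    'exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
)
LOG_WITH_PEER_NAME = (
    'apparmor="ALLOWED" operation="dbus_method_call" bus="system" '
    'path="/" interface="org.freedesktop.fwupd" method="GetDevices" mask="send" '
    'label="gnome-software" peer_name="org.freedesktop.fwupd" peer_label="fwupd" '
    'exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
)


def parse_audit_line(line):
    """Split an AppArmor audit line into a dict; shlex handles the quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def audit_to_rule(fields):
    """Derive the AppArmor dbus rule an event would need, aa-logprof style.

    Only the peer qualifiers present in the event can be emitted, so an event
    without peer_name yields a rule without peer=(name=...).
    """
    if fields.get("operation") != "dbus_method_call":
        raise ValueError("not a dbus_method_call event")
    parts = [
        f"dbus {fields['mask']} bus={fields['bus']} path={fields['path']}",
        f"interface={fields['interface']}",
        f"member={fields['method']}",
    ]
    # "peer_name"[5:] == "name", "peer_label"[5:] == "label"
    peer = [f"{k[5:]}={fields[k]}" for k in ("peer_name", "peer_label") if k in fields]
    if peer:
        parts.append("peer=(" + ", ".join(peer) + ")")
    return " ".join(parts) + ","


def events_missing_peer_name(lines):
    """Return the parsed dbus events whose peer name the broker did not log."""
    parsed = (parse_audit_line(line) for line in lines)
    return [f for f in parsed
            if f.get("operation") == "dbus_method_call" and "peer_name" not in f]
```

Run over a real audit log, `events_missing_peer_name` gives the set of denials that cannot be matched against a profile rule carrying `peer=(name=...)`, whatever the profile says.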