From dcc6c72cbd240c43393cb4ee6c7d1b16cc9e14a8 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 13 Mar 2025 19:08:56 +0100
Subject: [PATCH] build(directive): add the dbus common subdirective for bus abstraction.

---
 pkg/prebuild/directive/dbus.go | 55 ++++++++++++++++++++++++++++-
 pkg/prebuild/directive/dbus_test.go | 41 ++++++++++++++++++---
 2 files changed, 90 insertions(+), 6 deletions(-)

diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go
index 99a8f6138..8cea267d1 100644
--- a/pkg/prebuild/directive/dbus.go
+++ b/pkg/prebuild/directive/dbus.go
@@ -33,6 +33,7 @@ func init() {
 Help: []string{
 "own bus= name= [interface=AARE] [path=AARE]",
 "talk bus= name= label= [interface=AARE] [path=AARE]",
+ "common bus= name= label=",
 },
 }},
 )
@@ -50,6 +51,8 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) {
 r = d.own(opt.ArgMap)
 case "talk":
 r = d.talk(opt.ArgMap)
+ case "common":
+ r = d.common(opt.ArgMap)
 }

 aa.IndentationLevel = strings.Count(
@@ -67,7 +70,7 @@ func (d Dbus) sanityCheck(opt *Option) (string, error) {
 return "", fmt.Errorf("Unknown dbus action: %s in %s", opt.Name, opt.File)
 }
 action := opt.ArgList[0]
- if action != "own" && action != "talk" {
+ if action != "own" && action != "talk" && action != "common" {
 return "", fmt.Errorf("Unknown dbus action: %s in %s", opt.Name, opt.File)
 }
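Review bot: In the @@ -67 hunk the new `common` action is accepted by sanityCheck on the action name alone, while the Help entry added in the @@ -33 hunk documents `label=` as required for it. sanityCheck continues outside the hunk, so I cannot see whether a missing label is rejected further down; if it is not, `common()` builds its three peer rules with an empty `PeerLabel`, which presumably renders as a `peer=(...)` constraint without a label and matches more peers than the directive intends. Either add a check equivalent to `if action == "common" && opt.ArgMap["label"] == "" { return "", fmt.Errorf("dbus common requires label= in %s", opt.File) }` where the other argument checks live, or change the Help text to mark label as optional so the documented contract matches the validation.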
@@ -208,3 +211,53 @@ func (d Dbus) talk(rules map[string]string) aa.Rules {
 )
 return res
 }
+
+func (d Dbus) common(rules map[string]string) aa.Rules {
+ res := aa.Rules{
+
+ // DBus.Properties: read all properties from the interface
+ &aa.Comment{
+ Base: aa.Base{
+ Comment: " DBus.Properties: read all properties from the interface",
+ IsLineRule: true,
+ },
+ },
+ &aa.Dbus{
+ Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"],
+ Interface: "org.freedesktop.DBus.Properties",
+ Member: "{Get,GetAll}",
+ PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"],
+ },
+ nil,
+
+ // DBus.Properties: receive property changed events
+ &aa.Comment{
+ Base: aa.Base{
+ Comment: " DBus.Properties: receive property changed events",
+ IsLineRule: true,
+ },
+ },
+ &aa.Dbus{
+ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"],
+ Interface: "org.freedesktop.DBus.Properties",
+ Member: "PropertiesChanged",
+ PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"],
+ },
+ nil,
+
+ // DBus.Introspectable: allow clients to introspect the service
+ &aa.Comment{
+ Base: aa.Base{
+ Comment: " DBus.Introspectable: allow clients to introspect the service",
+ IsLineRule: true,
+ },
+ },
+ &aa.Dbus{
+ Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"],
+ Interface: "org.freedesktop.DBus.Introspectable",
+ Member: "Introspect",
+ PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"],
+ },
+ }
+ return res
+}
diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/prebuild/directive/dbus_test.go
index 5f8d57d10..7aaa21607 100644
--- a/pkg/prebuild/directive/dbus_test.go
+++ b/pkg/prebuild/directive/dbus_test.go
@@ -6,8 +6,6 @@ package directive
 import (
 "testing"
-
- "github.com/roddhjav/apparmor.d/pkg/paths"
 )

 const dbusOwnSystemd1 = ` dbus bind bus=system name=org.freedesktop.systemd1{,.*},
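Review bot: `common` in the @@ -208 hunk has no doc comment and builds the same peer-name pattern from `rules["name"]` three times, once per aa.Dbus rule; hoisting it to a local, `peer := "\"{@{busname}," + rules["name"] + "}\""`, and writing `PeerName: peer` in each rule keeps the three rules in step if the pattern ever changes, and the same goes for the repeated `Bus`/`Path`/`PeerLabel` lookups. I'd add a comment such as `// common returns the DBus.Properties (Get/GetAll, PropertiesChanged) and DBus.Introspectable rules needed to talk to the service rules["name"] on rules["bus"], scoped to rules["path"] and the peer label rules["label"].` Worth noting in it that `path` is read from rules even though the Help text for `common` only lists bus, name and label; from the test expectation the path appears to be derived from the name before this method is called, but that happens outside the hunk.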
@@ -52,7 +50,7 @@ func TestDbus_Apply(t *testing.T) {
 "own": "",
 },
 ArgList: []string{"own", "bus=system", "name=org.freedesktop.systemd1"},
- File: paths.New("fake-own"),
+ File: nil,
 Raw: " #aa:dbus own bus=system name=org.freedesktop.systemd1",
 },
 profile: " #aa:dbus own bus=system name=org.freedesktop.systemd1",
@@ -69,7 +67,7 @@ func TestDbus_Apply(t *testing.T) {
 "own": "",
 },
 ArgList: []string{"own", "bus=session", "name=com.rastersoft.ding", "interface+=org.gtk.Actions"},
- File: paths.New("fake-interface"),
+ File: nil,
 Raw: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions",
 },
 profile: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions",
@@ -114,7 +112,7 @@ func TestDbus_Apply(t *testing.T) {
 "talk": "",
 },
 ArgList: []string{"talk", "bus=system", "name=org.freedesktop.Accounts", "label=accounts-daemon"},
- File: paths.New("gdm-session-worker"),
+ File: nil,
 Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon",
 },
 profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon",
@@ -138,6 +136,39 @@ func TestDbus_Apply(t *testing.T) {
 member={InterfacesAdded,InterfacesRemoved}
 peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon),`,
 },
+ {
+ name: "common",
+ opt: &Option{
+ Name: "dbus",
+ ArgMap: map[string]string{
+ "bus": "system",
+ "name": "net.hadess.PowerProfiles",
+ "label": "power-profiles-daemon",
+ "talk": "",
+ },
+ ArgList: []string{"common", "bus=system", "name=net.hadess.PowerProfiles", "power-profiles-daemon"},
+ File: nil,
+ Raw: " #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon",
+ },
+ profile: " #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon",
+ want: ` # DBus.Properties: read all properties from the interface
+ dbus send bus=system path=/net/hadess/PowerProfiles{,/**}
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon),
+
+ # DBus.Properties: receive property changed events
+ dbus receive bus=system path=/net/hadess/PowerProfiles{,/**}
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon),
+
+ # DBus.Introspectable: allow clients to introspect the service
+ dbus send bus=system path=/net/hadess/PowerProfiles{,/**}
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon),`,
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
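Review bot: The new `common` fixture in the @@ -138 hunk does not model the directive line it claims to test: ArgMap carries `"talk": ""` where the neighbouring cases carry their own action name, and the last ArgList element is `"power-profiles-daemon"` rather than `"label=power-profiles-daemon"` as written in Raw. The case still passes because Apply reads ArgMap and sanityCheck only inspects ArgList[0], so it would not notice a regression in how these fields are populated for `common`; I'd change the two entries to `"common": "",` and `"label=power-profiles-daemon"` so the fixture matches the Raw line. TestDbus_Apply continues outside the hunk.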