doc: minor update.

Alexandre Pujol 2024-02-23 20:14:21 +00:00
parent 4b23bccb47
commit f5084ca150
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
4 changed files with 20 additions and 15 deletions


@ -12,7 +12,9 @@ Default **system**, **session** and **accessibility** bus access are provided wi
## Dbus Abstractions
Access to common dbus interface is done using the abstractions under **[`abstractions/bus/`](https://github.com/roddhjav/apparmor.d/tree/main/apparmor.d/abstractions/bus)**. They are kept minimal on purpose. The goal is not to give full talk access an interface but to provide a *read only* like view of it. For more access, use the dbus directive
Access to common dbus interface is done using the abstractions under **[`abstractions/bus/`](https://github.com/roddhjav/apparmor.d/tree/main/apparmor.d/abstractions/bus)**. They are kept minimal on purpose. The goal is not to give full talk access an interface but to provide a *read-only* like view of it. It may be required to have a look at the dbus interface documentation to check what method can be safely allowed.
For more access, simply use the [`dbus: talk`](#dbus-directive) directive.
## Dbus Directive
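Review bot: the sentence "The goal is not to give full talk access an interface" (kept from the old text, now in the rewritten line) is missing "to" before "an interface"; since the paragraph is being rewritten anyway, suggest "full talk access to an interface". In the new sentence, "what method can be safely allowed" should be "which methods can be safely allowed", and it would help the reader to say where the interface documentation is expected to be found (e.g. via introspection or the service's upstream docs) rather than leaving "have a look" open-ended.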
@ -20,14 +22,16 @@ We use a special directive to generate (when running `make`) more advanced dbus
**Directive format**
```
# dbus: ( own | talk ) bus=( system | session ) name=AARE [label=AARE] [interface=AARE]
# dbus: ( own | talk ) bus=( system | session ) name=AARE [label=AARE] [interface=AARE] [path=AARE]
```
The directive format is on purpose very similar to apparmor dbus rules. However, there is some restrictions:
The directive format is on purpose very similar to apparmor dbus rules. However, there are some restrictions:
- `bus` and `name` are mandatory and will break the build if ignored.
- For the *talk* sub directive, profile name under a `label` is also mandatory
- `interface` can optionally be given when it is different to the dbus path.
- `path` can optionally be given when it is different to the dbus name.
- It is still a comment: the rule must not end with a comma, multiline directive is not supported.
**Example:**
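Review bot: the two optional-field bullets read as circular: `interface` is said to be optional "when it is different to the dbus path" and `path` optional "when it is different to the dbus name", so a reader cannot tell what each field defaults to when omitted. Suggest stating the derivation explicitly, e.g. "`path` defaults to a value derived from `name`" and "`interface` defaults to ..." whatever the generator actually does, and keep the wording parallel with the new `[path=AARE]` field added to the format line. Minor: the `label` bullet lacks a terminating period, unlike its neighbours.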


@ -152,14 +152,9 @@ Special care must be given as sometimes udev numbers are allocated dynamically b
!!! note ""
[apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/15e33a1fe6654f67a187cd5157c9968061b9511e/apparmor.d/groups/virt/libvirtd#L179-L184)
[apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/b2af7a631a2b8aca7d6bdc8f7ff4fdd5ec94220e/apparmor.d/groups/virt/libvirtd#L188)
``` aa linenums="179"
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
@{run}/udev/data/c4[0-9]*:@{int} r,
@{run}/udev/data/c5[0-9]*:@{int} r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
```
[kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
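Review bot: the code fence still carries `linenums="179"` while the updated link now points at `#L188`, so the rendered line numbers will not match the linked source; update the attribute to the new line. Also, `@{dynamic}` is introduced here without showing or linking its definition, yet the comment claims it covers "234 to 254, 384 to 511"; the old patterns (`c3[0-9]*`, `c4[0-9]*`, `c5[0-9]*`) matched the whole 300-599 range, so if the variable is precise this is also a tightening of the rule and the text should say so, and if it is not, the comment overstates its precision.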