[pkg-apparmor] Bug#807369: apparmor: Apparmor "deny network" not working in Jessie

Simon McVittie smcv at debian.org
Mon Jun 27 22:15:26 UTC 2016


On Thu, 11 Feb 2016 at 17:03:22 +0100, Simon Ruderich wrote:
> Without network mediation local UNIX access is a big
> problem (DBUS).

That's because D-Bus has traditionally used the Linux-specific "abstract"
Unix sockets for the session bus on Linux, to avoid issues where
the socket persists long after the session has ended. If you install
dbus-user-session, the session bus changes to a filesystem-backed Unix
socket with a predictable name on a tmpfs provided by systemd-logind,
which avoids that cleanup problem because systemd-logind also cleans up
the tmpfs.

(Read the dbus-user-session package description before installing:
it alters the scope of the session bus in ways that you might not be
expecting. I think it's a far better model for the future of D-Bus, but
it isn't 100% backwards-compatible, which is why it's "opt-in".)

Normal filesystem-backed Unix sockets are mediated by ordinary file-based
AppArmor rules, so they are much easier to sandbox. They can also be
controlled with chroots, mount namespaces and other filesystem-based
containerization primitives, whereas abstract Unix sockets are controlled
by network namespaces; this matters if you are interested in using
something like Flatpak or Firejail for app sandboxing.

    S
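A small added check, not code from this thread or from dbus/AppArmor, that tells the two socket kinds apart as the message describes: it classifies a D-Bus address string (`unix:abstract=` vs `unix:path=`) and lists the abstract sockets in `/proc/net/unix`, where the kernel shows them with a leading `@`. The `/proc/net/unix` sample below is constructed, not captured from a real host.

```python
"""Classify Unix-socket endpoints as abstract or filesystem-backed.

Abstract sockets are not files, so AppArmor file rules never see them;
filesystem-backed sockets (e.g. dbus-user-session's $XDG_RUNTIME_DIR/bus) are.
"""
from urllib.parse import unquote


def parse_dbus_address(address):
    """Parse a D-Bus address ("transport:k=v,k=v;...") into (transport, params)."""
    endpoints = []
    for entry in address.split(";"):
        if entry:
            transport, _, rest = entry.partition(":")
            params = {}
            for item in rest.split(","):
                if item:
                    key, _, value = item.partition("=")
                    params[key] = unquote(value)  # D-Bus uses %XX escaping
            endpoints.append((transport, params))
    return endpoints


def dbus_socket_kind(address):
    """Return 'abstract', 'filesystem' or 'other' for the first unix endpoint."""
    for transport, params in parse_dbus_address(address):
        if transport != "unix":
            continue
        if "abstract" in params:
            return "abstract"       # only network mediation can restrict this
        if "path" in params or params.get("runtime") == "yes":
            return "filesystem"     # ordinary file rules apply
    return "other"


def abstract_sockets(proc_net_unix_text):
    """Return the abstract socket names ('@'-prefixed) from /proc/net/unix text."""
    names = []
    for line in proc_net_unix_text.splitlines()[1:]:  # skip header row
        fields = line.split(None, 7)                   # unnamed sockets have 7
        if len(fields) == 8 and fields[7].startswith("@"):
            names.append(fields[7])
    return names


# Constructed sample in /proc/net/unix layout (not from a real system).
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12345 @/tmp/dbus-EXAMPLE1
0000000000000000: 00000002 00000000 00010000 0001 01 12346 /run/user/1000/bus
0000000000000000: 00000002 00000000 00010000 0001 01 12347 @/tmp/.X11-unix/X0
"""
```

Run `dbus_socket_kind` on `$DBUS_SESSION_BUS_ADDRESS` and `abstract_sockets` on the real `/proc/net/unix` to see which kind a session is using.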
