I think I was wrong about rild and was hitting another issue.

I seem to have this all working locally by creating profiles for:
  usr.bin.nuntium
  usr.bin.powerd
  usr.bin.system-settings
  usr.lib.indicator-network-service
  usr.lib.urfkilld
  usr.sbin.NetworkManager
  usr.sbin.ofonod

then adjusting these upstart jobs to load the profile prior to launch (I may 
end up adjusting all the upstart jobs to be sure):
  ofono.conf
  powerd.conf
  urfkill.conf

To demonstrate what this looks like, the ofonod profile has:
# Permissive profile limit dbus access
/usr/sbin/ofonod (attach_disconnected) {
...

  # We can do anything on dbus
  dbus (bind, send),

  # Some methods are ok by anyone (ie, dbus-daemon itself)
  dbus (receive)
       bus=system
       interface="org.freedesktop.DBus.Properties",

  # Limit who can connect on DBus to processes with these apparmor labels (LP: #1296415)
  dbus (receive) peer=(label=/usr/lib/*/indicator-network/indicator-network-service),
  dbus (receive) peer=(label=/usr/sbin/NetworkManager),
  dbus (receive) peer=(label=/usr/bin/nuntium),
  dbus (receive) peer=(label=/usr/bin/powerd),
  dbus (receive) peer=(label=/usr/bin/system-settings),
  dbus (receive) peer=(label=/usr/lib/*/urfkill/urfkilld),
  dbus (receive) peer=(label=/usr/lib/telepathy/telepathy-ofono),
  dbus (receive) peer=(label=ofono_scripts),
...
}

profile ofono_scripts /usr/share/ofono/scripts/* (attach_disconnected) {
  capability,
  mount,
  remount,
  umount,
  network,
  dbus,
  ptrace,
  signal,

  /   rwkl,
  /** rwlkmix,
}

All of the peers have permissive profiles ala the 'ofono_scripts' policy
above. Each then gets an apparmor label for it, and the ofonod apparmor
policy allows connections from only those labels (not even unconfined
can connect). Light testing shows that 'list-modems' and 'online-modem'
from /usr/share/ofono/scripts work fine and on reboot the phone comes up
and connects to 3G and generally seems to work ok (indicator-network and
settings all work correctly when switching back and forth between wifi
and 3g). Toggling cellular data works.


I did notice that ubuntu-download-manager gets a denial:
Jun  4 10:19:42 ubuntu-phablet dbus[756]: apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.ofono.Manager" member="GetModems" name=":1.77" mask="receive" pid=1350 profile="/usr/sbin/ofonod" peer_pid=4086 peer_profile="unconfined"
Jun  4 10:19:42 ubuntu-phablet dbus[756]: message repeated 16 times: [ apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.ofono.Manager" member="GetModems" name=":1.77" mask="receive" pid=1350 profile="/usr/sbin/ofonod" peer_pid=4086 peer_profile="unconfined"]

# ps auxww|grep 4086
root      4086  2.0  0.4  65996  7776 ?        Sl   10:19   0:00 /usr/bin/ubuntu-download-manager

Should ubuntu-download-manager be added to the list?

** Changed in: indicator-network (Ubuntu)
       Status: New => In Progress

** Changed in: network-manager (Ubuntu)
       Status: New => In Progress

** Changed in: nuntium (Ubuntu)
       Status: New => In Progress

** Changed in: ofono (Ubuntu)
       Status: Confirmed => In Progress

** Changed in: powerd (Ubuntu)
       Status: New => In Progress

** Changed in: ubuntu-system-settings (Ubuntu)
       Status: New => In Progress

** Changed in: urfkill (Ubuntu)
       Status: New => In Progress

** Tags added: apparmor application-confinement rtm14

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1296415

Title:
  [security] please use apparmor to restrict access to ofono to approved
  services

Status in “indicator-network” package in Ubuntu:
  In Progress
Status in “network-manager” package in Ubuntu:
  In Progress
Status in “nuntium” package in Ubuntu:
  In Progress
Status in “ofono” package in Ubuntu:
  In Progress
Status in “powerd” package in Ubuntu:
  In Progress
Status in “ubuntu-system-settings” package in Ubuntu:
  In Progress
Status in “urfkill” package in Ubuntu:
  In Progress

Bug description:
  We should try to find ways to restrict certain properties and
  interfaces to well known callers, for example Modem 'Online' should be
  settable by urfkill only. We don't want to allow other processes to
  set these properties. This would also help to identify if some
  unintended process is trying to set such properties by accident.
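
One way to triage denials like the one in the comment above before deciding which peers to add to the ofonod policy, as an added example that is not part of the original comment or of any package's code. It parses AppArmor D-Bus denial records from syslog, folds in the "message repeated" summaries, and lists denied peers that are still unconfined; the function names and the repeat-counting convention are assumptions.

```python
import re
from collections import Counter

# The two syslog records quoted in the comment above, mail line-wrapping undone.
_REC = ('apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" '
        'interface="org.ofono.Manager" member="GetModems" name=":1.77" mask="receive" '
        'pid=1350 profile="/usr/sbin/ofonod" peer_pid=4086 peer_profile="unconfined"')
SAMPLE_LOG = (
    "Jun  4 10:19:42 ubuntu-phablet dbus[756]: " + _REC + "\n"
    "Jun  4 10:19:42 ubuntu-phablet dbus[756]: message repeated 16 times: [ " + _REC + "]\n"
)

KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s\]]+))')   # key="quoted" or key=bare
REPEAT = re.compile(r'message repeated (\d+) times: \[')


def parse_denial(line):
    """Return (fields, occurrences) for an AppArmor D-Bus denial, else None."""
    if 'apparmor="DENIED"' not in line or 'operation="dbus_' not in line:
        return None
    fields = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
    rep = REPEAT.search(line)
    # Assumption: syslog's "message repeated N times" stands for N further copies.
    return fields, int(rep.group(1)) if rep else 1


def summarize(log):
    """Count denials per (profile, peer label, peer pid, interface.member, mask)."""
    counts = Counter()
    for line in log.splitlines():
        parsed = parse_denial(line)
        if parsed:
            f, n = parsed
            key = (f.get("profile"), f.get("peer_profile"), f.get("peer_pid"),
                   f"{f.get('interface')}.{f.get('member')}", f.get("mask"))
            counts[key] += n
    return counts


def unlabelled_peers(counts):
    """PIDs of denied peers running unconfined: they need their own profile first."""
    return sorted({pid for (_, label, pid, _, _) in counts if label == "unconfined"})


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
    print("unconfined peer pids:", unlabelled_peers(summarize(SAMPLE_LOG)))
```

Each PID reported as unconfined still has to be mapped to its executable, as the `ps` lookup in the comment does, before a profile and label can be written for it.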
