If I'm reading the AppArmor user-space source code correctly, if
backwards compatibility wasn't a concern then this could be achieved by
adding an additional user-defined field to vec in
dbus_rule::gen_policy_re(Profile&) and passing the new number of fields
to add_rule_vec(), then adding that same field to the queries built by
dbus-daemon in bus/apparmor.c build_message_query().

Unfortunately, again if I'm reading correctly, the query works by
building a long string with embedded \0 bytes, then matching it against
a DFA representing a single long regular expression that also has
embedded \0 bytes - if true, this would mean the number of fields can't
usefully be varied.

If extensibility is desired, I think the ideal thing might be if extra
fields in the query were ignored (always match) and extra fields in the
rule were compared as though the query had an empty string at that point
in the vector, but I don't know how feasible that would be.

https://bugs.launchpad.net/bugs/1692582

Title:
  RFE: dbus AppArmor mediation matching by message type
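The following is an added illustration, not code from AppArmor, dbus-daemon or the message's author: a simplified Python model of the flat NUL-separated matching the message describes, next to the extensible semantics it proposes. The field values, the use of `None` as a wildcard and all function names are constructed for the example; AppArmor compiles its rules into a DFA rather than using Python regexes.

```python
import re

SEP = "\0"  # separator embedded in both the rule regex and the query string

def compile_rule(fields):
    """Join per-field patterns into one regex; None means 'any value'."""
    parts = [r"[^\0]*" if f is None else re.escape(f) for f in fields]
    return re.compile(SEP.join(parts), re.DOTALL)

def flat_match(rule_fields, query_fields):
    """Model of the described behaviour: one regex against one NUL-joined string."""
    query = SEP.join(query_fields)
    return compile_rule(rule_fields).fullmatch(query) is not None

def extensible_match(rule_fields, query_fields):
    """Model of the proposal: extra query fields are ignored, extra rule
    fields are compared as though the query held an empty string there."""
    for i, pattern in enumerate(rule_fields):
        value = query_fields[i] if i < len(query_fields) else ""
        if pattern is not None and pattern != value:
            return False
    return True

# Constructed sample data: three existing fields plus a hypothetical fourth
# field carrying the message type.
OLD_RULE = ["session", "org.example.Service", None]
NEW_RULE = OLD_RULE + ["method_call"]
OLD_QUERY = ["session", "org.example.Service", "Ping"]
NEW_QUERY = OLD_QUERY + ["method_call"]

if __name__ == "__main__":
    for name, match in (("flat", flat_match), ("extensible", extensible_match)):
        print(name)
        print("  old rule / old query:", match(OLD_RULE, OLD_QUERY))
        print("  old rule / new query:", match(OLD_RULE, NEW_QUERY))
        print("  new rule / old query:", match(NEW_RULE, OLD_QUERY))
        print("  new rule / new query:", match(NEW_RULE, NEW_QUERY))
```

In the flat model, any mismatch in field count between rule and query fails because the extra separator and field have nothing to match against, which is the compatibility problem the message raises.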