profiles: add accessability abstraction
Bug #1727887 reported by Steve Beattie
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Confirmed | Medium | Unassigned |
Bug Description
In https:/
dbus (send)
bus=session
peer=
dbus (receive)
bus=session
interface
We already have dbus-accessibility-strict and dbus-accessibility. Snappy uses this instead of dbus-accessibility:

    # accessibility (a11y)
    #include <abstractions/dbus-session-strict>
    dbus (send)
        bus=session
        path=/org/a11y/bus
        interface=org.a11y.Bus
        member=GetAddress
        peer=(label=unconfined),

    #include <abstractions/dbus-accessibility-strict>
    # Allow the accessibility services in the user session to send us any events
    dbus (receive)
        bus=accessibility
        peer=(label=unconfined),

    # Allow querying for capabilities and registering
    dbus (send)
        bus=accessibility
        path="/org/a11y/atspi/accessible/root"
        interface="org.a11y.atspi.Socket"
        member="Embed"
        peer=(name=org.a11y.atspi.Registry, label=unconfined),
    dbus (send)
        bus=accessibility
        path="/org/a11y/atspi/registry"
        interface="org.a11y.atspi.Registry"
        member="GetRegisteredEvents"
        peer=(name=org.a11y.atspi.Registry, label=unconfined),
    dbus (send)
        bus=accessibility
        path="/org/a11y/atspi/registry/deviceeventcontroller"
        interface="org.a11y.atspi.DeviceEventController"
        member="Get{DeviceEvent,Keystroke}Listeners"
        peer=(name=org.a11y.atspi.Registry, label=unconfined),
    dbus (send)
        bus=accessibility
        path="/org/a11y/atspi/registry/deviceeventcontroller"
        interface="org.a11y.atspi.DeviceEventController"
        member="NotifyListenersSync"
        peer=(name=org.a11y.atspi.Registry, label=unconfined),

    # org.a11y.atspi is not designed for application isolation and these rules
    # can be used to send change events for other processes.
    dbus (send)
        bus=accessibility
        path="/org/a11y/atspi/accessible/root"
        interface="org.a11y.atspi.Event.Object"
        member="ChildrenChanged"
        peer=(name=org.freedesktop.DBus, label=unconfined),
    dbus (send)
        bus=accessibility
        path="/org/a11y/atspi/accessible/root"
        interface="org.a11y.atspi.Accessible"
        member="Get*"
        peer=(label=unconfined),
    dbus (send)
        bus=accessibility
        path="/org/a11y/atspi/accessible/[0-9]*"
        interface="org.a11y.atspi.Event.Object"
        member="{ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}"
        peer=(name=org.freedesktop.DBus, label=unconfined),
    dbus (send)
        bus=accessibility
        path="/org/a11y/atspi/accessible/[0-9]*"
        interface="org.freedesktop.DBus.Properties"
        member="Get{,All}"
        peer=(label=unconfined),
    dbus (send)
        bus=accessibility
        path="/org/a11y/atspi/cache"
        interface="org.a11y.atspi.Cache"
        member="{Add,Remove}Accessible"
        peer=(name=org.freedesktop.DBus, label=unconfined),
Note that almost all of the above is covered by this rule in the dbus-accessibility abstraction:

    dbus bus=accessibility,

I *think* all we should do in apparmor is add this to dbus-accessibility:

    dbus (send)
        bus=session
        path=/org/a11y/bus
        interface=org.a11y.Bus
        member=GetAddress
        peer=(label=unconfined),
If this isn't sufficient, I'd be interested in seeing the denials.
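An added example, not part of this bug report and not AppArmor, snapd or Launchpad code: a small checker that parses the snappy a11y rules quoted in the comment above and reports which of them the single `dbus bus=accessibility,` rule of the dbus-accessibility abstraction does not already cover. It makes the comment's claim checkable: only the session-bus GetAddress rule is left, and adding that rule to the abstraction leaves nothing. The rule text is transcribed from the comment (one rule per line); the coverage logic is a deliberate simplification of AppArmor's matching (exact qualifier comparison, no globbing), and the names `split_rules`, `parse_rule`, `covers` and `uncovered` are this example's own.

```python
"""Which snappy a11y dbus rules does `dbus bus=accessibility,` not cover?

Added example for this bug page, not AppArmor/snapd code. Simplified
semantics: a rule covers another when every qualifier it sets (bus, path,
interface, member, peer, access) is present and equal on the other rule;
a qualifier it does not set means "any". Globs are compared literally.
"""
import re

# Transcribed from the comment above, one rule per line (constructed input).
SNAPPY_A11Y_RULES = r'''
# accessibility (a11y)
#include <abstractions/dbus-session-strict>
dbus (send) bus=session path=/org/a11y/bus interface=org.a11y.Bus member=GetAddress peer=(label=unconfined),
#include <abstractions/dbus-accessibility-strict>
dbus (receive) bus=accessibility peer=(label=unconfined),
dbus (send) bus=accessibility path="/org/a11y/atspi/accessible/root" interface="org.a11y.atspi.Socket" member="Embed" peer=(name=org.a11y.atspi.Registry, label=unconfined),
dbus (send) bus=accessibility path="/org/a11y/atspi/registry" interface="org.a11y.atspi.Registry" member="GetRegisteredEvents" peer=(name=org.a11y.atspi.Registry, label=unconfined),
dbus (send) bus=accessibility path="/org/a11y/atspi/registry/deviceeventcontroller" interface="org.a11y.atspi.DeviceEventController" member="Get{DeviceEvent,Keystroke}Listeners" peer=(name=org.a11y.atspi.Registry, label=unconfined),
dbus (send) bus=accessibility path="/org/a11y/atspi/registry/deviceeventcontroller" interface="org.a11y.atspi.DeviceEventController" member="NotifyListenersSync" peer=(name=org.a11y.atspi.Registry, label=unconfined),
dbus (send) bus=accessibility path="/org/a11y/atspi/accessible/root" interface="org.a11y.atspi.Event.Object" member="ChildrenChanged" peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (send) bus=accessibility path="/org/a11y/atspi/accessible/root" interface="org.a11y.atspi.Accessible" member="Get*" peer=(label=unconfined),
dbus (send) bus=accessibility path="/org/a11y/atspi/accessible/[0-9]*" interface="org.a11y.atspi.Event.Object" member="{ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}" peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (send) bus=accessibility path="/org/a11y/atspi/accessible/[0-9]*" interface="org.freedesktop.DBus.Properties" member="Get{,All}" peer=(label=unconfined),
dbus (send) bus=accessibility path="/org/a11y/atspi/cache" interface="org.a11y.atspi.Cache" member="{Add,Remove}Accessible" peer=(name=org.freedesktop.DBus, label=unconfined),
'''

# The catch-all rule already in abstractions/dbus-accessibility, as quoted above.
DBUS_ACCESSIBILITY_ABSTRACTION = "dbus bus=accessibility,\n"

# The abstraction plus the session-bus rule the comment proposes adding.
PROPOSED_DBUS_ACCESSIBILITY = DBUS_ACCESSIBILITY_ABSTRACTION + (
    "dbus (send) bus=session path=/org/a11y/bus interface=org.a11y.Bus "
    "member=GetAddress peer=(label=unconfined),\n")


def split_rules(text):
    """Return each dbus rule as one whitespace-normalised string.

    Comments and #include lines are dropped; a rule ends at the first comma
    that is not inside parentheses or braces (peer=(a, b) and {x,y} contain
    commas of their own).
    """
    joined = " ".join(line.split("#", 1)[0] for line in text.splitlines())
    rules, buf, depth = [], [], 0
    for ch in joined:
        if ch in "({":
            depth += 1
        elif ch in ")}":
            depth -= 1
        if ch == "," and depth == 0:
            rule = " ".join("".join(buf).split())
            if rule.startswith("dbus"):
                rules.append(rule)
            buf = []
        else:
            buf.append(ch)
    return rules


def parse_rule(rule):
    """Map a rule to its qualifiers, e.g. {'access': 'send', 'bus': ...}."""
    rule = rule.strip().rstrip(",")
    m = re.match(r"dbus(?:\s*\((?P<access>[^)]*)\))?(?P<rest>.*)", rule)
    quals = {"access": m.group("access").strip() if m.group("access") else None}
    # value forms: (name=..., label=...)  |  "quoted"  |  bare token
    for key, val in re.findall(r'(\w+)=(\([^)]*\)|"[^"]*"|\S+)', m.group("rest")):
        quals[key] = val.strip('"')
    return quals


def covers(general, specific):
    """True if `general` permits everything `specific` permits (simplified)."""
    return all(specific.get(k) == v for k, v in general.items() if v is not None)


def uncovered(abstraction_text, snippet_text):
    """Rules of the snippet that no rule of the abstraction covers."""
    generals = [parse_rule(r) for r in split_rules(abstraction_text)]
    return [r for r in split_rules(snippet_text)
            if not any(covers(g, parse_rule(r)) for g in generals)]


if __name__ == "__main__":
    for rule in uncovered(DBUS_ACCESSIBILITY_ABSTRACTION, SNAPPY_A11Y_RULES):
        print("not covered by dbus-accessibility:", rule)
    print("left after adding the GetAddress rule:",
          uncovered(PROPOSED_DBUS_ACCESSIBILITY, SNAPPY_A11Y_RULES))
```

Running it prints the one session-bus GetAddress rule as uncovered and an empty list once the proposed rule is added. The checker only shows subsumption of the snippet's rules by the abstraction; it says nothing about whether the profile also needs dbus-session-strict for the initial connection, which the snippet includes separately.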