Interface network-manager should grant access to org.freedesktop.DBus.Introspectable
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| snapd | Fix Released | Medium | Zygmunt Krynicki | |
Bug Description
When using D-Bus wrappers like ruby-dbus or python-
python-
ruby-dbus: https:/
On Ubuntu Desktop (classic), this is not an issue because the network-manager interface hands off everything to the network-manager deb. On Core, however, attempts to call `org.freedeskto
```
[331939.872130] audit: type=1107 audit(157173768
[331939.872272] audit: type=1107 audit(157173768
```
The second line shows that the network-manager snap itself is denied from using the Introspectable interface on its own system bus service – which is to be expected because the network-manager interface policies don't include it: https:/
I'd argue that exposing Introspectable is reasonably safe, especially when regarding the alternative that wrapper libraries like the two above won't work without it.
Changed in snapd:
status: New → Confirmed
importance: Undecided → Medium
tags: added: papercut

Changed in snapd:
milestone: none → 2.43

Changed in snapd:
milestone: 2.43 → 2.42

Changed in snapd:
status: Fix Committed → Fix Released
As a general principle, introspection would be something we want to allow, but we have to be careful when release.OnClassic since there is no 'path' that we can mediate on to make it specific to the service, and we don't want to inadvertently end up with a rule like this:
```
# TOO LENIENT
dbus (send)
    bus=system
    interface="org.freedesktop.DBus.Introspectable"
    member="Introspect"
    peer=(label=unconfined),
```
Looking at the bug report, the reporter stated everything works fine on classic (though, looking at the rules, I'm not sure why. Perhaps because of org.freedesktop.DBus.ObjectManager?), so, while there are different ways to implement this, the basic idea is when !release.OnClassic, in AppArmorConnectedSlot() we make it so that this is used:
```
# Allow plugs to introspect us
dbus (receive)
    bus=system
    interface="org.freedesktop.DBus.Introspectable"
    member="Introspect"
    peer=(label=###PLUG_SECURITY_TAGS###),
```
and also when !release.OnClassic, in AppArmorConnectedPlug() this is used:
```
# Allow us to introspect the network-manager providing snap
dbus (send)
    bus=system
    interface="org.freedesktop.DBus.Introspectable"
    member="Introspect"
    peer=(label=###SLOT_SECURITY_TAGS###),
```
(performing the ###PLUG_SECURITY_TAGS### / ###SLOT_SECURITY_TAGS### rewrite as appropriate. We check for !release.OnClassic so we don't inadvertently end up with peer=(label=unconfined))
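A constructed Go model of the two connection-time snippets described in the comment above, added here and not snapd's own code (the real implementation hangs off snapd's apparmor.Specification and release.OnClassic; the function names, the onClassic flag and the label-rendering convention are assumptions):

```go
package main

import "strings"

// Rule templates as written in the comment; the ###...### markers stand for
// the peer snap's security tags and are rewritten when the plug is connected.
const slotRule = `# Allow plugs to introspect us
dbus (receive)
    bus=system
    interface="org.freedesktop.DBus.Introspectable"
    member="Introspect"
    peer=(label=###PLUG_SECURITY_TAGS###),
`

const plugRule = `# Allow us to introspect the network-manager providing snap
dbus (send)
    bus=system
    interface="org.freedesktop.DBus.Introspectable"
    member="Introspect"
    peer=(label=###SLOT_SECURITY_TAGS###),
`

// labelExpr renders security tags as an AppArmor peer label (assumed form:
// one tag -> "snap.foo.app", several -> "{snap.foo.a,snap.foo.b}").
func labelExpr(tags []string) string {
	if len(tags) == 1 {
		return `"` + tags[0] + `"`
	}
	return `"{` + strings.Join(tags, ",") + `}"`
}

// ConnectedSlotSnippet is the receive rule the slot side gets. On classic the
// slot is provided by the host, so nothing is emitted rather than a rule
// whose peer label would degenerate to unconfined.
func ConnectedSlotSnippet(onClassic bool, plugTags []string) string {
	if onClassic || len(plugTags) == 0 {
		return ""
	}
	return strings.ReplaceAll(slotRule, "###PLUG_SECURITY_TAGS###", labelExpr(plugTags))
}

// ConnectedPlugSnippet is the matching send rule for the plug side.
func ConnectedPlugSnippet(onClassic bool, slotTags []string) string {
	if onClassic || len(slotTags) == 0 {
		return ""
	}
	return strings.ReplaceAll(plugRule, "###SLOT_SECURITY_TAGS###", labelExpr(slotTags))
}
```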