Closed Ingo-Albrecht closed 9 months ago
I'm not really sure, since dbus (at least from what I have read and understand about it) is a local-only daemon that facilitates communication between different processes. Since it's long-running and has an important role, it makes sense that it would maybe be beneficial to run it contained in an Apparmor profile. However, there doesn't appear to be any network-facing functionality and I'm not sure what containing it with Apparmor would achieve, unless you only wanted it to send messages to and from specific programs?
You could try asking about it in the #apparmor channel in IRC on irc.oftc.net.
Yes, Ubuntu probably hooks into dbus messages to leverage them for apparmor. I was wondering if you had come across it being referred to somewhere (which does not seem the case then), not containing it. I may ask on IRC, thanks for your reply. I close this.
I'd like to draw on your experience for the following:
As you know, Arch moved to dbus-broker in January.[1] When the RFC was discussed, there was uncertainty due to its incomplete apparmor support.[2] Later they removed the notice with reference to Ubuntu unique patches for SO_PEERSEC, but I'm not sure about that line of argument.[3]
Matter of fact I have a machine with the profiles (incl. extra profiles from this package) startup failing since January. I tried reverting to dbus-daemon and it still fails, so I don't think it is related to dbus but coincidental result due to other updates.
My question: Do you have an opinion whether dbus-broker or dbus-daemon brings benefit for using Apparmor on Arch?
[1] https://archlinux.org/news/making-dbus-broker-our-default-d-bus-daemon/
[2] https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/25/diffs?diff_id=40371&start_sha=d2896acfb7c81e030f4d5078eda4c2904f629eef
[3] https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/25#note_148291