Migrate from GetConnectionAppArmorSecurityContext to GetConnectionCredentials
… and check for D-Bus mediation via AppArmor
See https://lists.ubuntu.com/archives/foundations-bugs/2015-August/250429.html for details.
Based on https://bazaar.launchpad.net/~online-accounts/ubuntu-system-settings-online-accounts/trunk/revision/397/online-accounts-service/utils.cpp
In addition to migrating to GetConnectionCredentials, added a check for the AppArmor D-Bus feature, which indicates D-Bus mediation support.
If the AppArmor feature is not present, treat as unconfined.
Tested with content-hub-service and content-hub-send:
- Without AA mediation (NixOS 23.11):

    /build/source/src/com/lomiri/content/detail/transfer.cpp 162 Charge void com::lomiri::content::detail::Transfer::Charge(const QVariantList&)
    /build/source/src/com/lomiri/content/utils.cpp 257 aa_profile QString {anonymous}::aa_profile(QString, QString) ":1.99"
    /build/source/src/com/lomiri/content/utils.cpp 275 aa_profile D-Bus has feature: "ActivatableServicesChanged"
    /build/source/src/com/lomiri/content/utils.cpp 275 aa_profile D-Bus has feature: "HeaderFiltering"
    /build/source/src/com/lomiri/content/utils.cpp 275 aa_profile D-Bus has feature: "SystemdActivation"
    D-Bus mediation via AppArmor is not in use
    /build/source/src/com/lomiri/content/detail/transfer.cpp 181 Charge void com::lomiri::content::detail::Transfer::Charge(const QVariantList&) PROFILE: ""

  (The profile here ends up being "" instead of "unconfined" because the function gets called without the second returnValueOnError argument, unlike every other call of aa_profile: https://gitlab.com/search?search=aa_profile&nav_source=navbar&project_id=21474333&group_id=4298794&search_code=true&repository_ref=a9932b8fef52d9d3bba7df72c986a42ef76c74e1 . Maybe a bug?)

- With AA mediation (Ubuntu 22.04):

    /build/source/src/com/lomiri/content/detail/transfer.cpp 162 Charge void com::lomiri::content::detail::Transfer::Charge(const QVariantList&)
    /build/source/src/com/lomiri/content/utils.cpp 257 aa_profile QString {anonymous}::aa_profile(QString, QString) ":1.149"
    /build/source/src/com/lomiri/content/utils.cpp 275 aa_profile D-Bus has feature: "AppArmor"
    /build/source/src/com/lomiri/content/utils.cpp 275 aa_profile D-Bus supports mediation via AppArmor
    /build/source/src/com/lomiri/content/utils.cpp 275 aa_profile AppArmor Profile: "unconfined"
    /build/source/src/com/lomiri/content/detail/transfer.cpp 181 Charge void com::lomiri::content::detail::Transfer::Charge(const QVariantList&) PROFILE: "unconfined"

The extra check for the AppArmor feature is necessary because org.freedesktop.DBus.GetConnectionCredentials' LinuxSecurityLabel is not AppArmor specific and contains non-AppArmor information without that feature. On my system without AA mediation, it returned "kernel".
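
The decision described above (trust LinuxSecurityLabel only when the bus advertises the AppArmor feature, otherwise treat the peer as unconfined), modelled in plain C++ without Qt or a live bus. This is an added example, not the project's code: peer_apparmor_label, label_bytes and the two type aliases are hypothetical, and stripping a trailing " (mode)" assumes the "label (mode)" form of an AppArmor context.

```cpp
#include <algorithm>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Assumed stand-ins for the bus replies: the "Features" property of
// org.freedesktop.DBus, and the byte-array entries of GetConnectionCredentials.
using Features = std::vector<std::string>;
using Credentials = std::map<std::string, std::vector<unsigned char>>;

// Builds a constructed sample value: label bytes followed by a single NUL.
std::vector<unsigned char> label_bytes(const std::string& s) {
    std::vector<unsigned char> v(s.begin(), s.end());
    v.push_back(0);
    return v;
}

// Hypothetical helper: the peer's AppArmor label, or `fallback` whenever the
// label cannot be assumed to come from AppArmor.
std::string peer_apparmor_label(const Features& features, const Credentials& creds,
                                const std::string& fallback = "unconfined") {
    // No "AppArmor" feature: the bus is not mediating, and LinuxSecurityLabel
    // may hold a non-AppArmor value such as "kernel". Do not interpret it.
    if (std::find(features.begin(), features.end(), "AppArmor") == features.end())
        return fallback;
    auto it = creds.find("LinuxSecurityLabel");
    if (it == creds.end() || it->second.empty())
        return fallback;
    // Cut the byte array at its terminating NUL.
    std::string label(it->second.begin(), it->second.end());
    label = label.substr(0, label.find('\0'));
    // Drop an enforcement-mode suffix, e.g. "/usr/bin/foo (enforce)".
    if (!label.empty() && label.back() == ')') {
        auto pos = label.rfind(" (");
        if (pos != std::string::npos)
            label.erase(pos);
    }
    return label.empty() ? fallback : label;
}

int main() {
    // Constructed inputs modelled on the two test systems in the description.
    Features no_aa = {"ActivatableServicesChanged", "HeaderFiltering", "SystemdActivation"};
    Credentials kernel = {{"LinuxSecurityLabel", label_bytes("kernel")}};
    Credentials unconf = {{"LinuxSecurityLabel", label_bytes("unconfined")}};
    std::cout << peer_apparmor_label(no_aa, kernel) << "\n";
    std::cout << peer_apparmor_label({"AppArmor"}, unconf) << "\n";
    return 0;
}
```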