From 032d8056664dc168746a953d3d318ad125de9077 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Dec 2023 14:34:38 +0000 Subject: [PATCH] feat(profile): general update. --- apparmor.d/groups/apt/dpkg-genbuildinfo | 21 +++++----- apparmor.d/groups/browsers/firefox | 1 + apparmor.d/groups/gnome/gdm-wayland-session | 6 +-- apparmor.d/groups/gnome/gdm-x-session | 14 +++---- apparmor.d/groups/gnome/gio-launch-desktop | 3 ++ apparmor.d/groups/gnome/gnome-extension-ding | 12 +----- apparmor.d/groups/gnome/gnome-shell | 10 +---- .../groups/gnome/gnome-shell-calendar-server | 9 ----- apparmor.d/groups/gnome/gnome-terminal-server | 4 ++ apparmor.d/groups/gnome/mutter-x11-frames | 2 + apparmor.d/groups/gnome/nautilus | 34 ++++++---------- apparmor.d/groups/gnome/seahorse | 1 + apparmor.d/groups/gnome/tracker-extract | 39 ++++--------------- apparmor.d/groups/gnome/tracker-miner | 26 +++++-------- .../groups/gvfs/gvfs-afc-volume-monitor | 4 +- .../groups/gvfs/gvfs-goa-volume-monitor | 6 +-- .../groups/gvfs/gvfs-gphoto2-volume-monitor | 17 ++++---- .../groups/gvfs/gvfs-mtp-volume-monitor | 6 +-- .../groups/gvfs/gvfs-udisks2-volume-monitor | 8 +--- apparmor.d/groups/kde/xdm-xsession | 3 +- .../groups/ubuntu/livepatch-notification | 3 -- apparmor.d/groups/ubuntu/update-notifier | 15 +------ apparmor.d/groups/whonix/torbrowser-start | 1 - apparmor.d/profiles-a-f/engrampa | 8 +--- apparmor.d/profiles-a-f/fwupd | 4 +- apparmor.d/profiles-g-l/gsettings | 2 - apparmor.d/profiles-m-r/remmina | 6 +-- apparmor.d/profiles-m-r/run-parts | 3 +- 28 files changed, 82 insertions(+), 186 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-genbuildinfo b/apparmor.d/groups/apt/dpkg-genbuildinfo index caae59bb..316b77cb 100644 --- a/apparmor.d/groups/apt/dpkg-genbuildinfo +++ b/apparmor.d/groups/apt/dpkg-genbuildinfo 
@@ -8,27 +8,27 @@ abi , include @{exec_path} = @{bin}/dpkg-genbuildinfo -profile dpkg-genbuildinfo @{exec_path} flags=(complain) { +profile dpkg-genbuildinfo @{exec_path} { include include include - # For "mk-build-deps -i" capability dac_override, @{exec_path} r, + @{bin}/perl r, - - /usr/share/lto-disabled-list/lto-disabled-list r, - /usr/share/dpkg/cputable r, - /usr/share/dpkg/tupletable r, - /usr/local/bin/ r, - /usr/local/sbin/ r, + /usr/local/etc/ r, + /usr/local/include/ r, /usr/local/lib/ r, /usr/local/lib/**/ r, - /usr/local/include/ r, - /usr/local/etc/ r, + /usr/local/sbin/ r, + + /usr/share/dpkg/abitable r, + /usr/share/dpkg/cputable r, + /usr/share/dpkg/tupletable r, + /usr/share/lto-disabled-list/lto-disabled-list r, /etc/dpkg/origins/* r, @@ -36,7 +36,6 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) { owner @{user_config_dirs}/dpkg/buildflags.conf r, - # For package building owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, include if exists diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index d1da16fb..ac3d74e5 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -23,6 +23,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index 7207994c..941ef817 100644 --- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session @@ -13,6 +13,7 @@ profile gdm-wayland-session @{exec_path} { include include include + include include include include 
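Review bot: Dropping `flags=(complain)` moves dpkg-genbuildinfo to enforce mode, yet the same hunk deletes the only comment that justified `capability dac_override`, which is the broadest grant left in the profile. Keep the justification on the capability line, e.g. `# For "mk-build-deps -i"`, so a later reviewer can tell why an enforcing profile carries it. The added `@{bin}/perl r,` is read-only, which presumably only covers loading the interpreter; a one-line comment saying so would avoid someone "fixing" it to an exec rule. The profile body continues beyond this hunk.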
@@ -24,11 +25,6 @@ profile gdm-wayland-session @{exec_path} { signal (send) set=(term) peer=dbus-daemon, signal (send) set=(term) peer=gnome-session-binary, - dbus send bus=system path=/org/gnome/DisplayManager/Manager - interface=org.gnome.DisplayManager.Manager - member=RegisterDisplay - peer=(name=:*, label=gdm), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session index 23666260..df9d7bad 100644 --- a/apparmor.d/groups/gnome/gdm-x-session +++ b/apparmor.d/groups/gnome/gdm-x-session @@ -12,6 +12,7 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=term peer=gdm{,-session-worker}, # signal (send) set=term peer=unconfined, @@ -19,11 +20,6 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) { signal (send) set=term peer=xorg, signal (send) set=term peer=gnome-session-binary, - dbus send bus=system path=/org/gnome/DisplayManager/Manager - interface=org.gnome.DisplayManager.Manager - member=RegisterDisplay - peer=(name=:*, label=gdm), - dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=UpdateActivationEnvironment @@ -42,13 +38,13 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) { /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, /etc/sysconfig/displaymanager r, - - /var/lib/gdm{3,}/.cache/gdm/Xauthority rw, - /var/lib/gdm{3,}/.cache/gdm/ rw, + /var/lib/gdm{3,}/.cache/gdm/ rw, + /var/lib/gdm{3,}/.cache/gdm/Xauthority rw, + + @{run}/gdm{3,}/custom.conf r, owner @{run}/user/@{uid}/gdm/ w, owner @{run}/user/@{uid}/gdm/Xauthority rw, - @{run}/gdm{3,}/custom.conf r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 368e776a..61f131a7 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop 
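Review bot: The `RegisterDisplay` send on the system bus is deleted here and in the gdm-x-session hunk with no replacement in either file, so it has to come from the include each file adds in its first hunk; the include targets are not preserved in this rendering, so that cannot be verified from the patch. If the new abstraction does not cover `org.gnome.DisplayManager.Manager`, the registration call would be denied at login, which is worth confirming in the audit log before this lands in enforce mode. The same dependency on unseen includes applies to the RemoteVolumeMonitor sends removed from gnome-extension-ding, gnome-shell, nautilus, engrampa and remmina, and to gnome-shell-calendar-server, whose diffstat shows deletions only, so its `org.freedesktop.DBus.Properties` exchange with gnome-shell must already be covered elsewhere.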
+++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -14,6 +14,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include include + include include include @@ -29,5 +30,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, + deny @{user_share_dirs}/gvfs-metadata/{,*} r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 45f35800..e26a2522 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -16,6 +16,8 @@ profile gnome-extension-ding @{exec_path} { include include include + include + include include include include @@ -35,16 +37,6 @@ profile gnome-extension-ding @{exec_path} { interface=org.gtk.Actions peer=(label=gnome-shell), - dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - member={IsSupported,List} - peer=(name=:*, label=gvfs-*-monitor), - - dbus send bus=session path=/org/gnome/Nautilus/FileOperations* - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=nautilus), - dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 5fc8cf02..fb472573 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -35,6 +35,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include include include include 
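Review bot: The new `deny @{user_share_dirs}/gvfs-metadata/{,*} r,` should carry a comment explaining why it is an explicit deny rather than an omission: an AppArmor `deny` rule overrides any matching allow rule, including one a site adds through the `include if exists` local file placed just below it, so this access cannot be re-enabled locally. Suggested: `# Explicit deny (presumably to quiet audit noise); note it also overrides any allow in the local include below`.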
@@ -170,15 +171,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { ## Session bus - dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - member={IsSupported,List,VolumeMount} - peer=(name=:*, label=gvfs-*-monitor), - dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - member={MountAdded,VolumeChanged} - peer=(name=:*, label=gvfs-*-monitor), - dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index d9062fec..0d92dc7a 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -32,20 +32,11 @@ profile gnome-shell-calendar-server @{exec_path} { interface=org.gnome.evolution.dataserver.Calendar* peer=(name=:*, label=evolution-*), - dbus (send receive) bus=session path=/org/gnome/Shell/CalendarServer - interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=:*, label=evolution-source-registry), - dbus send bus=session path=/org/gnome/Shell/CalendarServer - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=org.freedesktop.DBus, label=gnome-shell), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index f3926950..189e9e92 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server 
@@ -38,6 +38,10 @@ profile gnome-terminal-server @{exec_path} { interface=org.gtk.Actions peer=(name=org.freedesktop.DBus), + dbus receive bus=session path=/org/gnome/Terminal/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=StartTransientUnit diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 7a700e36..1d44b610 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -9,7 +9,9 @@ include @{exec_path} = @{lib}/mutter-x11-frames profile mutter-x11-frames @{exec_path} { include + include include + include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 65d0083b..6737183a 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -15,6 +15,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include include + include + include + include include include include 
@@ -28,38 +31,23 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { dbus bind bus=session name=org.gnome.Nautilus, dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/**} - interface=org.gtk.{Actions,Application}, - dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=:*), - dbus receive bus=session path=/org/gnome/Nautilus - interface=org.freedesktop.Application - peer=(name=:*), + interface={org.gnome.Nautilus,org.freedesktop.{Application,DBus.Properties},org.gtk.{Actions,Application}} + peer=(name="{:*,org.gnome.Nautilus,org.freedesktop.DBus}"), dbus bind bus=session name=org.freedesktop.FileManager1, - dbus receive bus=session path=/org/freedesktop/FileManager1 + dbus (send, receive) bus=session path=/org/freedesktop/FileManager1 interface=org.freedesktop.DBus.Properties - peer=(name=:*), - dbus send bus=session path=/org/freedesktop/FileManager1 - interface=org.freedesktop.DBus.Properties - peer=(name=org.freedesktop.DBus), + peer=(name="{:*,org.freedesktop.DBus}"), + + dbus receive bus=session path=/org/gnome/Nautilus/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + peer=(name=:*, label=gnome-shell), dbus receive bus=session path=/org/gnome/Nautilus/* interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-extension-ding), - dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint - interface=org.freedesktop.DBus.Peer - peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), - dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint - interface=org.freedesktop.Tracker3.Endpoint - peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), - - dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - peer=(name=:*, label=gvfs-*-monitor), - dbus send bus=session path=/org/freedesktop/DBus 
interface=org.freedesktop.DBus.Properties member={GetAll,ListActivatableNames} diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 309da110..ca94397f 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/seahorse profile seahorse @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index dbe28719..907996d6 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract 
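Review bot: The merged `dbus (send, receive)` rule on `/org/gnome/Nautilus{,/**}` now grants send as well as receive for `org.freedesktop.Application`, which the removed rule limited to `dbus receive`, and it widens the peer name set for `org.gtk.{Actions,Application}` to include `org.gnome.Nautilus` and `org.freedesktop.DBus`. If that interface is only used to activate nautilus, keep it as its own receive rule: `dbus receive bus=session path=/org/gnome/Nautilus interface=org.freedesktop.Application peer=(name=:*),`. The Tracker3 endpoint sends deleted further down are presumably moved into one of the three includes added in the previous hunk; a comment on the merged rule naming what it replaces would make this reviewable later.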
@@ -10,67 +10,43 @@ include profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include + include include include include include include + include include - include - include + include include include include include - include network netlink raw, signal (receive) set=(term) peer=gdm, dbus bind bus=session name=org.freedesktop.Tracker3.Miner.Extract, - dbus receive bus=session path=/org/freedesktop/Tracker3/** - interface=org.freedesktop.Tracker3.* - peer=(name=:*), # all members - dbus send bus=session path=/org/freedesktop/Tracker3/** - interface=org.freedesktop.DBus.{Peer,Properties} - peer=(label=tracker-miner), - dbus send bus=session path=/org/freedesktop/Tracker3/** - interface=org.freedesktop.Tracker3.* - peer=(label=tracker-miner), - dbus send bus=session path=/org/freedesktop/Tracker3/** - interface=org.freedesktop.DBus.Peer - peer=(name=org.freedesktop.Tracker3.Miner.Files), - - dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - member={List,IsSupported,MountAdded} - peer=(name=:*, label=gvfs-*-volume-monitor), - dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - member={MountAdded,VolumeChanged} - peer=(name=:*, label=gvfs-*-volume-monitor), + # Talk to tracker-miner + dbus send bus=session path=/org/freedesktop/Tracker3/{Files,Endpoint,Miner/Extract} + interface={org.freedesktop.Tracker3.{Miner,Endpoint,Files},org.freedesktop.DBus.{Peer,Properties}} + peer=(name="{:*,org.freedesktop.Tracker3.Miner.Files,org.freedesktop.DBus}", label=tracker-miner), dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member={GetTreeFromDevice,Remove} peer=(name=:*, label=gvfsd-metadata), - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), - @{exec_path} mr, /usr/share/dconf/profile/gdm r, - 
/usr/share/drirc.d/{,*.conf} r, /usr/share/gdm/greeter/applications/*.desktop r, /usr/share/gvfs/remote-volume-monitors/{,*} r, /usr/share/hwdata/*.ids r, /usr/share/ladspa/rdf/{,**} r, - /usr/share/mime/mime.cache r, /usr/share/osinfo/{,**} r, /usr/share/poppler/{,**} r, /usr/share/tracker3-miners/{,**} r, @@ -91,7 +67,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { /var/lib/flatpak/exports/share/applications/mimeinfo.cache r, /var/lib/flatpak/exports/share/mime/mime.cache r, - /var/lib/snapd/desktop/applications/*.desktop r, # Allow to search user files owner @{HOME}/{,**} r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 262172ad..aed01c71 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -12,12 +12,13 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include + include include include include include include - include + include include include include 
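Review bot: In the consolidated tracker-extract rule, `peer=(name="{:*,org.freedesktop.Tracker3.Miner.Files,org.freedesktop.DBus}", label=tracker-miner)` ANDs the name and label conditions, so the `org.freedesktop.DBus` alternative can never match under `label=tracker-miner` (elsewhere in this patch the bus is addressed as `peer=(name=org.freedesktop.DBus, label=dbus-daemon)`); drop that alternative or give the bus its own rule. The hunk also deletes the `dbus receive ... interface=org.freedesktop.Tracker3.* peer=(name=:*)` rule without adding any receive rule, while the tracker-miner hunk only gains a receive pinned to `label=tracker-extract`, so any Tracker3 call arriving at tracker-extract from a peer other than the miner now depends on the new includes. Whether method replies need their own receive rule is presumably handled by the mediation layer, but it is worth confirming in the audit log. The `# Talk to tracker-miner` comment could also list the three object paths it covers.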
@@ -27,24 +28,15 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, kill) peer=gdm, signal (receive) set=(hup) peer=gdm-session-worker, - dbus bind bus=session name=org.freedesktop.Tracker3.Miner.Files{,.Control}, - - dbus (send, receive) bus=session path=/org/freedesktop/Tracker3/** - interface=org.freedesktop.Tracker3.* - peer=(name="{:*,org.freedesktop.DBus}"), # all members - dbus receive bus=session path=/org/freedesktop/Tracker3/** - interface=org.freedesktop.DBus.{Peer,Properties} + dbus bind bus=session name=org.freedesktop.Tracker3.Miner.Files{,.*}, + dbus (send, receive) bus=session path=/org/freedesktop/Tracker3/Endpoint + interface={org.freedesktop.Tracker3.Endpoint,org.freedesktop.DBus.Peer} peer=(name=:*), - dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - member={List,IsSupported,VolumeChanged,MountAdded} - peer=(name=:*, label=gvfs-*-volume-monitor), - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + # Talk from tracker-extract + dbus receive bus=session path=/org/freedesktop/Tracker3/{Files,Endpoint,Miner/Extract} + interface={org.freedesktop.Tracker3.{Miner,Endpoint,Files},org.freedesktop.DBus.{Peer,Properties}} + peer=(name=:*, label=tracker-extract), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index 806d6fcb..eb443ad3 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor 
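Review bot: `dbus bind bus=session name=org.freedesktop.Tracker3.Miner.Files{,.*},` widens the previous `{,.Control}` to any suffix, letting the miner claim arbitrary well-known names under that prefix; if `.Control` is the only extra name it binds, keep `{,.Control}`. The new Endpoint rule carries `peer=(name=:*)` with no label, so any confined peer whose own profile allows the interface can reach it, in contrast to the receive rule right below that is pinned to `label=tracker-extract`. A short comment naming the clients the unlabeled rule is meant for would make that asymmetry intentional rather than accidental.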
@@ -13,9 +13,9 @@ profile gvfs-afc-volume-monitor @{exec_path} { include dbus bind bus=session name=org.gtk.vfs.AfcVolumeMonitor, - dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor + dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor - peer=(name=:*), + peer=(name="{:*,org.freedesktop.DBus}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 059c0a1f..adcc7c98 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -13,11 +13,9 @@ profile gvfs-goa-volume-monitor @{exec_path} { include dbus bind bus=session name=org.gtk.vfs.GoaVolumeMonitor, - - dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor + dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor - member={List,IsSupported} - peer=(name=:*, label="{gnome-shell,nautilus,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"), + peer=(name="{:*,org.freedesktop.DBus}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index e99eddd2..d636d8c8 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor 
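Review bot: In gvfs-goa-volume-monitor the rewritten rule drops both `member={List,IsSupported}` and the peer label list, so every method of `org.gtk.Private.RemoteVolumeMonitor` (including mount-related members such as `VolumeMount`, which the gnome-shell hunk shows exists) becomes reachable from any peer whose own profile permits the send; the same change is made in gvfs-gphoto2-volume-monitor and gvfs-mtp-volume-monitor in the next hunks. Because AppArmor checks both ends of a D-Bus message, the effective restriction now lives only in the client profiles and in whatever abstraction the commit moved those sends into, which the rule should say in a comment. If most clients only enumerate, keeping `member={List,IsSupported}` on this side and adding a second, narrower rule for the mount members would preserve defence in depth.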
@@ -16,27 +16,24 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { network netlink raw, - dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor + dbus bind bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor, + dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor - member={List,IsSupported} - peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,nautilus,tracker-*,unconfined}"), + peer=(name="{:*,org.freedesktop.DBus}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), - dbus bind bus=session - name=org.gtk.vfs.GPhoto2VolumeMonitor, - @{exec_path} mr, + /etc/fstab r, + + @{sys}/class/scsi_generic/ r, + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - @{sys}/class/scsi_generic/ r, - - /etc/fstab r, - include if exists } diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index 06d2e3b0..4664b4b5 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -16,11 +16,9 @@ profile gvfs-mtp-volume-monitor @{exec_path} { network netlink raw, dbus bind bus=session name=org.gtk.vfs.MTPVolumeMonitor, - - dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor + dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor - member={List,IsSupported} - peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,nautilus,tracker-*,unconfined}"), + peer=(name="{:*,org.freedesktop.DBus}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index b7e6bfdc..46bacc06 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor 
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -31,13 +31,9 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { ptrace (read), dbus bind bus=session name=org.gtk.vfs.UDisks2VolumeMonitor, - - dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor + dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor - peer=(name=:*), - dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - peer=(name=org.freedesktop.DBus), + peer=(name="{:*,org.freedesktop.DBus}"), dbus send bus=system path=/org/freedesktop/UDisks2/** interface=org.freedesktop.UDisks2.Filesystem diff --git a/apparmor.d/groups/kde/xdm-xsession b/apparmor.d/groups/kde/xdm-xsession index 3a115539..b59a4894 100644 --- a/apparmor.d/groups/kde/xdm-xsession +++ b/apparmor.d/groups/kde/xdm-xsession @@ -92,13 +92,12 @@ profile xdm-xsession @{exec_path} { profile dbus { include + include @{bin}/dbus-update-activation-environment mr, owner @{user_share_dirs}/sddm/xorg-session.log rw, - owner @{run}/user/@{uid}/bus rw, - include if exists } diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 9f74579a..4801ea04 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -22,9 +22,6 @@ profile livepatch-notification @{exec_path} { /usr/share/icons/{,**} r, /usr/share/X11/{,**} r, - owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/bus rw, - @{run}/user/@{uid}/gdm/Xauthority r, include if exists diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 73f7f4d6..56e1c153 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier 
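Review bot: The xdm-xsession `dbus` subprofile deletes `owner @{run}/user/@{uid}/bus rw,` and adds an include in its place, presumably supplying the session bus socket, but the same socket line is also removed from livepatch-notification in this file set, from gsettings and from update-notifier, and for livepatch-notification and gsettings the diffstat shows deletions only. Those two profiles therefore rely on an include already present outside the diff; if it is missing, session bus access is lost silently in enforce mode. A quick audit-log check on each of the four profiles after deployment would confirm the substitution.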
@@ -16,13 +16,10 @@ profile update-notifier @{exec_path} { include include include - include - include - include + include include include include - include dbus receive bus=session path=/org/ayatana/NotificationItem{,/**} interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties} @@ -33,11 +30,6 @@ profile update-notifier @{exec_path} { member=RegisterStatusNotifierItem peer=(name=:*, label=gnome-shell), - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), - @{exec_path} mr, @{bin}/{,ba,da}sh rix, @@ -70,20 +62,17 @@ profile update-notifier @{exec_path} { /etc/machine-id r, /var/lib/snapd/desktop/applications/{,**} r, - /var/lib/snapd/desktop/icons/ r, /var/lib/update-notifier/user.d/ r, owner @{user_config_dirs}/update-notifier/ w, owner @{user_share_dirs}/applications/ r, - owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/update-notifier.pid rwk, owner /tmp/#@{int} rw, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/whonix/torbrowser-start b/apparmor.d/groups/whonix/torbrowser-start index 3cf0368c..79d75872 100644 --- a/apparmor.d/groups/whonix/torbrowser-start +++ b/apparmor.d/groups/whonix/torbrowser-start @@ -29,7 +29,6 @@ profile torbrowser-start @{exec_path} { @{bin}/rm rix, @{bin}/sed rix, @{bin}/sh rix, - @{bin}/sh rix, @{lib_dirs}/abicheck rix, @{lib_dirs}/firefox rix, diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index cf3d79f8..1a68da43 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -13,6 +13,7 @@ profile engrampa @{exec_path} { include include include + include include include include 
@@ -30,17 +31,12 @@ profile engrampa @{exec_path} { member=GetId peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - member={IsSupported,List} - peer=(name=:*), - dbus receive bus=session path=/org/gtk/Application/anonymous interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*), - dbus receive bus=session path=/org/gtk/Application/anonymous{,/window/[0-9]*} + dbus receive bus=session path=/org/gtk/Application/anonymous{,/window/@{int}} interface=org.gtk.Actions member=DescribeAll peer=(name=:*), diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index dd4efe52..b2cc30f8 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -34,8 +34,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { network netlink raw, dbus bind bus=system name=org.freedesktop.fwupd, - dbus (send, receive) bus=session path=/ - interface={org.freedesktop.fwupd,org.freedesktop.DBus} + dbus (send, receive) bus=system path=/ + interface={org.freedesktop.fwupd,org.freedesktop.DBus{,.Properties}} peer=(name="{:*,org.freedesktop.fwupd,org.freedesktop.DBus}"), dbus send bus=system path=/org/freedesktop/DBus diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index f5da2bf7..7b708358 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -21,8 +21,6 @@ profile gsettings @{exec_path} { /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, - owner @{run}/user/@{uid}/bus rw, - /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index a93687ea..1a580dac 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -15,6 +15,7 @@ profile remmina @{exec_path} { include include include + include include include include 
@@ -43,11 +44,6 @@ profile remmina @{exec_path} { member=RegisterStatusNotifierItem peer=(name=:*), - dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - member={IsSupported,List} - peer=(name=:*), - @{exec_path} r, /usr/share/remmina/{,**} r, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 5a0ff0a0..cab49941 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -145,6 +145,7 @@ profile run-parts @{exec_path} { profile motd { include + include @{bin}/{,ba,da}sh rix, @{bin}/{e,}grep rix, @@ -167,7 +168,7 @@ profile run-parts @{exec_path} { / r, /etc/default/motd-news r, /etc/lsb-release r, - /etc/update-motd.d/@{int}-[a-z]* r, + /etc/update-motd.d/* r, /var/cache/motd-news rw, /var/lib/update-notifier/updates-available r,