From 13072502506444bd9985d8ef7ab63894655f81d7 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 6 Dec 2023 19:55:48 +0000
Subject: [PATCH] feat(dbus): rewrite some dbus rules (9).
---
 apparmor.d/abstractions/gtk.d/complete | 2 +-
 apparmor.d/groups/apt/apt | 5 --
 apparmor.d/groups/apt/unattended-upgrade | 20 ----
 .../groups/freedesktop/xdg-desktop-portal | 18 +---
 .../freedesktop/xdg-desktop-portal-gnome | 5 --
 .../groups/freedesktop/xdg-document-portal | 5 --
 apparmor.d/groups/freedesktop/xorg | 10 ---
 .../groups/gnome/evolution-calendar-factory | 4 -
 apparmor.d/groups/gnome/gdm | 13 +--
 apparmor.d/groups/gnome/gdm-x-session | 6 +-
 apparmor.d/groups/gnome/gnome-extension-ding | 12 ---
 apparmor.d/groups/gnome/gnome-keyring-daemon | 81 +++---------------
 apparmor.d/groups/gnome/gnome-session-binary | 1 -
 apparmor.d/groups/gnome/gsd-color | 17 ----
 .../groups/gnome/gsd-print-notifications | 10 ---
 apparmor.d/groups/gnome/gsd-xsettings | 8 +-
 apparmor.d/groups/gnome/nautilus | 5 +-
 apparmor.d/groups/gnome/seahorse | 5 --
 apparmor.d/groups/gnome/tracker-miner | 6 +-
 apparmor.d/groups/network/NetworkManager | 22 +---
 apparmor.d/groups/systemd/systemd-logind | 2 +-
 .../groups/ubuntu/livepatch-notification | 2 +-
 .../groups/ubuntu/software-properties-dbus | 16 ++--
 .../groups/ubuntu/software-properties-gtk | 14 ++--
 apparmor.d/groups/ubuntu/update-manager | 12 ---
 apparmor.d/profiles-a-f/cups-browsed | 30 -------
 apparmor.d/profiles-a-f/cupsd | 6 +-
 apparmor.d/profiles-a-f/evince | 20 +++--
 apparmor.d/profiles-m-r/packagekitd | 18 -----
 apparmor.d/profiles-m-r/pkttyagent | 17 ----
 apparmor.d/profiles-m-r/remmina | 33 +------
 apparmor.d/profiles-s-z/spice-vdagent | 5 --
 apparmor.d/profiles-s-z/thermald | 5 --
 apparmor.d/profiles-s-z/udisksd | 8 --
 34 files changed, 63 insertions(+), 380 deletions(-)
diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete
index de1d92be..b4d353fb 100644
--- a/apparmor.d/abstractions/gtk.d/complete
+++ b/apparmor.d/abstractions/gtk.d/complete
@@ -4,7 +4,7 @@
 dbus send bus=session path=/org/gtk/Settings
 interface=org.freedesktop.DBus.Properties
- member=GetAll
+ member={GetAll,PropertiesChanged}
 peer=(name=:*, label=gsd-xsettings),
 /etc/gtk-{3,4}.0/settings.ini r,
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 7ea11864..28dcd35b 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -43,11 +43,6 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/@{hex}}
 interface=org.{debian.apt*,freedesktop.DBus.{Properties,Introspectable}},
- dbus send bus=system path=/org/freedesktop/PackageKit
- interface=org.freedesktop.{DBus.Introspectable,PackageKit}
- member={StateHasChanged,Introspect}
- peer=(name=org.freedesktop.PackageKit),
-
 @{exec_path} mr,
 @{bin}/ r,
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index c252cb76..fa40f1f8 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -34,26 +34,6 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 signal (send) peer=apt-methods-http,
- dbus send bus=system path=/org/freedesktop/PackageKit
- interface=org.freedesktop.PackageKit
- member=StateHasChanged,
-
- dbus send bus=system path=/org/freedesktop/PackageKit
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect,
-
- dbus send bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- member=Inhibit,
-
- dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.DBus.Properties
- member={PropertiesChanged,GetAll},
-
- dbus receive bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.NetworkManager
- member={CheckPermissions,StateChanged,DeviceAdded,DeviceRemoved},
-
 @{exec_path} mr,
 @{bin}/ r,
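Review bot: The widened member list in gtk.d/complete sits on a `dbus send` rule, but `PropertiesChanged` is a signal that gsd-xsettings emits and GTK clients receive, so listing it under send is unlikely to match the access it was added for. The gsd-xsettings hunk later in this patch adds the emitting side as `dbus send bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties peer=(name=org.freedesktop.DBus)`, which suggests the client-side counterpart should be `dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=:*, label=gsd-xsettings),` next to the existing GetAll send rule. If the rule was derived from an audit log that really shows a send, disregard this.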
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index b8f61ee9..43d32280 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -9,8 +9,10 @@ include
 @{exec_path} = @{lib}/xdg-desktop-portal
 profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 include
- include
- include
+ include
+ include
+ include
+ include
 include
 include
 include
@@ -45,18 +47,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 peer=(name=org.freedesktop.DBus),
- dbus send bus=system path=/net/hadess/PowerProfiles
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=power-profiles-daemon),
-
- dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
- interface=org.freedesktop.DBus.Properties
- peer=(name=:*, label=xdg-permission-store),
- dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
- interface=org.freedesktop.impl.portal.PermissionStore
- peer=(name=:*, label=xdg-permission-store),
-
 dbus send bus=session path=/org/freedesktop/portal/documents
 interface=org.freedesktop.DBus.Properties
 peer=(name=:*, label=xdg-document-portal),
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index d68daedc..d4910e0a 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -73,11 +73,6 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 interface=org.freedesktop.DBus.Properties
 peer=(name=:*, label="{gnome-shell,gsd-xsettings}"),
- dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
- interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
- peer=(name=:*, label=gnome-shell),
-
 @{exec_path} mr,
 / r,
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal
index a8043ec9..2b7061b8 100644
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@@ -24,11 +24,6 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount),
- dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=xdg-permission-store),
-
 dbus receive bus=session path=/org/freedesktop/portal/documents
 interface=org.freedesktop.portal.Documents
 member=GetMountPoint
diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg
index 718e4dd5..6add25f4 100644
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@@ -44,16 +44,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- dbus send bus=system path=/org/freedesktop/login1{,/session/*}
- interface=org.freedesktop.{DBus.Properties,login1.Session,login1.Manager}
- member={ReleaseControl,TakeControl,TakeDevice,ReleaseDevice,GetSessionByPID}
- peer=(name=org.freedesktop.login1, label=systemd-logind),
-
- dbus receive bus=system path=/org/freedesktop/login1/session/*
- interface=org.freedesktop.login1.Session
- member=PauseDevice
- peer=(name=org.freedesktop.login1, label=systemd-logind),
-
 @{exec_path} mrix,
 @{bin}/{,ba,da}sh rix,
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory
index 85ed04f2..0bef231f 100644
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@@ -57,10 +57,6 @@ profile evolution-calendar-factory @{exec_path} {
 member=Introspect
 peer=(name=:*, label=gnome-shell),
- dbus send bus=session path=/org/gtk/vfs/mounttracker
- interface=org.gtk.vfs.MountTracker
- peer=(name=:*, label=gvfsd),
-
 @{exec_path} mr,
 @{exec_path}-subprocess rix,
diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm
index a69f7197..eaa6afb3 100644
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@@ -35,15 +35,18 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 peer=(name=:*, label=gnome-shell),
- dbus send bus=system path=/org/freedesktop/login1/seat/seat@{int}
- interface=org.freedesktop.DBus.Properties
- member=Get
- peer=(name=:*, label=systemd-logind),
-
 dbus receive bus=system path=/org/freedesktop/login1/seat/seat@{int}
 interface=org.freedesktop.DBus.Properties
 member={Get,PropertiesChanged}
 peer=(name=:*, label=systemd-logind),
+ dbus send bus=system path=/org/freedesktop/login1/seat/seat@{int}
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=:*, label=systemd-logind),
+ dbus send bus=system path=/org/freedesktop/login1
+ interface=org.freedesktop.login1.Manager
+ member={UnlockSession,ActivateSessionOnSeat}
+ peer=(name=org.freedesktop.login1, label=systemd-logind),
 dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session
index 2e9f2048..22b35f1b 100644
--- a/apparmor.d/groups/gnome/gdm-x-session
+++ b/apparmor.d/groups/gnome/gdm-x-session
@@ -11,6 +11,7 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 signal (receive) set=term peer=gdm{,-session-worker},
 # signal (send) set=term peer=unconfined,
@@ -18,11 +19,6 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
 signal (send) set=term peer=xorg,
 signal (send) set=term peer=gnome-session-binary,
- dbus bus=session path=/org/freedesktop/systemd1
- interface=org.freedesktop.DBus.Properties
- member=Get
- peer=(name=org.freedesktop.systemd1),
-
 dbus send bus=system path=/org/gnome/DisplayManager/Manager
 interface=org.gnome.DisplayManager.Manager
 member=RegisterDisplay
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index fd956094..b83c864d 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -28,11 +28,9 @@ profile gnome-extension-ding @{exec_path} {
 unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
 dbus bind bus=session name=com.rastersoft.ding,
-
 dbus receive bus=session path=/com/rastersoft/ding
 interface={org.gtk.Actions,org.freedesktop.DBus.Properties}
 peer=(name=:*, label=gnome-shell),
-
 dbus send bus=session path=/com/rastersoft/ding{,**}
 interface=org.gtk.Actions
 peer=(label=gnome-shell),
@@ -42,16 +40,6 @@ profile gnome-extension-ding @{exec_path} {
 member={IsSupported,List}
 peer=(name=:*, label=gvfs-*-monitor),
- dbus (send, receive) bus=session path=/org/freedesktop/FileManager1
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=nautilus),
-
- dbus send bus=system path=/net/hadess/SwitcherooControl
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=switcheroo-control),
-
 dbus send bus=session path=/org/gnome/Nautilus/FileOperations*
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon
index 981a30f6..cf639f5c 100644
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@@ -22,91 +22,30 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term) peer=gdm,
 signal (send) set=(term) peer=ssh-agent,
- dbus send bus=system path=/org/freedesktop/login1/session/*
- interface=org.freedesktop.DBus.Properties
- member=Get
- peer=(name=org.freedesktop.login1),
-
- dbus receive bus=system path=/org/freedesktop/login1/session/*
- interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
- peer=(name=:*, label=systemd-logind),
-
- dbus send bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- member=GetSession
- peer=(name=org.freedesktop.login1),
-
- dbus send bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member=Setenv
- peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
-
+ dbus bind bus=session name=org.gnome.keyring,
 dbus (send, receive) bus=session path=/org/gnome/keyring/daemon
 interface=org.gnome.keyring.Daemon
- peer=(name="{org.gnome.keyring,:*}", label=@{profile_name}), # all members
+ peer=(name="{org.gnome.keyring,:*}", label=@{profile_name}),
- dbus receive bus=session path=/org/freedesktop/secrets
+ dbus bind bus=session name=org.freedesktop.secrets,
+ dbus receive bus=session path=/org/freedesktop/secrets{,/**}
 interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=gnome-shell),
-
- dbus receive bus=session path=/org/freedesktop/secrets
- interface=org.freedesktop.Secret.Service
- member=SearchItems
- peer=(name=:*, label=gnome-shell),
-
- dbus receive bus=session path=/org/freedesktop/secrets/aliases/default
+ peer=(name=:*),
+ dbus receive bus=session path=/org/freedesktop/secrets{,/**}
+ interface=org.freedesktop.Secret.*
+ peer=(name=:*),
+ dbus send bus=session path=/org/freedesktop/secrets{,/**}
 interface=org.freedesktop.Secret.Collection
- member=CreateItem
- peer=(name=:*),
-
- dbus receive bus=session path=/org/freedesktop/secrets/aliases/default
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*),
-
- dbus send bus=session path=/org/freedesktop/secrets/collection/login
- interface=org.freedesktop.Secret.Collection
- member=ItemCreated
 peer=(name=org.freedesktop.DBus),
-
- dbus send bus=session path=/org/freedesktop/secrets/collection/login
+ dbus send bus=session path=/org/freedesktop/secrets{,/**}
 interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
 peer=(name=org.freedesktop.DBus),
- dbus receive bus=session path=/org/freedesktop/secrets
- interface=org.freedesktop.Secret.Service
- member={ReadAlias,OpenSession}
- peer=(name=:*),
-
- dbus receive bus=session path=/org/freedesktop/secrets/collection/login/[0-9]*
- interface=org.freedesktop.Secret.Item
- member=GetSecret
- peer=(name=:*),
-
- dbus receive bus=session path=/org/freedesktop/secrets{,/collection/**}
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*),
-
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
- dbus receive bus=session path=/org/freedesktop/secrets
- interface=org.freedesktop.Secret.Service
- member={GetSecrets,SearchItems}
- peer=(name=:*), # label="{unconfined,remmina}"),
-
- dbus bind bus=session
- name=org.gnome.keyring,
-
- dbus bind bus=session
- name=org.freedesktop.secrets,
-
 @{exec_path} mr,
 @{bin}/ssh-add rix,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index b1ed21a4..8b6054a7 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -62,7 +62,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 member=WatchFired
 peer=(name=:*, label=gnome-shell),
-
 dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
 member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment}
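Review bot: In the gnome-keyring-daemon hunk, the new `dbus receive bus=session path=/org/freedesktop/secrets{,/**} interface=org.freedesktop.DBus.Properties peer=(name=:*)` rule has no member, whereas every Properties receive rule it replaces was limited to `member=GetAll`, so the daemon now also accepts `Set` on any Secret Service object from any peer. If no confined client is expected to change properties such as collection labels, `member={Get,GetAll}` keeps the previous read-only shape; if a manager such as seahorse does need Set, a one-line comment saying so would spare the next reviewer the same question. With `interface=org.freedesktop.Secret.* peer=(name=:*)` carrying no label, the only remaining restriction on who may call GetSecrets is each client's own send rule, which fits the service model but is worth stating in a comment where the old `# label="{unconfined,remmina}"` remark used to be.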
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index 54a06e32..cbce8ef9 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -32,23 +32,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
 member=GetAll
 peer=(name=:*, label=gnome-shell),
- dbus (send, receive) bus=system path=/org/freedesktop/ColorManager{,/devices/*}
- interface=org.freedesktop.ColorManager*,
-
- dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/*,/profiles/*}
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
-
- dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
- interface=org.gnome.Mutter.DisplayConfig
- member={GetResources,GetCrtcGamma}
- peer=(name=:*, label=gnome-shell),
-
- dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=gnome-shell),
-
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index 158afae6..f4b93d01 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -23,16 +23,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
 dbus bind bus=session name=org.gnome.SettingsDaemon.PrintNotifications,
- dbus send bus=system path=/Client@{int}/ServiceBrowser@{int}
- interface=org.freedesktop.Avahi.ServiceBrowser
- peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
- dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
- interface=org.freedesktop.Avahi.ServiceBrowser
- peer=(name=:*, label=avahi-daemon),
- dbus send bus=system path=/
- interface=org.freedesktop.Avahi.Server
- peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
-
 dbus receive bus=system path=/org/cups/cupsd/Notifier
 interface=org.cups.cupsd.Notifier,
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index 1f996061..41d9a53d 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@@ -37,14 +37,12 @@ profile gsd-xsettings @{exec_path} {
 dbus receive bus=session path=/org/gtk/Settings
 interface=org.freedesktop.DBus.Properties
 peer=(name=:*),
+ dbus send bus=session path=/org/gtk/Settings
+ interface=org.freedesktop.DBus.Properties
+ peer=(name=org.freedesktop.DBus),
 dbus bind bus=session name=org.gnome.SettingsDaemon.XSettings,
- dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
- interface=org.gnome.Mutter.DisplayConfig
- member=GetCurrentState
- peer=(name=org.gnome.Mutter.DisplayConfig, label=gnome-shell),
-
 dbus send bus=session path=/org/gnome/Shell/Introspect
 interface=org.freedesktop.DBus.Properties
 member=Get
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 5bbc9397..87fb5c64 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -27,11 +27,14 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 include
 dbus bind bus=session name=org.gnome.Nautilus,
- dbus (send, receive) bus=session path=/org/gnome/Nautilus
+ dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/**}
 interface=org.gtk.{Actions,Application},
 dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/**}
 interface=org.freedesktop.DBus.Properties
 peer=(name=:*),
+ dbus receive bus=session path=/org/gnome/Nautilus
+ interface=org.freedesktop.Application
+ peer=(name=:*),
 dbus bind bus=session name=org.freedesktop.FileManager1,
 dbus receive bus=session path=/org/freedesktop/FileManager1
diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse
index 0160d592..5e1845fd 100644
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@@ -26,11 +26,6 @@ profile seahorse @{exec_path} {
 interface=org.gnome.Shell.SearchProvider2
 peer=(name=:*),
- dbus send bus=session path=/org/freedesktop/secrets
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=gnome-keyring-daemon),
-
 @{exec_path} mr,
 @{bin}/gpgconf rPx,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index c6f35e4f..7531f964 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -9,9 +9,9 @@ include
 @{exec_path} = @{lib}/tracker-miner-fs-{,control-}3
 profile tracker-miner @{exec_path} flags=(attach_disconnected) {
 include
- include
- include
- include
+ include
+ include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 06da8c25..40d7cde2 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -49,9 +49,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
 interface=org.freedesktop.DBus.Properties
 peer=(name=:*),
+ dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}
+ interface=org.freedesktop.NetworkManager
+ peer=(name=org.freedesktop.DBus),
 dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}
 interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
 peer=(name=org.freedesktop.DBus),
 dbus receive bus=system path=/org/freedesktop
@@ -69,24 +71,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 member={SetLink*,ResolveHostname}
 peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
- dbus send bus=system path=/org/freedesktop/ModemManager1
- interface=org.freedesktop.DBus.ObjectManager
- member=GetManagedObjects,
-
- dbus (send receive) bus=system path=/fi/w1/wpa_supplicant1{,/**}
- interface={fi.w1.wpa_supplicant1.Interface,org.freedesktop.DBus.Properties}
- member=PropertiesChanged
- peer=(name=:*, label=wpa-supplicant),
-
- dbus receive bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- peer=(name=:*, label=systemd-logind),
-
- dbus receive bus=system path=/org/bluez/hci@{int}{,/**}
- interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
- peer=(name=:*, label=bluetoothd),
-
 dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
 member={GetConnectionUnixUser,GetConnectionUnixProcessID}
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 737ae9cd..464ac6d7 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -41,7 +41,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 interface=org.freedesktop.DBus.Properties
 peer=(name=org.freedesktop.DBus),
- dbus receive bus=system path=/org/freedesktop/systemd1/{unit,job}/**
+ dbus receive bus=system path=/org/freedesktop/systemd1{,/{unit,job}/**}
 interface=org.freedesktop.DBus.Properties
 peer=(name=:*, label="@{systemd}"),
 dbus send bus=system path=/org/freedesktop/systemd1/{unit,job}/**
diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification
index 1056acd8..13521edf 100644
--- a/apparmor.d/groups/ubuntu/livepatch-notification
+++ b/apparmor.d/groups/ubuntu/livepatch-notification
@@ -9,7 +9,7 @@ include
 @{exec_path} = @{lib}/update-notifier/livepatch-notification
 profile livepatch-notification @{exec_path} {
 include
- include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus
index 96aeaccf..2864843b 100644
--- a/apparmor.d/groups/ubuntu/software-properties-dbus
+++ b/apparmor.d/groups/ubuntu/software-properties-dbus
@@ -15,22 +15,16 @@ profile software-properties-dbus @{exec_path} {
 include
 include
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=RequestName
- peer=(name=org.freedesktop.DBus),
-
+ dbus bind bus=system name=com.ubuntu.SoftwareProperties,
+ dbus receive bus=system path=/
+ interface=com.ubuntu.SoftwareProperties
+ peer=(name=:*, label=software-properties-gtk),
+
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
- dbus receive bus=system path=/
- interface=com.ubuntu.SoftwareProperties
- member=Reload,
-
- dbus bind bus=system name=com.ubuntu.SoftwareProperties,
-
 @{exec_path} mr,
 @{bin}/python3.[0-9]* rix,
diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk
index 0bb3bc52..350fe94d 100644
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@@ -22,18 +22,20 @@ profile software-properties-gtk @{exec_path} {
 include
 include
+ dbus bind bus=session name=com.ubuntu.SoftwareProperties,
+ dbus send bus=system path=/
+ interface=com.ubuntu.SoftwareProperties
+ peer=(name=:*),
+
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
 dbus send bus=system path=/
- interface=com.ubuntu.SoftwareProperties
- member=Reload,
-
- dbus send bus=system path=/
- interface=org.freedesktop.DBus.ObjectManager
- member=GetManagedObjects,
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager
index 6a849761..02a76768 100644
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@@ -37,18 +37,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 interface={org.debian{,.apt*},org.freedesktop.DBus.{Introspectable,Properties}}
 member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll,UpdateCache},
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=StartServiceByName,
-
- dbus send bus=system path=/org/freedesktop/NetworkManager{,/ActiveConnection/[0-9]*,/Devices/[0-9]*}
- interface=org.freedesktop.DBus.{Properties,Introspectable}
- member={Introspect,Get},
-
- dbus receive bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.NetworkManager
- member=StateChanged,
-
 @{exec_path} mr,
 @{bin}/dpkg rPx -> child-dpkg,
diff --git a/apparmor.d/profiles-a-f/cups-browsed b/apparmor.d/profiles-a-f/cups-browsed
index f643ad0e..1cb1a6c1 100644
--- a/apparmor.d/profiles-a-f/cups-browsed
+++ b/apparmor.d/profiles-a-f/cups-browsed
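Review bot: The new `dbus send bus=system path=/ interface=com.ubuntu.SoftwareProperties peer=(name=:*)` rule at the top of the software-properties-gtk hunk carries neither a member nor a peer label, while the matching receive rule this patch adds to software-properties-dbus is pinned to `label=software-properties-gtk`. Mirroring that pairing with `peer=(name=:*, label=software-properties-dbus)` confines the call to the helper it is meant to reach rather than any process exposing that interface on the system bus. The rewritten Introspect send rule at the end of the hunk could take the same label if the helper is its only target.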
@@ -25,36 +25,6 @@ profile cups-browsed @{exec_path} {
 network inet6 stream,
 network netlink raw,
- dbus send bus=system path=/
- interface=org.freedesktop.Avahi.Server
- member={GetAPIVersion,GetState,ServiceBrowserNew},
-
- dbus send bus=system path=/
- interface=org.freedesktop.DBus.Peer
- member=Ping
- peer=(name=org.freedesktop.Avahi),
-
- dbus send bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
-
- dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
- interface=org.freedesktop.Avahi.ServiceBrowser
- member=Free
- peer=(name=org.freedesktop.Avahi),
-
- dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
- interface=org.freedesktop.Avahi.ServiceBrowser
- member={AllForNow,CacheExhausted},
-
- dbus receive bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.{DBus.Properties,NetworkManager}
- member={CheckPermissions,PropertiesChanged,StateChanged,DeviceAdded},
-
- dbus receive bus=system path=/
- interface=org.freedesktop.Avahi.Server
- member=StateChanged,
-
 @{exec_path} mr,
 /usr/share/cups/locale/{,**} r,
diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd
index 84921ece..2fb50e29 100644
--- a/apparmor.d/profiles-a-f/cupsd
+++ b/apparmor.d/profiles-a-f/cupsd
@@ -9,6 +9,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
@@ -40,11 +41,6 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
 network rose dgram,
 network x25 seqpacket,
- dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/cups_*}
- interface=org.freedesktop.ColorManager{,.*}
- member={CreateProfile,CreateDevice,FindDeviceById,AddProfile}
- peer=(name=org.freedesktop.ColorManager),
-
 @{exec_path} mr,
 @{bin}/{,ba,da}sh rix,
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index a2da1e9a..3d375826 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -26,20 +26,18 @@ profile evince @{exec_path} {
 deny network inet,
 deny network inet6,
+ dbus bind bus=session name=org.gnome.evince.Daemon,
+ dbus send bus=session path=/org/gnome/evince/Daemon
+ interface=org.gnome.evince.Daemon
+ peer=(name=org.gnome.evince.Daemon),
+ dbus receive bus=session path=/org/gnome/evince/
+ peer=(name="{org.gnome.evince.Daemon,org.freedesktop.DBus,:*}",
+ label=@{profile_name}), # all interfaces and members
+
 dbus send bus=session path=/org/gtk/vfs/metadata
 interface=org.gtk.vfs.Metadata
 member={Set,GetTreeFromDevice}
- peer=(name=:*),
-
- dbus send bus=session path=/org/gnome/evince/Daemon
- interface=org.gnome.evince.Daemon
- member=RegisterDocument
- peer=(name=org.gnome.evince.Daemon), # no peer's labels
-
- dbus (send, receive) bus=session path=/org/gnome/evince/{,**}
- peer=(name="{org.gnome.evince.Daemon,org.freedesktop.DBus,:*}", label=@{profile_name}), # all interfaces and members
-
- dbus bind bus=session name=org.gnome.evince.Daemon,
+ peer=(name=:*, label=gvfsd-metadata),
 @{exec_path} rix,
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index 36970e58..61d2d3b6 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
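Review bot: The added receive rule in the evince hunk uses `path=/org/gnome/evince/`, which matches only that literal string; an object path other than `/` cannot end in a slash, so the rule can never match, whereas the `(send, receive)` rule it replaces covered `/org/gnome/evince/{,**}`, i.e. `/org/gnome/evince/Daemon` and the per-document objects. `dbus receive bus=session path=/org/gnome/evince{,/**}` restores that coverage and keeps the `# all interfaces and members` comment accurate for the receive side. The send half of the old rule is only partly restored by the new `org.gnome.evince.Daemon` send rule, which looks intended, but the old `# no peer's labels` remark disappears with it and is worth carrying over if a label still cannot be pinned there.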
@@ -43,29 +43,11 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 peer=(name=:*, label=gnome-shell),
- dbus receive bus=system path=/org/freedesktop/PackageKit
- interface=org.freedesktop.{DBus.Introspectable,PackageKit}
- member={Introspect,StateHasChanged}
- peer=(name=:*),
-
- dbus (send,receive) bus=system path=/[0-9]*_@{hex}
- interface=org.freedesktop.{DBus.Properties,PackageKit.Transaction},
-
 dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
 member={GetConnectionUnixUser,GetConnectionUnixProcessID}
 peer=(name=org.freedesktop.DBus, label=dbus-daemon),
- dbus send bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.DBus.Properties
- member={GetAll,PropertiesChanged}
- peer=(name=:*, label=NetworkManager),
-
- dbus receive bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.NetworkManager
- member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged}
- peer=(name=:*, label=NetworkManager),
-
 @{exec_path} mr,
 @{bin}/gpg{,2} rCx -> gpg,
diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent
index 6a18743a..a6403791 100644
--- a/apparmor.d/profiles-m-r/pkttyagent
+++ b/apparmor.d/profiles-m-r/pkttyagent
@@ -21,23 +21,6 @@ profile pkttyagent @{exec_path} {
 ptrace (read),
 signal (send,receive),
- dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
-
- dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
- interface=org.freedesktop.PolicyKit1.Authority
- member=RegisterAuthenticationAgentWithOptions,
-
- dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent
- interface=org.freedesktop.PolicyKit1.AuthenticationAgent
- member={BeginAuthentication,CancelAuthentication}
- peer=(name=:*, label=polkitd),
-
- dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
- interface=org.freedesktop.PolicyKit1.Authority
- member=Changed,
-
 @{exec_path} mr,
 @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina
index ae3a11c8..0e415c3c 100644
--- a/apparmor.d/profiles-m-r/remmina
+++ b/apparmor.d/profiles-m-r/remmina
@@ -28,29 +28,16 @@ profile remmina @{exec_path} {
 network inet6 stream,
 network netlink raw,
- dbus send bus=session path=/org/freedesktop/secrets{,/collection/login{,/[0-9]*}}
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=gnome-keyring-daemon),
+ dbus bind bus=session name=org.remmina.Remmina,
 dbus send bus=session path=/StatusNotifierWatcher
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=org.kde.StatusNotifierWatcher),
- dbus send bus=session path=/org/freedesktop/secrets
- interface=org.freedesktop.Secret.Service
- member={OpenSession,GetSecrets,SearchItems,ReadAlias}
- peer=(name=:*, label=gnome-keyring-daemon),
-
 dbus (send, receive) bus=session path=/org/ayatana/NotificationItem/remmina_icon{,/**}
 peer=(name="{:*,org.freedesktop.DBus}"), # all interfaces and members
- dbus send bus=session path=/org/freedesktop/secrets/collection/session
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=gnome-keyring-daemon),
-
 dbus send bus=session path=/StatusNotifierWatcher
 interface=org.kde.StatusNotifierWatcher
 member=RegisterStatusNotifierItem
@@ -61,24 +48,6 @@ profile remmina @{exec_path} {
 member={IsSupported,List}
 peer=(name=:*),
- dbus send bus=session path=/org/freedesktop/secrets/aliases/default
- interface=org.freedesktop.Secret.Collection
- member=CreateItem
- peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon),
-
- dbus receive bus=session path=/org/freedesktop/secrets/collection/login
- interface=org.freedesktop.Secret.Collection
- member=ItemCreated
- peer=(name=:*, label=gnome-keyring-daemon),
-
- dbus receive bus=session path=/org/freedesktop/secrets/collection/login
- interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
- peer=(name=:*, label=gnome-keyring-daemon),
-
- dbus bind bus=session
- name=org.remmina.Remmina,
-
 @{exec_path} r,
 /usr/share/remmina/{,**} r,
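Review bot: Both remmina hunks drop every rule that let remmina talk to gnome-keyring-daemon over `org.freedesktop.secrets` (Properties GetAll, Secret.Service OpenSession/GetSecrets/SearchItems/ReadAlias, Collection CreateItem and the ItemCreated/PropertiesChanged signals) without adding a replacement inside the hunk, and the seahorse hunk does the same for its GetAll rule. If these were folded into a shared abstraction pulled in by an include outside the hunk, that is fine; otherwise storing or reading credentials from remmina will now be denied, because the daemon side in this patch relies on `peer=(name=:*)` and leaves the restriction to each client's send rules. A short comment at the former location naming the include would make the move traceable.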
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index af964c64..454fb5e5 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -24,11 +24,6 @@ profile spice-vdagent @{exec_path} {
 include
 include
- dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
- interface=org.gnome.Mutter.DisplayConfig
- member=GetCurrentState
- peer=(name=:*, label=gnome-shell),
-
 dbus send bus=session path=/org/freedesktop/portal/desktop
 interface=org.freedesktop.portal.Realtime
 member=MakeThreadRealtimeWithPID
diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald
index 3d9e025a..3c628fd3 100644
--- a/apparmor.d/profiles-s-z/thermald
+++ b/apparmor.d/profiles-s-z/thermald
@@ -19,11 +19,6 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
 dbus bind bus=system name=org.freedesktop.thermald,
- dbus send bus=system path=/net/hadess/PowerProfiles
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=power-profiles-daemon),
-
 @{exec_path} mr,
 /etc/thermald/{,*} r,
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 633526aa..654903ab 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -73,14 +73,6 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.UDisks2.Job
 peer=(name=org.freedesktop.DBus),
- dbus (send,receive) bus=system path=/
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect,
-
- dbus (send,receive) bus=system path=/
- interface=org.freedesktop.DBus.Properties
- member=Get,
-
 dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
 member={GetConnectionUnixUser,GetConnectionUnixProcessID}