feat(profile): restrict dbus in dbus

even dbus-* profiles do not need access to the full bus.

apparmor.d/groups/bus/dbus-accessibility

@@ -25,8 +25,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
   signal (receive) set=(term hup kill) peer=dbus-session,
   signal (receive) set=(term hup kill) peer=gdm{,-session-worker},
 
-  dbus bus=accessibility,
-
+  #aa:dbus own bus=accessibility name=org.freedesktop.DBus
   #aa:dbus own bus=session name=org.a11y.{B,b}us
 
   dbus receive bus=session

apparmor.d/groups/bus/dbus-session

@@ -29,7 +29,7 @@ profile dbus-session flags=(attach_disconnected) {
   signal (send)    set=(term hup kill) peer=dconf-service,
   signal (send)    set=(term hup kill) peer=xdg-*,
 
-  dbus bus=session,
+  #aa:dbus own bus=session name=org.freedesktop.DBus
 
   @{exec_path} mrix,
 

apparmor.d/groups/bus/dbus-system

@@ -32,7 +32,7 @@ profile dbus-system flags=(attach_disconnected) {
 
   ptrace (read) peer=@{p_systemd},
 
-  dbus bus=system,
+  #aa:dbus own bus=system name=org.freedesktop.DBus
 
   @{exec_path} mrix,
 

apparmor.d/tunables/multiarch.d/system

@@ -120,7 +120,7 @@
 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1]  # range 384 to 511
 
 # Dbus unique name
-@{busname}=:1.@{u16}
+@{busname}=:1.@{u16} :not.active.yet
 
 # Common architecture names
 @{arch}=x86_64 amd64 i386 i686