diff --git a/apparmor.d/abstractions/bus/vfs/daemon b/apparmor.d/abstractions/bus/vfs/daemon new file mode 100644 index 00000000..a669a472 --- /dev/null +++ b/apparmor.d/abstractions/bus/vfs/daemon @@ -0,0 +1,10 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member={ListMonitorImplementations,ListMountableInfo} + peer=(name=:*, label=gvfsd), + + include if exists diff --git a/apparmor.d/abstractions/bus/vfs/metadata b/apparmor.d/abstractions/bus/vfs/metadata new file mode 100644 index 00000000..68edd36d --- /dev/null +++ b/apparmor.d/abstractions/bus/vfs/metadata @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gvfsd-metadata), + + dbus receive bus=session path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member=AttributeChanged + peer=(name=:*, label=gvfsd-metadata), + + include if exists diff --git a/apparmor.d/abstractions/bus/vfs b/apparmor.d/abstractions/bus/vfs/mount similarity index 69% rename from apparmor.d/abstractions/bus/vfs rename to apparmor.d/abstractions/bus/vfs/mount index 3c304a1d..65d25e48 100644 --- a/apparmor.d/abstractions/bus/vfs +++ b/apparmor.d/abstractions/bus/vfs/mount @@ -12,9 +12,4 @@ member=ListMounts2 peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=ListMonitorImplementations - peer=(name=:*, label=gvfsd), - - include if exists + include if exists diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre index 7320f8b7..99a0c4e6 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/groups/apps/calibre 
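Review bot: The new abstractions/bus/vfs/daemon file has no comment saying what it grants or who is meant to include it; the header covers licensing only. A line above the rule such as `# Client side of gvfsd's org.gtk.vfs.Daemon: enumerate volume monitors and mountable backends only.` would tell a maintainer why ListMonitorImplementations and ListMountableInfo are kept apart from the mount-tracker rules that stay in abstractions/bus/vfs/mount. Both members look like enumeration queries and the peer is pinned to label=gvfsd, so the split reads as a sensible least-privilege cut, but the intent should be stated in the file rather than inferred from the member names.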
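Review bot: Dropping the org.gtk.vfs.Daemon rule from the renamed abstraction silently removes ListMonitorImplementations from every profile that swaps its old include for the new one 1:1; the abstractions/bus/vfs/mount hunk only puts back `include if exists`. In this diff atril, engrampa, evolution-addressbook-factory, evolution-source-registry, gsd-housekeeping, gsd-keyboard, gsd-wacom, xdg-desktop-portal-gtk, gvfsd-dnssd, gvfsd-fuse and gvfsd-smb-browse each replace a single include with a single include and add no second one, so unless those profiles never exercised the Daemon call they will start logging DENIED on path=/org/gtk/vfs/Daemon. The include arguments are not visible in this rendering, so which abstraction each profile now pulls in cannot be confirmed from the hunks; it is worth checking each of those profiles for the daemon abstraction, or watching audit logs for org.gtk.vfs.Daemon denials after deploying. The rename hunk starts at line 12, so the mount-tracker rules above it are outside the hunk.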
@@ -16,6 +16,7 @@ include profile calibre @{exec_path} { include include + include include include include @@ -48,11 +49,6 @@ profile calibre @{exec_path} { unix (bind, listen) type=stream addr="@*-calibre-gui.socket", unix (bind) type=stream addr="@calibre-*", - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=ListMountableInfo - peer=(name=:*), - @{exec_path} mrix, @{bin}/python3.[0-9]* r, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index c8bd6a76..5aaf70c9 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -11,6 +11,7 @@ include profile apt @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -36,6 +37,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { unix (send, receive) type=stream peer=(label=apt-esm-json-hook), unix (send, receive) type=stream peer=(label=snapd), + dbus bind bus=system name=org.debian.apt, + dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/@{hex}} interface=org.{debian.apt*,freedesktop.DBus.{Properties,Introspectable}}, @@ -44,22 +47,6 @@ profile apt @{exec_path} flags=(attach_disconnected) { member={StateHasChanged,Introspect} peer=(name=org.freedesktop.PackageKit), - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member=Inhibit - peer=(name=org.freedesktop.login1), - - dbus send bus=system path=/org/freedesktop/DBus{,/Bus} - interface=org.freedesktop.DBus{,.Introspectable} - member={RequestName,GetConnectionUnixProcessID,Introspect} - peer=(name=org.freedesktop.DBus), - - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.{DBus.Introspectable,PolicyKit1.Authority} - member={CheckAuthorization,Introspect}, - - dbus bind bus=system name=org.debian.apt, - @{exec_path} mr, @{bin}/ r, 
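Review bot: The removed calibre rule targeted path=/org/gtk/vfs/mounttracker, interface=org.gtk.vfs.MountTracker, member=ListMountableInfo, but the only abstraction in this diff that carries ListMountableInfo (abstractions/bus/vfs/daemon) grants it on path=/org/gtk/vfs/Daemon, interface=org.gtk.vfs.Daemon, which is a different object and interface. Unless the include added in the first calibre hunk (its argument is not visible here) resolves to an abstraction that covers the MountTracker variant, calibre loses that call and will log a denial. The removed rule also had an unlabelled `peer=(name=:*)`; if the replacement pins label=gvfsd that is a welcome tightening, but the path/interface mismatch should be settled first, for example by confirming what abstractions/bus/vfs/mount contains above its visible hunk.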
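Review bot: The third apt hunk removes send rules toward three different peers (login1 Inhibit, org.freedesktop.DBus RequestName/GetConnectionUnixProcessID/Introspect, and PolicyKit1 CheckAuthorization) while the first apt hunk adds only one include, so a single abstraction has to cover all three or apt loses them; none of those rules is re-added anywhere in this diff. The include argument is not visible in this rendering, so this may be intended if that abstraction is a composite, but it is worth confirming, since a missing CheckAuthorization send would likely fail privileged apt operations rather than merely log. Moving `dbus bind bus=system name=org.debian.apt,` ahead of the send/receive rules is fine. Note that the removed PolicyKit rule carried no peer= restriction at all; whatever replaces it should at least keep, and ideally add, one.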
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 6a1c4413..472dc5af 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -11,6 +11,7 @@ include profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index 380230d6..0f63cd8d 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -15,11 +15,6 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include include - dbus receive bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member=PrepareForShutdown - peer=(name=:*, label=systemd-logind), - @{exec_path} mr, @{bin}/ischroot rix, diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index e5585788..6e3dab2c 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/ibus-daemon profile ibus-daemon @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -21,6 +21,9 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { unix (send, receive, accept) type=stream addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????" peer=(label=ibus-*), unix (send, receive, accept) type=stream addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????" peer=(label=gnome-shell), + dbus bind bus=session name=org.freedesktop.portal.IBus, + + dbus bind bus=session name=org.freedesktop.IBus, dbus send bus=session path=/org/freedesktop/IBus interface=org.freedesktop.DBus.Peer peer=(name=org.freedesktop.portal.IBus), # all members, all peer's labels 
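Review bot: The `dbus receive bus=system path=/org/freedesktop/login1 ... member=PrepareForShutdown peer=(name=:*, label=systemd-logind)` rule is removed from unattended-upgrade-shutdown without any include being added in this file; the two include context lines at the top of the hunk are unchanged and no abstraction in this diff gains a PrepareForShutdown receive rule. Unless an abstraction already included above line 15 (outside the hunk) carries that rule, or it was added in a commit not shown here, the shutdown hook can no longer receive logind's signal and will miss the shutdown it exists to handle. The unattended-upgrade profile in the preceding hunk does gain an include, which suggests this profile may simply be missing the matching line.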
@@ -30,10 +33,6 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=:*, label=gnome-shell), - dbus bind bus=session name=org.freedesktop.portal.IBus, - - dbus bind bus=session name=org.freedesktop.IBus, - @{exec_path} mrix, @{bin}/{,ba,da}sh rix, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index cb3aba93..71ef3b90 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -11,7 +11,7 @@ profile xdg-desktop-portal-gtk @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index b77fd63f..6dfd61da 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -10,7 +10,7 @@ include profile evolution-addressbook-factory @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 724bcde4..3e121930 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/{,evolution-data-server/}evolution-source-registry profile evolution-source-registry @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 3c1fb4fa..4c0015cf 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -10,7 +10,9 @@ include profile gnome-extension-ding @{exec_path} { include include - include + include + include + include include include include 
@@ -52,20 +54,6 @@ profile gnome-extension-ding @{exec_path} { member=GetAll peer=(name=:*, label=nautilus), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=ListMonitorImplementations - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gvfsd-metadata), - dbus receive bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member=AttributeChanged - peer=(name=:*, label=gvfsd-metadata), - dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index d7d01365..acfb5ac2 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -13,10 +13,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include - include include include - include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 8461112c..7710abe2 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -10,7 +10,9 @@ include profile gnome-terminal-server @{exec_path} { include include + include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index c6b5aa3f..c3903382 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -10,7 +10,7 @@ include profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 2324b15b..620b8638 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard 
+++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -10,7 +10,7 @@ include profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 4fde49ed..b25794ac 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -10,7 +10,7 @@ include profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 1ec50c15..27303158 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -10,7 +10,8 @@ include profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include - include + include + include include include include @@ -33,11 +34,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.{Peer,Properties} peer=(name=:*), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member={ListMonitorImplementations,ListMountableInfo} - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={List,IsSupported} diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 328fec8f..4c377ec6 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -10,7 +10,7 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-dnssd profile gvfsd-dnssd @{exec_path} { include - include + include include include 
@@ -37,13 +37,12 @@ profile gvfsd-dnssd @{exec_path} { member=Mount peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]* + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned peer=(name=:*, label=gvfsd), - dbus bind bus=session - name=org.gtk.vfs.mountpoint_dnssd, + dbus bind bus=session name=org.gtk.vfs.mountpoint_dnssd, @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index b7847420..d4645090 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -10,7 +10,7 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-fuse profile gvfsd-fuse @{exec_path} { include - include + include include unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index a8dfafdf..541e98ff 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -13,7 +13,7 @@ profile gvfsd-network @{exec_path} { include include - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]* + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned peer=(name=:*, label=gvfsd), diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 9f9cf640..213dee61 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -10,7 +10,7 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-smb-browse profile gvfsd-smb-browse @{exec_path} { include - include + include include include include @@ -33,7 +33,7 @@ profile gvfsd-smb-browse @{exec_path} { member=Mount peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]* + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned peer=(name=:*, label=gvfsd), 
diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 01046002..874a3a57 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -11,7 +11,7 @@ include profile atril @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 17af89e9..37303d3e 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -11,7 +11,7 @@ include profile engrampa @{exec_path} { include include - include + include include include include