feat(dbus): add more dbus abstraction.

2025-01-18 00:48:10 +01:00 · 2023-12-04 18:58:03 +00:00 · 2023-12-04 18:58:03 +00:00 · 16c2bf5662
commit 16c2bf5662
parent 2432414ae2
24 changed files with 60 additions and 76 deletions
--- a/apparmor.d/abstractions/bus/vfs/daemon
+++ b/apparmor.d/abstractions/bus/vfs/daemon
@ -0,0 +1,10 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  dbus send bus=session path=/org/gtk/vfs/Daemon
+       interface=org.gtk.vfs.Daemon
+       member={ListMonitorImplementations,ListMountableInfo}
+       peer=(name=:*, label=gvfsd),
+
+  include if exists <abstractions/bus/vfs/daemon.d>
--- a/apparmor.d/abstractions/bus/vfs/metadata
+++ b/apparmor.d/abstractions/bus/vfs/metadata
@ -0,0 +1,15 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  dbus send bus=session path=/org/gtk/vfs/metadata
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=:*, label=gvfsd-metadata),
+
+  dbus receive bus=session path=/org/gtk/vfs/metadata
+       interface=org.gtk.vfs.Metadata
+       member=AttributeChanged
+       peer=(name=:*, label=gvfsd-metadata),
+
+  include if exists <abstractions/bus/vfs/metadata.d>
--- a/apparmor.d/abstractions/bus/vfs/mount
+++ b/apparmor.d/abstractions/bus/vfs/mount
@ -12,9 +12,4 @@
       member=ListMounts2
       peer=(name=:*, label=gvfsd),

-  dbus send bus=session path=/org/gtk/vfs/Daemon
-       interface=org.gtk.vfs.Daemon
-       member=ListMonitorImplementations
-       peer=(name=:*, label=gvfsd),
-
-  include if exists <abstractions/bus/vfs.d>
+  include if exists <abstractions/bus/vfs/mount.d>
--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/groups/apps/calibre
@ -16,6 +16,7 @@ include <tunables/global>
 profile calibre @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus/atspi>
+  include <abstractions/bus/vfs/mount>
  include <abstractions/chromium-common>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
@ -48,11 +49,6 @@ profile calibre @{exec_path} {
  unix (bind, listen)  type=stream addr="@*-calibre-gui.socket",
  unix (bind)          type=stream addr="@calibre-*",

-  dbus send bus=session path=/org/gtk/vfs/mounttracker
-       interface=org.gtk.vfs.MountTracker
-       member=ListMountableInfo
-       peer=(name=:*),
-
  @{exec_path} mrix,
  @{bin}/python3.[0-9]* r,

--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -11,6 +11,7 @@ include <tunables/global>
 profile apt @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/apt-common>
+  include <abstractions/bus/login>
  include <abstractions/bus/polkit>
  include <abstractions/consoles>
  include <abstractions/dbus-strict>
@ -36,6 +37,8 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  unix (send, receive) type=stream peer=(label=apt-esm-json-hook),
  unix (send, receive) type=stream peer=(label=snapd),

+  dbus bind bus=system name=org.debian.apt,
+
  dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/@{hex}}
       interface=org.{debian.apt*,freedesktop.DBus.{Properties,Introspectable}},

@ -44,22 +47,6 @@ profile apt @{exec_path} flags=(attach_disconnected) {
       member={StateHasChanged,Introspect}
       peer=(name=org.freedesktop.PackageKit),

-  dbus send bus=system path=/org/freedesktop/login1
-       interface=org.freedesktop.login1.Manager
-       member=Inhibit
-       peer=(name=org.freedesktop.login1),
-
-  dbus send bus=system path=/org/freedesktop/DBus{,/Bus}
-       interface=org.freedesktop.DBus{,.Introspectable}
-       member={RequestName,GetConnectionUnixProcessID,Introspect}
-       peer=(name=org.freedesktop.DBus),
-
-  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
-       interface=org.freedesktop.{DBus.Introspectable,PolicyKit1.Authority}
-       member={CheckAuthorization,Introspect},
-
-  dbus bind bus=system name=org.debian.apt,
-
  @{exec_path} mr,

  @{bin}/ r,
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -11,6 +11,7 @@ include <tunables/global>
 profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/apt-common>
+  include <abstractions/bus/login>
  include <abstractions/consoles>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/apt/unattended-upgrade-shutdown
+++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown
@ -15,11 +15,6 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) {
  include <abstractions/nameservice-strict>
  include <abstractions/python>

-  dbus receive bus=system path=/org/freedesktop/login1
-       interface=org.freedesktop.login1.Manager
-       member=PrepareForShutdown
-       peer=(name=:*, label=systemd-logind),
-
  @{exec_path} mr,

  @{bin}/ischroot  rix,
--- a/apparmor.d/groups/bus/ibus-daemon
+++ b/apparmor.d/groups/bus/ibus-daemon
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/ibus-daemon
 profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/bus/vfs>
+  include <abstractions/bus/vfs/mount>
  include <abstractions/dbus-session-strict>
  include <abstractions/ibus>
  include <abstractions/nameservice-strict>
@ -21,6 +21,9 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
  unix (send, receive, accept) type=stream addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????" peer=(label=ibus-*),
  unix (send, receive, accept) type=stream addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????" peer=(label=gnome-shell),

+  dbus bind bus=session name=org.freedesktop.portal.IBus,
+
+  dbus bind bus=session name=org.freedesktop.IBus,
  dbus send bus=session path=/org/freedesktop/IBus
       interface=org.freedesktop.DBus.Peer
       peer=(name=org.freedesktop.portal.IBus), # all members, all peer's labels
@ -30,10 +33,6 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
       member=Introspect
       peer=(name=:*, label=gnome-shell),

-  dbus bind bus=session name=org.freedesktop.portal.IBus,
-
-  dbus bind bus=session name=org.freedesktop.IBus,
-
  @{exec_path} mrix,

  @{bin}/{,ba,da}sh      rix,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -11,7 +11,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus/account-daemon>
  include <abstractions/bus/atspi>
-  include <abstractions/bus/vfs>
+  include <abstractions/bus/vfs/mount>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@ -10,7 +10,7 @@ include <tunables/global>
 profile evolution-addressbook-factory @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus/network-manager>
-  include <abstractions/bus/vfs>
+  include <abstractions/bus/vfs/mount>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
--- a/apparmor.d/groups/gnome/evolution-source-registry
+++ b/apparmor.d/groups/gnome/evolution-source-registry
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,evolution-data-server/}evolution-source-registry
 profile evolution-source-registry @{exec_path} {
  include <abstractions/base>
-  include <abstractions/bus/vfs>
+  include <abstractions/bus/vfs/mount>
  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -10,7 +10,9 @@ include <tunables/global>
 profile gnome-extension-ding @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus/atspi>
-  include <abstractions/bus/vfs>
+  include <abstractions/bus/vfs/daemon>
+  include <abstractions/bus/vfs/metadata>
+  include <abstractions/bus/vfs/mount>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
@ -52,20 +54,6 @@ profile gnome-extension-ding @{exec_path} {
       member=GetAll
       peer=(name=:*, label=nautilus),

-  dbus send bus=session path=/org/gtk/vfs/Daemon
-       interface=org.gtk.vfs.Daemon
-       member=ListMonitorImplementations
-       peer=(name=:*, label=gvfsd),
-
-  dbus send bus=session path=/org/gtk/vfs/metadata
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label=gvfsd-metadata),
-  dbus receive bus=session path=/org/gtk/vfs/metadata
-       interface=org.gtk.vfs.Metadata
-       member=AttributeChanged
-       peer=(name=:*, label=gvfsd-metadata),
-
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect 
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -13,10 +13,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  include <abstractions/audio>
  include <abstractions/bus/account-daemon>
  include <abstractions/bus/atspi>
-  include <abstractions/bus/upower>
  include <abstractions/bus/network-manager>
  include <abstractions/bus/polkit>
-  include <abstractions/bus/vfs>
+  include <abstractions/bus/upower>
+  include <abstractions/bus/vfs/metadata>
+  include <abstractions/bus/vfs/mount>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -10,7 +10,9 @@ include <tunables/global>
 profile gnome-terminal-server @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus/atspi>
+  include <abstractions/bus/vfs/mount>
  include <abstractions/consoles>
+  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
  include <abstractions/fonts>
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@ -10,7 +10,7 @@ include <tunables/global>
 profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-launcher-user>
-  include <abstractions/bus/vfs>
+  include <abstractions/bus/vfs/mount>
  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
  include <abstractions/thumbnails-cache-read>
--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@ -10,7 +10,7 @@ include <tunables/global>
 profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus/atspi>
-  include <abstractions/bus/vfs>
+  include <abstractions/bus/vfs/mount>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@ -10,7 +10,7 @@ include <tunables/global>
 profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus/atspi>
-  include <abstractions/bus/vfs>
+  include <abstractions/bus/vfs/mount>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -10,7 +10,8 @@ include <tunables/global>
 profile tracker-miner @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus/upower>
-  include <abstractions/bus/vfs>
+  include <abstractions/bus/vfs/daemon>
+  include <abstractions/bus/vfs/mount>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
@ -33,11 +34,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.DBus.{Peer,Properties}
       peer=(name=:*),

-  dbus send bus=session path=/org/gtk/vfs/Daemon
-       interface=org.gtk.vfs.Daemon
-       member={ListMonitorImplementations,ListMountableInfo}
-       peer=(name=:*, label=gvfsd),
-
  dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
       interface=org.gtk.Private.RemoteVolumeMonitor
       member={List,IsSupported}
--- a/apparmor.d/groups/gvfs/gvfsd-dnssd
+++ b/apparmor.d/groups/gvfs/gvfsd-dnssd
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,gvfs/}gvfsd-dnssd
 profile gvfsd-dnssd @{exec_path} {
  include <abstractions/base>
-  include <abstractions/bus/vfs>
+  include <abstractions/bus/vfs/mount>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>

@ -37,13 +37,12 @@ profile gvfsd-dnssd @{exec_path} {
       member=Mount
       peer=(name=:*, label=gvfsd),

-  dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]*
+  dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
       interface=org.gtk.vfs.Spawner
       member=Spawned
       peer=(name=:*, label=gvfsd),

-  dbus bind bus=session
-       name=org.gtk.vfs.mountpoint_dnssd,
+  dbus bind bus=session name=org.gtk.vfs.mountpoint_dnssd,

  @{exec_path} mr,

--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,gvfs/}gvfsd-fuse
 profile gvfsd-fuse @{exec_path} {
  include <abstractions/base>
-  include <abstractions/bus/vfs>
+  include <abstractions/bus/vfs/mount>
  include <abstractions/dbus-session-strict>

  unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount),
--- a/apparmor.d/groups/gvfs/gvfsd-network
+++ b/apparmor.d/groups/gvfs/gvfsd-network
@ -13,7 +13,7 @@ profile gvfsd-network @{exec_path} {
  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>

-  dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]*
+  dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
       interface=org.gtk.vfs.Spawner
       member=Spawned
       peer=(name=:*, label=gvfsd),
--- a/apparmor.d/groups/gvfs/gvfsd-smb-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,gvfs/}gvfsd-smb-browse
 profile gvfsd-smb-browse @{exec_path} {
  include <abstractions/base>
-  include <abstractions/bus/vfs>
+  include <abstractions/bus/vfs/mount>
  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
@ -33,7 +33,7 @@ profile gvfsd-smb-browse @{exec_path} {
       member=Mount
       peer=(name=:*, label=gvfsd),

-  dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]*
+  dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
       interface=org.gtk.vfs.Spawner
       member=Spawned
       peer=(name=:*, label=gvfsd),
--- a/apparmor.d/profiles-a-f/atril
+++ b/apparmor.d/profiles-a-f/atril
@ -11,7 +11,7 @@ include <tunables/global>
 profile atril @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus/atspi>
-  include <abstractions/bus/vfs>
+  include <abstractions/bus/vfs/mount>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
--- a/apparmor.d/profiles-a-f/engrampa
+++ b/apparmor.d/profiles-a-f/engrampa
@ -11,7 +11,7 @@ include <tunables/global>
 profile engrampa @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus/atspi>
-  include <abstractions/bus/vfs>
+  include <abstractions/bus/vfs/mount>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>