diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher index a0d9d6ad..6c79b187 100644 --- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher +++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher @@ -40,6 +40,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.xsession-errors w, owner /tmp/runtime-*/xauth_@{rand6} r, + owner /tmp/xauth_@{rand6} r, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/xauth_@{rand6} r, diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd index 80c92b3d..2a7e4d5c 100644 --- a/apparmor.d/groups/freedesktop/at-spi2-registryd +++ b/apparmor.d/groups/freedesktop/at-spi2-registryd @@ -29,9 +29,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=session path=/org/gnome/SessionManager + dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager - member=RegisterClient peer=(name=:*, label=gnome-session-binary), dbus receive bus=session path=/org/gnome/SessionManager diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 0505f336..c3a188fc 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -131,6 +131,10 @@ profile pulseaudio @{exec_path} { member=Get peer=(name=org.freedesktop.hostname[0-9]), + dbus receive bus=system path=/org/bluez/hci*/** + interface=org.freedesktop.DBus.Properties + peer=(name=:*), + @{exec_path} mrix, @{lib}/pulse/gsettings-helper mrix, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 59b9eddd..6c0c2a67 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd 
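Review bot: In at-spi2-registryd, dropping `member=RegisterClient` from the `dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager` rule lets the profile call every method on that interface, which as far as I know also includes session-control calls such as Logout and Shutdown. If a denial for another member prompted this, list the members actually needed, e.g. `member={RegisterClient,<member-from-the-denial-log>}`, instead of removing the filter. If all members really are intended, mark the rule with `# all members`, as the tracker-extract profile does. The unchanged `peer=(name=:*, label=gnome-session-binary)` line still limits the destination.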
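Review bot: The new pulseaudio rule `dbus receive bus=system path=/org/bluez/hci*/** interface=org.freedesktop.DBus.Properties peer=(name=:*)` has no `member=` filter, so it matches inbound Get, GetAll and Set messages as well as the PropertiesChanged signal, from any unique-name sender on the system bus. The upowerd hunk in this commit adds the same rule with `member=PropertiesChanged`, while the NetworkManager hunk removes that line from its copy; the three should agree, preferably on the narrower form. A peer label would tighten all three further, e.g. `peer=(name=:*, label=<bluez-daemon-profile>)`, using the project's actual label for the BlueZ daemon.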
@@ -36,6 +36,11 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { member={UserNew,UserRemoved,SessionNew,SessionRemoved,PrepareForShutdown,PrepareForSleep} peer=(name=:*, label=systemd-logind), + dbus receive bus=system path=/org/bluez/hci*/** + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*), + dbus bind bus=system name=org.freedesktop.UPower, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index c112829b..b228a050 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -25,6 +25,28 @@ profile evolution-source-registry @{exec_path} { interface=org.freedesktop.DBus.Introspectable peer=(name=:*, label=gnome-shell), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager + interface=org.freedesktop.DBus.ObjectManager + peer=(name=:*, label=evolution-*), + + dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/*} + interface=org.freedesktop.DBus.Properties + peer=(name=:*, label=evolution-*-factory), + + dbus send bus=session path=/org/gnome/OnlineAccounts + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=goa-daemon), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + dbus bind bus=session name=org.gnome.evolution.dataserver.Sources[0-9], @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 4d6bca09..be073f23 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service 
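Review bot: In evolution-source-registry, the added `dbus receive bus=session interface=org.freedesktop.DBus.Introspectable peer=(name=:*, label=gnome-shell)` rule has neither `path=` nor `member=`. The context rule directly above it ends with the same interface and peer lines, so the new rule may duplicate or be a superset of it; the head of that rule is outside the hunk, so check against the full file. The two receive rules on `/org/gnome/evolution/dataserver/SourceManager` also omit `member=`, which for `org.freedesktop.DBus.Properties` includes Set. If that is intended, a `# all members` comment on each, as used in tracker-extract, would record it; otherwise narrow them, e.g. `member={Get,GetAll}`.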
@@ -37,8 +37,7 @@ profile goa-identity-service @{exec_path} { member=GetAll peer=(name=:*, label=goa-daemon), - dbus bind bus=session - name=org.gnome.Identity, + dbus bind bus=session name=org.gnome.Identity, @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 548c81b3..b6fb6267 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -30,12 +30,12 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint + dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.DBus.Peer member=Ping peer=(name=org.freedesktop.Tracker3.Miner.Files), - dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint + dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.Tracker3.Endpoint peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), # all members 
@@ -54,16 +54,30 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor - member={List,IsSupported} + member={List,IsSupported,MountAdded} peer=(name=:*, label=gvfs-*-volume-monitor), - dbus receive bus=session path=/ + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect + member=Introspect peer=(name=:*, label=gnome-shell), - dbus bind bus=session - name=org.freedesktop.Tracker3.Miner.Extract, + dbus receive bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={Mounted,ListMounts2} + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=ListMonitorImplementations + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member={GetTreeFromDevice,Remove} + peer=(name=:*, label=gvfsd-metadata), + + dbus bind bus=session name=org.freedesktop.Tracker3.Miner.Extract, @{exec_path} mr, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index d0f57d0e..1e767c58 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -86,7 +86,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/bluez/hci*/** interface=org.freedesktop.DBus.Properties - member=PropertiesChanged peer=(name=:*), dbus bind bus=system diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 0c8288cd..4ac52cd3 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
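Review bot: Two of the members added in tracker-extract look like they are on the wrong side of the conversation. `MountAdded` is added to a `dbus send` rule toward `gvfs-*-volume-monitor`, but it appears to be a signal emitted by the volume monitor. `ListMounts2` is added to a `dbus receive` rule from `gvfsd`, although it appears to be a method the client calls; as far as I know replies to an allowed send are permitted implicitly, so neither entry is likely to match real traffic. Check the `mask=` field of the denial log for each and move them accordingly, e.g. `member=MountAdded` into a `dbus receive` rule with the same path, interface and peer. Separately, the Introspectable receive rule loses its `path=/` restriction in this hunk, which widens it to every object path.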
@@ -26,14 +26,14 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { network netlink raw, - dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**} + dbus (send,receive) bus=system path=/org/freedesktop/login1{,/**} interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,login[0-9].*}, - dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9] + dbus (send,receive) bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd[0-9].Manager member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading,Subscribe,StopUnit}, - dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]/{unit,job}/** + dbus (send,receive) bus=system path=/org/freedesktop/systemd1/{unit,job}/** interface=org.freedesktop.DBus.Properties member={Get,PropertiesChanged}, @@ -41,15 +41,15 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { interface=org.freedesktop.DBus member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName}, - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit[0-9].Authority member=CheckAuthorization, - dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/** + dbus send bus=system path=/org/freedesktop/systemd1/unit/** interface=org.freedesktop.systemd[0-9].Scope member=Abandon, - dbus receive bus=system path=/org/freedesktop/systemd[0-9] + dbus receive bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member=PropertiesChanged, @@ -57,8 +57,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { interface=org.freedesktop.DBus.Properties member=Get, - dbus bind bus=system - name=org.freedesktop.login[0-9], + dbus bind bus=system name=org.freedesktop.login1, @{exec_path} mr, 
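Review bot: The systemd-logind hunks pin the object paths and the bound name to version 1 (`login1`, `systemd1`, `PolicyKit1`) but leave the matching interfaces globbed: `login[0-9].*`, `systemd[0-9].Manager`, `systemd[0-9].Scope` and `PolicyKit[0-9].Authority` are unchanged in the first two hunks. The udisksd hunks in the same commit pin both sides, so for consistency write e.g. `interface=org.freedesktop.systemd1.Manager` and `interface=org.freedesktop.PolicyKit1.Authority` here too. The member list on the Manager rule also names `Subscribe` twice. None of the rules visible here has a `peer=` clause; that matters less while the profile carries the `complain` flag, but it is worth adding before the profile is enforced.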
diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index eb4d7264..d9324bdb 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -26,8 +26,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus bind bus=system - name=org.freedesktop.timesync1, + dbus bind bus=system name=org.freedesktop.timesync1, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index da3ade1f..bf5163ab 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2015-2020 Mikhail Morfikov # Copyright (C) 2022 Jeroen Rijken +# Copyright (C) 2022-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 63252226..f2be2542 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -65,8 +65,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**} interface=org.freedesktop.{DBus*,UDisks2*}, - dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.PolicyKit[0-9].Authority + dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority member=Changed, dbus send bus=system path=/org/freedesktop/DBus 
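Review bot: The PolicyKit rules touched in the udisksd hunks still end at `member=...,` with no `peer=` clause: the `dbus receive ... member=Changed` rule in this hunk and the `GetAll` and `CheckAuthorization` send rules in the next one. Other rules in this profile do constrain the peer, for example `peer=(name=:*, label=systemd-logind)`. Since these lines are being edited anyway, consider appending `peer=(name=:*, label=<polkit-daemon-profile>)` to the receive rule and the equivalent to the sends, using the project's actual label for the polkit daemon, so the authorization traffic is tied to that daemon's profile.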
@@ -82,16 +82,15 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { member={PrepareForSleep,PrepareForShutdown} peer=(name=:*, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll, - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.PolicyKit[0-9].Authority + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization, - dbus bind bus=system - name=org.freedesktop.UDisks2, + dbus bind bus=system name=org.freedesktop.UDisks2, @{exec_path} mr,