feat(profiles): improve dbus related rules.

Alexandre Pujol 2023-08-27 14:46:49 +01:00
parent 2db6b12a9b
commit 19331acaa9
GPG Key ID: C5469996F0DF68EC
12 changed files with 70 additions and 29 deletions


@ -40,6 +40,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
owner /tmp/runtime-*/xauth_@{rand6} r, owner /tmp/runtime-*/xauth_@{rand6} r,
owner /tmp/xauth_@{rand6} r,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/xauth_@{rand6} r, owner @{run}/user/@{uid}/xauth_@{rand6} r,


@ -29,9 +29,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
member={RequestName,ReleaseName} member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon), peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=session path=/org/gnome/SessionManager dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager interface=org.gnome.SessionManager
member=RegisterClient
peer=(name=:*, label=gnome-session-binary), peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager dbus receive bus=session path=/org/gnome/SessionManager
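Review bot: Dropping `member=RegisterClient` from the `dbus send` rule to /org/gnome/SessionManager leaves that rule matching every method on org.gnome.SessionManager that gnome-session-binary exposes, not just client registration, which is a wider grant than the one line being removed suggests. If at-spi2-registryd was observed calling more members, listing them keeps the profile at least-privilege, e.g. `member={RegisterClient,…}`; if the intent really is "any member", the repository already marks such rules explicitly, so the peer line should carry that convention: `peer=(name=:*, label=gnome-session-binary), # all members`. The dbus rule this hunk edits continues above the hunk start.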


@ -131,6 +131,10 @@ profile pulseaudio @{exec_path} {
member=Get member=Get
peer=(name=org.freedesktop.hostname[0-9]), peer=(name=org.freedesktop.hostname[0-9]),
dbus receive bus=system path=/org/bluez/hci*/**
interface=org.freedesktop.DBus.Properties
peer=(name=:*),
@{exec_path} mrix, @{exec_path} mrix,
@{lib}/pulse/gsettings-helper mrix, @{lib}/pulse/gsettings-helper mrix,
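Review bot: The new bluez rule `dbus receive bus=system path=/org/bluez/hci*/** interface=org.freedesktop.DBus.Properties peer=(name=:*),` has no `member=`, while the identical rule added to upowerd in this same commit restricts itself to `member=PropertiesChanged`, and the NetworkManager hunk removes that member from its copy; the three copies of one rule end up with three different shapes. Unless pulseaudio was actually seen receiving Properties calls other than the PropertiesChanged signal, the upowerd form is the one to use here: `member=PropertiesChanged`. The peer also matches any unique name with no label; if the profile emitting these signals is known, naming it in `peer=(…, label=…)` would keep the grant from applying to any confined or unconfined sender on the system bus.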


@ -36,6 +36,11 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
member={UserNew,UserRemoved,SessionNew,SessionRemoved,PrepareForShutdown,PrepareForSleep} member={UserNew,UserRemoved,SessionNew,SessionRemoved,PrepareForShutdown,PrepareForSleep}
peer=(name=:*, label=systemd-logind), peer=(name=:*, label=systemd-logind),
dbus receive bus=system path=/org/bluez/hci*/**
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*),
dbus bind bus=system dbus bind bus=system
name=org.freedesktop.UPower, name=org.freedesktop.UPower,


@ -25,6 +25,28 @@ profile evolution-source-registry @{exec_path} {
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
peer=(name=:*, label=gnome-shell), peer=(name=:*, label=gnome-shell),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager
interface=org.freedesktop.DBus.ObjectManager
peer=(name=:*, label=evolution-*),
dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/*}
interface=org.freedesktop.DBus.Properties
peer=(name=:*, label=evolution-*-factory),
dbus send bus=session path=/org/gnome/OnlineAccounts
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=:*, label=goa-daemon),
dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=ListMountableInfo
peer=(name=:*, label=gvfsd),
dbus bind bus=session name=org.gnome.evolution.dataserver.Sources[0-9], dbus bind bus=session name=org.gnome.evolution.dataserver.Sources[0-9],
@{exec_path} mr, @{exec_path} mr,
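Review bot: The first added rule, `dbus receive bus=session interface=org.freedesktop.DBus.Introspectable peer=(name=:*, label=gnome-shell),`, has no `path=` and no `member=`, so it subsumes the existing Introspectable receive rule from gnome-shell that the hunk's context lines belong to (its path line sits just above the hunk); one of the two is redundant and the narrower one should be the one kept, or the old one removed. The ObjectManager rule at /org/gnome/evolution/dataserver/SourceManager uses `label=evolution-*`, which matches every profile whose name starts with `evolution-`, whereas the Properties rule just below uses the tighter `label=evolution-*-factory`; if the factories are the only peers observed, the same label would be appropriate for both. A short comment on the group, such as `# Source registry clients (factories, goa, gvfs)`, would also help since the rules are otherwise unannotated.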


@ -37,8 +37,7 @@ profile goa-identity-service @{exec_path} {
member=GetAll member=GetAll
peer=(name=:*, label=goa-daemon), peer=(name=:*, label=goa-daemon),
dbus bind bus=session dbus bind bus=session name=org.gnome.Identity,
name=org.gnome.Identity,
@{exec_path} mr, @{exec_path} mr,


@ -30,12 +30,12 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
member={RequestName,ReleaseName} member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon), peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
interface=org.freedesktop.DBus.Peer interface=org.freedesktop.DBus.Peer
member=Ping member=Ping
peer=(name=org.freedesktop.Tracker3.Miner.Files), peer=(name=org.freedesktop.Tracker3.Miner.Files),
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
interface=org.freedesktop.Tracker3.Endpoint interface=org.freedesktop.Tracker3.Endpoint
peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), # all members peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), # all members
@ -54,16 +54,30 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor
member={List,IsSupported} member={List,IsSupported,MountAdded}
peer=(name=:*, label=gvfs-*-volume-monitor), peer=(name=:*, label=gvfs-*-volume-monitor),
dbus receive bus=session path=/ dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
member=Introspect member=Introspect
peer=(name=:*, label=gnome-shell), peer=(name=:*, label=gnome-shell),
dbus bind bus=session dbus receive bus=session path=/org/gtk/vfs/mounttracker
name=org.freedesktop.Tracker3.Miner.Extract, interface=org.gtk.vfs.MountTracker
member={Mounted,ListMounts2}
peer=(name=:*, label=gvfsd),
dbus send bus=session path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon
member=ListMonitorImplementations
peer=(name=:*, label=gvfsd),
dbus send bus=session path=/org/gtk/vfs/metadata
interface=org.gtk.vfs.Metadata
member={GetTreeFromDevice,Remove}
peer=(name=:*, label=gvfsd-metadata),
dbus bind bus=session name=org.freedesktop.Tracker3.Miner.Extract,
@{exec_path} mr, @{exec_path} mr,
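Review bot: `MountAdded` is added to the `dbus send` rule for org.gtk.Private.RemoteVolumeMonitor, but it reads like the signal a volume monitor emits to its clients rather than a method tracker-extract would call; if the denial that prompted this was a receive, the fix would be a separate `dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member=MountAdded peer=(name=:*, label=gvfs-*-volume-monitor),` rather than extending the send list — worth confirming against the audit log. The new gvfs metadata rule grants `member={GetTreeFromDevice,Remove}` to gvfsd-metadata; `Remove` is a write operation on the user's metadata store, so a one-line comment stating why the extractor needs it would help the next reviewer. Dropping `path=/` from the Introspect receive rule makes it match every object path, which is harmless for Introspect but is a widening the commit message does not mention.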


@ -86,7 +86,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
dbus receive bus=system path=/org/bluez/hci*/** dbus receive bus=system path=/org/bluez/hci*/**
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*), peer=(name=:*),
dbus bind bus=system dbus bind bus=system


@ -26,14 +26,14 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
network netlink raw, network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**} dbus (send,receive) bus=system path=/org/freedesktop/login1{,/**}
interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,login[0-9].*}, interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,login[0-9].*},
dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9] dbus (send,receive) bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd[0-9].Manager interface=org.freedesktop.systemd[0-9].Manager
member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading,Subscribe,StopUnit}, member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading,Subscribe,StopUnit},
dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]/{unit,job}/** dbus (send,receive) bus=system path=/org/freedesktop/systemd1/{unit,job}/**
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member={Get,PropertiesChanged}, member={Get,PropertiesChanged},
@ -41,15 +41,15 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName}, member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName},
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority interface=org.freedesktop.PolicyKit[0-9].Authority
member=CheckAuthorization, member=CheckAuthorization,
dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/** dbus send bus=system path=/org/freedesktop/systemd1/unit/**
interface=org.freedesktop.systemd[0-9].Scope interface=org.freedesktop.systemd[0-9].Scope
member=Abandon, member=Abandon,
dbus receive bus=system path=/org/freedesktop/systemd[0-9] dbus receive bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=PropertiesChanged, member=PropertiesChanged,
@ -57,8 +57,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=Get, member=Get,
dbus bind bus=system dbus bind bus=system name=org.freedesktop.login1,
name=org.freedesktop.login[0-9],
@{exec_path} mr, @{exec_path} mr,
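Review bot: The hunks replace the `login[0-9]` and `systemd[0-9]` globs with the literal `login1` / `systemd1` in object paths and in the bind name, but leave the interface names as patterns (`org.freedesktop.{…,login[0-9].*}`, `org.freedesktop.systemd[0-9].Manager`, `org.freedesktop.systemd[0-9].Scope`, `org.freedesktop.PolicyKit[0-9].Authority`), while the udisksd hunk in this same commit also converts the interface to `org.freedesktop.PolicyKit1.Authority`; the profiles should settle on one convention so later audits do not have to reason about two spellings of the same name. Both forms are matched by AppArmor, so this is consistency rather than a functional issue, but the literal form is the one that documents the real interface. Separately, the member list on the systemd1 Manager rule still contains `Subscribe` twice (`member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading,Subscribe,StopUnit},`); one copy can go. The profile header carries `complain`, so these rules are currently only logged, not enforced.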


@ -26,8 +26,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
member={RequestName,ReleaseName} member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon), peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus bind bus=system dbus bind bus=system name=org.freedesktop.timesync1,
name=org.freedesktop.timesync1,
@{exec_path} mr, @{exec_path} mr,


@ -1,6 +1,7 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov # Copyright (C) 2015-2020 Mikhail Morfikov
# Copyright (C) 2022 Jeroen Rijken # Copyright (C) 2022 Jeroen Rijken
# Copyright (C) 2022-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,


@ -65,8 +65,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**} dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**}
interface=org.freedesktop.{DBus*,UDisks2*}, interface=org.freedesktop.{DBus*,UDisks2*},
dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority interface=org.freedesktop.PolicyKit1.Authority
member=Changed, member=Changed,
dbus send bus=system path=/org/freedesktop/DBus dbus send bus=system path=/org/freedesktop/DBus
@ -82,16 +82,15 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
member={PrepareForSleep,PrepareForShutdown} member={PrepareForSleep,PrepareForShutdown}
peer=(name=:*, label=systemd-logind), peer=(name=:*, label=systemd-logind),
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll, member=GetAll,
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority interface=org.freedesktop.PolicyKit1.Authority
member=CheckAuthorization, member=CheckAuthorization,
dbus bind bus=system dbus bind bus=system name=org.freedesktop.UDisks2,
name=org.freedesktop.UDisks2,
@{exec_path} mr, @{exec_path} mr,