From 1edf507abf33a7edc6ee2c69d947d3b36e7878b4 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 3 Dec 2023 16:53:25 +0000
Subject: [PATCH] feat(dbus): rewrite some dbus rules (4).
---
 apparmor.d/abstractions/bus/login | 10 +++++
 apparmor.d/abstractions/bus/rtkit | 2 +-
 apparmor.d/abstractions/bus/udisk | 11 ++++++
 .../groups/apt/unattended-upgrade-shutdown | 18 ++-------
 apparmor.d/groups/freedesktop/upowerd | 39 +++++--------------
 .../groups/freedesktop/xdg-desktop-portal | 15 ++++---
 .../groups/gnome/evolution-calendar-factory | 1 +
 apparmor.d/groups/gnome/gnome-session-binary | 2 +-
 apparmor.d/groups/gnome/nautilus | 7 +---
 .../groups/gvfs/gvfs-udisks2-volume-monitor | 1 +
 apparmor.d/groups/systemd/systemd-logind | 1 +
 apparmor.d/profiles-a-f/boltd | 24 +++---------
 apparmor.d/profiles-m-r/packagekitd | 17 ++------
 apparmor.d/profiles-s-z/system-config-printer | 10 +----
 apparmor.d/profiles-s-z/udisksd | 36 ++++++-----------
 apparmor.d/profiles-s-z/wpa-supplicant | 9 +----
 16 files changed, 74 insertions(+), 129 deletions(-)
 create mode 100644 apparmor.d/abstractions/bus/login
 create mode 100644 apparmor.d/abstractions/bus/udisk
diff --git a/apparmor.d/abstractions/bus/login b/apparmor.d/abstractions/bus/login
new file mode 100644
index 00000000..96f6116a
--- /dev/null
+++ b/apparmor.d/abstractions/bus/login
@@ -0,0 +1,10 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ dbus send bus=system path=/org/freedesktop/login1
+ interface=org.freedesktop.login1.Manager
+ member=Inhibit
+ peer=(name=org.freedesktop.login1, label=systemd-logind),
+
+ include if exists
diff --git a/apparmor.d/abstractions/bus/rtkit b/apparmor.d/abstractions/bus/rtkit
index b14b161a..1ee671d4 100644
--- a/apparmor.d/abstractions/bus/rtkit
+++ b/apparmor.d/abstractions/bus/rtkit
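Review bot: The `peer=(name=org.freedesktop.login1, label=systemd-logind)` in the new Inhibit rule only matches callers that address logind's well-known name, whereas the rtkit abstraction in this same patch is widened to `{:*,org.freedesktop.RealtimeKit1}` because proxies that resolve the name owner first (GDBus does this) send to the unique name instead. The profiles whose explicit `Inhibit` rules this patch deletes (upowerd, udisksd, unattended-upgrade-shutdown) include GLib programs, so `peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),` is the safer form and keeps the two abstractions consistent. AppArmor dbus rules do not see call arguments, so every includer can also take a `block`-mode inhibitor on shutdown, sleep or idle with only polkit left to decide; a header comment such as `# Inhibit is unrestricted here: delay and block modes alike, gated only by polkit` would make that cost visible to whoever adds the include next.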
@@ -10,6 +10,6 @@ dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 member=MakeThread* - peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon), + peer=(name="{:*,org.freedesktop.RealtimeKit1}", label=rtkit-daemon), include if exists diff --git a/apparmor.d/abstractions/bus/udisk b/apparmor.d/abstractions/bus/udisk new file mode 100644 index 00000000..e2ffe326 --- /dev/null +++ b/apparmor.d/abstractions/bus/udisk @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + dbus send bus=system path=/org/freedesktop/UDisks2 + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=udisksd), + + + include if exists diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index c17e29c6..380230d6 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -9,26 +9,16 @@ include @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include - include + include + include include include include - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member=Inhibit, - - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.DBus.{Introspectable,Properties} - member={Introspect,Get}, - - dbus send bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.DBus.Properties - member=GetAll, - dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager - member=PrepareForShutdown, + member=PrepareForShutdown + peer=(name=:*, label=systemd-logind), @{exec_path} mr, 
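Review bot: `peer=(name=:*, label=udisksd)` in the new GetManagedObjects rule matches only a caller that addresses udisksd's unique name, so a client that sends to the well-known `org.freedesktop.UDisks2` (GDBus object-manager clients resolve the owner first, other bindings generally do not) is still denied. The rtkit abstraction in this same patch uses `{:*,org.freedesktop.RealtimeKit1}` for exactly this case, and `peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),` keeps the two consistent. There is also a doubled blank line before `include if exists` that the login abstraction beside it does not have.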
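Review bot: The removed `dbus send` for `org.freedesktop.DBus.{Introspectable,Properties} member={Introspect,Get}` on `/org/freedesktop/login1` has no replacement on the new side: the `bus/login` abstraction created in this patch carries only `Inhibit`, so if unattended-upgrade-shutdown still reads logind's `PreparingForShutdown` property that `Get` is now denied. Either keep a profile-local `dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties member=Get peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),` or extend the abstraction. The dropped NetworkManager `GetAll` presumably moves to the second include added at the top of the hunk, whose name is not visible in this rendering, so that is worth a quick check too.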
diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 843bd1d0..41fcb264 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -10,43 +10,24 @@ include @{exec_path} = @{lib}/{,upower/}upowerd profile upowerd @{exec_path} flags=(attach_disconnected) { include + include include include network netlink raw, - dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**} - interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,UPower*}, - - dbus (send,receive) bus=system path=/org/freedesktop/login1 + dbus bind bus=system name=org.freedesktop.UPower, + dbus receive bus=system path=/org/freedesktop/UPower{,/**} + interface=org.freedesktop.UPower{,.*} + peer=(name=:*), + dbus receive bus=system path=/org/freedesktop/UPower{,/**} interface=org.freedesktop.DBus.Properties - member={PropertiesChanged,GetAll}, - - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member=Inhibit, - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=bluetoothd), - - dbus receive bus=system path=/org/bluez/hci0 - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=bluetoothd), - - dbus receive bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={UserNew,UserRemoved,SessionNew,SessionRemoved,PrepareForShutdown,PrepareForSleep} - peer=(name=:*, label=systemd-logind), - - dbus receive bus=system path=/org/bluez/hci*/** - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged peer=(name=:*), - dbus bind bus=system name=org.freedesktop.UPower, + dbus receive bus=system path=/org/bluez/hci@{int}{,/**} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=bluetoothd), @{exec_path} mr, 
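Review bot: The old `dbus (send,receive)` rule on `/org/freedesktop/UPower{,/**}` is replaced by receive-only rules, leaving the new profile with no send rule for that path, yet upowerd itself emits `DeviceAdded`/`DeviceRemoved` and `PropertiesChanged` on those objects. Signal emission is mediated as a send (dbus-daemon reports `org.freedesktop.DBus` as the peer name for a destination-less signal, as far as I can tell), so the daemon's own signals will be denied unless an include not shown here covers them; a matching rule is `dbus send bus=system path=/org/freedesktop/UPower{,/**}` / `interface=org.freedesktop.{DBus.Properties,UPower{,.*}}` / `peer=(name=org.freedesktop.DBus),`. The bluez `GetManagedObjects` send at `path=/` and the `PrepareForSleep`/`PrepareForShutdown` receives from `systemd-logind` are also dropped with only an unnamed include added at the top; if that include is the `bus/login` file from this patch it grants only `Inhibit`, so those rules would need to come back.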
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index cbbb599e..7dfcbbf5 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -22,14 +23,17 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { ptrace (read), dbus bind bus=session name=org.freedesktop.portal.Desktop, - dbus receive bus=session path=/org/freedesktop/portal/desktop + dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings - peer=(name=:*), - dbus send bus=session path=/org/freedesktop/portal/desktop + dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties peer=(name=:*), - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings + dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.* + peer=(name=:*), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Realtime + member=MakeThread* peer=(name=:*), dbus bind bus=session name=org.freedesktop.background.Monitor, @@ -44,7 +48,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties peer=(name=:*, label=xdg-permission-store), - dbus send bus=session path=/org/freedesktop/portal/documents interface=org.freedesktop.DBus.Properties peer=(name=:*, label=xdg-document-portal), diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 1db9c4e0..0c157241 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory 
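Review bot: In the second hunk the `peer=(name=:*),` under `interface=org.freedesktop.portal.Settings` is removed and the next new-side line is the `dbus (send, receive)` rule for `DBus.Properties`, so the Settings rule no longer ends with a `,`; unless a line was lost in this rendering, apparmor_parser will reject the profile, and the fix is to restore `peer=(name=:*),` after the Settings line. Separately, `org.freedesktop.impl.portal.Settings` becomes `org.freedesktop.impl.portal.*` in both directions with only `name=:*`, which lets any session-bus peer drive the backend-facing interfaces on `/org/freedesktop/portal/desktop`; if the portal backends are confined, a `label=` list (as the `xdg-permission-store` and `xdg-document-portal` rules further down already use) would keep that bounded. The `MakeThread*` receive for `org.freedesktop.portal.Realtime` is meant for arbitrary callers, so `name=:*` alone is fine there.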
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/{,evolution-data-server/}evolution-calendar-factory profile evolution-calendar-factory @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 471a3e3a..8a2bc371 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -128,7 +128,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { dbus receive bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver - member=ActiveChanged + member={ActiveChanged,WakeUpScreen} peer=(name=:*, label=gjs-console), dbus receive bus=session diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 54d3aeff..ba776d89 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -25,14 +25,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include dbus bind bus=session name=org.gnome.Nautilus, - dbus send bus=session path=/org/gnome/Nautilus + dbus (send, receive) bus=session path=/org/gnome/Nautilus interface=org.gtk.{Actions,Application}, - dbus send bus=session path=/org/gnome/Nautilus{,/**} + dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/**} interface=org.freedesktop.DBus.Properties peer=(name=:*), - dbus send bus=session path=/org/gnome/Nautilus - interface=org.gtk.Application - peer=(name=org.gnome.Nautilus, label="{nautilus,gnome-shell}"), dbus bind bus=session name=org.freedesktop.FileManager1, dbus receive bus=session path=/org/freedesktop/FileManager1 diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index c26fead7..5af0db06 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor 
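Review bot: The `org.gtk.{Actions,Application}` rule on `/org/gnome/Nautilus` gains `receive` but has no `peer=` at all, so any session-bus label may now invoke Nautilus actions, while the Properties rule next to it is limited to `peer=(name=:*)` and the deleted third rule was limited to `label="{nautilus,gnome-shell}"`. Nautilus sends to its own well-known name when a second instance forwards `Open`/`Activate` and receives from unique names, so `peer=(name="{:*,org.gnome.Nautilus}")` keeps both directions working; narrowing further to `label="{nautilus,gnome-shell}"` depends on whether other callers (search providers, portals) exist, which this diff does not show.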
@@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfs-udisks2-volume-monitor profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index aaa95492..62319b44 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/systemd/systemd-logind profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { include + include include include include diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd index 7f19e22c..d0d162a9 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/profiles-a-f/boltd @@ -17,29 +17,15 @@ profile boltd @{exec_path} flags=(attach_disconnected) { network netlink raw, - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=RequestName, - - dbus receive bus=system path=/org/freedesktop/bolt - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=Changed - peer=(name=:*, label=polkitd), + dbus bind bus=system name=org.freedesktop.bolt, dbus receive bus=system path=/org/freedesktop/bolt interface=org.freedesktop.bolt1.Manager member=ListDevices, - - dbus bind bus=system - name=org.freedesktop.bolt, + + dbus receive bus=system path=/org/freedesktop/bolt + interface=org.freedesktop.DBus.Properties + member=GetAll, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 6b2a8beb..3ada1a8c 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd 
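Review bot: Both polkit rules (`Properties.GetAll` on `/org/freedesktop/PolicyKit1/Authority` and the `Changed` receive from `polkitd`) are deleted, and unlike packagekitd or udisksd in this patch the boltd hunk adds no include to replace them, so unless the profile's existing includes (outside this hunk) already grant them, boltd's authorization path will start logging denials. The two remaining `dbus receive` rules on `/org/freedesktop/bolt` have no `peer=`; `peer=(name=:*)` would at least follow the convention used elsewhere in the patch. The `dbus bind` line replaces the explicit `RequestName` send, which is right for the name-acquisition check, but as far as I can tell the `RequestName` call to `org.freedesktop.DBus` is still mediated as a send, so it is worth confirming the bus-system abstraction already lists it.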
@@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/packagekitd profile packagekitd @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -35,6 +36,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { signal send set=int peer=apt-methods-*, + dbus bind bus=system name=org.freedesktop.PackageKit, dbus receive bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.DBus.Properties peer=(name=:*, label=gnome-shell), @@ -49,7 +51,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={RequestName,GetConnectionUnixUser} + member={GetConnectionUnixUser,GetConnectionUnixProcessID} peer=(name=org.freedesktop.DBus, label=dbus-daemon), dbus send bus=system path=/org/freedesktop/NetworkManager @@ -62,24 +64,11 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged} peer=(name=:*, label=NetworkManager), - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=polkitd), - - dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=Changed - peer=(name=:*, label=polkitd), - dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={SessionNew,PrepareForShutdown,SessionRemoved,UserNew,UserRemoved,PrepareForSleep} peer=(name=:*, label=systemd-logind), - dbus bind bus=system - name=org.freedesktop.PackageKit, - @{exec_path} mr, @{bin}/gpg{,2} rCx -> gpg, diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 78b6ed4b..05873b98 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer 
@@ -28,15 +28,7 @@ profile system-config-printer @{exec_path} flags=(complain) { network inet6 stream, network netlink raw, - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization, - - dbus send bus=system path=/org/freedesktop/hostname[0-9] + dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=GetAll, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 63823851..d5c1c76c 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/{,udisks2/}udisksd profile udisksd @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -58,6 +59,14 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { signal (receive) set=(int) peer=@{systemd}, + dbus bind bus=system name=org.freedesktop.UDisks2, + dbus receive bus=system path=/org/freedesktop/UDisks2{,/**} + interface=org.freedesktop.UDisks2.* + peer=(name="{:*,org.freedesktop.DBus}"), + dbus receive bus=system path=/org/freedesktop/UDisks2{,/**} + interface=org.freedesktop.DBus.{Properties,ObjectManager} + peer=(name=:*), + dbus (send,receive) bus=system path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect, 
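Review bot: The `CheckAuthorization` send to `/org/freedesktop/PolicyKit1/Authority` is removed with nothing added in its place in this hunk, and because the profile is `flags=(complain)` (visible in the hunk header) a missing rule will only show up as ALLOWED audit lines rather than a visible failure. If an included abstraction is meant to provide it now, that is not visible here; otherwise keep `dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization peer=(name=:*, label=polkitd),` so the profile is ready to be enforced.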
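Review bot: The new `dbus receive ... interface=org.freedesktop.UDisks2.* peer=(name="{:*,org.freedesktop.DBus}")` accepts UDisks2 traffic whose source is the bus driver's name, which as far as I can tell only messages originating from dbus-daemon itself carry; it reads like a copy of a signal rule and deserves either a comment naming the message that needs it or dropping `org.freedesktop.DBus` from the name list. This hunk also turns the old `(send,receive)` rule on `/org/freedesktop/UDisks2{,/**}` into receive-only rules, but udisksd emits `InterfacesAdded`/`InterfacesRemoved` and `PropertiesChanged` on those objects, and signal emission is mediated as a send with `org.freedesktop.DBus` as the peer name for a destination-less signal. A rule such as `dbus send bus=system path=/org/freedesktop/UDisks2{,/**} interface=org.freedesktop.DBus.{Properties,ObjectManager} peer=(name=org.freedesktop.DBus),` would cover that unless an include not shown here does.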
@@ -66,37 +75,16 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=Get, - dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**} - interface=org.freedesktop.{DBus*,UDisks2*}, - - dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=Changed - peer=(name=:*, label=polkitd), - dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={ReleaseName,GetConnectionUnixUser,RequestName}, - - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member=Inhibit, + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), dbus receive bus=system path=/org/freedesktop/login1* - interface=org.freedesktop.login1*.Manager + interface=org.freedesktop.login1.Manager member={PrepareForSleep,PrepareForShutdown} peer=(name=:*, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization, - - dbus bind bus=system name=org.freedesktop.UDisks2, - @{exec_path} mr, @{bin}/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index 0c83be71..941d64f6 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant 
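Review bot: `path=/org/freedesktop/login1*` in the kept `PrepareForSleep`/`PrepareForShutdown` receive still has a trailing glob, so it also matches any future `/org/freedesktop/login1xyz` object; the patch tightens `login1*.Manager` to `login1.Manager` on the very next line and `hostname[0-9]` to `hostname1` in system-config-printer, and `path=/org/freedesktop/login1` here would finish that cleanup. The dropped `Inhibit` send is presumably covered by the include added in the first udisksd hunk, whose name is not visible in this rendering.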
@@ -26,16 +26,11 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { network packet raw, network packet dgram, - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=RequestName, - - dbus receive bus=system path=/fi/w[0-9]/wpa_supplicant1 + dbus bind bus=system name=fi.w1.wpa_supplicant1, + dbus receive bus=system path=/fi/w1/wpa_supplicant1 interface=org.freedesktop.DBus.Properties member=GetAll, - dbus bind bus=system name=fi.w1.wpa_supplicant1, - @{exec_path} mr, /etc/wpa_supplicant/wpa_supplicant.conf rw,
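Review bot: The `dbus receive ... org.freedesktop.DBus.Properties member=GetAll` on `/fi/w1/wpa_supplicant1` keeps no `peer=`, so any system-bus label can read the supplicant's properties (such as its interface list); `peer=(name=:*)` at least, or `peer=(name=:*, label=NetworkManager)` if NetworkManager is the only expected client, is the pattern used elsewhere in this patch. Narrowing `/fi/w[0-9]/wpa_supplicant1` to `/fi/w1/wpa_supplicant1` is correct since the bind on the next line only ever claims `fi.w1.wpa_supplicant1`.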