From 2432414ae2e7c36e0275493d68a256ee32514f90 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 4 Dec 2023 18:52:10 +0000
Subject: [PATCH] feat(dbus): rewrite some dbus rules (4).
---
 apparmor.d/groups/gnome/gsd-power | 118 ++++++------------
 apparmor.d/groups/systemd/systemd-localed | 12 +-
 apparmor.d/groups/systemd/systemd-networkd | 8 +-
 .../groups/systemd/systemd-user-runtime-dir | 6 +-
 apparmor.d/profiles-a-f/fprintd | 6 +-
 apparmor.d/profiles-g-l/login | 7 +-
 .../profiles-m-r/needrestart-apt-pinvoke | 6 +-
 apparmor.d/profiles-m-r/power-profiles-daemon | 10 +-
 apparmor.d/profiles-s-z/su | 7 +-
 apparmor.d/profiles-s-z/sudo | 4 +-
 apparmor.d/profiles-s-z/switcheroo-control | 11 +-
 apparmor.d/profiles-s-z/thunderbird | 4 +-
 apparmor.d/profiles-s-z/udisksd | 5 -
 13 files changed, 61 insertions(+), 143 deletions(-)
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index 817fe132..f914d431 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -11,8 +11,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
- include
+ include
 include
 include
 include
@@ -27,17 +28,43 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term, hup) peer=gdm*,
- dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**}
- interface=org.freedesktop.{DBus.Properties,UPower*},
+ dbus bind bus=session name=org.gnome.SettingsDaemon.Power,
+ dbus (send, receive) bus=session path=/org/gnome/SettingsDaemon/Power
+ interface=org.freedesktop.DBus.Properties
+ peer=(name="{org.freedesktop.DBus,:*}", label="{gsd-media-keys,gnome-shell}"),
+
+ dbus send bus=session path=/org/gnome/SessionManager{,/**}
+ interface=org.freedesktop.DBus.Properties
+ peer=(name=:*),
+ dbus send bus=session path=/org/gnome/SessionManager{,/**}
+ interface=org.gnome.SessionManager
+ peer=(name=:*),
+ dbus receive bus=session path=/org/gnome/SessionManager{,/**}
+ interface=org.gnome.SessionManager{,.*}
+ peer=(name=:*, label=gnome-session-binary),
+ dbus receive bus=session path=/org/gnome/SessionManager{,/**}
+ interface=org.freedesktop.DBus.Properties
+ peer=(name=:*, label=gnome-session-binary),
+
+ dbus send bus=session path=/org/gnome/Mutter/**
+ interface=org.freedesktop.DBus.{Properties,ObjectManager}
+ peer=(name=:*, label=gnome-shell),
+ dbus send bus=session path=/org/gnome/Mutter/**
+ interface=org.gnome.Mutter.DisplayConfig
+ peer=(name=:*, label=gnome-shell),
+ dbus send bus=session path=/org/gnome/Mutter/**
+ interface=org.gnome.Mutter.IdleMonitor
+ peer=(name=:*, label=gnome-shell),
+
+ dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight
+ interface=org.freedesktop.UPower.KbdBacklight
+ member=GetBrightness
+ peer=(name=:*, label=upowerd),
 dbus send bus=system path=/org/freedesktop/systemd[0-9]
 interface=org.freedesktop.DBus.Properties
 member=Get,
- dbus send bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
-
 dbus send bus=system path=/org/freedesktop/login1/session/auto
 interface=org.freedesktop.DBus.Properties
 member=GetAll,
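Review bot: The new send rule `dbus send bus=session path=/org/gnome/SessionManager{,/**} interface=org.gnome.SessionManager peer=(name=:*),` matches the interface name exactly, so it does not cover the `org.gnome.SessionManager.ClientPrivate` EndSessionResponse reply whose dedicated rule the following hunk removes, while the matching receive rule in this hunk already uses `interface=org.gnome.SessionManager{,.*}`; the send rule should read `interface=org.gnome.SessionManager{,.*}` as well. Without it the reply to QueryEndSession/EndSession from gnome-session would presumably no longer be permitted by this profile and logout would wait for the client timeout. Separately, the two SessionManager send rules carry `peer=(name=:*)` with no label while every other session-bus rule in this hunk is pinned to gnome-session-binary or gnome-shell; `peer=(name=:*, label=gnome-session-binary)` would keep them consistent with the receive side. The profile body begins before this hunk.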
@@ -46,96 +73,31 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.login1.Session
 member=SetBrightness,
- dbus send bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- member=Inhibit,
-
- dbus receive bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- member={SessionNew,SessionRemoved,PrepareForShutdown,UserNew,UserRemoved,PrepareForSleep}
- peer=(name=:*, label=systemd-logind),
-
- dbus receive bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged,
-
 dbus send bus=system path=/net/hadess/PowerProfiles
 interface=org.freedesktop.DBus.Properties
- member=GetAll,
+ member=GetAll
+ peer=(name=:*, label=power-profiles-daemon),
 dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
 interface=org.freedesktop.DBus.Properties
 member={GetAll,PropertiesChanged}
 peer=(name=:*, label=gnome-session-binary),
- dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member=EndSessionResponse
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member={CancelEndSession,QueryEndSession,EndSession,Stop}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member=RegisterClient
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member={ClientAdded,SessionRunning,ClientRemoved,InhibitorAdded,InhibitorRemoved}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
- interface=org.freedesktop.DBus.Properties
- member={GetAll,GetResources,Set}
- peer=(name=:*, label=gnome-shell),
-
- dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
- interface=org.freedesktop.DBus.Properties
- member=Set
- peer=(name=:*, label=gsd-power),
-
- dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
- interface=org.gnome.Mutter.DisplayConfig
- member=GetResources
- peer=(name=:*, label=gnome-shell),
-
- dbus (send, receive) bus=session path=/org/gnome/SettingsDaemon/Power
- interface=org.freedesktop.DBus.Properties
- member={GetAll,PropertiesChanged,Set}
- peer=(name="{org.freedesktop.DBus,:*}", label="{gsd-media-keys,gnome-shell}"),
-
- dbus send bus=session path=/org/gnome/Mutter/IdleMonitor
- interface=org.freedesktop.DBus.ObjectManager
- member=GetManagedObjects
- peer=(name=:*, label=gnome-shell),
-
- dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core
- interface=org.gnome.Mutter.IdleMonitor
- member={AddIdleWatch,AddUserActiveWatch,RemoveWatch}
- peer=(name=:*, label=gnome-shell),
-
- dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
- interface=org.gnome.Mutter.IdleMonitor
- member=WatchFired
- peer=(name=:*, label=gnome-shell),
 dbus receive bus=session path=/org/gnome/ScreenSaver
 interface=org.gnome.ScreenSaver
 member=ActiveChanged
 peer=(name=:*, label=gjs-console),
+ dbus send bus=system path=/org/freedesktop/systemd1
+ interface=org.freedesktop.DBus.Properties
+ peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+
 dbus receive bus=session interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
- dbus bind bus=session
- name=org.gnome.SettingsDaemon.Power,
-
 @{exec_path} mr,
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index 1f2bf155..4dbb7ead 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
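Review bot: The removed `dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor member=WatchFired` rule has no receive counterpart among the rewritten Mutter rules in the previous hunk, which are all `dbus send`; the WatchFired signal gnome-shell sends back for idle watches would no longer be permitted by this profile. Changing that hunk's line to `dbus (send, receive) bus=session path=/org/gnome/Mutter/**` for the `org.gnome.Mutter.IdleMonitor` interface restores it. Also the new `dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties peer=(name=org.freedesktop.systemd1, label="@{systemd}"),` overlaps the `path=/org/freedesktop/systemd[0-9] interface=org.freedesktop.DBus.Properties member=Get,` rule retained earlier in the profile, which already allows Get to any peer; if the peer-pinned rule is the intended one, the older, wider rule could be dropped. The profile body continues past the end of this hunk.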
@@ -17,17 +17,11 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 # Needed? audit capability net_admin,
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={ReleaseName,RequestName}
- peer=(name=org.freedesktop.DBus),
-
+ dbus bind bus=system name=org.freedesktop.locale1,
 dbus receive bus=system path=/org/freedesktop/locale1
 interface=org.freedesktop.DBus.Properties
- member=GetAll,
-
- dbus bind bus=system
- name=org.freedesktop.locale[0-9],
+ member=GetAll
+ peer=(name=:*, label=evolution-addressbook-factory),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index 390a8e86..d6501465 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@@ -26,10 +26,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
 network packet dgram,
 network packet raw,
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=RequestName
- peer=(name=org.freedesktop.DBus),
+ dbus bind bus=system name=org.freedesktop.network1,
 dbus send bus=system path=/org/freedesktop/hostname1
 interface=org.freedesktop.hostname1
@@ -45,9 +42,6 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
 member=PropertiesChanged
 peer=(name=org.freedesktop.DBus),
- dbus bind bus=system
- name=org.freedesktop.network1,
-
 @{exec_path} mr,
 /var/lib/dbus/machine-id r,
diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir
index 18166ec9..eddb8276 100644
--- a/apparmor.d/groups/systemd/systemd-user-runtime-dir
+++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/systemd/systemd-user-runtime-dir
 profile systemd-user-runtime-dir @{exec_path} {
 include
+ include
 include
 include
 include
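Review bot: The rewritten receive rule now admits GetAll on /org/freedesktop/locale1 only from `peer=(name=:*, label=evolution-addressbook-factory)`, whereas the removed `member=GetAll,` rule accepted it from any peer; any other confined caller that reads locale1 properties (a localectl or settings-panel client, presumably) would now be denied by this profile unless another rule covers it. If a single client was all that was observed, a comment recording that (`# Only evolution-addressbook-factory observed so far; widen if other callers need locale1`) would tell the next maintainer why the peer is pinned; otherwise `peer=(name=:*)` as the switcheroo-control hunk in this commit uses would keep the previous behaviour while still naming a peer. The profile body continues outside this hunk.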
@@ -22,11 +23,6 @@ profile systemd-user-runtime-dir @{exec_path} {
 mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
 umount @{run}/user/@{uid}/,
- dbus send bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.DBus.Properties
- member=Get
- peer=(name=org.freedesktop.login1),
-
 @{exec_path} mr,
 /etc/machine-id r,
diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd
index 414606d7..8e19b1e4 100644
--- a/apparmor.d/profiles-a-f/fprintd
+++ b/apparmor.d/profiles-a-f/fprintd
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/fprintd
 profile fprintd @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -23,11 +24,6 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
 interface={org.freedesktop.DBus.Properties,net.reactivated.Fprint.Manager}
 peer=(name=:*),
- dbus send bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- member=Inhibit
- peer=(name=org.freedesktop.login1),
-
 @{exec_path} mr,
 /etc/fprintd.conf r,
diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login
index d97105d8..554cb6f4 100644
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@@ -10,10 +10,11 @@ include
 profile login @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
+ include
 include
 include
- include
 capability audit_write,
 capability chown,
@@ -34,10 +35,6 @@ profile login @{exec_path} flags=(attach_disconnected) {
 ptrace read,
- dbus send bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.login1.*
- peer=(name=org.freedesktop.login1),
-
 @{exec_path} mr,
 @{bin}/{,z,ba,da}sh rUx,
diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
index edc1adb6..35b26db4 100644
--- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
+++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
@@ -9,14 +9,10 @@ include
 @{exec_path} = @{lib}/needrestart/apt-pinvoke
 profile needrestart-apt-pinvoke @{exec_path} {
 include
+ include
 include
 include
- dbus send bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.DBus.Properties
- member=Get
- peer=(name=org.freedesktop.login1, label=systemd-logind),
-
 @{exec_path} mr,
 @{bin}/{,ba,da}sh rix,
diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon
index f7097355..83c4551f 100644
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/power-profiles-daemon
 profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -29,15 +30,6 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 peer=(name=org.freedesktop.DBus),
- dbus send bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=systemd-logind),
-
- dbus receive bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- peer=(name=:*, label=systemd-logind),
-
 @{exec_path} mr,
 /var/lib/power-profiles-daemon/{,**} rw,
diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su
index e5175f3f..7f2240f8 100644
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@@ -37,9 +37,10 @@ profile su @{exec_path} {
 network netlink raw,
- dbus (send) bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- member={CreateSession,ReleaseSession},
+ dbus send bus=system path=/org/freedesktop/login1
+ interface=org.freedesktop.logi1.Manager
+ member={CreateSession,ReleaseSession}
+ peer=(name=org.freedesktop.login1, label=systemd-logind),
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index 9a1faa04..971fc9e1 100644
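Review bot: The added line `interface=org.freedesktop.logi1.Manager` in the su hunk misspells the interface (the path and peer name on the neighbouring lines read `login1`, and the line it replaces read `org.freedesktop.login1.Manager`), so the rule will never match and the CreateSession/ReleaseSession calls it is meant to allow would not be permitted by this profile; it should read `interface=org.freedesktop.login1.Manager`. The sudo hunk that follows edits the member and peer lines directly under the same misspelt context line `interface=org.freedesktop.logi1.Manager`, which this commit leaves in place, so both profiles need the same one-character fix. The su profile body continues outside this hunk.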
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -43,8 +43,8 @@ profile sudo @{exec_path} {
 dbus send bus=system path=/org/freedesktop/login1
 interface=org.freedesktop.logi1.Manager
- member=CreateSession
- peer=(name=org.freedesktop.login1),
+ member={CreateSession,ReleaseSession}
+ peer=(name=org.freedesktop.login1, label=systemd-logind),
 dbus (send receive) bus=session path=/org/freedesktop/systemd1
 interface=org.freedesktop.systemd.Manager
diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control
index 829cdcc4..17a85d3b 100644
--- a/apparmor.d/profiles-s-z/switcheroo-control
+++ b/apparmor.d/profiles-s-z/switcheroo-control
@@ -15,16 +15,11 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus bind bus=system name=net.hadess.SwitcherooControl,
 dbus receive bus=system path=/net/hadess/SwitcherooControl
 interface=org.freedesktop.DBus.Properties
- member=GetAll,
-
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=RequestName,
-
- dbus bind bus=system
- name=net.hadess.SwitcherooControl,
+ member=GetAll
+ peer=(name=:*),
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index 129ea411..85ede64b 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -61,8 +61,8 @@ profile thunderbird @{exec_path} {
 member=Read
 peer=(name=:*),
- dbus receive bus=system path=/org/freedesktop/login1*
- interface=org.freedesktop.login1*.Manager
+ dbus receive bus=system path=/org/freedesktop/login1
+ interface=org.freedesktop.login1.Manager
 member={UserAdded,UserRemoved}
 peer=(name=:*, label=systemd-logind),
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index d5c1c76c..59624d04 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -80,11 +80,6 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 member={GetConnectionUnixUser,GetConnectionUnixProcessID}
 peer=(name=org.freedesktop.DBus, label=dbus-daemon),
- dbus receive bus=system path=/org/freedesktop/login1*
- interface=org.freedesktop.login1.Manager
- member={PrepareForSleep,PrepareForShutdown}
- peer=(name=:*, label=systemd-logind),
-
 @{exec_path} mr,
 @{bin}/{,ba,da}sh rix,
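Review bot: This hunk drops the receive rule for login1 `member={PrepareForSleep,PrepareForShutdown}` without adding anything in its place, and unlike the other profiles in this commit that lose their login1 rules (fprintd, login, needrestart-apt-pinvoke, power-profiles-daemon, systemd-user-runtime-dir) the udisksd section adds no include, which the diffstat confirms with 5 deletions and no insertions for it. If udisksd does not already include the abstraction the other profiles gain, the logind signals it listened for would no longer be permitted by this profile; that can only be checked against the full file, which is outside this hunk. A short comment at the removal site, or an added include matching the sibling profiles, would make the intent visible.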