From 24ea5f0a3acbccdbf5ddb4157c48d5df413de9a0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 13 Nov 2024 12:23:36 +0000 Subject: [PATCH] feat(tunable): add p_dbus_* variables. This allow for better integration for system when dbus is not confined. --- apparmor.d/abstractions/bus-accessibility | 4 ++-- apparmor.d/abstractions/bus-session | 4 ++-- apparmor.d/abstractions/bus-system | 4 ++-- apparmor.d/abstractions/bus/org.a11y | 2 +- apparmor.d/groups/_full/systemd | 2 +- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/bus/at-spi2-registryd | 2 +- apparmor.d/groups/freedesktop/accounts-daemon | 2 +- apparmor.d/groups/freedesktop/colord | 2 +- apparmor.d/groups/freedesktop/geoclue | 2 +- apparmor.d/groups/freedesktop/pipewire | 2 +- apparmor.d/groups/freedesktop/pipewire-media-session | 2 +- apparmor.d/groups/freedesktop/polkitd | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/gnome/gdm | 2 +- apparmor.d/groups/gnome/gnome-extension-ding | 6 +++--- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gnome-shell | 10 +++++----- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/gnome/nautilus | 4 ++-- apparmor.d/groups/network/NetworkManager | 2 +- apparmor.d/groups/ssh/ssh-agent-launch | 2 +- apparmor.d/groups/systemd/busctl | 2 +- apparmor.d/groups/systemd/systemd-hostnamed | 2 +- apparmor.d/groups/systemd/systemd-logind | 2 +- apparmor.d/groups/systemd/systemd-resolved | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/rtkit-daemon | 2 +- apparmor.d/profiles-s-z/udisksd | 2 +- apparmor.d/tunables/multiarch.d/profiles | 5 +++++ docs/development/guidelines.md | 2 +- 33 files changed, 47 insertions(+), 42 deletions(-) diff --git a/apparmor.d/abstractions/bus-accessibility b/apparmor.d/abstractions/bus-accessibility index ee0a16b9..eba12457 100644 --- a/apparmor.d/abstractions/bus-accessibility +++ b/apparmor.d/abstractions/bus-accessibility @@ -7,12 +7,12 @@ dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-accessibility), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-accessibility), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), owner @{run}/user/@{uid}/at-spi/ rw, owner @{run}/user/@{uid}/at-spi/bus rw, diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index 811787ba..95325d7d 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -11,12 +11,12 @@ dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index 0bfe9681..87044300 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system @@ -7,12 +7,12 @@ dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{run}/dbus/system_bus_socket rw, diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index 357c0647..bb31a079 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -36,7 +36,7 @@ dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus member=GetAddress - peer=(name=org.a11y.Bus, label=dbus-accessibility), + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 9e1737a2..9f611cf3 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -138,7 +138,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionUnixUser - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{bin}/** Px, @{lib}/** Px, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 19f187cc..9d7ba9b7 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -43,7 +43,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus/Bus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), dbus send bus=system interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index fd970709..9838ba40 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -20,7 +20,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { signal receive set=hup peer=gdm-session-worker, #aa:dbus own bus=accessibility name=org.a11y.atspi - #aa:dbus talk bus=session name=org.a11y.{B,b}us label=dbus-accessibility + #aa:dbus talk bus=session name=org.a11y.{B,b}us label="@{p_dbus_accessibility}" dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 539a2a57..42758585 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -28,7 +28,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index ffdfe08a..26a07d8a 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -25,7 +25,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index ec1633a9..383360ad 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -29,7 +29,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index f6f4c12a..e2b1b22d 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -28,7 +28,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index 212898a8..fa1e44d0 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -26,7 +26,7 @@ profile pipewire-media-session @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionUnixProcessID - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 14edf32c..5e3d3ee7 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -26,7 +26,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 489a0426..57b17b65 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -47,7 +47,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index b0f5e81a..6bafb132 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -40,7 +40,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index f74afdea..06846960 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -38,14 +38,14 @@ profile gnome-extension-ding @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 42c1265a..babd12c3 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -37,7 +37,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment} - peer=(name=org.freedesktop.DBus label=dbus-session), + peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index d8ae32fd..7cc73949 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -112,22 +112,22 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), # Session bus dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/ interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket @@ -161,7 +161,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/gnome/*/SearchProvider interface=org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 3c2ef3da..d9b0e5e2 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -43,7 +43,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/ interface=org.freedesktop.DBus member=ListNames - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 51bcf2e1..c7478292 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -41,7 +41,7 @@ profile gsd-xsettings @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetId - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index e4990a3e..890e5b34 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -43,12 +43,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=ListActivatableNames - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/dbus interface=org.freedesktop.DBus member=NameHasOwner - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), @{exec_path} mr, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index e20ea48b..de4644bd 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -70,7 +70,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index 7e0422c5..c9f0c637 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch @@ -27,7 +27,7 @@ profile ssh-agent-launch @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=UpdateActivationEnvironment - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index dcb60493..3cea03c9 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -33,7 +33,7 @@ profile busctl @{exec_path} { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Monitoring member=BecomeMonitor - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 878884ad..46786c65 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -25,7 +25,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionUnixUser - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 012a8978..6b01f514 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -43,7 +43,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index f6867f43..f693cbee 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -34,7 +34,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 6cee42be..45b2ccfb 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -42,7 +42,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), dbus send bus=system path=/org/freedesktop/UDisks2/Manager interface=org.freedesktop.UDisks2.Manager diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index b97c5e9a..6847476e 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -43,7 +43,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index ddb62cb5..d3a88d78 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -26,7 +26,7 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index b89d9c72..530373ef 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -67,7 +67,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index a24cefc0..2d1fccb3 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -11,4 +11,9 @@ @{p_systemd}=unconfined @{p_systemd_user}=unconfined +# Name of the dbus daemon profiles +@{p_dbus_system}=dbus-system +@{p_dbus_session}=dbus-session +@{p_dbus_accessibility}=dbus-accessibility + # vim:syntax=apparmor diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md index f207e58a..fad90158 100644 --- a/docs/development/guidelines.md +++ b/docs/development/guidelines.md @@ -85,7 +85,7 @@ For DBus, try to determine peer's label when possible. E.g.: dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), ``` If there is no predictable label it can be omitted.