From 2af165403abcac390a5b1f73b672d25eddab304d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 2 Dec 2023 16:05:40 +0000 Subject: [PATCH] feat(dbus): rewrite some dbus rules (3). --- apparmor.d/groups/browsers/firefox | 7 +-- apparmor.d/groups/bus/ibus-x11 | 5 ++ apparmor.d/groups/freedesktop/pipewire | 11 +--- .../groups/freedesktop/pipewire-media-session | 11 +--- apparmor.d/groups/freedesktop/pulseaudio | 5 +- .../groups/freedesktop/xdg-desktop-portal | 5 +- .../freedesktop/xdg-desktop-portal-gnome | 22 ++------ .../groups/freedesktop/xdg-desktop-portal-gtk | 31 ++--------- apparmor.d/groups/gnome/gdm-session-worker | 18 +++--- apparmor.d/groups/gnome/gjs-console | 3 + apparmor.d/groups/gnome/gnome-extension-ding | 4 +- apparmor.d/groups/gnome/gnome-shell | 2 + apparmor.d/groups/gnome/gnome-terminal-server | 9 +++ apparmor.d/groups/gnome/goa-daemon | 18 ++---- apparmor.d/groups/gnome/gsd-power | 1 + apparmor.d/groups/gnome/gsd-xsettings | 6 +- apparmor.d/groups/gnome/tracker-miner | 7 +-- apparmor.d/groups/kde/plasmashell | 6 +- apparmor.d/groups/network/ModemManager | 3 +- apparmor.d/groups/network/NetworkManager | 55 +++++++++---------- apparmor.d/groups/systemd/systemd-logind | 12 ++-- apparmor.d/profiles-a-f/fwupd | 23 +++----- apparmor.d/profiles-s-z/spice-vdagent | 11 ++++ apparmor.d/profiles-s-z/thermald | 6 +- apparmor.d/profiles-s-z/thunderbird | 10 +--- apparmor.d/profiles-s-z/wireplumber | 17 +----- 26 files changed, 117 insertions(+), 191 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 54fcbf0b..e6224d8a 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -17,6 +17,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { include include include + include include include include 
@@ -84,10 +85,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) { member=Inhibit peer=(name=org.freedesktop.PowerManagement), - dbus send bus=system path=/org/freedesktop/RealtimeKit1 - member={Get,MakeThreadHighPriority,MakeThreadRealtime,MakeThreadRealtimeWithPID} - peer=(name=org.freedesktop.RealtimeKit1*), - dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2 interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged} @@ -106,7 +103,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member=GetTreeFromDevice - peer=(name=:*), + peer=(name=:*, label=gvfsd-metadata), dbus send bus=session path=/org/mozilla/firefox/Remote interface=org.mozilla.firefox diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 23bf516b..e179828c 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -28,6 +28,11 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, /var/lib/gdm{3,}/.config/ibus/bus/ r, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 8860ad28..a5ec36fe 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -11,6 +11,7 @@ include profile pipewire @{exec_path} flags=(attach_disconnected) { include include + include include include include 
@@ -24,16 +25,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { dbus bind bus=session name=org.pulseaudio.Server, - dbus send bus=system path=/org/freedesktop/RealtimeKit1 - interface=org.freedesktop.RealtimeKit1 - member=MakeThread* - peer=(name=org.freedesktop.RealtimeKit1), - - dbus send bus=system path=/org/freedesktop/RealtimeKit1 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.RealtimeKit1), - dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index b7d23d3a..24dcd5cf 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -11,6 +11,7 @@ include profile pipewire-media-session @{exec_path} { include include + include include include include @@ -22,16 +23,6 @@ profile pipewire-media-session @{exec_path} { network bluetooth stream, network netlink raw, - dbus send bus=system path=/org/freedesktop/RealtimeKit1 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.RealtimeKit1), - - dbus send bus=system path=/org/freedesktop/RealtimeKit1 - interface=org.freedesktop.RealtimeKit1 - member=MakeThreadRealtime - peer=(name=org.freedesktop.RealtimeKit1), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index f7f0f03d..7159be1c 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -12,6 +12,7 @@ include profile pulseaudio @{exec_path} { include include + include include include include 
@@ -73,10 +74,6 @@ profile pulseaudio @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), - dbus send bus=system path=/org/freedesktop/RealtimeKit1 - member={Get,MakeThreadHighPriority,MakeThreadRealtime} - peer=(name=org.freedesktop.RealtimeKit1), - dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 0d1f08b6..cbbb599e 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -24,10 +24,13 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus bind bus=session name=org.freedesktop.portal.Desktop, dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings - peer=(name=:*, label=nautilus), + peer=(name=:*), dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties peer=(name=:*), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + peer=(name=:*), dbus bind bus=session name=org.freedesktop.background.Monitor, dbus receive bus=session path=/org/freedesktop/background/monitor diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index bc7e22cb..08400838 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} { include + include include include include 
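Review bot: The new `dbus send … interface=org.freedesktop.impl.portal.Settings peer=(name=:*)` rule in the xdg-desktop-portal hunk carries no peer label, although the only legitimate recipients of the impl interface are the portal backends, two of which (xdg-desktop-portal-gnome and xdg-desktop-portal-gtk) get profiles in this same commit. Narrowing it to `peer=(name=:*, label="{xdg-desktop-portal-gnome,xdg-desktop-portal-gtk}")`, extended with whatever other backend profiles the set ships, keeps the portal from being able to drive the impl interface on an arbitrary session peer. The loosening of the `portal.Settings` receive rule from `label=nautilus` to `name=:*` is consistent with the Settings portal being meant for every application and looks correct. The enclosing `profile xdg-desktop-portal` block continues outside the hunk.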
@@ -28,18 +29,6 @@ profile xdg-desktop-portal-gnome @{exec_path} { dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gnome, - dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, - - dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* - interface=org.freedesktop.Accounts.User - member=Changed, - dbus send bus=session path=/org/gnome/Shell/Screenshot interface=org.freedesktop.DBus.Properties member=GetAll @@ -85,15 +74,12 @@ profile xdg-desktop-portal-gnome @{exec_path} { member=Read peer=(name=:*, label=xdg-desktop-portal), - dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig - interface=org.gnome.Mutter.DisplayConfig - member=GetCurrentState + dbus (send, receive) bus=session path=/org/gnome/Mutter/* + interface=org.gnome.Mutter.* peer=(name=:*, label="{gnome-shell,gsd-xsettings}"), - dbus send bus=session path=/org/gnome/Mutter/* interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), + peer=(name=:*, label="{gnome-shell,gsd-xsettings}"), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 1fc58d9a..cb3aba93 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} { include + include include include include 
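Review bot: In the `/org/gnome/Mutter/*` rewrite, a single `*` in a dbus `path=` follows the same globbing as file rules and does not cross `/`, so the rule covers top-level objects such as `/org/gnome/Mutter/DisplayConfig` and `/org/gnome/Mutter/ScreenCast` but not the per-session and per-stream objects Mutter creates below them (`/org/gnome/Mutter/ScreenCast/Session/…`, `/org/gnome/Mutter/RemoteDesktop/Session/…`), which the screencast and remote-desktop portals would presumably have to talk to. If those are needed, `path=/org/gnome/Mutter/{,**}` is the form this profile set uses elsewhere (compare `path=/org/gnome/Terminal{,/**}` later in this commit); if they are not, a comment saying only the top-level objects are exercised would save the next reader the same question. Note also that the new rule is `(send, receive)` across all of `org.gnome.Mutter.*` with no member filter, a large step up from the previous `GetCurrentState`-only rule; a one-line comment naming which Mutter interfaces the portal actually drives would make that deliberate. The enclosing profile block continues outside the hunk.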
@@ -32,31 +33,6 @@ profile xdg-desktop-portal-gtk @{exec_path} { dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gtk, - dbus send bus=system path=/org/freedesktop/Accounts/User@{int} - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus receive bus=system path=/org/freedesktop/Accounts/User@{int} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, - - dbus receive bus=system path=/org/freedesktop/Accounts/User@{int} - interface=org.freedesktop.Accounts.User - member=Changed, - - dbus receive bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.NetworkManager - member=CheckPermissions, - - dbus receive bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, - - dbus send bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gsd-xsettings), - dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member=RegisterClient @@ -121,6 +97,11 @@ profile xdg-desktop-portal-gtk @{exec_path} { member=GetAll peer=(name=:*, label=gnome-shell), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, /usr/share/X11/xkb/{,**} r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index d9807f34..d27d5cf3 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -10,6 +10,7 @@ include profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { include include + include include include include 
@@ -46,18 +47,15 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { network netlink raw, - dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} - interface=org.freedesktop.{DBus.Properties,Accounts*} - member={GetAll,FindUserByName,SetLanguage,Changed,PropertiesChanged}, - - dbus receive bus=system path=/org/freedesktop/Accounts - interface=org.freedesktop.Accounts - member=UserAdded - peer=(name=:*, label=accounts-daemon), - dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager - member={CreateSession,ReleaseSession}, + member=*Session + peer=(name=org.freedesktop.login1, label=systemd-logind), + + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} + interface=org.freedesktop.Accounts.User + member=SetLanguage + peer=(name=:*, label=accounts-daemon), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 14c20bd5..2ad3db50 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -44,6 +44,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver peer=(name=:*), # all members + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + peer=(name=org.freedesktop.DBus), dbus send bus=session path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties peer=(name=:*), # all members diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index e3cf6d83..ee671f95 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding 
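Review bot: `member=*Session` on the login1.Manager send rule in the gdm-session-worker hunk is wider than the `{CreateSession,ReleaseSession}` it replaces: the same glob also admits `KillSession`, `TerminateSession`, `LockSession`, `UnlockSession`, `ActivateSession` and `GetSession`. Unless those were actually observed, listing the members explicitly (`member={CreateSession,ReleaseSession}` plus whatever was logged) keeps a worker compromised during PAM handling from terminating or locking other users' sessions through logind. If the wildcard was deliberate, a short comment saying so would help. The same hunk drops the Accounts `GetAll`/`FindUserByName`/`Changed` rules, presumably in favour of the abstraction added in this file's first hunk, whose name is not visible here, so I cannot confirm that nothing was lost. The enclosing profile block continues outside the hunk.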
@@ -75,8 +75,8 @@ profile gnome-extension-ding @{exec_path} { member=Introspect peer=(name=:*, label=nautilus), - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus + dbus send bus={systemd,session} path=/org/freedesktop/DBus + interface=org.freedesktop.DBus{,.Properties} peer=(name=org.freedesktop.DBus, label=dbus-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 4831b3d0..188e97a4 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -11,7 +11,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index abcc7450..f7d7f59c 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -23,6 +23,15 @@ profile gnome-terminal-server @{exec_path} { ptrace (read) peer=unconfined, dbus bind bus=session name=org.gnome.Terminal, + dbus receive bus=session path=/org/gnome/Terminal{,/**} + interface=org.gnome.Terminal.* + peer=(name=:*), + dbus receive bus=session path=/org/gnome/Terminal{,/**} + interface=org.freedesktop.DBus.Properties + peer=(name=:*, label=unconfined), + dbus receive bus=session path=/org/gnome/Terminal{,/**} + interface=org.gtk.Actions + peer=(name=:*), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index be4bbcb7..085e8672 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/goa-daemon profile goa-daemon @{exec_path} { include - include + include include include include 
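Review bot: `bus={systemd,session}` in the gnome-extension-ding rule names a `systemd` bus, which does not exist; the intended alternation is almost certainly `bus={system,session}`. The parser does not validate bus names against a fixed list as far as I know, so the rule will most likely load but never match the system bus, and the `org.freedesktop.DBus` calls that motivated the change will still be denied there. Suggested line: `dbus send bus={system,session} path=/org/freedesktop/DBus`. The enclosing profile block continues outside the hunk.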
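Review bot: The three new receive rules for `/org/gnome/Terminal{,/**}` in the gnome-terminal-server hunk are inconsistent with one another: `org.gnome.Terminal.*` and `org.gtk.Actions` are accepted from any peer (`peer=(name=:*)`), while `org.freedesktop.DBus.Properties` is restricted to `label=unconfined`. Either the unconfined `gnome-terminal` client really is the only caller, in which case the other two rules can carry the same `label=unconfined`, or it is not, in which case the Properties restriction will produce denials for confined callers. A one-line comment above the block naming the expected caller would settle which is intended. The profile block continues outside the hunk.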
@@ -25,10 +25,10 @@ profile goa-daemon @{exec_path} { network inet6 dgram, network netlink raw, - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus bind bus=session name=org.gnome.OnlineAccounts, + dbus receive bus=session path=/org/gnome/OnlineAccounts + interface=org.freedesktop.DBus.ObjectManager + peer=(name=:*), dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties @@ -52,14 +52,6 @@ profile goa-daemon @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Identity/Manager - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=goa-identity-service), - - dbus bind bus=session - name=org.gnome.OnlineAccounts, - @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index aa9b1a53..817fe132 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -11,6 +11,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index c9fd4b03..3c189467 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-xsettings profile gsd-xsettings @{exec_path} { include + include include include include 
@@ -38,11 +39,6 @@ profile gsd-xsettings @{exec_path} { member=GetAll peer=(name=:*), # many peer's labels - dbus receive bus=system path=/org/freedesktop/Accounts - interface=org.freedesktop.Accounts - member={UserAdded,UserRemoved} - peer=(name=:*, label=accounts-daemon), - dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={ClientAdded,ClientRemoved,SessionRunning} diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index ac628b9c..1ec50c15 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/tracker-miner-fs-{,control-}3 profile tracker-miner @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -27,15 +28,11 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { dbus (send, receive) bus=session path=/org/freedesktop/Tracker3/** interface=org.freedesktop.Tracker3.* - peer=(name=:*), # all members + peer=(name="{:*,org.freedesktop.DBus}"), # all members dbus receive bus=session path=/org/freedesktop/Tracker3/** interface=org.freedesktop.DBus.{Peer,Properties} peer=(name=:*), - dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} - interface=org.freedesktop.DBus.Properties - member=GetAll, - dbus send bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member={ListMonitorImplementations,ListMountableInfo} diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index f4040635..0e35a845 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -11,6 +11,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include include include include 
@@ -45,11 +46,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { signal (send), - dbus (send,receive) bus=system path=/org/freedesktop/UPower/devices/{,DisplayDevice,battery_BAT[0-9]*,mouse_hidpp_battery_[0-9]*} - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(label=upowerd), - @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index ae3961b8..25c9be4f 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -20,8 +20,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { dbus bind bus=system name=org.freedesktop.ModemManager1, dbus receive bus=system path=/org/freedesktop/ModemManager1 - interface=org.freedesktop.DBus.Properties - member=GetManagedObjects + interface=org.freedesktop.DBus.{ObjectManager,Properties} peer=(name=:*), dbus (send, receive) bus=system path=/org/freedesktop/login1 diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 9e4ea27f..31d3d29a 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager 
@@ -39,43 +39,36 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=dnsmasq, dbus bind bus=system name=org.freedesktop.NetworkManager, - - dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager{,/**} - interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,NetworkManager*} + dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} + interface=org.freedesktop.NetworkManager{,.*} peer=(name=:*), + dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} + interface=org.freedesktop.DBus.Properties + peer=(name=:*), + dbus send bus=system path=/org/freedesktop/NetworkManager{,/**} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=org.freedesktop.DBus), - dbus (send,receive) bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={SessionRemoved,UserNew,SessionNew,Inhibit,PrepareForShutdown,UserRemoved,PrepareForSleep} - peer=(name=:*, label=systemd-logind), - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - - dbus send bus=system path=/org/freedesktop + dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member={InterfacesAdded,InterfacesRemoved} - peer=(name=org.freedesktop.DBus), # label="{gnome-shell,...}" + member=GetManagedObjects + peer=(name=:*), dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher member=Action peer=(name=org.freedesktop.nm_dispatcher), - dbus send bus=system path=/org/freedesktop/ModemManager1 - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects, - dbus send bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager - member={SetLink*,ResolveHostname}, - # org.freedesktop.resolve1 + 
member={SetLink*,ResolveHostname} + peer=(name=org.freedesktop.resolve1, label=systemd-resolved), dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties - member=GetAll, + member=GetAll + peer=(name=:*, label=systemd-hostnamed), dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager @@ -86,13 +79,19 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { member=PropertiesChanged peer=(name=:*, label=wpa-supplicant), - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects, + dbus receive bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + peer=(name=:*, label=systemd-logind), - dbus receive bus=system path=/org/bluez/hci*/** + dbus receive bus=system path=/org/bluez/hci@{int}{,/**} interface=org.freedesktop.DBus.Properties - peer=(name=:*), + member=PropertiesChanged + peer=(name=:*, label=bluetoothd), + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index fc32df6f..aaa95492 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
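Review bot: The NetworkManager rewrite drops the `(send,receive)` login1.Manager rule that allowed `Inhibit`, and its replacement in the second hunk (`dbus receive … interface=org.freedesktop.login1.Manager peer=(name=:*, label=systemd-logind)`) is receive-only, so NetworkManager's own call to `Inhibit` — its sleep monitor takes a delay inhibitor so it can tear connections down on `PrepareForSleep` — has no matching send rule left in this file. Unless an abstraction the profile already includes covers it (no include change is visible in this file's hunks), that call will be denied and NM will merely observe the sleep signals without being able to delay suspend; a rule such as `dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=Inhibit peer=(name=:*, label=systemd-logind),` restores it. On the positive side, the `label=systemd-resolved`, `label=systemd-hostnamed` and `label=bluetoothd` peer labels added here are a real tightening over the previous unlabelled rules. The profile block continues outside the hunk.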
@@ -27,18 +27,18 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { network netlink raw, dbus bind bus=system name=org.freedesktop.login1, - dbus receive bus=system path=/org/freedesktop/login1{,/**} - interface=org.freedesktop.login1.Manager + dbus (send, receive) bus=system path=/org/freedesktop/login1{,/**} + interface=org.freedesktop.login1.* peer=(name=:*), dbus receive bus=system path=/org/freedesktop/login1{,/**} interface=org.freedesktop.DBus.Properties peer=(name=:*), + dbus (send, receive) bus=system path=/org/freedesktop/login1{,/**} + interface=org.freedesktop.login1.* + peer=(name=org.freedesktop.DBus), dbus send bus=system path=/org/freedesktop/login1{,/**} interface=org.freedesktop.DBus.Properties peer=(name=org.freedesktop.DBus), - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - peer=(name=org.freedesktop.DBus), dbus receive bus=system path=/org/freedesktop/systemd1/{unit,job}/** interface=org.freedesktop.DBus.Properties @@ -56,7 +56,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} + member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label=dbus-daemon), @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 1337fba2..c8b9ec12 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -11,6 +11,7 @@ include profile fwupd @{exec_path} flags=(complain,attach_disconnected) { include include + include include include include 
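Review bot: The first new rule, `dbus (send, receive) … interface=org.freedesktop.login1.* peer=(name=:*)`, widens the old receive-only Manager rule to sending any `login1.*` method to any unique-named peer; logind is a service here, and its outbound traffic on its own interface is signal emission, which the second new rule already covers via `peer=(name=org.freedesktop.DBus)` (the same convention the NetworkManager hunk in this commit uses for `PropertiesChanged`). Unless a send to a unique peer was actually logged, keep the first rule as `dbus receive bus=system path=/org/freedesktop/login1{,/**} interface=org.freedesktop.login1.* peer=(name=:*),` so the profile does not grant logind a channel it does not appear to need. The profile is still `complain`, so nothing breaks either way, but the rule set should be tight before that flag comes off. The `GetConnectionCredentials` addition in the second hunk looks correct. The profile block continues outside the hunk.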
@@ -34,6 +35,14 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { dbus receive bus=system path=/ interface=org.freedesktop.fwupd peer=(name=:*, label=fwupdmgr), + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.Properties + member={GetAll,SetHints,GetPlugins,GetRemotes} + peer=(name=:*, label=fwupdmgr), + dbus send bus=system path=/ + interface=org.freedesktop.DBus + member=Changed + peer=(name=:*, label=fwupdmgr), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus @@ -52,20 +61,6 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { interface=org.freedesktop.{DBus.Properties,UDisks2.Manager} member={GetAll,GetBlockDevices}, - dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus send bus=system path=/ - interface=org.freedesktop.DBus - member=Changed - peer=(label=fwupdmgr), - - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.Properties - member={GetAll,SetHints,GetPlugins,GetRemotes} - peer=(name=:*, label=fwupdmgr), - @{exec_path} mr, @{lib}/fwupd/fwupd-detect-cet rix, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 32e092bd..d988ffc4 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -13,6 +13,7 @@ profile spice-vdagent @{exec_path} { include include include + include include include include 
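Review bot: The relocated `member=Changed` send rule now carries `peer=(name=:*, label=fwupdmgr)`, but if `Changed` is fwupd's broadcast signal then, by this profile set's own convention for undirected signals (`peer=(name=org.freedesktop.DBus)` on the NetworkManager and systemd-logind `PropertiesChanged` rules in this commit), the peer name seen by the mediator is `org.freedesktop.DBus`, so `name=:*` would never match and the old label-only form `peer=(label=fwupdmgr)` was the one that worked. `interface=org.freedesktop.DBus` also does not look like where fwupd publishes `Changed` (its public interface is `org.freedesktop.fwupd`), although that part predates this commit. If the rule was taken from a log line, `dbus send bus=system path=/ interface=org.freedesktop.fwupd member=Changed peer=(name=org.freedesktop.DBus, label=fwupdmgr),` is the form to check against; if it really is a directed message to fwupdmgr, a comment saying so would stop the next reader from "fixing" it. The profile is in `complain`, so any mismatch is currently invisible. The profile block continues outside the hunk.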
@@ -25,6 +26,16 @@ profile spice-vdagent @{exec_path} { member=GetCurrentState peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Realtime + member=MakeThreadRealtimeWithPID + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 23d6fd1d..50340488 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -11,6 +11,7 @@ include @{exec_path} = @{bin}/thermald profile thermald @{exec_path} flags=(attach_disconnected) { include + include include capability sys_boot, @@ -22,11 +23,6 @@ profile thermald @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=power-profiles-daemon), - dbus send bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=upowerd), - @{exec_path} mr, /etc/thermald/thermal-conf.xml r, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 4859ec36..129ea411 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -17,6 +17,7 @@ profile thunderbird @{exec_path} { include include include + include include include include 
@@ -50,15 +51,6 @@ profile thunderbird @{exec_path} { dbus bind bus=session name=org.mozilla.thunderbird.*, - dbus send bus=system path=/org/freedesktop/RealtimeKit1 - member={Get,MakeThreadHighPriority,MakeThreadRealtime} - peer=(name=org.freedesktop.RealtimeKit1*), - - dbus send bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.UPower - member=EnumerateDevices - peer=(name=org.freedesktop.UPower), - dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index 06a4c908..3bd701a6 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,6 +10,8 @@ include profile wireplumber @{exec_path} { include include + include + include include include include @@ -23,19 +25,6 @@ profile wireplumber @{exec_path} { dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio0, - dbus send bus=system path=/org/freedesktop/RealtimeKit1 - interface=org.freedesktop.RealtimeKit1 - peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon), - - dbus send bus=system path=/org/freedesktop/UPower/devices/DisplayDevice - interface=org.freedesktop.DBus.Properties - peer=(name=org.freedesktop.UPower, label=upowerd), - - dbus send bus=system path=/org/freedesktop/RealtimeKit1 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect