feat(profile): add rfkill on networkd.

See #256
2025-01-18 00:48:10 +01:00 · 2023-12-01 11:09:46 +00:00 · 2023-12-01 11:09:46 +00:00 · 4382a34b9e
commit 4382a34b9e
parent 8e45076077
5 changed files with 101 additions and 41 deletions
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@ -9,13 +9,14 @@ include <tunables/global>
@{exec_path} = @{lib}/{,evolution-data-server/}evolution-addressbook-factory
 profile evolution-addressbook-factory @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dbus-network-manager-strict>
+  include <abstractions/bus/network-manager>
+  include <abstractions/bus/vfs>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
-  include <abstractions/ssl_certs>
  include <abstractions/p11-kit>
+  include <abstractions/ssl_certs>

  network inet stream,
  network inet6 stream,
@ -25,18 +26,31 @@ profile evolution-addressbook-factory @{exec_path} {

  dbus bind bus=session name=org.gnome.evolution.dataserver.AddressBook@{int},

-  dbus send bus=system path=/org/freedesktop/NetworkManager
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll,
+  dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/**
+       interface=org.gnome.evolution.dataserver.*
+       peer=(name=:*),

-  dbus send bus=system path=/org/freedesktop/locale[0-9]
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll,
+  dbus send bus=session path=/org/gnome/evolution/dataserver/**
+       interface=org.gnome.evolution.dataserver.*
+       peer=(name=org.freedesktop.DBus, label=evolution-*),

-  dbus receive bus=system path=/org/freedesktop/NetworkManager
-       interface=org.freedesktop.NetworkManager
-       member={CheckPermissions,StateChanged,DeviceAdded,DeviceRemoved}
-       peer=(name=:*, label=NetworkManager),
+  dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/**
+       interface=org.freedesktop.DBus.Properties
+       peer=(name=:*, label=evolution-*),
+
+  dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager
+       interface=org.freedesktop.DBus.ObjectManager
+       member=GetManagedObjects
+       peer=(name=:*, label=evolution-source-registry),
+
+  dbus send bus=session path=/org/gnome/evolution/dataserver/**
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged
+       peer=(name=org.freedesktop.DBus, label=evolution-calendar-factory),
+
+  dbus send bus=system path=/org/freedesktop/locale1
+       interface=org.freedesktop.DBus.Properties
+       peer=(name=:*, label=systemd-localed),

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@ -9,7 +9,9 @@ include <tunables/global>
@{exec_path} = @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify
 profile evolution-alarm-notify @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dbus-session>
+  include <abstractions/bus/atspi>
+  include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/gnome>
@ -19,6 +21,21 @@ profile evolution-alarm-notify @{exec_path} {

  network netlink raw,

+  dbus bind bus=session name=org.gnome.Evolution-alarm-notify,
+
+  dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/**
+       interface=org.gnome.evolution.dataserver.Calendar*
+       peer=(name=:*, label=evolution-*),
+
+  dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/**
+       interface=org.freedesktop.DBus.{ObjectManager,Properties}
+       peer=(name=:*, label=evolution-*),
+
+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect 
+       peer=(name=:*, label=gnome-shell),
+
  @{exec_path} mr,

  /usr/share/evolution-data-server/{,**} r,
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@ -9,13 +9,12 @@ include <tunables/global>
@{exec_path} = @{lib}/{,evolution-data-server/}evolution-calendar-factory
 profile evolution-calendar-factory @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dbus-network-manager-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
-  include <abstractions/ssl_certs>
  include <abstractions/p11-kit>
+  include <abstractions/ssl_certs>

  network inet stream,
  network inet6 stream,
@ -23,24 +22,42 @@ profile evolution-calendar-factory @{exec_path} {
  network inet6 dgram,
  network netlink raw,

-  dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager
-       interface=org.freedesktop.DBus.Properties
-       member={PropertiesChanged,GetAll},
+  dbus bind bus=session name=org.gnome.evolution.dataserver.Calendar@{int},

-  dbus receive bus=system path=/org/freedesktop/NetworkManager
-       interface=org.freedesktop.NetworkManager
-       member={CheckPermissions,StateChanged,DeviceAdded,DeviceRemoved}
-       peer=(name=:*, label=NetworkManager),
+  dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/**
+       interface=org.gnome.evolution.dataserver.*
+       peer=(name=:*),
+
+  dbus send bus=session path=/org/gnome/evolution/dataserver/**
+       interface=org.gnome.evolution.dataserver.*
+       peer=(name=org.freedesktop.DBus, label="{evolution-*,gnome-shell-*-server}"),
+
+  dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/**
+       interface=org.freedesktop.DBus.Properties
+       peer=(name=:*),
+
+  dbus send bus=session path=/org/gnome/evolution/dataserver/**
+       interface=org.freedesktop.DBus.Properties
+       peer=(name=org.freedesktop.DBus, label=evolution-*),
+
+  dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager
+       interface=org.freedesktop.DBus.ObjectManager
+       member=GetManagedObjects
+       peer=(name=:*, label=evolution-source-registry),
+
+  dbus send bus=session path=/org/gnome/evolution/dataserver/**
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged
+       peer=(name=org.freedesktop.DBus, label=gnome-shell-calendar-server),

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect 
+       member=Introspect
       peer=(name=:*, label=gnome-shell),

-  dbus (send,receive) bus=session path=/org/gnome/evolution/dataserver{,/**}
-       interface={org.freedesktop.DBus.{ObjectManager,Properties},org.gnome.evolution.dataserver.*},
-
-  dbus bind bus=session name=org.gnome.evolution.dataserver.Calendar[0-9]*,
+  dbus send bus=session path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       peer=(name=:*, label=gvfsd),

  @{exec_path} mr,
  @{exec_path}-subprocess rix,
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server
+++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server
@ -14,26 +14,37 @@ profile gnome-shell-calendar-server @{exec_path} {
  include <abstractions/nameservice-strict>

  dbus bind bus=session name=org.gnome.Shell.CalendarServer,
+  dbus receive bus=session path=/org/gnome/Shell/CalendarServer
+       interface=org.gnome.Shell.CalendarServer
+       peer=(name=:*, label=gnome-shell),
+
+  dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/{,**}
+       interface=org.freedesktop.DBus.Properties
+       peer=(name=:*, label=evolution-*),
+
+  dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/{,**}
+       interface=org.gnome.evolution.dataserver.Calendar*
+       peer=(name=:*, label=evolution-*),
+
+  dbus (send receive) bus=session path=/org/gnome/Shell/CalendarServer
+       interface=org.freedesktop.DBus.Properties
+       peer=(name=:*, label=gnome-shell),
+
+  dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager
+       interface=org.freedesktop.DBus.ObjectManager
+       member=GetManagedObjects
+       peer=(name=:*, label=evolution-source-registry),
+
+  dbus send bus=session path=/org/gnome/Shell/CalendarServer
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged
+       peer=(name=org.freedesktop.DBus, label=gnome-shell),

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect 
       peer=(name=:*, label=gnome-shell),

-  dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/{,**}
-       interface=org.gnome.evolution.dataserver.CalendarView
-       peer=(name=:*, label=evolution-calendar-factory),
-
-  dbus receive bus=session path=/org/gnome/Shell/CalendarServer
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll 
-       peer=(name=:*, label=gnome-shell),
-
-  dbus receive bus=session path=/org/gnome/Shell/CalendarServer
-       interface=org.gnome.Shell.CalendarServer
-       member=SetTimeRange 
-       peer=(name=:*, label=gnome-shell),
-
  @{exec_path} mr,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@ -70,6 +70,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {

  @{run}/udev/data/n@{int} r,

+  @{sys}/devices/@{pci}/rfkill@{int}/* r,
  @{sys}/devices/**/net/** r,
  @{sys}/devices/pci[0-9]*/**/ r,
  @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,