From 459fe7c9050d9156c8e2429124e2b653e5bffa6d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 30 Nov 2023 00:22:34 +0000 Subject: [PATCH] feat(profile): use the new bus/atspi abstraction in the profiles. --- apparmor.d/abstractions/bus/atspi | 7 --- apparmor.d/groups/browsers/firefox | 2 +- apparmor.d/groups/gnome/gnome-control-center | 26 +--------- .../gnome/gnome-control-center-print-renderer | 6 +-- apparmor.d/groups/gnome/gnome-extension-ding | 7 +-- apparmor.d/groups/gnome/gnome-session-binary | 6 +-- apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/gsd-color | 26 +--------- apparmor.d/groups/gnome/gsd-keyboard | 21 +------- apparmor.d/groups/gnome/gsd-media-keys | 11 +--- apparmor.d/groups/gnome/gsd-power | 21 +------- apparmor.d/groups/gnome/gsd-wacom | 26 +--------- apparmor.d/groups/gnome/gsd-xsettings | 26 +--------- apparmor.d/groups/gnome/nautilus | 2 + .../groups/ubuntu/check-new-release-gtk | 6 +-- .../groups/ubuntu/livepatch-notification | 6 +-- .../ubuntu/ubuntu-advantage-notification | 1 + apparmor.d/groups/ubuntu/update-notifier | 1 + apparmor.d/profiles-a-f/atril | 32 ++---------- apparmor.d/profiles-a-f/engrampa | 12 +---- apparmor.d/profiles-a-f/evince | 29 +---------- apparmor.d/profiles-m-r/qbittorrent | 52 +++++++------------ apparmor.d/profiles-m-r/remmina | 26 +--------- apparmor.d/profiles-m-r/rustdesk | 34 +++--------- apparmor.d/profiles-s-z/spice-vdagent | 32 +----------- apparmor.d/profiles-s-z/vlc | 20 +------ 26 files changed, 59 insertions(+), 380 deletions(-) diff --git a/apparmor.d/abstractions/bus/atspi b/apparmor.d/abstractions/bus/atspi index fbcbed16..36eeefeb 100644 --- a/apparmor.d/abstractions/bus/atspi +++ b/apparmor.d/abstractions/bus/atspi 
@@ -38,10 +38,3 @@ peer=(name=org.a11y.Bus, label="{at-spi-bus-launcher,dbus-daemon}"), include if exists -# include - -# From dbus-gtk: -# dbus (send) bus=session path=/org/a11y/bus -# interface=org.freedesktop.DBus.Properties -# member=Get -# peer=(name=org.a11y.Bus), diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index fd509058..78d2ea76 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -16,7 +16,7 @@ include profile firefox @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index d6192c02..b17f60fe 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -10,6 +10,7 @@ include profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include + include include include include 
@@ -37,31 +38,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), - - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*, label=at-spi2-registryd), - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), - - dbus receive bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=EventListenerDeregistered - peer=(name=:*, label=at-spi2-registryd), - - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), - @{exec_path} mr, @{bin}/{,b,d,rb}ash rUx, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 779b9561..359212a4 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include + include include include include @@ -22,11 +23,6 @@ profile gnome-control-center-print-renderer @{exec_path} { include include - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), - @{exec_path} mr, /usr/share/egl/{,**} r, 
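Review bot: gnome-control-center-print-renderer now pulls in a whole abstraction where it previously needed a single session-bus call, `GetAddress` on `/org/a11y/bus` with the peer pinned to `label=at-spi-bus-launcher`. The include targets are not legible on this page, but if the added line is the bus/atspi abstraction named in the subject and it carries the accessibility-bus rules removed from other profiles in this commit (Embed, GetRegisteredEvents, DeviceEventController), a print helper gains registry access that its old profile never granted. check-new-release-gtk and livepatch-notification are in the same position. Consider keeping the narrow rule for these helpers, or put a comment above the include such as `# a11y: only GetAddress was observed; full atspi access granted for consistency`.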
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 7e15a5ed..16ab52de 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -9,14 +9,15 @@ include @{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js profile gnome-extension-ding @{exec_path} { include - include - include - include + include include + include + include include include include include + include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index e8762ddb..bc49b34e 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -120,11 +121,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { member=ActiveChanged peer=(name=:*, label=gjs-console), - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus), # all peer's labels - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b4185765..e3ce59f1 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -11,6 +11,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 55a017c5..979b1616 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color 
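Review bot: The rule removed from gnome-session-binary at `@@ -120,11 +121,6` was deliberately left without a peer label (`# all peer's labels`), and the include that replaces it may not preserve that. The one abstraction rule visible in this commit pins `peer=(name=org.a11y.Bus, label="{at-spi-bus-launcher,dbus-daemon}")`, so a launcher running under any other label, for example unconfined, would presumably be denied. The same applies to gsd-color, gsd-keyboard, gsd-media-keys, gsd-power, gsd-wacom and check-new-release-gtk, whose removed rules carry the same comment. The tighter peer is the better default, but it is worth confirming in the audit log on a session where at-spi-bus-launcher is not confined before dropping the unlabelled variant.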
@@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -83,31 +84,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { member=ListMountableInfo peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus), # all peer's labels - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry), # all peer's labels - - dbus receive bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=EventListenerDeregistered - peer=(name=:*, label=at-spi2-registryd), - - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry), # all peer's labels - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry), # all peer's labels - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 649b72ca..015e2e16 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include + include include include include 
@@ -60,26 +61,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} peer=(name=:*, label=gnome-session-binary), - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus), # all peer's labels - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry), # all peer's labels - - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry), # all peer's labels - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry), # all peer's labels - dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMountableInfo diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index be405377..5e5d99e5 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -10,6 +10,7 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -139,16 +140,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { member=ListMountableInfo peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus), # all peer's labels - - dbus receive bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=EventListenerDeregistered - peer=(name=:*, label=at-spi2-registryd), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect 
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 7cf79777..6d6f6c1a 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -10,6 +10,7 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -105,26 +106,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { member=GetResources peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus), # all peer's labels - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry), # all peer's labels - - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry), # all peer's labels - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry), # all peer's labels - dbus (send, receive) bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged,Set} diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 134bdea7..2e095643 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include + include include include include 
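Review bot: The include added to gsd-wacom here does not obviously replace everything the following hunk (`@@ -50,31 +51,6`) removes. Besides the a11y rules, that hunk drops `dbus receive bus=session path=/org/gnome/SettingsDaemon/Wacom interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=gnome-shell),`, which is a session-bus rule for the daemon's own object and not an accessibility rule. Unless a rule outside the visible hunks covers it, gnome-shell's property reads on the Wacom object will be denied. I would restore that rule unchanged.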
@@ -50,31 +51,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} peer=(name=:*, label=gnome-session-binary), - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus), # all peer's labels - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry), # all peer's labels - - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry), # all peer's labels - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry), # all peer's labels - - dbus receive bus=session path=/org/gnome/SettingsDaemon/Wacom - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 3979cbcc..e7d94cc5 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-xsettings profile gsd-xsettings @{exec_path} { include + include include include include 
@@ -75,31 +76,6 @@ profile gsd-xsettings @{exec_path} { member=GetAll peer=(name=:*), # many peer's labels - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), - - dbus receive bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=EventListenerDeregistered - peer=(name=:*, label=at-spi2-registryd), - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry), # all peer's labels - - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry), # all peer's labels - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry), # all peer's labels - dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member=GetCurrentState diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index fcab66c4..cf774c06 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/nautilus profile nautilus @{exec_path} flags=(attach_disconnected) { include + include + include include include include diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 5d6dc4a9..d681b458 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -10,6 +10,7 @@ include profile check-new-release-gtk @{exec_path} { include include + include include include include 
@@ -27,11 +28,6 @@ profile check-new-release-gtk @{exec_path} { network inet6 stream, network netlink raw, - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus), # all peer's labels - @{exec_path} mr, @{bin}/dpkg rPx, diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 0e7725b3..1056acd8 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -9,17 +9,13 @@ include @{exec_path} = @{lib}/update-notifier/livepatch-notification profile livepatch-notification @{exec_path} { include + include include include include include include - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), - @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index 43f45267..8f7e5b15 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/ubuntu-advantage-notification profile ubuntu-advantage-notification @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index ba22f65d..457eb109 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -11,6 +11,7 @@ profile update-notifier @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index ea018648..efc1aa83 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril 
@@ -10,45 +10,21 @@ include @{exec_path} = @{bin}/atril{,-*} profile atril @{exec_path} { include + include + include + include include include include include include + include include include include - include - include - include network netlink raw, - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), - - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*, label=at-spi2-registryd), - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), - - dbus receive bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=EventListenerDeregistered - peer=(name=:*, label=at-spi2-registryd), - dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMountableInfo diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index edf0d8e9..414ab709 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/engrampa profile engrampa @{exec_path} { include + include include - include include include include 
@@ -34,16 +34,6 @@ profile engrampa @{exec_path} { member={IsSupported,List} peer=(name=:*), - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry), - - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*), - dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member={ListMounts2,LookupMount} diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index b7950c8f..0d174862 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/evince @{lib}/evinced profile evince @{exec_path} { include + include include include include 
@@ -52,33 +53,7 @@ profile evince @{exec_path} { dbus (send, receive) bus=session path=/org/gnome/evince/{,**} peer=(name="{org.gnome.evince.Daemon,org.freedesktop.DBus,:*}", label=@{profile_name}), # all interfaces and members - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), - - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*, label=at-spi2-registryd), - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), - - dbus receive bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=EventListenerDeregistered - peer=(name=:*, label=at-spi2-registryd), - - dbus bind bus=session - name=org.gnome.evince.Daemon, + dbus bind bus=session name=org.gnome.evince.Daemon, @{exec_path} rix, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index a9cc491c..d8edda56 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent 
@@ -12,32 +12,31 @@ include @{exec_path} = @{bin}/qbittorrent profile qbittorrent @{exec_path} { include + include include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include include - include - include + include + include + include include include - include + include + include + include + include + include include - include - include + include include + include + include + include + include + include + include + include + include + include signal send set=(term, kill) peer=qbittorrent//python3, @@ -93,18 +92,7 @@ profile qbittorrent @{exec_path} { member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event} peer=(name=:*), - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry), - - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*), - - dbus bind bus=session - name=org.kde.StatusNotifierItem-*, + dbus bind bus=session name=org.kde.StatusNotifierItem-*, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 57fec09c..b7f7557c 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/remmina profile remmina @{exec_path} { include + include include include include 
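Review bot: The include block of qbittorrent is re-sorted in the same hunk that adds the new abstraction, and the hunk header (`-12,32 +12,31`) shows the block shrinking by one line. If the atspi include is a new line, at least two previously included abstractions were dropped without mention, and with every line moved a reviewer cannot tell from the diff which permissions left the profile. rustdesk's first hunk (`-8,16 +8,16`) has the same shape. Please do the sort in its own commit, or list the dropped abstractions in the commit message.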
@@ -49,26 +50,6 @@ profile remmina @{exec_path} { dbus (send, receive) bus=session path=/org/ayatana/NotificationItem/remmina_icon{,/**} peer=(name="{:*,org.freedesktop.DBus}"), # all interfaces and members - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry), - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry), - - dbus receive bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=EventListenerDeregistered - peer=(name=:*), - - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*), - dbus send bus=session path=/org/freedesktop/secrets/collection/session interface=org.freedesktop.DBus.Properties member=GetAll @@ -84,11 +65,6 @@ profile remmina @{exec_path} { member=RegisterStatusNotifierItem peer=(name=:*), - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry), - dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={IsSupported,List} diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index ca4a91b5..da2e5e24 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -8,16 +8,16 @@ include @{exec_path} = /{,usr/}{,local/}bin/rustdesk profile rustdesk @{exec_path} { include - include include + include + include + include + include + include + include + include include include - include - include - include - include - include - include capability dac_read_search, capability dac_override, 
@@ -28,26 +28,6 @@ profile rustdesk @{exec_path} { network inet6 stream, network netlink raw, # discovery - dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry), - - dbus (send) bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry), - - dbus (send) bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry), - - dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*), - @{exec_path} mrix, @{bin}/w rPx, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index f76cf3fc..779b5468 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -10,12 +10,14 @@ include profile spice-vdagent @{exec_path} { include include + include include include include include include include + include include dbus send bus=session path=/org/gnome/Mutter/DisplayConfig 
@@ -23,36 +25,6 @@ profile spice-vdagent @{exec_path} { member=GetCurrentState peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), - - dbus receive bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=EventListenerDeregistered - peer=(name=:*, label=at-spi2-registryd), - - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*, label=at-spi2-registryd), - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry), # all peer's labels - - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry), # all peer's labels - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry), # all peer's labels - dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index dbd26f0b..51060943 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -11,6 +11,7 @@ include profile vlc @{exec_path} { include include + include include include include @@ -40,11 +41,6 @@ profile vlc @{exec_path} { member={RequestName,ReleaseName,GetConnectionUnixProcessID} peer=(name=org.freedesktop.DBus), - dbus send bus=session path=/org/a11y/bus - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.a11y.Bus), - dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Introspectable member=Introspect 
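Review bot: vlc's removed session-bus rule at `@@ -40,11 +41,6` is not the GetAddress call that other profiles drop; it is `interface=org.freedesktop.DBus.Properties member=Get` on `/org/a11y/bus`, and nothing visible in this commit shows the included abstraction allowing it. The only trace of that rule in the abstraction was the commented-out "From dbus-gtk" block, which the first hunk of this commit deletes. If the abstraction does not grant it, vlc will log denials when it looks up the accessibility bus; either add `dbus send bus=session path=/org/a11y/bus interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.a11y.Bus, label="{at-spi-bus-launcher,dbus-daemon}"),` to the abstraction or keep the rule in the vlc profile. The abstraction's body starts outside the visible hunk, so this needs checking against the full file.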
@@ -97,20 +93,6 @@ profile vlc @{exec_path} { interface=org.mpris.MediaPlayer2.* peer=(name="{org.mpris.MediaPlayer2.vlc,org.freedesktop.DBus,:*}"), # all members - dbus send bus=accessibility - interface=org.a11y.atspi.Socket - peer=(name=org.a11y.atspi.Registry), - - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*), - - dbus receive bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=EventListenerDeregistered - peer=(name=:*), - dbus bind bus=session name=org.kde.StatusNotifierItem-*, dbus bind bus=session name=org.mpris.MediaPlayer2.vlc*,