diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index af961be6..1aa90f2c 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -18,6 +18,7 @@ profile dbus-session flags=(attach_disconnected) { include include include + include include network unix stream, @@ -29,7 +30,7 @@ profile dbus-session flags=(attach_disconnected) { signal (send) set=(term hup kill) peer=dconf-service, signal (send) set=(term hup kill) peer=xdg-*, - #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} + #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{d,D}Bus} @{exec_path} mrix, @@ -49,6 +50,9 @@ profile dbus-session flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, + # Dbus can receive any user files + owner @{HOME}/** r, + owner @{HOME}/.var/app/*/**/.ref rw, owner @{HOME}/.var/app/*/**/logs/* rw, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index d6c92bae..74853231 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -15,8 +15,9 @@ include @{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1{,.0}/dbus-daemon-launch-helper profile dbus-system flags=(attach_disconnected) { include - include include + include + include include capability audit_write, @@ -53,6 +54,9 @@ profile dbus-system flags=(attach_disconnected) { @{user_share_dirs}/icc/ r, @{user_share_dirs}/icc/edid-@{hex32}.icc r, + # Dbus can receive any user files + @{HOME}/** r, + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/notify w, @{run}/systemd/sessions/*.ref rw,
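Review bot: The added `owner @{HOME}/** r,` in the third dbus-session hunk lets the session bus daemon read every file the user owns under the home directory, which takes in SSH and GPG keys, browser profiles and password stores. If "Dbus can receive any user files" refers to file descriptors handed over the bus, the comment should say so, e.g. `# fds passed over the bus may point anywhere in the user's home`. The rule would be safer paired with explicit denies for secret material, for example `include <abstractions/private-files-strict>` if that abstraction fits this project, or narrowed to the directories clients actually pass. The same wide rule is added to dbus-system in the last hunk, and the profile body continues outside this hunk.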
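Review bot: In the last dbus-system hunk the new `@{HOME}/** r,` carries no `owner` qualifier, so the policy allows reading any user's home tree and only file permissions stand between the confined process and those files. The `@{exec_path}` line visible in the first hunk of this file shows the profile also attaches to `dbus-daemon-launch-helper`, which is commonly installed setuid root; if that holds here, the helper is permitted by the policy to read every home directory. Consider giving the helper its own profile or child profile without this rule. The reason for dropping `owner` should also be recorded, e.g. `# no owner match: the system daemon runs as a different user than the file's owner`.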