diff --git a/apparmor.d/abstractions/bus/polkit b/apparmor.d/abstractions/bus/polkit index fc94dbc6..e8544108 100644 --- a/apparmor.d/abstractions/bus/polkit +++ b/apparmor.d/abstractions/bus/polkit @@ -11,6 +11,10 @@ interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization peer=(name=org.freedesktop.PolicyKit1, label=polkitd), + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=CheckAuthorization + peer=(name=:*, label=polkitd), dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 10b97937..0d1f08b6 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -22,6 +22,12 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { ptrace (read), dbus bind bus=session name=org.freedesktop.portal.Desktop, + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + peer=(name=:*, label=nautilus), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + peer=(name=:*), dbus bind bus=session name=org.freedesktop.background.Monitor, dbus receive bus=session path=/org/freedesktop/background/monitor 
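Review bot: The added rule repeats the existing CheckAuthorization send verbatim except for the peer name, and this repo already uses brace alternation inside peer specifications (`label="{nautilus,gnome-shell}"` in the nautilus profile further down), so the two rules can be folded into one: `peer=(name="{org.freedesktop.PolicyKit1,:*}", label=polkitd),`. Whichever form is kept, the `label=polkitd` constraint is the part that matters: it is what keeps a confined peer that merely owns some unique name from being sent the authorization request. On a host where polkitd runs unconfined neither rule matches, which is the fail-closed behaviour one wants from an abstraction every polkit client includes.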
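Review bot: The new `dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties peer=(name=:*),` carries neither a peer label nor a member, whereas the rule it appears to replace (the gnome-keyring-daemon one removed in the following hunk) was label-restricted. If the purpose is the PropertiesChanged signal the portal emits to whoever subscribed, `member=PropertiesChanged` keeps the unlabeled rule scoped to that signal instead of also permitting Get/Set/GetAll calls to any peer on that path. The following hunk also removes the `org.freedesktop.impl.portal.Settings` send to xdg-desktop-portal-gnome without a replacement appearing here, so unless a rule outside both hunks covers it, calls to the GNOME settings backend will start being denied. The profile body continues past this hunk.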
@@ -35,15 +41,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties peer=(name=:*, label=xdg-permission-store), - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=gnome-keyring-daemon), - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings - peer=(name=:*, label=xdg-desktop-portal-gnome), - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.Settings - peer=(name=:*, label=nautilus), dbus send bus=session path=/org/freedesktop/portal/documents interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 671cfb01..0a31e1e9 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys 
@@ -26,34 +26,41 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus bind bus=session name=org.gnome.SettingsDaemon.MediaKeys, + dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties - member=GetAll, + member=GetAll + peer=(name=:*, label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager - member=Inhibit, + member=Inhibit + peer=(name=:*, label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager - member=PowerOff, + member=PowerOff + peer=(name=:*, label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager - member={SessionNew,SessionRemoved,PrepareForShutdown,UserNew,UserRemoved,PrepareForSleep} peer=(name=:*, label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, + member=PropertiesChanged + peer=(name=:*, label=systemd-logind), dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties - member=Get, + member=GetAll + peer=(name=:*, label=systemd-hostnamed), dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} interface=org.freedesktop.DBus.Properties - member=GetAll, + member=GetAll + peer=(name=:*, label=upowerd), dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} interface=org.freedesktop.DBus.Properties @@ -135,9 +142,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=:*, label=gnome-shell), - dbus bind bus=session - name=org.gnome.SettingsDaemon.MediaKeys, - @{exec_path} mr, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index cf774c06..54d3aeff 100644 
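Review bot: The hostname1 rule changes `member=Get` to `member=GetAll` rather than adding the second member, so a `Get` call the old rule covered is now denied; unless the audit log showed only GetAll, `member={Get,GetAll}` together with the new `peer=(name=:*, label=systemd-hostnamed)` keeps both. The login1.Manager receive rule also loses its member list (`member={SessionNew,SessionRemoved,PrepareForShutdown,UserNew,UserRemoved,PrepareForSleep}`), widening it from those six signals to everything systemd-logind emits on that path; the label still bounds the sender, but if the widening was not intended the member list can stay alongside the peer. The other rules in the hunk only gain a labelled peer, which is the right direction. The profile header and tail lie outside this hunk.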
--- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -24,21 +24,94 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include - dbus send bus=system path=/org/freedesktop/hostname1 - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/*} - interface={org.freedesktop.DBus.{Properties,Introspectable},org.gtk.Actions}, - - dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - member={IsSupported,List} - peer=(name=:*), - dbus bind bus=session name=org.gnome.Nautilus, + dbus send bus=session path=/org/gnome/Nautilus + interface=org.gtk.{Actions,Application}, + dbus send bus=session path=/org/gnome/Nautilus{,/**} + interface=org.freedesktop.DBus.Properties + peer=(name=:*), + dbus send bus=session path=/org/gnome/Nautilus + interface=org.gtk.Application + peer=(name=org.gnome.Nautilus, label="{nautilus,gnome-shell}"), dbus bind bus=session name=org.freedesktop.FileManager1, + dbus receive bus=session path=/org/freedesktop/FileManager1 + interface=org.freedesktop.DBus.Properties + peer=(name=:*), + dbus send bus=session path=/org/freedesktop/FileManager1 + interface=org.freedesktop.DBus.Properties + peer=(name=org.freedesktop.DBus), + + dbus receive bus=session path=/org/gnome/Nautilus/* + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-extension-ding), + + dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.DBus.Peer + peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), + dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.Tracker3.Endpoint + peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), + + dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + peer=(name=:*, label=gvfs-*-monitor), + + dbus (send, receive) bus=session 
path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=Read + peer=(name=:*, label=xdg-desktop-portal), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-desktop-portal), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Properties + member={GetAll,ListActivatableNames} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + # talk: org.gtk.vfs.* + dbus send bus=session path=/org/gtk/vfs/** + interface=org.gtk.vfs.* + peer=(name=:*, label=gvfsd), + + # talk: org.gtk.MountOperationHandler + dbus send bus=session path=/org/gtk/MountOperationHandler + interface=org.freedesktop.DBus.Properties + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gtk/Notifications + interface=org.gtk.Notifications + member=AddNotification + peer=(name=org.gtk.Notifications, label=gnome-shell), + + dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine + interface=org.gtk.private.CommandLine + member=Print + peer=(name=:*, label=nautilus), + + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=systemd-hostnamed), + + dbus send bus=session path=/com/canonical/unity/launcherentry/@{int} + interface=com.canonical.Unity.LauncherEntry + member=Update + peer=(name=org.freedesktop.DBus, label=gnome-shell), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ListActivatableNames + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/dbus + interface=org.freedesktop.DBus + member=NameHasOwner + peer=(name=org.freedesktop.DBus, label=dbus-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 14f45c0d..ae3961b8 100644 
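Review bot: The first added send rule, `dbus send bus=session path=/org/gnome/Nautilus interface=org.gtk.{Actions,Application},`, has no peer constraint at all, so it already permits everything the later `peer=(name=org.gnome.Nautilus, label="{nautilus,gnome-shell}")` org.gtk.Application rule permits and makes that rule dead; either the label list was meant for the first rule as well, `peer=(name="{:*,org.gnome.Nautilus}", label="{nautilus,gnome-shell}")`, or the third rule should go. The NameHasOwner rule at the end uses path `/org/freedesktop/dbus` while the ListActivatableNames rule just above it uses `/org/freedesktop/DBus`; object paths are case-sensitive, so unless the lowercase path is literally what the denial logged, this rule never matches. The Unity LauncherEntry rule pairs `name=org.freedesktop.DBus` with `label=gnome-shell`, whereas every other bus-driver rule in this hunk pairs that name with `label=dbus-daemon`; if that rule was written for a broadcast signal, the check the daemon performs with itself as the destination carries the daemon's label, so the gnome-shell label looks unable to match as written and is worth confirming against the audit log. The profile body continues past the hunk.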
--- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -21,7 +21,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { dbus bind bus=system name=org.freedesktop.ModemManager1, dbus receive bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.Properties - member=GetManagedObjects, + member=GetManagedObjects peer=(name=:*), dbus (send, receive) bus=system path=/org/freedesktop/login1 diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index f68411c3..9e4ea27f 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -10,6 +10,7 @@ include profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 44ea4c2c..fc32df6f 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
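Review bot: `GetManagedObjects` is a method of `org.freedesktop.DBus.ObjectManager`, not of `org.freedesktop.DBus.Properties`, so this receive rule — before as well as after the peer was added — looks unable to match the call ModemManager clients actually make; `interface=org.freedesktop.DBus.ObjectManager` on the line above the changed one is the likely fix, assuming the denial this was written from named that interface. Leaving `peer=(name=:*)` without a label is reasonable for a read-only enumeration method on a system service any client may call. The profile continues outside the hunk.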
@@ -26,40 +26,39 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { network netlink raw, - dbus (send,receive) bus=system path=/org/freedesktop/login1{,/**} - interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,login[0-9].*}, - - dbus (send,receive) bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd[0-9].Manager - member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading,Subscribe,StopUnit}, - - dbus (send,receive) bus=system path=/org/freedesktop/systemd1/{unit,job}/** + dbus bind bus=system name=org.freedesktop.login1, + dbus receive bus=system path=/org/freedesktop/login1{,/**} + interface=org.freedesktop.login1.Manager + peer=(name=:*), + dbus receive bus=system path=/org/freedesktop/login1{,/**} interface=org.freedesktop.DBus.Properties - member={Get,PropertiesChanged}, + peer=(name=:*), + dbus send bus=system path=/org/freedesktop/login1{,/**} + interface=org.freedesktop.DBus.Properties + peer=(name=org.freedesktop.DBus), + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + peer=(name=org.freedesktop.DBus), + + dbus receive bus=system path=/org/freedesktop/systemd1/{unit,job}/** + interface=org.freedesktop.DBus.Properties + peer=(name=:*, label="@{systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1/{unit,job}/** + interface=org.freedesktop.DBus.Properties + peer=(name=org.freedesktop.systemd1, label="@{systemd}"), + + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + peer=(name=org.freedesktop.systemd1), + dbus receive bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + peer=(name=:*, label="@{systemd}"), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser} + member={GetConnectionUnixUser,GetConnectionUnixProcessID} 
peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization, - - dbus send bus=system path=/org/freedesktop/systemd1/unit/** - interface=org.freedesktop.systemd[0-9].Scope - member=Abandon, - - dbus receive bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, - - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.Properties - member=Get, - - dbus bind bus=system name=org.freedesktop.login1, - @{exec_path} mr, /etc/machine-id r, diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index b7f7557c..1d0f0d2a 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -11,7 +11,6 @@ profile remmina @{exec_path} { include include include - include include include include @@ -27,11 +26,6 @@ profile remmina @{exec_path} { network inet6 stream, network netlink raw, - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=session path=/org/freedesktop/secrets{,/collection/login{,/[0-9]*}} interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index e38f2d9b..afc1642c 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/{,rtkit/}rtkit-daemon profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 0332b2e7..2972c8e8 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap 
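Review bot: Two of the removed rules have no counterpart among the added ones: the polkit `CheckAuthorization` send to /org/freedesktop/PolicyKit1/Authority and the `org.freedesktop.systemd[0-9].Scope` `Abandon` send on /org/freedesktop/systemd1/unit/**. As far as I know logind consults polkit for its PowerOff/Reboot family and abandons session scopes on logout, so unless the profile header outside this hunk gained `include <abstractions/bus/polkit>` and a Scope rule, those calls keep working only because the profile is still flagged `complain`. `GetConnectionCredentials` was likewise dropped from the bus-driver rule, narrowing it to `{GetConnectionUnixUser,GetConnectionUnixProcessID}`, which deserves the same log check. As a consistency point, the new `dbus send ... org.freedesktop.systemd1.Manager peer=(name=org.freedesktop.systemd1)` has no label while its receive twin uses `label="@{systemd}"`; `peer=(name=org.freedesktop.systemd1, label="@{systemd}")` keeps the pair symmetric. The profile starts before this hunk.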
@@ -40,7 +40,7 @@ profile snap @{exec_path} { dbus send bus=session path=/org/freedesktop/portal/documents interface=org.freedesktop.portal.Documents member=GetMountPoint - peer=(name=org.freedesktop.portal.Documents), + peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"), @{exec_path} mrix,
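Review bot: The `unconfined` alternative in the new peer label deserves a comment on the rule, because it is a deliberate widening that lets the rule match when xdg-document-portal runs without its profile, and without a note it is the kind of thing a later cleanup tightens away; something like `# xdg-document-portal may run unconfined where its profile is not loaded` above the `dbus send` is enough. Since the peer is pinned to the well-known name `org.freedesktop.portal.Documents`, the extra label only admits whichever process the bus lets own that name, so the exposure stays bounded. The snap profile continues outside the hunk.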