mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 00:48:10 +01:00
feat(dbus): rewrite some dbus rules (2).
This commit is contained in:
Alexandre Pujol
parent
6d1ff256af
commit
505770cd5a
10 changed files with 141 additions and 68 deletions
|
|
@ -11,6 +11,10 @@
|
|||
interface=org.freedesktop.PolicyKit1.Authority
|
||||
member=CheckAuthorization
|
||||
peer=(name=org.freedesktop.PolicyKit1, label=polkitd),
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.PolicyKit1.Authority
|
||||
member=CheckAuthorization
|
||||
peer=(name=:*, label=polkitd),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.PolicyKit1.Authority
|
||||
|
|
|
|||
|
|
@ -22,6 +22,12 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
ptrace (read),
|
||||
|
||||
dbus bind bus=session name=org.freedesktop.portal.Desktop,
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.portal.Settings
|
||||
peer=(name=:*, label=nautilus),
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*),
|
||||
|
||||
dbus bind bus=session name=org.freedesktop.background.Monitor,
|
||||
dbus receive bus=session path=/org/freedesktop/background/monitor
|
||||
|
|
@ -35,15 +41,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*, label=xdg-permission-store),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*, label=gnome-keyring-daemon),
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.impl.portal.Settings
|
||||
peer=(name=:*, label=xdg-desktop-portal-gnome),
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.portal.Settings
|
||||
peer=(name=:*, label=nautilus),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/documents
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
|
|
|
|||
|
|
@ -26,34 +26,41 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
network netlink raw,
|
||||
|
||||
dbus bind bus=session name=org.gnome.SettingsDaemon.MediaKeys,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
member=GetAll
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member=Inhibit,
|
||||
member=Inhibit
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member=PowerOff,
|
||||
member=PowerOff
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member={SessionNew,SessionRemoved,PrepareForShutdown,UserNew,UserRemoved,PrepareForSleep}
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged,
|
||||
member=PropertiesChanged
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/hostname1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get,
|
||||
member=GetAll
|
||||
peer=(name=:*, label=systemd-hostnamed),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
member=GetAll
|
||||
peer=(name=:*, label=upowerd),
|
||||
|
||||
dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
|
|
@ -135,9 +142,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
|||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.gnome.SettingsDaemon.MediaKeys,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -24,21 +24,94 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/trash>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/hostname1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/*}
|
||||
interface={org.freedesktop.DBus.{Properties,Introspectable},org.gtk.Actions},
|
||||
|
||||
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
||||
member={IsSupported,List}
|
||||
peer=(name=:*),
|
||||
|
||||
dbus bind bus=session name=org.gnome.Nautilus,
|
||||
dbus send bus=session path=/org/gnome/Nautilus
|
||||
interface=org.gtk.{Actions,Application},
|
||||
dbus send bus=session path=/org/gnome/Nautilus{,/**}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*),
|
||||
dbus send bus=session path=/org/gnome/Nautilus
|
||||
interface=org.gtk.Application
|
||||
peer=(name=org.gnome.Nautilus, label="{nautilus,gnome-shell}"),
|
||||
|
||||
dbus bind bus=session name=org.freedesktop.FileManager1,
|
||||
dbus receive bus=session path=/org/freedesktop/FileManager1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*),
|
||||
dbus send bus=session path=/org/freedesktop/FileManager1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/Nautilus/*
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-extension-ding),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
|
||||
interface=org.freedesktop.DBus.Peer
|
||||
peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
|
||||
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
|
||||
interface=org.freedesktop.Tracker3.Endpoint
|
||||
peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
|
||||
|
||||
dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
||||
peer=(name=:*, label=gvfs-*-monitor),
|
||||
|
||||
dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.portal.Settings
|
||||
member=Read
|
||||
peer=(name=:*, label=xdg-desktop-portal),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=xdg-desktop-portal),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={GetAll,ListActivatableNames}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
# talk: org.gtk.vfs.*
|
||||
dbus send bus=session path=/org/gtk/vfs/**
|
||||
interface=org.gtk.vfs.*
|
||||
peer=(name=:*, label=gvfsd),
|
||||
|
||||
# talk: org.gtk.MountOperationHandler
|
||||
dbus send bus=session path=/org/gtk/MountOperationHandler
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/gtk/Notifications
|
||||
interface=org.gtk.Notifications
|
||||
member=AddNotification
|
||||
peer=(name=org.gtk.Notifications, label=gnome-shell),
|
||||
|
||||
dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine
|
||||
interface=org.gtk.private.CommandLine
|
||||
member=Print
|
||||
peer=(name=:*, label=nautilus),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/hostname1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=systemd-hostnamed),
|
||||
|
||||
dbus send bus=session path=/com/canonical/unity/launcherentry/@{int}
|
||||
interface=com.canonical.Unity.LauncherEntry
|
||||
member=Update
|
||||
peer=(name=org.freedesktop.DBus, label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=ListActivatableNames
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/dbus
|
||||
interface=org.freedesktop.DBus
|
||||
member=NameHasOwner
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
|
|||
dbus bind bus=system name=org.freedesktop.ModemManager1,
|
||||
dbus receive bus=system path=/org/freedesktop/ModemManager1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetManagedObjects,
|
||||
member=GetManagedObjects
|
||||
peer=(name=:*),
|
||||
|
||||
dbus (send, receive) bus=system path=/org/freedesktop/login1
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/network-manager>
|
||||
include <abstractions/bus/polkit>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
|
|
|
|||
|
|
@ -26,40 +26,39 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
|
|||
|
||||
network netlink raw,
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/login1{,/**}
|
||||
interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,login[0-9].*},
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd[0-9].Manager
|
||||
member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading,Subscribe,StopUnit},
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/systemd1/{unit,job}/**
|
||||
dbus bind bus=system name=org.freedesktop.login1,
|
||||
dbus receive bus=system path=/org/freedesktop/login1{,/**}
|
||||
interface=org.freedesktop.login1.Manager
|
||||
peer=(name=:*),
|
||||
dbus receive bus=system path=/org/freedesktop/login1{,/**}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Get,PropertiesChanged},
|
||||
peer=(name=:*),
|
||||
dbus send bus=system path=/org/freedesktop/login1{,/**}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
dbus send bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/systemd1/{unit,job}/**
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*, label="@{systemd}"),
|
||||
dbus send bus=system path=/org/freedesktop/systemd1/{unit,job}/**
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
peer=(name=org.freedesktop.systemd1),
|
||||
dbus receive bus=system path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
peer=(name=:*, label="@{systemd}"),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser}
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.PolicyKit1.Authority
|
||||
member=CheckAuthorization,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/systemd1/unit/**
|
||||
interface=org.freedesktop.systemd[0-9].Scope
|
||||
member=Abandon,
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged,
|
||||
|
||||
dbus receive bus=system path=/
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get,
|
||||
|
||||
dbus bind bus=system name=org.freedesktop.login1,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
|
|
|||
|
|
@ -11,7 +11,6 @@ profile remmina @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/bus/atspi>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dbus-gtk>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf-write>
|
||||
|
|
@ -27,11 +26,6 @@ profile remmina @{exec_path} {
|
|||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/secrets{,/collection/login{,/[0-9]*}}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/{,rtkit/}rtkit-daemon
|
||||
profile rtkit-daemon @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/polkit>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@ profile snap @{exec_path} {
|
|||
dbus send bus=session path=/org/freedesktop/portal/documents
|
||||
interface=org.freedesktop.portal.Documents
|
||||
member=GetMountPoint
|
||||
peer=(name=org.freedesktop.portal.Documents),
|
||||
peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"),
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue