From 538ec25001d405fbc12963959f85f405553319e0 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 5 Dec 2023 21:01:26 +0000 Subject: [PATCH] feat(dbus): rewrite some dbus rules (7). --- apparmor.d/groups/avahi/avahi-browse | 15 ++--- apparmor.d/groups/avahi/avahi-resolve | 24 +++---- apparmor.d/groups/freedesktop/colord | 13 +--- apparmor.d/groups/freedesktop/colord-sane | 13 +--- apparmor.d/groups/freedesktop/geoclue | 42 ++----------- apparmor.d/groups/freedesktop/pulseaudio | 50 ++------------- apparmor.d/groups/freedesktop/upowerd | 6 +- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 45 +++++--------- .../groups/freedesktop/xdg-desktop-portal | 6 ++ .../freedesktop/xdg-desktop-portal-gnome | 26 +++----- .../groups/freedesktop/xdg-desktop-portal-gtk | 12 ++-- .../groups/gnome/evolution-alarm-notify | 5 -- .../groups/gnome/evolution-source-registry | 20 ++---- apparmor.d/groups/gnome/gjs-console | 3 + .../gnome/gnome-calculator-search-provider | 5 ++ apparmor.d/groups/gnome/gnome-calendar | 29 +++++++-- apparmor.d/groups/gnome/gnome-characters | 8 +++ .../gnome/gnome-control-center-goa-helper | 4 ++ .../gnome-control-center-search-provider | 6 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 1 + apparmor.d/groups/gnome/gnome-session-binary | 62 +++++++------------ apparmor.d/groups/gnome/goa-identity-service | 14 ++--- apparmor.d/groups/gnome/gsd-media-keys | 4 ++ apparmor.d/groups/gnome/gsd-power | 16 ++++- .../groups/gnome/gsd-print-notifications | 5 +- apparmor.d/groups/gnome/gsd-rfkill | 36 ++--------- apparmor.d/groups/gnome/gsd-smartcard | 2 - apparmor.d/groups/gnome/mutter-x11-frames | 11 +--- apparmor.d/groups/gnome/seahorse | 27 +++----- apparmor.d/groups/gnome/tracker-extract | 3 + apparmor.d/groups/gvfs/gvfsd-metadata | 6 +- apparmor.d/groups/kde/kded5 | 6 +- apparmor.d/groups/network/NetworkManager | 4 ++ apparmor.d/groups/systemd/systemd-logind | 3 + apparmor.d/groups/systemd/systemd-timedated | 21 +++---- .../profiles-a-f/cups-pk-helper-mechanism | 8 +-- apparmor.d/profiles-a-f/fwupd | 16 ++--- 
apparmor.d/profiles-m-r/murmurd | 6 +- apparmor.d/profiles-m-r/obexd | 5 ++ apparmor.d/profiles-m-r/power-profiles-daemon | 2 - apparmor.d/profiles-m-r/remmina | 6 +- apparmor.d/profiles-s-z/spice-vdagent | 1 + apparmor.d/profiles-s-z/spice-vdagentd | 1 + 43 files changed, 221 insertions(+), 377 deletions(-) diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 4738aa33..822e1df7 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022 Jeroen Rijken +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,20 +10,14 @@ include @{exec_path} = @{bin}/avahi-browse @{bin}/avahi-browse-domains profile avahi-browse @{exec_path} { include + include include include - dbus send bus=system path=/ - interface=org.freedesktop.DBus.Peer - member=Ping, - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member={GetAPIVersion,GetState,ServiceTypeBrowserNew,ServiceBrowserNew}, - - dbus receive bus=system path=/Client[0-9]/ServiceTypeBrowser[0-9] + dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} interface=org.freedesktop.Avahi.ServiceTypeBrowser - member={ItemNew,CacheExhausted,AllForNow}, + member={ItemNew,AllForNow,CacheExhausted} + peer=(name=:*, label=avahi-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index 07a8b977..7ad8604d 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022 Jeroen Rijken +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -9,24 +10,19 @@ include @{exec_path} = @{bin}/avahi-resolve @{bin}/avahi-resolve-address @{bin}/avahi-resolve-host-name profile avahi-resolve @{exec_path} { include + include include include - dbus send bus=system path=/ - interface=org.freedesktop.DBus.Peer - member=Ping, + dbus send bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + member={Free,HostNameResolverNew} + peer=(name=:*, label=avahi-daemon), - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member={GetAPIVersion,GetState,AddressResolverNew}, - - dbus send bus=system path=/Client[0-9]/AddressResolver[0-9] - interface=org.freedesktop.Avahi.AddressResolver - member={Free,HostNameResolverNew,}, - - dbus receive bus=system path=/Client[0-9]/AddressResolver[0-9] - interface=org.freedesktop.Avahi.AddressResolver - member={Failure,Found}, + dbus receive bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + member={Failure,Found} + peer=(name=:*, label=avahi-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index aaa5ed53..d4463bbf 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord 
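Review bot: The rewritten `dbus send ... interface=org.freedesktop.Avahi.AddressResolver` rule keeps `HostNameResolverNew` in its member list, but that looks like a constructor on the `org.freedesktop.Avahi.Server` interface (the removed rules in this hunk, colord-sane and geoclue all list the `*New` members under `Avahi.Server`), so it cannot match on an AddressResolver object and `Free` is the only effective member here. If the resolver really needs that call it belongs with the Server rules that now come from the added include; otherwise the line should simply read `member=Free`. The new `peer=(name=:*, label=avahi-daemon)` is a welcome narrowing, but other rules in this patch address avahi-daemon by its well-known name (`peer=(name=org.freedesktop.Avahi, label=avahi-daemon)` in gsd-print-notifications), so it is worth confirming that a method call to that name is matched by the `:*` form before relying on it.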
@@ -18,20 +18,13 @@ profile colord @{exec_path} flags=(attach_disconnected) { network netlink raw, dbus bind bus=system name=org.freedesktop.ColorManager, - + dbus receive bus=system path=/org/freedesktop/ColorManager{,/**} + interface=org.freedesktop.ColorManager + peer=(name=:*), dbus receive bus=system path=/org/freedesktop/ColorManager{,/**} interface=org.freedesktop.DBus.Properties peer=(name=:*), - - dbus receive bus=system path=/org/freedesktop/ColorManager{,/**} - interface=org.freedesktop.ColorManager - peer=(name=:*, label=gnome-shell), - dbus send bus=system path=/org/freedesktop/ColorManager{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=org.freedesktop.DBus), - - dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager peer=(name=org.freedesktop.DBus), diff --git a/apparmor.d/groups/freedesktop/colord-sane b/apparmor.d/groups/freedesktop/colord-sane index def8c0fc..b5149fcd 100644 --- a/apparmor.d/groups/freedesktop/colord-sane +++ b/apparmor.d/groups/freedesktop/colord-sane @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/{,colord/}colord-sane profile colord-sane @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -18,18 +19,6 @@ profile colord-sane @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - dbus (send,receive) bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.{DBus.Properties,ColorManager}, - - dbus send bus=system path=/ - interface=org.freedesktop.{DBus.Peer,Avahi.Server} - member={GetAPIVersion,GetState,ServiceBrowserNew,Ping} - peer=(name=org.freedesktop.Avahi), - - dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]* - interface=org.freedesktop.Avahi.ServiceBrowser - member={CacheExhausted,AllForNow}, - @{exec_path} mr, /usr/share/snmp/mibs/{,*} r, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 6c2ad052..3b6251b7 100644 
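Review bot: The rewritten `dbus receive ... interface=org.freedesktop.ColorManager` rule drops the `label=gnome-shell` constraint and keeps only `peer=(name=:*)`, so as far as this profile is concerned any system-bus client may now invoke ColorManager methods, where the previous rule admitted gnome-shell only. The same relaxation appears in gnome-session-binary (`interface=org.gnome.SessionManager peer=(name=:*)`, formerly scoped to `label="{gsd-*,gnome-*,xdg-desktop-portal-*}"`), goa-identity-service (the `/org/gnome/Identity` receives, formerly `label=goa-daemon`) and gsd-rfkill (the Rfkill Properties receive, formerly `label="{gsd-media-keys,gnome-shell}"`). For a genuinely multi-client service this is defensible, but it should be stated next to the rule, e.g. `# any client may call; the service performs its own authorization`, and where the caller set is known the label list should be kept. Separately, the removed `dbus send ... interface=org.freedesktop.DBus.Properties peer=(name=org.freedesktop.DBus)` rule is the form this patch uses elsewhere for signal emission (see the gsd-rfkill hunk); unless an include outside this hunk now grants it, colord's own property-change signals will be denied.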
--- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -9,6 +9,10 @@ include @{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent profile geoclue @{exec_path} flags=(attach_disconnected) { include + include + include + include + include include include include @@ -36,44 +40,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { member={GetConnectionUnixUser,GetConnectionUnixProcessID} peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member={GetAPIVersion,GetState,ServiceBrowserNew}, - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.Peer - member=Ping, - - dbus send bus=system path=/fi/w1/wpa_supplicant1 - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=wpa-supplicant), - - dbus send bus=system path=/org/freedesktop/ModemManager[0-9] - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects, - - dbus send bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged}, - - dbus receive bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=StateChanged, - - dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* - interface=org.freedesktop.Avahi.ServiceBrowser - member={AllForNow,CacheExhausted} - peer=(name=:*, label=avahi-daemon), - - dbus receive bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.NetworkManager - member={CheckPermissions,StateChanged,PropertiesChanged}, - - dbus receive bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, - @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index d99efdbf..9fa3b7b7 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio 
+++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -12,6 +12,8 @@ include profile pulseaudio @{exec_path} { include include + include + include include include include @@ -39,37 +41,12 @@ profile pulseaudio @{exec_path} { network bluetooth stream, network bluetooth seqpacket, - dbus bind bus=session name=org.freedesktop.ReserveDevice[0-9].Audio[0-9], + dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio1, - dbus bind bus=session name=org.PulseAudio[0-9], + dbus bind bus=session name=org.PulseAudio1, dbus bind bus=session name=org.pulseaudio*, - dbus send bus=session path=/Client[0-9]*/EntryGroup[0-9]* - interface=org.freedesktop.Avahi.EntryGroup - member={GetState,AddService,AddServiceSubtype,Commit} - peer=(name=org.freedesktop.Avahi), - - dbus receive bus=system path=/Client[0-9]*/EntryGroup[0-9]* - interface=org.freedesktop.Avahi.EntryGroup - member={AddService,AddServiceSubtype,Commit,GetState,StateChanged} - peer=(name=org.freedesktop.Avahi), - - dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* - interface=org.freedesktop.Avahi.ServiceBrowser - member={ItemNew,ItemRemove} - peer=(name=org.freedesktop.Avahi), # no peer's label - - dbus receive bus=system path=/Client[0-9]*/ServiceResolver[0-9]* - interface=org.freedesktop.Avahi.ServiceResolver - member=Found - peer=(name=org.freedesktop.Avahi), - - dbus send bus=system path=/Client[0-9]*/ServiceResolver[0-9]* - interface=org.freedesktop.Avahi.ServiceResolver - member=Free - peer=(name=org.freedesktop.Avahi), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect 
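Review bot: Narrowing `dbus bind bus=session name=org.freedesktop.ReserveDevice[0-9].Audio[0-9]` to `...ReserveDevice1.Audio1` pins the profile to a single card index; as far as I can tell the ReserveDevice1 protocol names one object per sound card, so a PulseAudio instance reserving a card with another index will have its bind denied. The protocol-version part (`ReserveDevice1`) is fixed and fine to pin, but the card suffix should keep a numeric wildcard, `dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio@{int},`, matching the `@{int}` variable this patch uses elsewhere. The `org.PulseAudio1` change is fine, since that suffix is a version rather than an index.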
@@ -79,25 +56,6 @@ profile pulseaudio @{exec_path} { interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=org.bluez), - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.Peer - member=Ping - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member={GetAPIVersion,GetState,EntryGroupNew} - peer=(name=org.freedesktop.Avahi), - - dbus receive bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=StateChanged - peer=(name=org.freedesktop.Avahi), - - dbus receive bus=system path=/org/bluez/hci*/** - interface=org.freedesktop.DBus.Properties - peer=(name=:*), @{exec_path} mrix, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 41fcb264..1e032f82 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/{,upower/}upowerd profile upowerd @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -24,11 +25,6 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties peer=(name=:*), - dbus receive bus=system path=/org/bluez/hci@{int}{,/**} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=bluetoothd), - @{exec_path} mr, /etc/UPower/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 20054be4..79711fa7 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy 
@@ -9,40 +9,29 @@ include @{exec_path} = @{bin}/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include - include + include + include + include + include include + include - @{exec_path} mr, + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Realtime + member=MakeThreadRealtimeWithPID + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), - dbus (send,receive) bus=system path=/ + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=session path=/ interface=org.freedesktop.DBus member={AddMatch,GetNameOwner} - peer=(label=dbus-daemon), + peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus (send,receive) bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={AddMatch,RemoveMatch,NameHasOwner,GetNameOwner} - peer=(label=dbus-daemon), - - dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.NetworkManager - member=GetDevices - peer=(label=NetworkManager), - - dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager{/Devices/[0-9]*,/ActiveConnection/[0-9]*} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(label=NetworkManager), - - dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager/Settings - interface=org.freedesktop.NetworkManager.Settings - member=ListConnections - peer=(label=NetworkManager), - - dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* - interface=org.freedesktop.NetworkManager.Settings.Connection - member=GetSettings - peer=(label=NetworkManager), + @{exec_path} mr, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw, 
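Review bot: Every `bus=system` rule is removed from xdg-dbus-proxy and only session and accessibility sends remain, yet the profile still handles `owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw` a few lines down, so system-bus traffic the proxy forwards for its clients will now be denied unless one of the four added includes covers it (their targets are not visible in this rendering). The kept `dbus send bus=session path=/ interface=org.freedesktop.DBus member={AddMatch,GetNameOwner}` rule also matches `path=/` only, whereas the dropped rule additionally matched the `/org/freedesktop/DBus` object path; if both removals are intentional, a comment above the rules naming the include that now grants the proxied traffic would save the next reader the same question. Since this process sends whatever the applications it proxies ask for, keeping that split explicit, e.g. `# Only what the proxy itself calls is listed here; proxied traffic is covered by the abstractions.`, is worth the one line.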
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index abb8bf1d..b8f61ee9 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -44,6 +45,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties peer=(name=org.freedesktop.DBus), + dbus send bus=system path=/net/hadess/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=power-profiles-daemon), + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.DBus.Properties peer=(name=:*, label=xdg-permission-store), diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index a6659d14..14a3ef38 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -11,6 +11,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { include include include + include include include include @@ -18,15 +19,14 @@ profile xdg-desktop-portal-gnome @{exec_path} { include include include - include - include - include + include include include include include include - include + + network unix stream, dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gnome, 
@@ -72,14 +72,9 @@ profile xdg-desktop-portal-gnome @{exec_path} { interface=org.freedesktop.DBus.Properties peer=(name=:*, label="{gnome-shell,gsd-xsettings}"), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=ListMountableInfo - peer=(name=:*, label=gvfsd), - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect + dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged peer=(name=:*, label=gnome-shell), @{exec_path} mr, @@ -88,17 +83,10 @@ profile xdg-desktop-portal-gnome @{exec_path} { @{bin}/ r, @{bin}/* r, - /usr/share/X11/xkb/{,**} r, - - /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, /var/lib/snapd/desktop/icons/{,**} r, owner @{HOME}/*/{,**} rw, - owner @{user_share_dirs}/ r, - - owner @{run}/user/@{uid}/gdm/Xauthority r, - @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 39470c19..ad24af64 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -13,6 +13,7 @@ profile xdg-desktop-portal-gtk @{exec_path} { include include include + include include include include 
@@ -35,14 +36,9 @@ profile xdg-desktop-portal-gtk @{exec_path} { unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gtk, - - dbus receive bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.NetworkManager - member=CheckPermissions, - - dbus receive bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + peer=(name=:*), dbus receive bus=session path=/org/gnome/Shell/Introspect interface=org.gnome.Shell.Introspect diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 2eaf5366..45d9b5b9 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -31,11 +31,6 @@ profile evolution-alarm-notify @{exec_path} { interface=org.freedesktop.DBus.{ObjectManager,Properties} peer=(name=:*, label=evolution-*), - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), - @{exec_path} mr, /usr/share/evolution-data-server/{,**} r, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 3e121930..f85c52ac 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry 
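Review bot: The new `dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings peer=(name=:*)` accepts the call from any session-bus peer. As far as I know the `org.freedesktop.impl.portal.*` backend interfaces are driven only by xdg-desktop-portal, a label this patch already uses (`label=xdg-desktop-portal` in the xdg-dbus-proxy hunk), so the rule can be scoped to `peer=(name=:*, label=xdg-desktop-portal)`. If other callers are expected, a comment on the rule stating that would be the alternative.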
@@ -23,11 +23,12 @@ profile evolution-source-registry @{exec_path} { network netlink raw, dbus bind bus=session name=org.gnome.evolution.dataserver.Sources@{int}, - dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} interface={org.freedesktop.DBus.ObjectManager,org.freedesktop.DBus.Properties} peer=(name=:*), - + dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} + interface=org.gnome.evolution.dataserver.Source{,.*} + peer=(name=:*), dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} interface=org.freedesktop.DBus.Properties peer=(name=org.freedesktop.DBus), @@ -51,19 +52,8 @@ profile evolution-source-registry @{exec_path} { owner @{user_share_dirs}/evolution/{,**} r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, - # new user; change to 'c' - owner @{user_config_dirs}/evolution/ w, - owner @{user_share_dirs}/evolution/ w, - owner @{user_share_dirs}/evolution/addressbook/ w, - owner @{user_share_dirs}/evolution/addressbook/trash/ w, - owner @{user_share_dirs}/evolution/calendar/ w, - owner @{user_share_dirs}/evolution/calendar/trash/ w, - owner @{user_share_dirs}/evolution/mail/ w, - owner @{user_share_dirs}/evolution/mail/trash/ w, - owner @{user_share_dirs}/evolution/memos/ w, - owner @{user_share_dirs}/evolution/memos/trash/ w, - owner @{user_share_dirs}/evolution/tasks/ w, - owner @{user_share_dirs}/evolution/tasks/trash/ w, + owner @{user_config_dirs}/evolution/{,**/} w, + owner @{user_share_dirs}/evolution/{,**/} w, @{PROC}/sys/kernel/osrelease r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 2ad3db50..08c85dad 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console 
@@ -47,6 +47,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver peer=(name=org.freedesktop.DBus), + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + peer=(name=org.gnome.Shell.ScreenShield), dbus send bus=session path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties peer=(name=:*), # all members diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index 1bf36e05..61353bca 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -21,6 +21,11 @@ profile gnome-calculator-search-provider @{exec_path} { signal (send) set=kill peer=unconfined, + dbus bind bus=session name=org.gnome.Calculator.SearchProvider, + dbus receive bus=session path=/org/gnome/Calculator/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + peer=(name=:*, label=gnome-shell), + @{exec_path} mrix, /{usr/,}bin/[a-z0-9]* rPUx, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index ef5fa9f1..106df975 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,8 +9,14 @@ include @{exec_path} = @{bin}/gnome-calendar profile gnome-calendar @{exec_path} { include + include + include + include + include + include + include include - include + include include include include 
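Review bot: The added `dbus send bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver peer=(name=org.gnome.Shell.ScreenShield)` is the only ScreenSaver rule in this block with a named peer but no label, and it has no member restriction either. If, as the name suggests, that bus name is owned by gnome-shell, `peer=(name=org.gnome.Shell.ScreenShield, label=gnome-shell)` would pin the recipient the way the rest of this patch does; if the member set is known it should be listed too.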
@@ -21,15 +27,28 @@ profile gnome-calendar @{exec_path} { network netlink raw, + dbus bind bus=session name=org.gnome.Calendar, + dbus receive bus=session path=/org/gnome/Calendar/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/evolution/dataserver/** + interface=org.freedesktop.DBus.Properties + peer=(name=:*, label=evolution-*), + dbus send bus=session path=/org/gnome/evolution/dataserver/** + interface=org.gnome.evolution.dataserver.* + peer=(name=:*, label=evolution-*), + dbus send bus=session path=/org/gnome/evolution/dataserver/** + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=evolution-*), + @{exec_path} mr, /usr/share/egl/{,**} r, /usr/share/evolution-data-server/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/libgweather/Locations.xml r, - owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{PROC}/@{pid}/cmdline r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index bebce7b5..2ed2ba2b 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -9,6 +9,9 @@ include @{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters profile gnome-characters @{exec_path} { include + include + include + include include include include @@ -18,6 +21,11 @@ profile gnome-characters @{exec_path} { include include + dbus bind bus=session name=org.gnome.Characters, + dbus receive bus=session path=/org/gnome/Characters/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, @{bin}/gjs-console rix, diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index d6f1c9eb..95260b33 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper 
+++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -9,6 +9,10 @@ include @{exec_path} = @{lib}/gnome-control-center-goa-helper profile gnome-control-center-goa-helper @{exec_path} { include + include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 42bd5775..b13ca380 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -18,7 +18,11 @@ profile gnome-control-center-search-provider @{exec_path} { include include include - include + + dbus bind bus=session name=org.gnome.Settings.SearchProvider, + dbus receive bus=session path=/org/gnome/Settings/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 28bde0c8..9ce06a22 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -11,6 +11,7 @@ include profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 18dde3e1..a9384534 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -11,6 +11,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include + include include include include 
@@ -38,6 +39,29 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=gsd-*, dbus bind bus=session name=org.gnome.SessionManager, + dbus receive bus=session path=/org/gnome/SessionManager{,/**} + interface=org.freedesktop.DBus.Properties + peer=(name=:*), + dbus receive bus=session path=/org/gnome/SessionManager{,/**} + interface=org.gnome.SessionManager + peer=(name=:*), + dbus send bus=session path=/org/gnome/SessionManager{,/**} + interface=org.freedesktop.DBus.Properties + peer=(name=org.freedesktop.DBus), + dbus send bus=session path=/org/gnome/SessionManager{,/**} + interface=org.gnome.SessionManager + peer=(name=org.freedesktop.DBus,), + + dbus send bus=session path=/org/gnome/SessionManager/Presence + interface=org.gnome.SessionManager.Presence + member=StatusChanged + peer=(name=org.freedesktop.DBus), + + dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core + interface=org.gnome.Mutter.IdleMonitor + member=WatchFired + peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus 
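Review bot: `peer=(name=org.freedesktop.DBus,),` on the new `dbus send ... interface=org.gnome.SessionManager` rule carries a stray comma inside the parenthesised peer list; the three sibling rules added just above it write `peer=(name=org.freedesktop.DBus),`. Whether the parser rejects it or silently tolerates it, the line should read `peer=(name=org.freedesktop.DBus),` so the four rules are uniform. The enclosing profile block starts and ends outside this hunk.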
@@ -54,39 +78,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { member=SetIdleHint peer=(name=org.freedesktop.login1, label=systemd-logind), - dbus (send,receive) bus=session path=/org/gnome/SessionManager{,/**} - interface={org.freedesktop.DBus.Introspectable,org.gnome.SessionManager**}, - - dbus receive bus=session path=/org/gnome/SessionManager - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=at-spi2-registryd), - - dbus send bus=session path=/org/gnome/SessionManager/Client@{int} - interface=org.gnome.SessionManager.ClientPrivate - member=CancelEndSession - peer=(name=org.freedesktop.DBus, label=gsd-*), - - dbus send bus=session path=/org/gnome/SessionManager/Presence - interface=org.gnome.SessionManager.Presence - member=StatusChanged - peer=(name=org.freedesktop.DBus, label=gnome-shell), - - dbus send bus=session path=/org/gnome/SessionManager/EndSessionDialog - interface=org.gnome.SessionManager.EndSessionDialog - member=Open - peer=(name=:*, label=gnome-shell), - - dbus send bus=session path=/org/gnome/SessionManager/EndSessionDialog - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - - dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/**} - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name="{org.freedesktop.DBus,:*}", label="{gsd-*,gnome-*,xdg-desktop-portal-*}"), - dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager peer=(name=org.freedesktop.systemd1, label=@{systemd}), @@ -106,11 +97,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { member=WatchFired peer=(name=:*, label=gnome-shell), - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), - @{exec_path} mr, @{bin}/{,z,ba,da}sh rix, 
diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 21ab84be..9f2d9936 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -12,10 +12,13 @@ profile goa-identity-service @{exec_path} { include include + dbus bind bus=session name=org.gnome.Identity, dbus receive bus=session path=/org/gnome/Identity interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=goa-daemon), + peer=(name=:*), + dbus receive bus=session path=/org/gnome/Identity/Manager + interface=org.freedesktop.DBus.Properties + peer=(name=:*), dbus send bus=session path=/org/gnome/OnlineAccounts interface=org.freedesktop.DBus.ObjectManager @@ -27,13 +30,6 @@ profile goa-identity-service @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/gnome/Identity/Manager - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=goa-daemon), - - dbus bind bus=session name=org.gnome.Identity, - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index d6456aeb..66c86cf7 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -66,6 +66,10 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=gsd-rfkill), + dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=gsd-rfkill), dbus send bus=session path=/ interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index e03c5854..19813727 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power 
@@ -12,6 +12,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -44,23 +45,32 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/gnome/Mutter/** interface=org.gnome.Mutter.IdleMonitor peer=(name=:*, label=gnome-shell), + dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member=MonitorsChanged + peer=(name=:*, label=gnome-shell), + dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core + interface=org.gnome.Mutter.IdleMonitor + peer=(name=:*, label=gnome-shell), dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight member=GetBrightness peer=(name=:*, label=upowerd), - dbus send bus=system path=/org/freedesktop/systemd[0-9] + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member=Get, dbus send bus=system path=/org/freedesktop/login1/session/auto interface=org.freedesktop.DBus.Properties - member=GetAll, + member=GetAll + peer=(name=:*, label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1/session/auto interface=org.freedesktop.login1.Session - member=SetBrightness, + member=SetBrightness + peer=(name=:*, label=systemd-logind), dbus send bus=system path=/net/hadess/PowerProfiles interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index c91aa452..40084c31 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include + include include include include 
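Review bot: In the gsd-power `@@ -44` hunk the two login1 sends gained `peer=(name=:*, label=systemd-logind)`, but the corrected `dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member=Get,` rule directly above them is still left without any peer constraint, so it permits a Properties.Get to any system-bus destination. The patch already has the matching form for this service in gnome-session-binary (`peer=(name=org.freedesktop.systemd1, label=@{systemd})`); applying it here, `member=Get peer=(name=org.freedesktop.systemd1, label=@{systemd}),`, makes the three rules consistent. The `[0-9]` → `1` fix on the path is right, since that suffix is an interface version rather than an index.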
@@ -31,10 +32,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
 dbus send bus=system path=/
 interface=org.freedesktop.Avahi.Server
 peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
- dbus send bus=system path=/
- interface=org.freedesktop.DBus.Peer
- member=Ping
- peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
 dbus receive bus=system path=/org/cups/cupsd/Notifier
 interface=org.cups.cupsd.Notifier,
diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill
index 801a25b7..620e63c8 100644
--- a/apparmor.d/groups/gnome/gsd-rfkill
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@@ -9,6 +9,9 @@ include
 @{exec_path} = @{lib}/gsd-rfkill
 profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
 include
+ include
+ include
+ include
 include
 include
 include
@@ -18,41 +21,12 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
 dbus bind bus=session name=org.gnome.SettingsDaemon.Rfkill,
-
- dbus send bus=system path=/org/freedesktop/hostname[0-9]
- interface=org.freedesktop.DBus.Properties
- member=Get,
-
- dbus send bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
-
- dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
- interface=org.freedesktop.DBus.ObjectManager
- member=GetManagedObjects,
-
- dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill
- interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
- peer=(name=org.freedesktop.DBus, label=gsd-media-keys),
-
- dbus receive bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.NetworkManager
- member={CheckPermissions,StateChanged},
-
- dbus receive bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged,
-
 dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill
 interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label="{gsd-media-keys,gnome-shell}"),
-
+ peer=(name=:*),
 dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill
 interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
- peer=(name=org.freedesktop.DBus, label=gnome-shell),
+ peer=(name=org.freedesktop.DBus),
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard
index b1c58f35..a1cb6115 100644
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
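Review bot: The receive rule on `/org/gnome/SettingsDaemon/Rfkill` loses both `member=GetAll` and `label="{gsd-media-keys,gnome-shell}"`, so every `org.freedesktop.DBus.Properties` method on that object, including `Set`, may now be called by any session peer rather than by those two profiles. If only reads are intended the member list should stay; if `Set` is needed (presumably so gnome-shell can toggle the rfkill state) a comment saying so above the rule would record the decision. The block of removed system-bus rules for hostname1, NetworkManager and ModemManager appears to be replaced by the three includes added in the previous hunk, but this page shows those only as bare `include` lines, so the substitution could not be verified here.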
@@ -18,12 +18,10 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term, hup) peer=gdm*,
 dbus bind bus=session name=org.gnome.SettingsDaemon.Smartcard,
-
 dbus receive bus=session path=/org/gnome/SettingsDaemon/Smartcard
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
 peer=(name=:*, label=gnome-shell),
-
 dbus receive bus=session path=/org/gnome/SettingsDaemon/Smartcard
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames
index 6f92672d..3a883726 100644
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@@ -13,20 +13,11 @@ profile mutter-x11-frames @{exec_path} {
 include
 include
 include
- include
- include
- include
+ include
 include
 include
 include
 include
- include
- include
-
- dbus receive bus=session path=/
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse
index 2b00b9f5..04ad0605 100644
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@@ -9,6 +9,8 @@ include
 @{exec_path} = @{bin}/seahorse
 profile seahorse @{exec_path} {
 include
+ include
+ include
 include
 include
 include
@@ -17,24 +19,15 @@ profile seahorse @{exec_path} {
 include
 include
- dbus send bus=system path=/
- interface=org.freedesktop.DBus.Peer
- member=Ping
- peer=(name=org.freedesktop.Avahi),
+ dbus bind bus=session name=org.gnome.seahorse.Application,
+ dbus receive bus=session path=/org/gnome/seahorse/Application
+ interface=org.gnome.Shell.SearchProvider2
+ peer=(name=:*),
- dbus send bus=system path=/
- interface=org.freedesktop.Avahi.Server
- member={GetAPIVersion,GetState,ServiceBrowserNew}
- peer=(name=org.freedesktop.Avahi),
-
- dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
- interface=org.freedesktop.Avahi.ServiceBrowser
- member=Free
- peer=(name=org.freedesktop.Avahi),
-
- dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
- interface=org.freedesktop.Avahi.ServiceBrowser
- member={CacheExhausted,AllForNow},
+ dbus send bus=session path=/org/freedesktop/secrets
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=gnome-keyring-daemon),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index ef3ba5b4..e6b436d6 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -39,6 +39,9 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
 dbus send bus=session path=/org/freedesktop/Tracker3/**
 interface=org.freedesktop.Tracker3.*
 peer=(label=tracker-miner),
+ dbus send bus=session path=/org/freedesktop/Tracker3/**
+ interface=org.freedesktop.DBus.Peer
+ peer=(name=org.freedesktop.Tracker3.Miner.Files),
 dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
 interface=org.gtk.Private.RemoteVolumeMonitor
diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata
index 7d060273..8ba651eb 100644
--- a/apparmor.d/groups/gvfs/gvfsd-metadata
+++ b/apparmor.d/groups/gvfs/gvfsd-metadata
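Review bot: The new receive rule for `org.gnome.Shell.SearchProvider2` on `/org/gnome/seahorse/Application` uses `peer=(name=:*)` with no label, while the `/org/freedesktop/secrets` rule added in the same hunk does pin `label=gnome-keyring-daemon`. Search providers are driven by the shell, so `peer=(name=:*, label=gnome-shell),` would be the tighter and more consistent form unless other callers are expected, in which case a one-line comment naming them would help. The removed Avahi rules are presumably covered by the includes added in the previous hunk, which this page shows only as bare `include` lines, so that could not be confirmed here.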
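Review bot: The added `org.freedesktop.DBus.Peer` send rule identifies its target by well-known name only, `peer=(name=org.freedesktop.Tracker3.Miner.Files)`, while the rule directly above it identifies the same service by `label=tracker-miner`. Giving both, `peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),`, keeps the pair consistent and does not match an unconfined process that acquires the name. If only the `Ping` method is used, `member=Ping` would narrow it further.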
@@ -21,15 +21,15 @@ profile gvfsd-metadata @{exec_path} {
 dbus receive bus=session path=/org/gtk/vfs/metadata
 interface=org.freedesktop.DBus.Properties
 member=GetAll
- peer=(name=:*, label=gnome-extension-ding),
+ peer=(name=:*),
 dbus send bus=session path=/org/gtk/vfs/metadata
 interface=org.gtk.vfs.Metadata
 member=AttributeChanged
- peer=(name=org.freedesktop.DBus, label=gnome-extension-ding),
+ peer=(name=org.freedesktop.DBus),
 dbus receive bus=session path=/org/gtk/vfs/metadata
 interface=org.gtk.vfs.Metadata
 member={GetTreeFromDevice,Remove}
- peer=(name=:*, label=gnome-shell),
+ peer=(name=:*),
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5
index 480df077..6162f7bd 100644
--- a/apparmor.d/groups/kde/kded5
+++ b/apparmor.d/groups/kde/kded5
@@ -10,6 +10,7 @@ include
 profile kded5 @{exec_path} {
 include
 include
+ include
 include
 include
 include
@@ -34,11 +35,6 @@ profile kded5 @{exec_path} {
 signal (send) set=hup peer=xsettingsd,
- dbus receive bus=system path=/org/bluez/hci*/**
- interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
- peer=(name=:*),
-
 @{exec_path} mrix,
 @{bin}/kcminit rPx,
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 758e43b4..a1ea9328 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -9,9 +9,13 @@ include
 @{exec_path} = @{bin}/NetworkManager
 profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
+ include
+ include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 0358ae3a..8a2ddef6 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
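Review bot: All three peer labels on `/org/gtk/vfs/metadata` are dropped in this hunk, so `GetTreeFromDevice` and `Remove` — the latter a mutating call — may now be issued by any session peer rather than only gnome-shell, and `GetAll` by any peer rather than only gnome-extension-ding. If the metadata object is meant to serve any desktop client, a comment such as `# metadata store is a general session service; callers are deliberately not restricted by label` above the first rule would record that for the next reviewer. Otherwise the known callers could be kept as a list, e.g. `peer=(name=:*, label="{gnome-shell,gnome-extension-ding}"),`, and extended as new ones are found.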
@@ -47,6 +47,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 dbus send bus=system path=/org/freedesktop/systemd1/{unit,job}/**
 interface=org.freedesktop.DBus.Properties
 peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+ dbus send bus=system path=/org/freedesktop/systemd1/{unit,job}/**
+ interface=org.freedesktop.systemd1.Scope
+ peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
 dbus send bus=system path=/org/freedesktop/systemd1
 interface=org.freedesktop.systemd1.Manager
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated
index b2beaae9..beb7f295 100644
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2022 Mikhail Morfikov
-# Copyright (C) 2022 Alexandre Pujol
+# Copyright (C) 2022-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -15,19 +15,18 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
 capability sys_time,
- dbus (send,receive) bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={AddMatch,ReleaseName,RequestName},
-
- dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/*
+ dbus bind bus=system name=org.freedesktop.timedate1,
+ dbus receive bus=system path=/org/freedesktop/timedate1
 interface=org.freedesktop.DBus.Properties
- member=GetAll,
+ peer=(name=:*),
+ dbus receive bus=system path=/org/freedesktop/timedate1
+ interface=org.freedesktop.timedate1
+ peer=(name=:*),
- dbus receive bus=system path=/org/freedesktop/timedate[0-1]
+ dbus send bus=system path=/org/freedesktop/systemd1/unit/*
 interface=org.freedesktop.DBus.Properties
- member={Get,GetAll},
-
- dbus bind bus=system name=org.freedesktop.timedate[0-9],
+ member=GetAll
+ peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
 @{exec_path} mr,
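Review bot: The removed `dbus (send,receive) ... member={AddMatch,ReleaseName,RequestName}` rule is only partly replaced in this hunk: `dbus bind bus=system name=org.freedesktop.timedate1,` covers RequestName/ReleaseName, but nothing visible here grants `AddMatch` on `org.freedesktop.DBus`, so any signal subscription timedated makes now relies on an include outside the hunk and is worth confirming before merge. The two new `peer=(name=:*)` receive rules without `member=` are the usual shape for a polkit-gated public service, but note that the `org.freedesktop.timedate1` one is new rather than a relaxation: the old profile only had a Properties `{Get,GetAll}` rule for that path, so this is the rule that actually exposes the interface's write methods, with authorization left entirely to polkit. A short comment above it, e.g. `# write methods are authorized by polkit, not by label`, would make that explicit.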
diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
index ee105584..dff453b6 100644
--- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
+++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
@@ -10,6 +10,7 @@ include
 @{exec_path} += @{lib}/@{multiarch}/cups-pk-helper-mechanism
 profile cups-pk-helper-mechanism @{exec_path} {
 include
+ include
 include
 include
@@ -19,11 +20,10 @@ profile cups-pk-helper-mechanism @{exec_path} {
 network inet stream,
 network inet6 stream,
+ dbus bind bus=system name=org.opensuse.CupsPkHelper.Mechanism,
 dbus receive bus=system path=/
- interface=org.opensuse.CupsPkHelper.Mechanism,
-
- dbus bind bus=system
- name=org.opensuse.CupsPkHelper.Mechanism,
+ interface=org.opensuse.CupsPkHelper.Mechanism
+ peer=(name=:*),
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 7c3f06d2..ef21b2ea 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{lib}/{,fwupd/}fwupd
 profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -38,11 +39,9 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 peer=(name=:*, label=fwupdmgr),
 dbus receive bus=system path=/
 interface=org.freedesktop.DBus.Properties
- member={GetAll,SetHints,GetPlugins,GetRemotes}
 peer=(name=:*, label=fwupdmgr),
 dbus send bus=system path=/
 interface=org.freedesktop.DBus
- member=Changed
 peer=(name=:*, label=fwupdmgr),
 dbus send bus=system path=/org/freedesktop/DBus
@@ -50,17 +49,10 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 member={GetConnectionUnixUser,GetConnectionUnixProcessID}
 peer=(name=org.freedesktop.DBus, label=dbus-daemon),
- dbus send bus=system path=/org/freedesktop/ModemManager1
- interface=org.freedesktop.DBus.{Properties,ObjectManager}
- member={GetAll,GetManagedObjects},
-
- dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
-
 dbus send bus=system path=/org/freedesktop/UDisks2/Manager
- interface=org.freedesktop.{DBus.Properties,UDisks2.Manager}
- member={GetAll,GetBlockDevices},
+ interface=org.freedesktop.UDisks2.Manager
+ member=GetBlockDevices
+ peer=(name=:*, label=udisksd),
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd
index fbb7198b..82bcafa7 100644
--- a/apparmor.d/profiles-m-r/murmurd
+++ b/apparmor.d/profiles-m-r/murmurd
@@ -7,6 +7,7 @@ include
 @{exec_path} = @{bin}/murmurd
 profile murmurd @{exec_path} {
 include
+ include
 include
 include
 include
@@ -25,11 +26,6 @@ profile murmurd @{exec_path} {
 unix (send, receive) type=stream addr=none peer=(label=lsb_release),
- dbus send bus=system path=/
- interface=org.freedesktop.DBus.Peer
- member=Ping
- peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
-
 @{exec_path} mr,
 @{bin}/lsb_release rPx -> lsb_release,
diff --git a/apparmor.d/profiles-m-r/obexd b/apparmor.d/profiles-m-r/obexd
index 242115a2..b16c8ec9 100644
--- a/apparmor.d/profiles-m-r/obexd
+++ b/apparmor.d/profiles-m-r/obexd
@@ -16,6 +16,11 @@ profile obexd @{exec_path} {
 network bluetooth stream,
 network bluetooth seqpacket,
+ dbus bind bus=session name=org.bluez.obex,
+ dbus receive bus=session path=/org/bluez/obex
+ interface=org.bluez.obex.AgentManager1
+ peer=(name=:*),
+
 @{exec_path} mr,
 owner @{user_cache_dirs}/ rw,
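Review bot: The new receive rule for `org.bluez.obex.AgentManager1` on `/org/bluez/obex` accepts from `peer=(name=:*)` with neither a label nor a `member=`, so any session peer may register or unregister the agent that approves incoming OBEX transfers. If only the desktop's Bluetooth agent is expected to call this, pinning `label=` to that profile, as the gnome-shell-labelled rules elsewhere in this commit do, would keep the rule in line with the least-privilege style used in the rest of the set; if it is intentionally open, a comment such as `# agent registration is open to any session client; obexd prompts the user per transfer` above the rule would record that, provided the prompting is confirmed. The profile body continues outside the hunk.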
diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon
index 83c4551f..00b1489b 100644
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@@ -21,11 +21,9 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
 dbus bind bus=system name=net.hadess.PowerProfiles,
-
 dbus receive bus=system path=/net/hadess/PowerProfiles
 interface=org.freedesktop.DBus.Properties
 peer=(name=:*),
-
 dbus send bus=system path=/net/hadess/PowerProfiles
 interface=org.freedesktop.DBus.Properties
 peer=(name=org.freedesktop.DBus),
diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina
index 1d0f0d2a..241c2a0a 100644
--- a/apparmor.d/profiles-m-r/remmina
+++ b/apparmor.d/profiles-m-r/remmina
@@ -10,6 +10,7 @@ include
 profile remmina @{exec_path} {
 include
 include
+ include
 include
 include
 include
@@ -49,11 +50,6 @@ profile remmina @{exec_path} {
 member=GetAll
 peer=(name=:*, label=gnome-keyring-daemon),
- dbus send bus=system path=/org/freedesktop/hostname[0-9]*
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*),
-
 dbus send bus=session path=/StatusNotifierWatcher
 interface=org.kde.StatusNotifierWatcher
 member=RegisterStatusNotifierItem
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index a8547f52..3e9d69dc 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -12,6 +12,7 @@ profile spice-vdagent @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd
index edb5dbda..1a0064fe 100644
--- a/apparmor.d/profiles-s-z/spice-vdagentd
+++ b/apparmor.d/profiles-s-z/spice-vdagentd
@@ -10,6 +10,7 @@ include
 profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 capability sys_nice,