mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(dbus): rewrite some dbus rules (7).

Browse source
This commit is contained in:
Alexandre Pujol 2023-12-05 21:01:26 +00:00
parent 081c8a4fa1
commit 538ec25001
Failed to generate hash of commit
43 changed files with 221 additions and 377 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
apparmor.d/groups/avahi/avahi-browse
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken # Copyright (C) 2022 Jeroen Rijken
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -9,20 +10,14 @@ include <tunables/global>
@{exec_path} = @{bin}/avahi-browse @{bin}/avahi-browse-domains @{exec_path} = @{bin}/avahi-browse @{bin}/avahi-browse-domains
profile avahi-browse @{exec_path} { profile avahi-browse @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/avahi>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
dbus send bus=system path=/ dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int}
interface=org.freedesktop.DBus.Peer
member=Ping,
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,ServiceTypeBrowserNew,ServiceBrowserNew},
dbus receive bus=system path=/Client[0-9]/ServiceTypeBrowser[0-9]
interface=org.freedesktop.Avahi.ServiceTypeBrowser interface=org.freedesktop.Avahi.ServiceTypeBrowser
member={ItemNew,CacheExhausted,AllForNow}, member={ItemNew,AllForNow,CacheExhausted}
peer=(name=:*, label=avahi-daemon),
@{exec_path} mr, @{exec_path} mr,

20
apparmor.d/groups/avahi/avahi-resolve
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken # Copyright (C) 2022 Jeroen Rijken
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -9,24 +10,19 @@ include <tunables/global>
@{exec_path} = @{bin}/avahi-resolve @{bin}/avahi-resolve-address @{bin}/avahi-resolve-host-name @{exec_path} = @{bin}/avahi-resolve @{bin}/avahi-resolve-address @{bin}/avahi-resolve-host-name
profile avahi-resolve @{exec_path} { profile avahi-resolve @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/avahi>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
dbus send bus=system path=/ dbus send bus=system path=/Client@{int}/AddressResolver@{int}
interface=org.freedesktop.DBus.Peer
member=Ping,
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,AddressResolverNew},
dbus send bus=system path=/Client[0-9]/AddressResolver[0-9]
interface=org.freedesktop.Avahi.AddressResolver interface=org.freedesktop.Avahi.AddressResolver
member={Free,HostNameResolverNew,}, member={Free,HostNameResolverNew}
peer=(name=:*, label=avahi-daemon),
dbus receive bus=system path=/Client[0-9]/AddressResolver[0-9] dbus receive bus=system path=/Client@{int}/AddressResolver@{int}
interface=org.freedesktop.Avahi.AddressResolver interface=org.freedesktop.Avahi.AddressResolver
member={Failure,Found}, member={Failure,Found}
peer=(name=:*, label=avahi-daemon),
@{exec_path} mr, @{exec_path} mr,

13
apparmor.d/groups/freedesktop/colord
View file

@ -18,20 +18,13 @@ profile colord @{exec_path} flags=(attach_disconnected) {
network netlink raw, network netlink raw,
dbus bind bus=system name=org.freedesktop.ColorManager, dbus bind bus=system name=org.freedesktop.ColorManager,
dbus receive bus=system path=/org/freedesktop/ColorManager{,/**}
interface=org.freedesktop.ColorManager
peer=(name=:*),
dbus receive bus=system path=/org/freedesktop/ColorManager{,/**} dbus receive bus=system path=/org/freedesktop/ColorManager{,/**}
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
peer=(name=:*), peer=(name=:*),
dbus receive bus=system path=/org/freedesktop/ColorManager{,/**}
interface=org.freedesktop.ColorManager
peer=(name=:*, label=gnome-shell),
dbus send bus=system path=/org/freedesktop/ColorManager{,/**} dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
interface=org.freedesktop.DBus.Properties
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager interface=org.freedesktop.ColorManager
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),

13
apparmor.d/groups/freedesktop/colord-sane
View file

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,colord/}colord-sane @{exec_path} = @{lib}/{,colord/}colord-sane
profile colord-sane @{exec_path} flags=(attach_disconnected) { profile colord-sane @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/avahi>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/devices-usb> include <abstractions/devices-usb>
include <abstractions/openssl> include <abstractions/openssl>
@ -18,18 +19,6 @@ profile colord-sane @{exec_path} flags=(attach_disconnected) {
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.{DBus.Properties,ColorManager},
dbus send bus=system path=/
interface=org.freedesktop.{DBus.Peer,Avahi.Server}
member={GetAPIVersion,GetState,ServiceBrowserNew,Ping}
peer=(name=org.freedesktop.Avahi),
dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]*
interface=org.freedesktop.Avahi.ServiceBrowser
member={CacheExhausted,AllForNow},
@{exec_path} mr, @{exec_path} mr,
/usr/share/snmp/mibs/{,*} r, /usr/share/snmp/mibs/{,*} r,

42
apparmor.d/groups/freedesktop/geoclue
View file

@ -9,6 +9,10 @@ include <tunables/global>
@{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent @{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent
profile geoclue @{exec_path} flags=(attach_disconnected) { profile geoclue @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/avahi>
include <abstractions/bus/modem-manager>
include <abstractions/bus/network-manager>
include <abstractions/bus/wpa-supplicant>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/p11-kit> include <abstractions/p11-kit>
@ -36,44 +40,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
member={GetConnectionUnixUser,GetConnectionUnixProcessID} member={GetConnectionUnixUser,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus, label=dbus-daemon), peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,ServiceBrowserNew},
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping,
dbus send bus=system path=/fi/w1/wpa_supplicant1
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=wpa-supplicant),
dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects,
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged},
dbus receive bus=system path=/
interface=org.freedesktop.Avahi.Server
member=StateChanged,
dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
interface=org.freedesktop.Avahi.ServiceBrowser
member={AllForNow,CacheExhausted}
peer=(name=:*, label=avahi-daemon),
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={CheckPermissions,StateChanged,PropertiesChanged},
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged,
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,

50
apparmor.d/groups/freedesktop/pulseaudio
View file

@ -12,6 +12,8 @@ include <tunables/global>
profile pulseaudio @{exec_path} { profile pulseaudio @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio> include <abstractions/audio>
include <abstractions/bus/avahi>
include <abstractions/bus/bluetooth>
include <abstractions/bus/hostname> include <abstractions/bus/hostname>
include <abstractions/bus/rtkit> include <abstractions/bus/rtkit>
include <abstractions/consoles> include <abstractions/consoles>
@ -39,37 +41,12 @@ profile pulseaudio @{exec_path} {
network bluetooth stream, network bluetooth stream,
network bluetooth seqpacket, network bluetooth seqpacket,
dbus bind bus=session name=org.freedesktop.ReserveDevice[0-9].Audio[0-9], dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio1,
dbus bind bus=session name=org.PulseAudio[0-9], dbus bind bus=session name=org.PulseAudio1,
dbus bind bus=session name=org.pulseaudio*, dbus bind bus=session name=org.pulseaudio*,
dbus send bus=session path=/Client[0-9]*/EntryGroup[0-9]*
interface=org.freedesktop.Avahi.EntryGroup
member={GetState,AddService,AddServiceSubtype,Commit}
peer=(name=org.freedesktop.Avahi),
dbus receive bus=system path=/Client[0-9]*/EntryGroup[0-9]*
interface=org.freedesktop.Avahi.EntryGroup
member={AddService,AddServiceSubtype,Commit,GetState,StateChanged}
peer=(name=org.freedesktop.Avahi),
dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
interface=org.freedesktop.Avahi.ServiceBrowser
member={ItemNew,ItemRemove}
peer=(name=org.freedesktop.Avahi), # no peer's label
dbus receive bus=system path=/Client[0-9]*/ServiceResolver[0-9]*
interface=org.freedesktop.Avahi.ServiceResolver
member=Found
peer=(name=org.freedesktop.Avahi),
dbus send bus=system path=/Client[0-9]*/ServiceResolver[0-9]*
interface=org.freedesktop.Avahi.ServiceResolver
member=Free
peer=(name=org.freedesktop.Avahi),
dbus receive bus=session dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
member=Introspect member=Introspect
@ -80,25 +57,6 @@ profile pulseaudio @{exec_path} {
member=GetManagedObjects member=GetManagedObjects
peer=(name=org.bluez), peer=(name=org.bluez),
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,EntryGroupNew}
peer=(name=org.freedesktop.Avahi),
dbus receive bus=system path=/
interface=org.freedesktop.Avahi.Server
member=StateChanged
peer=(name=org.freedesktop.Avahi),
dbus receive bus=system path=/org/bluez/hci*/**
interface=org.freedesktop.DBus.Properties
peer=(name=:*),
@{exec_path} mrix, @{exec_path} mrix,
@{lib}/pulse/gsettings-helper rix, @{lib}/pulse/gsettings-helper rix,

6
apparmor.d/groups/freedesktop/upowerd
View file

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,upower/}upowerd @{exec_path} = @{lib}/{,upower/}upowerd
profile upowerd @{exec_path} flags=(attach_disconnected) { profile upowerd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/bluetooth>
include <abstractions/bus/login> include <abstractions/bus/login>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/devices-usb> include <abstractions/devices-usb>
@ -24,11 +25,6 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
peer=(name=:*), peer=(name=:*),
dbus receive bus=system path=/org/bluez/hci@{int}{,/**}
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=bluetoothd),
@{exec_path} mr, @{exec_path} mr,
/etc/UPower/ r, /etc/UPower/ r,

45
apparmor.d/groups/freedesktop/xdg-dbus-proxy
View file

@ -9,40 +9,29 @@ include <tunables/global>
@{exec_path} = @{bin}/xdg-dbus-proxy @{exec_path} = @{bin}/xdg-dbus-proxy
profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict> include <abstractions/bus/avahi>
include <abstractions/bus/desktop>
include <abstractions/bus/network-manager>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
@{exec_path} mr, dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Realtime
member=MakeThreadRealtimeWithPID
peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
dbus (send,receive) bus=system path=/ dbus send bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=GetRegisteredEvents
peer=(name=:*, label=at-spi2-registryd),
dbus send bus=session path=/
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={AddMatch,GetNameOwner} member={AddMatch,GetNameOwner}
peer=(label=dbus-daemon), peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus (send,receive) bus=system path=/org/freedesktop/DBus @{exec_path} mr,
interface=org.freedesktop.DBus
member={AddMatch,RemoveMatch,NameHasOwner,GetNameOwner}
peer=(label=dbus-daemon),
dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=GetDevices
peer=(label=NetworkManager),
dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager{/Devices/[0-9]*,/ActiveConnection/[0-9]*}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=NetworkManager),
dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager/Settings
interface=org.freedesktop.NetworkManager.Settings
member=ListConnections
peer=(label=NetworkManager),
dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]*
interface=org.freedesktop.NetworkManager.Settings.Connection
member=GetSettings
peer=(label=NetworkManager),
owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw,
owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw, owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw,

6
apparmor.d/groups/freedesktop/xdg-desktop-portal
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/xdg-desktop-portal @{exec_path} = @{lib}/xdg-desktop-portal
profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/network-manager>
include <abstractions/bus/rtkit> include <abstractions/bus/rtkit>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
@ -44,6 +45,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/net/hadess/PowerProfiles
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=power-profiles-daemon),
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
peer=(name=:*, label=xdg-permission-store), peer=(name=:*, label=xdg-permission-store),

26
apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
View file

@ -11,6 +11,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/account-daemon> include <abstractions/bus/account-daemon>
include <abstractions/bus/desktop> include <abstractions/bus/desktop>
include <abstractions/bus/vfs/mount>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -18,15 +19,14 @@ profile xdg-desktop-portal-gnome @{exec_path} {
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-write> include <abstractions/fontconfig-cache-write>
include <abstractions/fonts> include <abstractions/gnome-strict>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/nvidia> include <abstractions/nvidia>
include <abstractions/user-download> include <abstractions/user-download>
include <abstractions/vulkan> include <abstractions/vulkan>
include <abstractions/wayland>
network unix stream,
dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gnome, dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gnome,
@ -72,14 +72,9 @@ profile xdg-desktop-portal-gnome @{exec_path} {
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
peer=(name=:*, label="{gnome-shell,gsd-xsettings}"), peer=(name=:*, label="{gnome-shell,gsd-xsettings}"),
dbus send bus=session path=/org/gtk/vfs/mounttracker dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.gtk.vfs.MountTracker interface=org.freedesktop.DBus.Properties
member=ListMountableInfo member=PropertiesChanged
peer=(name=:*, label=gvfsd),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=gnome-shell), peer=(name=:*, label=gnome-shell),
@{exec_path} mr, @{exec_path} mr,
@ -88,17 +83,10 @@ profile xdg-desktop-portal-gnome @{exec_path} {
@{bin}/ r, @{bin}/ r,
@{bin}/* r, @{bin}/* r,
/usr/share/X11/xkb/{,**} r,
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
/var/lib/snapd/desktop/icons/{,**} r, /var/lib/snapd/desktop/icons/{,**} r,
owner @{HOME}/*/{,**} rw, owner @{HOME}/*/{,**} rw,
owner @{user_share_dirs}/ r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
@{run}/mount/utab r, @{run}/mount/utab r,
owner @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/ r,

12
apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
View file

@ -13,6 +13,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
include <abstractions/bus/atspi> include <abstractions/bus/atspi>
include <abstractions/bus/desktop> include <abstractions/bus/desktop>
include <abstractions/bus/gnome-screensaver> include <abstractions/bus/gnome-screensaver>
include <abstractions/bus/network-manager>
include <abstractions/bus/session-manager> include <abstractions/bus/session-manager>
include <abstractions/bus/vfs/mount> include <abstractions/bus/vfs/mount>
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
@ -35,14 +36,9 @@ profile xdg-desktop-portal-gtk @{exec_path} {
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gtk, dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gtk,
dbus receive bus=session path=/org/freedesktop/portal/desktop
dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.impl.portal.Settings
interface=org.freedesktop.NetworkManager peer=(name=:*),
member=CheckPermissions,
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged,
dbus receive bus=session path=/org/gnome/Shell/Introspect dbus receive bus=session path=/org/gnome/Shell/Introspect
interface=org.gnome.Shell.Introspect interface=org.gnome.Shell.Introspect

5
apparmor.d/groups/gnome/evolution-alarm-notify
View file

@ -31,11 +31,6 @@ profile evolution-alarm-notify @{exec_path} {
interface=org.freedesktop.DBus.{ObjectManager,Properties} interface=org.freedesktop.DBus.{ObjectManager,Properties}
peer=(name=:*, label=evolution-*), peer=(name=:*, label=evolution-*),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=gnome-shell),
@{exec_path} mr, @{exec_path} mr,
/usr/share/evolution-data-server/{,**} r, /usr/share/evolution-data-server/{,**} r,

20
apparmor.d/groups/gnome/evolution-source-registry
View file

@ -23,11 +23,12 @@ profile evolution-source-registry @{exec_path} {
network netlink raw, network netlink raw,
dbus bind bus=session name=org.gnome.evolution.dataserver.Sources@{int}, dbus bind bus=session name=org.gnome.evolution.dataserver.Sources@{int},
dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**}
interface={org.freedesktop.DBus.ObjectManager,org.freedesktop.DBus.Properties} interface={org.freedesktop.DBus.ObjectManager,org.freedesktop.DBus.Properties}
peer=(name=:*), peer=(name=:*),
dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**}
interface=org.gnome.evolution.dataserver.Source{,.*}
peer=(name=:*),
dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**}
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
@ -51,19 +52,8 @@ profile evolution-source-registry @{exec_path} {
owner @{user_share_dirs}/evolution/{,**} r, owner @{user_share_dirs}/evolution/{,**} r,
owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/gvfs-metadata/{,*} r,
# new user; change to 'c' owner @{user_config_dirs}/evolution/{,**/} w,
owner @{user_config_dirs}/evolution/ w, owner @{user_share_dirs}/evolution/{,**/} w,
owner @{user_share_dirs}/evolution/ w,
owner @{user_share_dirs}/evolution/addressbook/ w,
owner @{user_share_dirs}/evolution/addressbook/trash/ w,
owner @{user_share_dirs}/evolution/calendar/ w,
owner @{user_share_dirs}/evolution/calendar/trash/ w,
owner @{user_share_dirs}/evolution/mail/ w,
owner @{user_share_dirs}/evolution/mail/trash/ w,
owner @{user_share_dirs}/evolution/memos/ w,
owner @{user_share_dirs}/evolution/memos/trash/ w,
owner @{user_share_dirs}/evolution/tasks/ w,
owner @{user_share_dirs}/evolution/tasks/trash/ w,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/cmdline r, @{PROC}/cmdline r,

3
apparmor.d/groups/gnome/gjs-console
View file

@ -47,6 +47,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
dbus send bus=session path=/org/gnome/ScreenSaver dbus send bus=session path=/org/gnome/ScreenSaver
interface=org.gnome.ScreenSaver interface=org.gnome.ScreenSaver
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
dbus send bus=session path=/org/gnome/ScreenSaver
interface=org.gnome.ScreenSaver
peer=(name=org.gnome.Shell.ScreenShield),
dbus send bus=session path=/org/gnome/ScreenSaver dbus send bus=session path=/org/gnome/ScreenSaver
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
peer=(name=:*), # all members peer=(name=:*), # all members

5
apparmor.d/groups/gnome/gnome-calculator-search-provider
View file

@ -21,6 +21,11 @@ profile gnome-calculator-search-provider @{exec_path} {
signal (send) set=kill peer=unconfined, signal (send) set=kill peer=unconfined,
dbus bind bus=session name=org.gnome.Calculator.SearchProvider,
dbus receive bus=session path=/org/gnome/Calculator/SearchProvider
interface=org.gnome.Shell.SearchProvider2
peer=(name=:*, label=gnome-shell),
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/[a-z0-9]* rPUx, /{usr/,}bin/[a-z0-9]* rPUx,

29
apparmor.d/groups/gnome/gnome-calendar
View file

@ -1,5 +1,5 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -9,8 +9,14 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-calendar @{exec_path} = @{bin}/gnome-calendar
profile gnome-calendar @{exec_path} { profile gnome-calendar @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/desktop>
include <abstractions/bus/login>
include <abstractions/bus/network-manager>
include <abstractions/bus/timedate>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome> include <abstractions/gnome-strict>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/opencl> include <abstractions/opencl>
@ -21,15 +27,28 @@ profile gnome-calendar @{exec_path} {
network netlink raw, network netlink raw,
dbus bind bus=session name=org.gnome.Calendar,
dbus receive bus=session path=/org/gnome/Calendar/SearchProvider
interface=org.gnome.Shell.SearchProvider2
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/gnome/evolution/dataserver/**
interface=org.freedesktop.DBus.Properties
peer=(name=:*, label=evolution-*),
dbus send bus=session path=/org/gnome/evolution/dataserver/**
interface=org.gnome.evolution.dataserver.*
peer=(name=:*, label=evolution-*),
dbus send bus=session path=/org/gnome/evolution/dataserver/**
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=:*, label=evolution-*),
@{exec_path} mr, @{exec_path} mr,
/usr/share/egl/{,**} r, /usr/share/egl/{,**} r,
/usr/share/evolution-data-server/{,**} r, /usr/share/evolution-data-server/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/libgweather/Locations.xml r, /usr/share/libgweather/Locations.xml r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
include if exists <local/gnome-calendar> include if exists <local/gnome-calendar>

8
apparmor.d/groups/gnome/gnome-characters
View file

@ -9,6 +9,9 @@ include <tunables/global>
@{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters @{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters
profile gnome-characters @{exec_path} { profile gnome-characters @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/desktop>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
@ -18,6 +21,11 @@ profile gnome-characters @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/vulkan> include <abstractions/vulkan>
dbus bind bus=session name=org.gnome.Characters,
dbus receive bus=session path=/org/gnome/Characters/SearchProvider
interface=org.gnome.Shell.SearchProvider2
peer=(name=:*, label=gnome-shell),
@{exec_path} mr, @{exec_path} mr,
@{bin}/gjs-console rix, @{bin}/gjs-console rix,

4
apparmor.d/groups/gnome/gnome-control-center-goa-helper
View file

@ -9,6 +9,10 @@ include <tunables/global>
@{exec_path} = @{lib}/gnome-control-center-goa-helper @{exec_path} = @{lib}/gnome-control-center-goa-helper
profile gnome-control-center-goa-helper @{exec_path} { profile gnome-control-center-goa-helper @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/atspi>
include <abstractions/bus/avahi>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>

6
apparmor.d/groups/gnome/gnome-control-center-search-provider
View file

@ -18,7 +18,11 @@ profile gnome-control-center-search-provider @{exec_path} {
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/vulkan> include <abstractions/vulkan>
include <abstractions/wayland>
dbus bind bus=session name=org.gnome.Settings.SearchProvider,
dbus receive bus=session path=/org/gnome/Settings/SearchProvider
interface=org.gnome.Shell.SearchProvider2
peer=(name=:*, label=gnome-shell),
@{exec_path} mr, @{exec_path} mr,

1
apparmor.d/groups/gnome/gnome-keyring-daemon
View file

@ -11,6 +11,7 @@ include <tunables/global>
profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/desktop> include <abstractions/bus/desktop>
include <abstractions/bus/login-session>
include <abstractions/bus/session-manager> include <abstractions/bus/session-manager>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>

62
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -11,6 +11,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/atspi> include <abstractions/bus/atspi>
include <abstractions/bus/gnome-screensaver> include <abstractions/bus/gnome-screensaver>
include <abstractions/bus/login-session>
include <abstractions/bus/login> include <abstractions/bus/login>
include <abstractions/bus/systemd-session> include <abstractions/bus/systemd-session>
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
@ -38,6 +39,29 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
signal (send) set=(term) peer=gsd-*, signal (send) set=(term) peer=gsd-*,
dbus bind bus=session name=org.gnome.SessionManager, dbus bind bus=session name=org.gnome.SessionManager,
dbus receive bus=session path=/org/gnome/SessionManager{,/**}
interface=org.freedesktop.DBus.Properties
peer=(name=:*),
dbus receive bus=session path=/org/gnome/SessionManager{,/**}
interface=org.gnome.SessionManager
peer=(name=:*),
dbus send bus=session path=/org/gnome/SessionManager{,/**}
interface=org.freedesktop.DBus.Properties
peer=(name=org.freedesktop.DBus),
dbus send bus=session path=/org/gnome/SessionManager{,/**}
interface=org.gnome.SessionManager
peer=(name=org.freedesktop.DBus,),
dbus send bus=session path=/org/gnome/SessionManager/Presence
interface=org.gnome.SessionManager.Presence
member=StatusChanged
peer=(name=org.freedesktop.DBus),
dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
interface=org.gnome.Mutter.IdleMonitor
member=WatchFired
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/freedesktop/DBus dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
@ -54,39 +78,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
member=SetIdleHint member=SetIdleHint
peer=(name=org.freedesktop.login1, label=systemd-logind), peer=(name=org.freedesktop.login1, label=systemd-logind),
dbus (send,receive) bus=session path=/org/gnome/SessionManager{,/**}
interface={org.freedesktop.DBus.Introspectable,org.gnome.SessionManager**},
dbus receive bus=session path=/org/gnome/SessionManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=at-spi2-registryd),
dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
interface=org.gnome.SessionManager.ClientPrivate
member=CancelEndSession
peer=(name=org.freedesktop.DBus, label=gsd-*),
dbus send bus=session path=/org/gnome/SessionManager/Presence
interface=org.gnome.SessionManager.Presence
member=StatusChanged
peer=(name=org.freedesktop.DBus, label=gnome-shell),
dbus send bus=session path=/org/gnome/SessionManager/EndSessionDialog
interface=org.gnome.SessionManager.EndSessionDialog
member=Open
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/gnome/SessionManager/EndSessionDialog
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-shell),
dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/**}
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name="{org.freedesktop.DBus,:*}", label="{gsd-*,gnome-*,xdg-desktop-portal-*}"),
dbus send bus=session path=/org/freedesktop/systemd1 dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager interface=org.freedesktop.systemd1.Manager
peer=(name=org.freedesktop.systemd1, label=@{systemd}), peer=(name=org.freedesktop.systemd1, label=@{systemd}),
@ -106,11 +97,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
member=WatchFired member=WatchFired
peer=(name=:*, label=gnome-shell), peer=(name=:*, label=gnome-shell),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=gnome-shell),
@{exec_path} mr, @{exec_path} mr,
@{bin}/{,z,ba,da}sh rix, @{bin}/{,z,ba,da}sh rix,

14
apparmor.d/groups/gnome/goa-identity-service
View file

@ -12,10 +12,13 @@ profile goa-identity-service @{exec_path} {
include <abstractions/authentication> include <abstractions/authentication>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
dbus bind bus=session name=org.gnome.Identity,
dbus receive bus=session path=/org/gnome/Identity dbus receive bus=session path=/org/gnome/Identity
interface=org.freedesktop.DBus.ObjectManager interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects peer=(name=:*),
peer=(name=:*, label=goa-daemon), dbus receive bus=session path=/org/gnome/Identity/Manager
interface=org.freedesktop.DBus.Properties
peer=(name=:*),
dbus send bus=session path=/org/gnome/OnlineAccounts dbus send bus=session path=/org/gnome/OnlineAccounts
interface=org.freedesktop.DBus.ObjectManager interface=org.freedesktop.DBus.ObjectManager
@ -27,13 +30,6 @@ profile goa-identity-service @{exec_path} {
member=Introspect member=Introspect
peer=(name=:*, label=gnome-shell), peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/gnome/Identity/Manager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=goa-daemon),
dbus bind bus=session name=org.gnome.Identity,
@{exec_path} mr, @{exec_path} mr,
include if exists <local/goa-identity-service> include if exists <local/goa-identity-service>

4
apparmor.d/groups/gnome/gsd-media-keys
View file

@ -66,6 +66,10 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=GetAll
peer=(name=:*, label=gsd-rfkill), peer=(name=:*, label=gsd-rfkill),
dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=gsd-rfkill),
dbus send bus=session path=/ dbus send bus=session path=/
interface=org.freedesktop.DBus interface=org.freedesktop.DBus

16
apparmor.d/groups/gnome/gsd-power
View file

@ -12,6 +12,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
include <abstractions/audio> include <abstractions/audio>
include <abstractions/bus/atspi> include <abstractions/bus/atspi>
include <abstractions/bus/gnome-screensaver> include <abstractions/bus/gnome-screensaver>
include <abstractions/bus/login-session>
include <abstractions/bus/login> include <abstractions/bus/login>
include <abstractions/bus/session-manager> include <abstractions/bus/session-manager>
include <abstractions/bus/upower> include <abstractions/bus/upower>
@ -44,23 +45,32 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
dbus send bus=session path=/org/gnome/Mutter/** dbus send bus=session path=/org/gnome/Mutter/**
interface=org.gnome.Mutter.IdleMonitor interface=org.gnome.Mutter.IdleMonitor
peer=(name=:*, label=gnome-shell), peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.gnome.Mutter.DisplayConfig
member=MonitorsChanged
peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
interface=org.gnome.Mutter.IdleMonitor
peer=(name=:*, label=gnome-shell),
dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight
interface=org.freedesktop.UPower.KbdBacklight interface=org.freedesktop.UPower.KbdBacklight
member=GetBrightness member=GetBrightness
peer=(name=:*, label=upowerd), peer=(name=:*, label=upowerd),
dbus send bus=system path=/org/freedesktop/systemd[0-9] dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=Get, member=Get,
dbus send bus=system path=/org/freedesktop/login1/session/auto dbus send bus=system path=/org/freedesktop/login1/session/auto
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll, member=GetAll
peer=(name=:*, label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/session/auto dbus send bus=system path=/org/freedesktop/login1/session/auto
interface=org.freedesktop.login1.Session interface=org.freedesktop.login1.Session
member=SetBrightness, member=SetBrightness
peer=(name=:*, label=systemd-logind),
dbus send bus=system path=/net/hadess/PowerProfiles dbus send bus=system path=/net/hadess/PowerProfiles
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties

5
apparmor.d/groups/gnome/gsd-print-notifications
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-print-notifications @{exec_path} = @{lib}/gsd-print-notifications
profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/avahi>
include <abstractions/bus/session-manager> include <abstractions/bus/session-manager>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
@ -31,10 +32,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
dbus send bus=system path=/ dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server interface=org.freedesktop.Avahi.Server
peer=(name=org.freedesktop.Avahi, label=avahi-daemon), peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
dbus receive bus=system path=/org/cups/cupsd/Notifier dbus receive bus=system path=/org/cups/cupsd/Notifier
interface=org.cups.cupsd.Notifier, interface=org.cups.cupsd.Notifier,

36
apparmor.d/groups/gnome/gsd-rfkill
View file

@ -9,6 +9,9 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-rfkill @{exec_path} = @{lib}/gsd-rfkill
profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/hostname>
include <abstractions/bus/modem-manager>
include <abstractions/bus/network-manager>
include <abstractions/bus/session-manager> include <abstractions/bus/session-manager>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
@ -18,41 +21,12 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
network netlink raw, network netlink raw,
dbus bind bus=session name=org.gnome.SettingsDaemon.Rfkill, dbus bind bus=session name=org.gnome.SettingsDaemon.Rfkill,
dbus send bus=system path=/org/freedesktop/hostname[0-9]
interface=org.freedesktop.DBus.Properties
member=Get,
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects,
dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=org.freedesktop.DBus, label=gsd-media-keys),
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={CheckPermissions,StateChanged},
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged,
dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll peer=(name=:*),
peer=(name=:*, label="{gsd-media-keys,gnome-shell}"),
dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=PropertiesChanged peer=(name=org.freedesktop.DBus),
peer=(name=org.freedesktop.DBus, label=gnome-shell),
dbus receive bus=session dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable

2
apparmor.d/groups/gnome/gsd-smartcard
View file

@ -18,12 +18,10 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(term, hup) peer=gdm*,
dbus bind bus=session name=org.gnome.SettingsDaemon.Smartcard, dbus bind bus=session name=org.gnome.SettingsDaemon.Smartcard,
dbus receive bus=session path=/org/gnome/SettingsDaemon/Smartcard dbus receive bus=session path=/org/gnome/SettingsDaemon/Smartcard
interface=org.freedesktop.DBus.ObjectManager interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects member=GetManagedObjects
peer=(name=:*, label=gnome-shell), peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/gnome/SettingsDaemon/Smartcard dbus receive bus=session path=/org/gnome/SettingsDaemon/Smartcard
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=GetAll

11
apparmor.d/groups/gnome/mutter-x11-frames
View file

@ -13,20 +13,11 @@ profile mutter-x11-frames @{exec_path} {
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/fonts> include <abstractions/gnome-strict>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/nvidia> include <abstractions/nvidia>
include <abstractions/vulkan> include <abstractions/vulkan>
include <abstractions/wayland>
include <abstractions/X-strict>
dbus receive bus=session path=/
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=gnome-shell),
@{exec_path} mr, @{exec_path} mr,

27
apparmor.d/groups/gnome/seahorse
View file

@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = @{bin}/seahorse @{exec_path} = @{bin}/seahorse
profile seahorse @{exec_path} { profile seahorse @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/avahi>
include <abstractions/bus/desktop>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -17,24 +19,15 @@ profile seahorse @{exec_path} {
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
dbus send bus=system path=/ dbus bind bus=session name=org.gnome.seahorse.Application,
interface=org.freedesktop.DBus.Peer dbus receive bus=session path=/org/gnome/seahorse/Application
member=Ping interface=org.gnome.Shell.SearchProvider2
peer=(name=org.freedesktop.Avahi), peer=(name=:*),
dbus send bus=system path=/ dbus send bus=session path=/org/freedesktop/secrets
interface=org.freedesktop.Avahi.Server interface=org.freedesktop.DBus.Properties
member={GetAPIVersion,GetState,ServiceBrowserNew} member=GetAll
peer=(name=org.freedesktop.Avahi), peer=(name=:*, label=gnome-keyring-daemon),
dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
interface=org.freedesktop.Avahi.ServiceBrowser
member=Free
peer=(name=org.freedesktop.Avahi),
dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
interface=org.freedesktop.Avahi.ServiceBrowser
member={CacheExhausted,AllForNow},
@{exec_path} mr, @{exec_path} mr,

3
apparmor.d/groups/gnome/tracker-extract
View file

@ -39,6 +39,9 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
dbus send bus=session path=/org/freedesktop/Tracker3/** dbus send bus=session path=/org/freedesktop/Tracker3/**
interface=org.freedesktop.Tracker3.* interface=org.freedesktop.Tracker3.*
peer=(label=tracker-miner), peer=(label=tracker-miner),
dbus send bus=session path=/org/freedesktop/Tracker3/**
interface=org.freedesktop.DBus.Peer
peer=(name=org.freedesktop.Tracker3.Miner.Files),
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor

6
apparmor.d/groups/gvfs/gvfsd-metadata
View file

@ -21,15 +21,15 @@ profile gvfsd-metadata @{exec_path} {
dbus receive bus=session path=/org/gtk/vfs/metadata dbus receive bus=session path=/org/gtk/vfs/metadata
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=GetAll
peer=(name=:*, label=gnome-extension-ding), peer=(name=:*),
dbus send bus=session path=/org/gtk/vfs/metadata dbus send bus=session path=/org/gtk/vfs/metadata
interface=org.gtk.vfs.Metadata interface=org.gtk.vfs.Metadata
member=AttributeChanged member=AttributeChanged
peer=(name=org.freedesktop.DBus, label=gnome-extension-ding), peer=(name=org.freedesktop.DBus),
dbus receive bus=session path=/org/gtk/vfs/metadata dbus receive bus=session path=/org/gtk/vfs/metadata
interface=org.gtk.vfs.Metadata interface=org.gtk.vfs.Metadata
member={GetTreeFromDevice,Remove} member={GetTreeFromDevice,Remove}
peer=(name=:*, label=gnome-shell), peer=(name=:*),
dbus receive bus=session dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable

6
apparmor.d/groups/kde/kded5
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile kded5 @{exec_path} { profile kded5 @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio> include <abstractions/audio>
include <abstractions/bus/bluetooth>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -34,11 +35,6 @@ profile kded5 @{exec_path} {
signal (send) set=hup peer=xsettingsd, signal (send) set=hup peer=xsettingsd,
dbus receive bus=system path=/org/bluez/hci*/**
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*),
@{exec_path} mrix, @{exec_path} mrix,
@{bin}/kcminit rPx, @{bin}/kcminit rPx,

4
apparmor.d/groups/network/NetworkManager
View file

@ -9,9 +9,13 @@ include <tunables/global>
@{exec_path} = @{bin}/NetworkManager @{exec_path} = @{bin}/NetworkManager
profile NetworkManager @{exec_path} flags=(attach_disconnected) { profile NetworkManager @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/bluetooth>
include <abstractions/bus/hostname> include <abstractions/bus/hostname>
include <abstractions/bus/login>
include <abstractions/bus/modem-manager>
include <abstractions/bus/network-manager> include <abstractions/bus/network-manager>
include <abstractions/bus/polkit> include <abstractions/bus/polkit>
include <abstractions/bus/wpa-supplicant>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>

3
apparmor.d/groups/systemd/systemd-logind
View file

@ -47,6 +47,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
dbus send bus=system path=/org/freedesktop/systemd1/{unit,job}/** dbus send bus=system path=/org/freedesktop/systemd1/{unit,job}/**
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
peer=(name=org.freedesktop.systemd1, label="@{systemd}"), peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
dbus send bus=system path=/org/freedesktop/systemd1/{unit,job}/**
interface=org.freedesktop.systemd1.Scope
peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
dbus send bus=system path=/org/freedesktop/systemd1 dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager interface=org.freedesktop.systemd1.Manager

21
apparmor.d/groups/systemd/systemd-timedated
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2022 Mikhail Morfikov # Copyright (C) 2018-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2022-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -15,19 +15,18 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
capability sys_time, capability sys_time,
dbus (send,receive) bus=system path=/org/freedesktop/DBus dbus bind bus=system name=org.freedesktop.timedate1,
interface=org.freedesktop.DBus dbus receive bus=system path=/org/freedesktop/timedate1
member={AddMatch,ReleaseName,RequestName},
dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/*
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll, peer=(name=:*),
dbus receive bus=system path=/org/freedesktop/timedate1
interface=org.freedesktop.timedate1
peer=(name=:*),
dbus receive bus=system path=/org/freedesktop/timedate[0-1] dbus send bus=system path=/org/freedesktop/systemd1/unit/*
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member={Get,GetAll}, member=GetAll
peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
dbus bind bus=system name=org.freedesktop.timedate[0-9],
@{exec_path} mr, @{exec_path} mr,

8
apparmor.d/profiles-a-f/cups-pk-helper-mechanism
View file

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} += @{lib}/@{multiarch}/cups-pk-helper-mechanism @{exec_path} += @{lib}/@{multiarch}/cups-pk-helper-mechanism
profile cups-pk-helper-mechanism @{exec_path} { profile cups-pk-helper-mechanism @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/polkit>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -19,11 +20,10 @@ profile cups-pk-helper-mechanism @{exec_path} {
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
dbus bind bus=system name=org.opensuse.CupsPkHelper.Mechanism,
dbus receive bus=system path=/ dbus receive bus=system path=/
interface=org.opensuse.CupsPkHelper.Mechanism, interface=org.opensuse.CupsPkHelper.Mechanism
peer=(name=:*),
dbus bind bus=system
name=org.opensuse.CupsPkHelper.Mechanism,
@{exec_path} mr, @{exec_path} mr,

16
apparmor.d/profiles-a-f/fwupd
View file

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,fwupd/}fwupd @{exec_path} = @{lib}/{,fwupd/}fwupd
profile fwupd @{exec_path} flags=(complain,attach_disconnected) { profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/modem-manager>
include <abstractions/bus/polkit> include <abstractions/bus/polkit>
include <abstractions/bus/udisk> include <abstractions/bus/udisk>
include <abstractions/bus/upower> include <abstractions/bus/upower>
@ -38,11 +39,9 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
peer=(name=:*, label=fwupdmgr), peer=(name=:*, label=fwupdmgr),
dbus receive bus=system path=/ dbus receive bus=system path=/
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member={GetAll,SetHints,GetPlugins,GetRemotes}
peer=(name=:*, label=fwupdmgr), peer=(name=:*, label=fwupdmgr),
dbus send bus=system path=/ dbus send bus=system path=/
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member=Changed
peer=(name=:*, label=fwupdmgr), peer=(name=:*, label=fwupdmgr),
dbus send bus=system path=/org/freedesktop/DBus dbus send bus=system path=/org/freedesktop/DBus
@ -50,17 +49,10 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
member={GetConnectionUnixUser,GetConnectionUnixProcessID} member={GetConnectionUnixUser,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus, label=dbus-daemon), peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.{Properties,ObjectManager}
member={GetAll,GetManagedObjects},
dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/UDisks2/Manager dbus send bus=system path=/org/freedesktop/UDisks2/Manager
interface=org.freedesktop.{DBus.Properties,UDisks2.Manager} interface=org.freedesktop.UDisks2.Manager
member={GetAll,GetBlockDevices}, member=GetBlockDevices
peer=(name=:*, label=udisksd),
@{exec_path} mr, @{exec_path} mr,

6
apparmor.d/profiles-m-r/murmurd
View file

@ -7,6 +7,7 @@ include <tunables/global>
@{exec_path} = @{bin}/murmurd @{exec_path} = @{bin}/murmurd
profile murmurd @{exec_path} { profile murmurd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/avahi>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
@ -25,11 +26,6 @@ profile murmurd @{exec_path} {
unix (send, receive) type=stream addr=none peer=(label=lsb_release), unix (send, receive) type=stream addr=none peer=(label=lsb_release),
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
@{exec_path} mr, @{exec_path} mr,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,

5
apparmor.d/profiles-m-r/obexd
View file

@ -16,6 +16,11 @@ profile obexd @{exec_path} {
network bluetooth stream, network bluetooth stream,
network bluetooth seqpacket, network bluetooth seqpacket,
dbus bind bus=session name=org.bluez.obex,
dbus receive bus=session path=/org/bluez/obex
interface=org.bluez.obex.AgentManager1
peer=(name=:*),
@{exec_path} mr, @{exec_path} mr,
owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/ rw,

2
apparmor.d/profiles-m-r/power-profiles-daemon
View file

@ -21,11 +21,9 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
network netlink raw, network netlink raw,
dbus bind bus=system name=net.hadess.PowerProfiles, dbus bind bus=system name=net.hadess.PowerProfiles,
dbus receive bus=system path=/net/hadess/PowerProfiles dbus receive bus=system path=/net/hadess/PowerProfiles
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
peer=(name=:*), peer=(name=:*),
dbus send bus=system path=/net/hadess/PowerProfiles dbus send bus=system path=/net/hadess/PowerProfiles
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),

6
apparmor.d/profiles-m-r/remmina
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile remmina @{exec_path} { profile remmina @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/atspi> include <abstractions/bus/atspi>
include <abstractions/bus/hostname>
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
@ -49,11 +50,6 @@ profile remmina @{exec_path} {
member=GetAll member=GetAll
peer=(name=:*, label=gnome-keyring-daemon), peer=(name=:*, label=gnome-keyring-daemon),
dbus send bus=system path=/org/freedesktop/hostname[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus send bus=session path=/StatusNotifierWatcher dbus send bus=session path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem member=RegisterStatusNotifierItem

1
apparmor.d/profiles-s-z/spice-vdagent
View file

@ -12,6 +12,7 @@ profile spice-vdagent @{exec_path} {
include <abstractions/audio> include <abstractions/audio>
include <abstractions/bus/atspi> include <abstractions/bus/atspi>
include <abstractions/bus/desktop> include <abstractions/bus/desktop>
include <abstractions/bus/rtkit>
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>

1
apparmor.d/profiles-s-z/spice-vdagentd
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/bus/login-session>
capability sys_nice, capability sys_nice,