mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 00:48:10 +01:00
feat(dbus): rewrite some dbus rules (7).
This commit is contained in:
Alexandre Pujol
parent
081c8a4fa1
commit
538ec25001
43 changed files with 221 additions and 377 deletions
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2022 Jeroen Rijken
|
||||
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -9,20 +10,14 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/avahi-browse @{bin}/avahi-browse-domains
|
||||
profile avahi-browse @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/avahi>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dbus-strict>
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.Peer
|
||||
member=Ping,
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member={GetAPIVersion,GetState,ServiceTypeBrowserNew,ServiceBrowserNew},
|
||||
|
||||
dbus receive bus=system path=/Client[0-9]/ServiceTypeBrowser[0-9]
|
||||
dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int}
|
||||
interface=org.freedesktop.Avahi.ServiceTypeBrowser
|
||||
member={ItemNew,CacheExhausted,AllForNow},
|
||||
member={ItemNew,AllForNow,CacheExhausted}
|
||||
peer=(name=:*, label=avahi-daemon),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2022 Jeroen Rijken
|
||||
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -9,24 +10,19 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/avahi-resolve @{bin}/avahi-resolve-address @{bin}/avahi-resolve-host-name
|
||||
profile avahi-resolve @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/avahi>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dbus-strict>
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.Peer
|
||||
member=Ping,
|
||||
dbus send bus=system path=/Client@{int}/AddressResolver@{int}
|
||||
interface=org.freedesktop.Avahi.AddressResolver
|
||||
member={Free,HostNameResolverNew}
|
||||
peer=(name=:*, label=avahi-daemon),
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member={GetAPIVersion,GetState,AddressResolverNew},
|
||||
|
||||
dbus send bus=system path=/Client[0-9]/AddressResolver[0-9]
|
||||
interface=org.freedesktop.Avahi.AddressResolver
|
||||
member={Free,HostNameResolverNew,},
|
||||
|
||||
dbus receive bus=system path=/Client[0-9]/AddressResolver[0-9]
|
||||
interface=org.freedesktop.Avahi.AddressResolver
|
||||
member={Failure,Found},
|
||||
dbus receive bus=system path=/Client@{int}/AddressResolver@{int}
|
||||
interface=org.freedesktop.Avahi.AddressResolver
|
||||
member={Failure,Found}
|
||||
peer=(name=:*, label=avahi-daemon),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -18,20 +18,13 @@ profile colord @{exec_path} flags=(attach_disconnected) {
|
|||
network netlink raw,
|
||||
|
||||
dbus bind bus=system name=org.freedesktop.ColorManager,
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/ColorManager{,/**}
|
||||
interface=org.freedesktop.ColorManager
|
||||
peer=(name=:*),
|
||||
dbus receive bus=system path=/org/freedesktop/ColorManager{,/**}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/ColorManager{,/**}
|
||||
interface=org.freedesktop.ColorManager
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/ColorManager
|
||||
interface=org.freedesktop.ColorManager
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/{,colord/}colord-sane
|
||||
profile colord-sane @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/avahi>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/openssl>
|
||||
|
|
@ -18,18 +19,6 @@ profile colord-sane @{exec_path} flags=(attach_disconnected) {
|
|||
network inet6 dgram,
|
||||
network netlink raw,
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/ColorManager
|
||||
interface=org.freedesktop.{DBus.Properties,ColorManager},
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.{DBus.Peer,Avahi.Server}
|
||||
member={GetAPIVersion,GetState,ServiceBrowserNew,Ping}
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]*
|
||||
interface=org.freedesktop.Avahi.ServiceBrowser
|
||||
member={CacheExhausted,AllForNow},
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/snmp/mibs/{,*} r,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,10 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent
|
||||
profile geoclue @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/avahi>
|
||||
include <abstractions/bus/modem-manager>
|
||||
include <abstractions/bus/network-manager>
|
||||
include <abstractions/bus/wpa-supplicant>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/p11-kit>
|
||||
|
|
@ -36,44 +40,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
|
|||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member={GetAPIVersion,GetState,ServiceBrowserNew},
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.Peer
|
||||
member=Ping,
|
||||
|
||||
dbus send bus=system path=/fi/w1/wpa_supplicant1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=:*, label=wpa-supplicant),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={GetAll,PropertiesChanged},
|
||||
|
||||
dbus receive bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member=StateChanged,
|
||||
|
||||
dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
|
||||
interface=org.freedesktop.Avahi.ServiceBrowser
|
||||
member={AllForNow,CacheExhausted}
|
||||
peer=(name=:*, label=avahi-daemon),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.NetworkManager
|
||||
member={CheckPermissions,StateChanged,PropertiesChanged},
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
|
|
|||
|
|
@ -12,6 +12,8 @@ include <tunables/global>
|
|||
profile pulseaudio @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/bus/avahi>
|
||||
include <abstractions/bus/bluetooth>
|
||||
include <abstractions/bus/hostname>
|
||||
include <abstractions/bus/rtkit>
|
||||
include <abstractions/consoles>
|
||||
|
|
@ -39,37 +41,12 @@ profile pulseaudio @{exec_path} {
|
|||
network bluetooth stream,
|
||||
network bluetooth seqpacket,
|
||||
|
||||
dbus bind bus=session name=org.freedesktop.ReserveDevice[0-9].Audio[0-9],
|
||||
dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio1,
|
||||
|
||||
dbus bind bus=session name=org.PulseAudio[0-9],
|
||||
dbus bind bus=session name=org.PulseAudio1,
|
||||
|
||||
dbus bind bus=session name=org.pulseaudio*,
|
||||
|
||||
dbus send bus=session path=/Client[0-9]*/EntryGroup[0-9]*
|
||||
interface=org.freedesktop.Avahi.EntryGroup
|
||||
member={GetState,AddService,AddServiceSubtype,Commit}
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus receive bus=system path=/Client[0-9]*/EntryGroup[0-9]*
|
||||
interface=org.freedesktop.Avahi.EntryGroup
|
||||
member={AddService,AddServiceSubtype,Commit,GetState,StateChanged}
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
|
||||
interface=org.freedesktop.Avahi.ServiceBrowser
|
||||
member={ItemNew,ItemRemove}
|
||||
peer=(name=org.freedesktop.Avahi), # no peer's label
|
||||
|
||||
dbus receive bus=system path=/Client[0-9]*/ServiceResolver[0-9]*
|
||||
interface=org.freedesktop.Avahi.ServiceResolver
|
||||
member=Found
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus send bus=system path=/Client[0-9]*/ServiceResolver[0-9]*
|
||||
interface=org.freedesktop.Avahi.ServiceResolver
|
||||
member=Free
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
|
|
@ -79,25 +56,6 @@ profile pulseaudio @{exec_path} {
|
|||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects
|
||||
peer=(name=org.bluez),
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.Peer
|
||||
member=Ping
|
||||
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member={GetAPIVersion,GetState,EntryGroupNew}
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus receive bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member=StateChanged
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus receive bus=system path=/org/bluez/hci*/**
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*),
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/{,upower/}upowerd
|
||||
profile upowerd @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/bluetooth>
|
||||
include <abstractions/bus/login>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/devices-usb>
|
||||
|
|
@ -24,11 +25,6 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
|
|||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*),
|
||||
|
||||
dbus receive bus=system path=/org/bluez/hci@{int}{,/**}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=:*, label=bluetoothd),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/UPower/ r,
|
||||
|
|
|
|||
|
|
@ -9,40 +9,29 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/xdg-dbus-proxy
|
||||
profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/bus/avahi>
|
||||
include <abstractions/bus/desktop>
|
||||
include <abstractions/bus/network-manager>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.portal.Realtime
|
||||
member=MakeThreadRealtimeWithPID
|
||||
peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
|
||||
|
||||
dbus (send,receive) bus=system path=/
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/registry
|
||||
interface=org.a11y.atspi.Registry
|
||||
member=GetRegisteredEvents
|
||||
peer=(name=:*, label=at-spi2-registryd),
|
||||
|
||||
dbus send bus=session path=/
|
||||
interface=org.freedesktop.DBus
|
||||
member={AddMatch,GetNameOwner}
|
||||
peer=(label=dbus-daemon),
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={AddMatch,RemoveMatch,NameHasOwner,GetNameOwner}
|
||||
peer=(label=dbus-daemon),
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.NetworkManager
|
||||
member=GetDevices
|
||||
peer=(label=NetworkManager),
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager{/Devices/[0-9]*,/ActiveConnection/[0-9]*}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(label=NetworkManager),
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager/Settings
|
||||
interface=org.freedesktop.NetworkManager.Settings
|
||||
member=ListConnections
|
||||
peer=(label=NetworkManager),
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]*
|
||||
interface=org.freedesktop.NetworkManager.Settings.Connection
|
||||
member=GetSettings
|
||||
peer=(label=NetworkManager),
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw,
|
||||
owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/xdg-desktop-portal
|
||||
profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/network-manager>
|
||||
include <abstractions/bus/rtkit>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
|
|
@ -44,6 +45,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus send bus=system path=/net/hadess/PowerProfiles
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=power-profiles-daemon),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*, label=xdg-permission-store),
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/bus/account-daemon>
|
||||
include <abstractions/bus/desktop>
|
||||
include <abstractions/bus/vfs/mount>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf-write>
|
||||
|
|
@ -18,15 +19,14 @@ profile xdg-desktop-portal-gnome @{exec_path} {
|
|||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/nvidia>
|
||||
include <abstractions/user-download>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/wayland>
|
||||
|
||||
network unix stream,
|
||||
|
||||
dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gnome,
|
||||
|
||||
|
|
@ -72,14 +72,9 @@ profile xdg-desktop-portal-gnome @{exec_path} {
|
|||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*, label="{gnome-shell,gsd-xsettings}"),
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/mounttracker
|
||||
interface=org.gtk.vfs.MountTracker
|
||||
member=ListMountableInfo
|
||||
peer=(name=:*, label=gvfsd),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
@ -88,17 +83,10 @@ profile xdg-desktop-portal-gnome @{exec_path} {
|
|||
@{bin}/ r,
|
||||
@{bin}/* r,
|
||||
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
||||
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
|
||||
/var/lib/snapd/desktop/icons/{,**} r,
|
||||
|
||||
owner @{HOME}/*/{,**} rw,
|
||||
|
||||
owner @{user_share_dirs}/ r,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
|
||||
owner @{PROC}/@{pid}/ r,
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
|
|||
include <abstractions/bus/atspi>
|
||||
include <abstractions/bus/desktop>
|
||||
include <abstractions/bus/gnome-screensaver>
|
||||
include <abstractions/bus/network-manager>
|
||||
include <abstractions/bus/session-manager>
|
||||
include <abstractions/bus/vfs/mount>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
|
|
@ -35,14 +36,9 @@ profile xdg-desktop-portal-gtk @{exec_path} {
|
|||
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
|
||||
|
||||
dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gtk,
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.NetworkManager
|
||||
member=CheckPermissions,
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged,
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.impl.portal.Settings
|
||||
peer=(name=:*),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/Shell/Introspect
|
||||
interface=org.gnome.Shell.Introspect
|
||||
|
|
|
|||
|
|
@ -31,11 +31,6 @@ profile evolution-alarm-notify @{exec_path} {
|
|||
interface=org.freedesktop.DBus.{ObjectManager,Properties}
|
||||
peer=(name=:*, label=evolution-*),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/evolution-data-server/{,**} r,
|
||||
|
|
|
|||
|
|
@ -23,11 +23,12 @@ profile evolution-source-registry @{exec_path} {
|
|||
network netlink raw,
|
||||
|
||||
dbus bind bus=session name=org.gnome.evolution.dataserver.Sources@{int},
|
||||
|
||||
dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**}
|
||||
interface={org.freedesktop.DBus.ObjectManager,org.freedesktop.DBus.Properties}
|
||||
peer=(name=:*),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**}
|
||||
interface=org.gnome.evolution.dataserver.Source{,.*}
|
||||
peer=(name=:*),
|
||||
dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
|
@ -51,19 +52,8 @@ profile evolution-source-registry @{exec_path} {
|
|||
owner @{user_share_dirs}/evolution/{,**} r,
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
|
||||
# new user; change to 'c'
|
||||
owner @{user_config_dirs}/evolution/ w,
|
||||
owner @{user_share_dirs}/evolution/ w,
|
||||
owner @{user_share_dirs}/evolution/addressbook/ w,
|
||||
owner @{user_share_dirs}/evolution/addressbook/trash/ w,
|
||||
owner @{user_share_dirs}/evolution/calendar/ w,
|
||||
owner @{user_share_dirs}/evolution/calendar/trash/ w,
|
||||
owner @{user_share_dirs}/evolution/mail/ w,
|
||||
owner @{user_share_dirs}/evolution/mail/trash/ w,
|
||||
owner @{user_share_dirs}/evolution/memos/ w,
|
||||
owner @{user_share_dirs}/evolution/memos/trash/ w,
|
||||
owner @{user_share_dirs}/evolution/tasks/ w,
|
||||
owner @{user_share_dirs}/evolution/tasks/trash/ w,
|
||||
owner @{user_config_dirs}/evolution/{,**/} w,
|
||||
owner @{user_share_dirs}/evolution/{,**/} w,
|
||||
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/cmdline r,
|
||||
|
|
|
|||
|
|
@ -47,6 +47,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=session path=/org/gnome/ScreenSaver
|
||||
interface=org.gnome.ScreenSaver
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
dbus send bus=session path=/org/gnome/ScreenSaver
|
||||
interface=org.gnome.ScreenSaver
|
||||
peer=(name=org.gnome.Shell.ScreenShield),
|
||||
dbus send bus=session path=/org/gnome/ScreenSaver
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*), # all members
|
||||
|
|
|
|||
|
|
@ -21,6 +21,11 @@ profile gnome-calculator-search-provider @{exec_path} {
|
|||
|
||||
signal (send) set=kill peer=unconfined,
|
||||
|
||||
dbus bind bus=session name=org.gnome.Calculator.SearchProvider,
|
||||
dbus receive bus=session path=/org/gnome/Calculator/SearchProvider
|
||||
interface=org.gnome.Shell.SearchProvider2
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mrix,
|
||||
/{usr/,}bin/[a-z0-9]* rPUx,
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -9,8 +9,14 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/gnome-calendar
|
||||
profile gnome-calendar @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/desktop>
|
||||
include <abstractions/bus/login>
|
||||
include <abstractions/bus/network-manager>
|
||||
include <abstractions/bus/timedate>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl>
|
||||
|
|
@ -21,15 +27,28 @@ profile gnome-calendar @{exec_path} {
|
|||
|
||||
network netlink raw,
|
||||
|
||||
dbus bind bus=session name=org.gnome.Calendar,
|
||||
dbus receive bus=session path=/org/gnome/Calendar/SearchProvider
|
||||
interface=org.gnome.Shell.SearchProvider2
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/gnome/evolution/dataserver/**
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*, label=evolution-*),
|
||||
dbus send bus=session path=/org/gnome/evolution/dataserver/**
|
||||
interface=org.gnome.evolution.dataserver.*
|
||||
peer=(name=:*, label=evolution-*),
|
||||
dbus send bus=session path=/org/gnome/evolution/dataserver/**
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects
|
||||
peer=(name=:*, label=evolution-*),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/evolution-data-server/{,**} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/libgweather/Locations.xml r,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
|
||||
include if exists <local/gnome-calendar>
|
||||
|
|
|
|||
|
|
@ -9,6 +9,9 @@ include <tunables/global>
|
|||
@{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters
|
||||
profile gnome-characters @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/desktop>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
|
|
@ -18,6 +21,11 @@ profile gnome-characters @{exec_path} {
|
|||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
dbus bind bus=session name=org.gnome.Characters,
|
||||
dbus receive bus=session path=/org/gnome/Characters/SearchProvider
|
||||
interface=org.gnome.Shell.SearchProvider2
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/gjs-console rix,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,10 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/gnome-control-center-goa-helper
|
||||
profile gnome-control-center-goa-helper @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/atspi>
|
||||
include <abstractions/bus/avahi>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
|
|
|
|||
|
|
@ -18,7 +18,11 @@ profile gnome-control-center-search-provider @{exec_path} {
|
|||
include <abstractions/gtk>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/wayland>
|
||||
|
||||
dbus bind bus=session name=org.gnome.Settings.SearchProvider,
|
||||
dbus receive bus=session path=/org/gnome/Settings/SearchProvider
|
||||
interface=org.gnome.Shell.SearchProvider2
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/desktop>
|
||||
include <abstractions/bus/login-session>
|
||||
include <abstractions/bus/session-manager>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/bus/atspi>
|
||||
include <abstractions/bus/gnome-screensaver>
|
||||
include <abstractions/bus/login-session>
|
||||
include <abstractions/bus/login>
|
||||
include <abstractions/bus/systemd-session>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
|
|
@ -38,6 +39,29 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
signal (send) set=(term) peer=gsd-*,
|
||||
|
||||
dbus bind bus=session name=org.gnome.SessionManager,
|
||||
dbus receive bus=session path=/org/gnome/SessionManager{,/**}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*),
|
||||
dbus receive bus=session path=/org/gnome/SessionManager{,/**}
|
||||
interface=org.gnome.SessionManager
|
||||
peer=(name=:*),
|
||||
dbus send bus=session path=/org/gnome/SessionManager{,/**}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
dbus send bus=session path=/org/gnome/SessionManager{,/**}
|
||||
interface=org.gnome.SessionManager
|
||||
peer=(name=org.freedesktop.DBus,),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager/Presence
|
||||
interface=org.gnome.SessionManager.Presence
|
||||
member=StatusChanged
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
|
||||
interface=org.gnome.Mutter.IdleMonitor
|
||||
member=WatchFired
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
|
|
@ -54,39 +78,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
member=SetIdleHint
|
||||
peer=(name=org.freedesktop.login1, label=systemd-logind),
|
||||
|
||||
dbus (send,receive) bus=session path=/org/gnome/SessionManager{,/**}
|
||||
interface={org.freedesktop.DBus.Introspectable,org.gnome.SessionManager**},
|
||||
|
||||
dbus receive bus=session path=/org/gnome/SessionManager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=at-spi2-registryd),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
|
||||
interface=org.gnome.SessionManager.ClientPrivate
|
||||
member=CancelEndSession
|
||||
peer=(name=org.freedesktop.DBus, label=gsd-*),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager/Presence
|
||||
interface=org.gnome.SessionManager.Presence
|
||||
member=StatusChanged
|
||||
peer=(name=org.freedesktop.DBus, label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager/EndSessionDialog
|
||||
interface=org.gnome.SessionManager.EndSessionDialog
|
||||
member=Open
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager/EndSessionDialog
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/**}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={GetAll,PropertiesChanged}
|
||||
peer=(name="{org.freedesktop.DBus,:*}", label="{gsd-*,gnome-*,xdg-desktop-portal-*}"),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
peer=(name=org.freedesktop.systemd1, label=@{systemd}),
|
||||
|
|
@ -106,11 +97,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
member=WatchFired
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/{,z,ba,da}sh rix,
|
||||
|
|
|
|||
|
|
@ -12,10 +12,13 @@ profile goa-identity-service @{exec_path} {
|
|||
include <abstractions/authentication>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
dbus bind bus=session name=org.gnome.Identity,
|
||||
dbus receive bus=session path=/org/gnome/Identity
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects
|
||||
peer=(name=:*, label=goa-daemon),
|
||||
peer=(name=:*),
|
||||
dbus receive bus=session path=/org/gnome/Identity/Manager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*),
|
||||
|
||||
dbus send bus=session path=/org/gnome/OnlineAccounts
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
|
|
@ -27,13 +30,6 @@ profile goa-identity-service @{exec_path} {
|
|||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/Identity/Manager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=goa-daemon),
|
||||
|
||||
dbus bind bus=session name=org.gnome.Identity,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
include if exists <local/goa-identity-service>
|
||||
|
|
|
|||
|
|
@ -66,6 +66,10 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
|||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gsd-rfkill),
|
||||
dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=:*, label=gsd-rfkill),
|
||||
|
||||
dbus send bus=session path=/
|
||||
interface=org.freedesktop.DBus
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/audio>
|
||||
include <abstractions/bus/atspi>
|
||||
include <abstractions/bus/gnome-screensaver>
|
||||
include <abstractions/bus/login-session>
|
||||
include <abstractions/bus/login>
|
||||
include <abstractions/bus/session-manager>
|
||||
include <abstractions/bus/upower>
|
||||
|
|
@ -44,23 +45,32 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=session path=/org/gnome/Mutter/**
|
||||
interface=org.gnome.Mutter.IdleMonitor
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
|
||||
interface=org.gnome.Mutter.DisplayConfig
|
||||
member=MonitorsChanged
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
|
||||
interface=org.gnome.Mutter.IdleMonitor
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight
|
||||
interface=org.freedesktop.UPower.KbdBacklight
|
||||
member=GetBrightness
|
||||
peer=(name=:*, label=upowerd),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/systemd[0-9]
|
||||
dbus send bus=system path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login1/session/auto
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
member=GetAll
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login1/session/auto
|
||||
interface=org.freedesktop.login1.Session
|
||||
member=SetBrightness,
|
||||
member=SetBrightness
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
dbus send bus=system path=/net/hadess/PowerProfiles
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/gsd-print-notifications
|
||||
profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/avahi>
|
||||
include <abstractions/bus/session-manager>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
|
|
@ -31,10 +32,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.Peer
|
||||
member=Ping
|
||||
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
|
||||
|
||||
dbus receive bus=system path=/org/cups/cupsd/Notifier
|
||||
interface=org.cups.cupsd.Notifier,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,9 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/gsd-rfkill
|
||||
profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/hostname>
|
||||
include <abstractions/bus/modem-manager>
|
||||
include <abstractions/bus/network-manager>
|
||||
include <abstractions/bus/session-manager>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
|
|
@ -18,41 +21,12 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
|
|||
network netlink raw,
|
||||
|
||||
dbus bind bus=session name=org.gnome.SettingsDaemon.Rfkill,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/hostname[0-9]
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects,
|
||||
|
||||
dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=org.freedesktop.DBus, label=gsd-media-keys),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.NetworkManager
|
||||
member={CheckPermissions,StateChanged},
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged,
|
||||
|
||||
dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label="{gsd-media-keys,gnome-shell}"),
|
||||
|
||||
peer=(name=:*),
|
||||
dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=org.freedesktop.DBus, label=gnome-shell),
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
|
|
|
|||
|
|
@ -18,12 +18,10 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
|
|||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
||||
dbus bind bus=session name=org.gnome.SettingsDaemon.Smartcard,
|
||||
|
||||
dbus receive bus=session path=/org/gnome/SettingsDaemon/Smartcard
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/SettingsDaemon/Smartcard
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
|
|
|
|||
|
|
@ -13,20 +13,11 @@ profile mutter-x11-frames @{exec_path} {
|
|||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/nvidia>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/wayland>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
dbus receive bus=session path=/
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,8 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/seahorse
|
||||
profile seahorse @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/avahi>
|
||||
include <abstractions/bus/desktop>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf-write>
|
||||
|
|
@ -17,24 +19,15 @@ profile seahorse @{exec_path} {
|
|||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.Peer
|
||||
member=Ping
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
dbus bind bus=session name=org.gnome.seahorse.Application,
|
||||
dbus receive bus=session path=/org/gnome/seahorse/Application
|
||||
interface=org.gnome.Shell.SearchProvider2
|
||||
peer=(name=:*),
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.Avahi.Server
|
||||
member={GetAPIVersion,GetState,ServiceBrowserNew}
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
|
||||
interface=org.freedesktop.Avahi.ServiceBrowser
|
||||
member=Free
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
|
||||
interface=org.freedesktop.Avahi.ServiceBrowser
|
||||
member={CacheExhausted,AllForNow},
|
||||
dbus send bus=session path=/org/freedesktop/secrets
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gnome-keyring-daemon),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -39,6 +39,9 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=session path=/org/freedesktop/Tracker3/**
|
||||
interface=org.freedesktop.Tracker3.*
|
||||
peer=(label=tracker-miner),
|
||||
dbus send bus=session path=/org/freedesktop/Tracker3/**
|
||||
interface=org.freedesktop.DBus.Peer
|
||||
peer=(name=org.freedesktop.Tracker3.Miner.Files),
|
||||
|
||||
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
||||
|
|
|
|||
|
|
@ -21,15 +21,15 @@ profile gvfsd-metadata @{exec_path} {
|
|||
dbus receive bus=session path=/org/gtk/vfs/metadata
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gnome-extension-ding),
|
||||
peer=(name=:*),
|
||||
dbus send bus=session path=/org/gtk/vfs/metadata
|
||||
interface=org.gtk.vfs.Metadata
|
||||
member=AttributeChanged
|
||||
peer=(name=org.freedesktop.DBus, label=gnome-extension-ding),
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
dbus receive bus=session path=/org/gtk/vfs/metadata
|
||||
interface=org.gtk.vfs.Metadata
|
||||
member={GetTreeFromDevice,Remove}
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
peer=(name=:*),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile kded5 @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/bus/bluetooth>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf-write>
|
||||
|
|
@ -34,11 +35,6 @@ profile kded5 @{exec_path} {
|
|||
|
||||
signal (send) set=hup peer=xsettingsd,
|
||||
|
||||
dbus receive bus=system path=/org/bluez/hci*/**
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=:*),
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{bin}/kcminit rPx,
|
||||
|
|
|
|||
|
|
@ -9,9 +9,13 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/NetworkManager
|
||||
profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/bluetooth>
|
||||
include <abstractions/bus/hostname>
|
||||
include <abstractions/bus/login>
|
||||
include <abstractions/bus/modem-manager>
|
||||
include <abstractions/bus/network-manager>
|
||||
include <abstractions/bus/polkit>
|
||||
include <abstractions/bus/wpa-supplicant>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
|
|
|
|||
|
|
@ -47,6 +47,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
|
|||
dbus send bus=system path=/org/freedesktop/systemd1/{unit,job}/**
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
|
||||
dbus send bus=system path=/org/freedesktop/systemd1/{unit,job}/**
|
||||
interface=org.freedesktop.systemd1.Scope
|
||||
peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2018-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2022-2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -15,19 +15,18 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
capability sys_time,
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={AddMatch,ReleaseName,RequestName},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/*
|
||||
dbus bind bus=system name=org.freedesktop.timedate1,
|
||||
dbus receive bus=system path=/org/freedesktop/timedate1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
peer=(name=:*),
|
||||
dbus receive bus=system path=/org/freedesktop/timedate1
|
||||
interface=org.freedesktop.timedate1
|
||||
peer=(name=:*),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/timedate[0-1]
|
||||
dbus send bus=system path=/org/freedesktop/systemd1/unit/*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Get,GetAll},
|
||||
|
||||
dbus bind bus=system name=org.freedesktop.timedate[0-9],
|
||||
member=GetAll
|
||||
peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} += @{lib}/@{multiarch}/cups-pk-helper-mechanism
|
||||
profile cups-pk-helper-mechanism @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/polkit>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
|
|
@ -19,11 +20,10 @@ profile cups-pk-helper-mechanism @{exec_path} {
|
|||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
||||
dbus bind bus=system name=org.opensuse.CupsPkHelper.Mechanism,
|
||||
dbus receive bus=system path=/
|
||||
interface=org.opensuse.CupsPkHelper.Mechanism,
|
||||
|
||||
dbus bind bus=system
|
||||
name=org.opensuse.CupsPkHelper.Mechanism,
|
||||
interface=org.opensuse.CupsPkHelper.Mechanism
|
||||
peer=(name=:*),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/{,fwupd/}fwupd
|
||||
profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/modem-manager>
|
||||
include <abstractions/bus/polkit>
|
||||
include <abstractions/bus/udisk>
|
||||
include <abstractions/bus/upower>
|
||||
|
|
@ -38,11 +39,9 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
|||
peer=(name=:*, label=fwupdmgr),
|
||||
dbus receive bus=system path=/
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={GetAll,SetHints,GetPlugins,GetRemotes}
|
||||
peer=(name=:*, label=fwupdmgr),
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus
|
||||
member=Changed
|
||||
peer=(name=:*, label=fwupdmgr),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
|
|
@ -50,17 +49,10 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
|||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/ModemManager1
|
||||
interface=org.freedesktop.DBus.{Properties,ObjectManager}
|
||||
member={GetAll,GetManagedObjects},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/UDisks2/Manager
|
||||
interface=org.freedesktop.{DBus.Properties,UDisks2.Manager}
|
||||
member={GetAll,GetBlockDevices},
|
||||
interface=org.freedesktop.UDisks2.Manager
|
||||
member=GetBlockDevices
|
||||
peer=(name=:*, label=udisksd),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/murmurd
|
||||
profile murmurd @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/avahi>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
|
|
@ -25,11 +26,6 @@ profile murmurd @{exec_path} {
|
|||
|
||||
unix (send, receive) type=stream addr=none peer=(label=lsb_release),
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.Peer
|
||||
member=Ping
|
||||
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/lsb_release rPx -> lsb_release,
|
||||
|
|
|
|||
|
|
@ -16,6 +16,11 @@ profile obexd @{exec_path} {
|
|||
network bluetooth stream,
|
||||
network bluetooth seqpacket,
|
||||
|
||||
dbus bind bus=session name=org.bluez.obex,
|
||||
dbus receive bus=session path=/org/bluez/obex
|
||||
interface=org.bluez.obex.AgentManager1
|
||||
peer=(name=:*),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
|
|
|
|||
|
|
@ -21,11 +21,9 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
network netlink raw,
|
||||
|
||||
dbus bind bus=system name=net.hadess.PowerProfiles,
|
||||
|
||||
dbus receive bus=system path=/net/hadess/PowerProfiles
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*),
|
||||
|
||||
dbus send bus=system path=/net/hadess/PowerProfiles
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile remmina @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/atspi>
|
||||
include <abstractions/bus/hostname>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
|
|
@ -49,11 +50,6 @@ profile remmina @{exec_path} {
|
|||
member=GetAll
|
||||
peer=(name=:*, label=gnome-keyring-daemon),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/hostname[0-9]*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*),
|
||||
|
||||
dbus send bus=session path=/StatusNotifierWatcher
|
||||
interface=org.kde.StatusNotifierWatcher
|
||||
member=RegisterStatusNotifierItem
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ profile spice-vdagent @{exec_path} {
|
|||
include <abstractions/audio>
|
||||
include <abstractions/bus/atspi>
|
||||
include <abstractions/bus/desktop>
|
||||
include <abstractions/bus/rtkit>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/bus/login-session>
|
||||
|
||||
capability sys_nice,
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue