diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon
index 04fc326b..04be8d6f 100644
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
@@ -23,6 +23,33 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
 ptrace (read) peer=unconfined,
+ dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member={CheckAuthorization,Changed},
+
+ dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member={PropertiesChanged,GetAll},
+
+ dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.Accounts.User
+ member={Changed,SetLanguage},
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/Accounts
+ interface=org.freedesktop.Accounts
+ member={FindUserByName,ListCachedUsers},
+
+ dbus receive bus=system path=/org/freedesktop/Accounts
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus bind bus=system
+ name=org.freedesktop.Accounts,
+
 @{exec_path} mr,
 /usr/share/accountsservice/{,**} r,
diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord
index 1aaf33ea..da7c5a33 100644
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
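Review bot: The receive rules enumerate only `FindUserByName`/`ListCachedUsers` on `org.freedesktop.Accounts` and only `SetLanguage` on `org.freedesktop.Accounts.User`, so every other method the daemon serves (CreateUser/DeleteUser/CacheUser, SetPassword, SetAccountType, SetAutomaticLogin and the remaining setters) would be refused by this profile unless an include not shown here already grants them. Since polkit is what actually gates those calls, a `dbus receive bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} interface=org.freedesktop.Accounts{,.User},` rule is the safer shape than a member list captured from one session. The first rule combines send and receive for `{CheckAuthorization,Changed}` without a `peer=` qualifier; `dbus send ... member=CheckAuthorization peer=(name=org.freedesktop.PolicyKit1),` plus `dbus receive ... member=Changed,` expresses the real need and stops the daemon from accepting CheckAuthorization-shaped calls from arbitrary peers. The `bind` for `org.freedesktop.Accounts` is added without the `member=RequestName` send to `org.freedesktop.DBus` that the colord, polkitd and packagekitd hunks in this series add next to their bind; worth confirming the include covers it.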
@@ -17,12 +17,24 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- dbus send
- bus=system
- path=/org/freedesktop/ColorManager/devices/xrandr_*
+ dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**}
+ interface=org.freedesktop.{DBus.Properties,ColorManager},
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName},
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
 interface=org.freedesktop.DBus.Properties
 member=GetAll,
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member=CheckAuthorization,
+
+ dbus bind bus=system
+ name=org.freedesktop.ColorManager,
+
 @{exec_path} mr,
 /{usr/,}lib/colord/colord-sane rPx,
diff --git a/apparmor.d/groups/freedesktop/colord-sane b/apparmor.d/groups/freedesktop/colord-sane
index 1ce827e2..9223002a 100644
--- a/apparmor.d/groups/freedesktop/colord-sane
+++ b/apparmor.d/groups/freedesktop/colord-sane
@@ -16,6 +16,17 @@ profile colord-sane @{exec_path} flags=(attach_disconnected,complain) {
 network netlink raw,
+ dbus (send,receive) bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.ColorManager,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member={GetAPIVersion,GetState,ServiceBrowserNew},
+
+ dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]
+ interface=org.freedesktop.Avahi.ServiceBrowser
+ member={CacheExhausted,AllForNow},
+
 @{exec_path} mr,
 /usr/share/snmp/mibs/{,*} r,
diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session
index 180ee969..eca96bdf 100644
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
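Review bot: `interface=org.freedesktop.{DBus.Properties,ColorManager}` in the first added rule is an exact match, so the per-object interfaces colord serves under the `{,/**}` path glob (`org.freedesktop.ColorManager.Device`, `.Profile`, `.Sensor`) are not covered and client calls on a device or profile object would be refused; the upowerd and udisksd hunks in this same series use `UPower*`/`UDisks2*` for exactly this case. Suggest `interface=org.freedesktop.{DBus.Properties,ColorManager*},`. Note also that replacing the removed `xrandr_*` rule with `+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority` re-targets the surviving context lines `interface=org.freedesktop.DBus.Properties` / `member=GetAll,` from colord's own device objects to the PolicyKit Authority; that is presumably intended (the gsd-color hunk now carries the xrandr GetAll rule), but a fresh rule would have made the change reviewable.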
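Review bot: `path=/Client[0-9]/ServiceBrowser[0-9]` in the colord-sane receive rule matches only single-digit Avahi client and browser indices, so it stops matching once either counter passes 9; the gsd-print-notifications hunk in this series uses `/Client[0-9]*/ServiceBrowser[0-9]*`, which is what this rule should use too. The `ServiceBrowserNew` send above it is what hands back such an object, and because this profile is in complain mode the mismatch would currently only show up as an audit line rather than a failure.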
@@ -20,6 +20,16 @@ profile pipewire-media-session @{exec_path} {
 network bluetooth stream,
 network netlink raw,
+ dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.freedesktop.RealtimeKit1),
+
+ dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
+ interface=org.freedesktop.RealtimeKit1
+ member=MakeThreadRealtime
+ peer=(name=org.freedesktop.RealtimeKit1),
+
 @{exec_path} mr,
 /usr/share/alsa-card-profile/{,**} r,
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index 982f8f85..323ac40f 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@@ -22,6 +22,25 @@ profile polkitd @{exec_path} {
 ptrace (read),
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionUnixUser,GetConnectionUnixProcessID,RequestName},
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member={Changed,BeginAuthentication},
+
+ dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member={GetAll,CheckAuthorization,RegisterAuthenticationAgent,AuthenticationAgentResponse2,EnumerateActions,CancelCheckAuthorization},
+
+ dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus bind bus=system
+ name=org.freedesktop.PolicyKit[0-9],
+
 @{exec_path} mr,
 @{PROC}/@{pids}/stat r,
diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd
index f8f7cbfc..d977b692 100644
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
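Review bot: In the polkitd hunk, the send rule `member={Changed,BeginAuthentication}` under `path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.PolicyKit[0-9].Authority` cannot match the BeginAuthentication call polkitd actually makes: that is a method of `org.freedesktop.PolicyKit1.AuthenticationAgent` invoked on the agent's own object path (gnome-shell registers at `/org/gnome/PolicyKit1/AuthenticationAgent`), so as written the entry is dead and a separate `dbus send bus=system path=/org/*/PolicyKit[0-9]/AuthenticationAgent interface=org.freedesktop.PolicyKit[0-9].AuthenticationAgent member={BeginAuthentication,CancelAuthentication},` is needed; the exact path glob should be confirmed against the agents in use. The receive list is also missing `UnregisterAuthenticationAgent` (and the pre-0.114 `AuthenticationAgentResponse`), so agents could register but never cleanly unregister on logout. `GetAll` in that same list belongs to the Properties interface, which the following rule already covers, and can be dropped.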
@@ -16,6 +16,20 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**}
+ interface=org.freedesktop.{DBus.Properties,UPower*},
+
+ dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member={PropertiesChanged,GetAll},
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member=Inhibit,
+
+ dbus bind bus=system
+ name=org.freedesktop.UPower,
+
 @{exec_path} mr,
 /etc/UPower/ r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 9fd68336..cc260c50 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -21,6 +21,22 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 ptrace (read),
+ dbus send bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member={GetAll,Get},
+
+ dbus send bus=system path=/net/hadess/PowerProfiles
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=StateChanged,
+
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index 22f60b38..cb2c7337 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
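Review bot: The second upowerd rule grants `(send,receive)` for `{PropertiesChanged,GetAll}` on `/org/freedesktop/login[0-9]`, but the daemon only sends GetAll there and only receives PropertiesChanged; the combined form additionally lets upowerd emit a PropertiesChanged signal carrying logind's object path and accept GetAll calls aimed at that path. Split it into `dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.login1),` and `dbus receive ... member=PropertiesChanged,`. The `Inhibit` send on the same path would benefit from the same `peer=` qualifier, as the systemd-user-runtime-dir hunk in this series already does for its logind call.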
@@ -19,6 +19,14 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 include
 include
+ dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.Accounts.User
+ member=Changed,
+
 @{exec_path} mr,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index 2e94f0ff..1d95d895 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@@ -20,6 +20,14 @@ profile xdg-desktop-portal-gtk @{exec_path} {
 include
 include
+ dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.Accounts.User
+ member=Changed,
+
 @{exec_path} mr,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory
index bc313353..a4ccf153 100644
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@@ -23,6 +23,22 @@ profile evolution-addressbook-factory @{exec_path} {
 network inet6 dgram,
 network netlink raw,
+ dbus send bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/locale[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member={CheckPermissions,StateChanged},
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 @{exec_path}-subprocess rix,
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory
index 132540ad..4172e513 100644
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@@ -23,6 +23,10 @@ profile evolution-calendar-factory @{exec_path} {
 network inet6 dgram,
 network netlink raw,
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 @{exec_path}-subprocess rix,
diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm
index a3cade38..1358ba23 100644
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@@ -26,6 +26,30 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
 signal (send) set=(term),
+ dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User@{uid}
+ interface=org.freedesktop.Accounts.User
+ member={Changed,GetAll,PropertiesChanged},
+
+ dbus send bus=system path=/org/freedesktop/Accounts
+ interface=org.freedesktop.{DBus.Properties,Accounts}
+ member={GetAll,ListCachedUsers,FindUserByName},
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login1.Manager
+ member={ListSeats,ActivateSessionOnSeat,UnlockSession},
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionUnixProcessID,GetConnectionUnixUser},
+
+ dbus receive bus=system path=/org/freedesktop/login[0-9]/seat/seat[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
+ dbus receive bus=system path=/org/gnome/DisplayManager/Manager
+ interface={org.freedesktop.DBus.Properties,org.gnome.DisplayManager.Manager}
+ member={RegisterDisplay,Get,RegisterSession,GetAll,OpenReauthenticationChannel},
+
 @{exec_path} mr,
 /{usr/,}{s,}prime-switch rPx,
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index 24b8902b..a3bf855e 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
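Review bot: In the first gdm rule, `GetAll` and `PropertiesChanged` are listed under `interface=org.freedesktop.Accounts.User`, but both are members of `org.freedesktop.DBus.Properties`, so those two entries never match and only `Changed` is effective; the property reads on the user object need their own `interface=org.freedesktop.DBus.Properties` rule, as the gdm-session-worker hunk has. `path=/org/freedesktop/Accounts/User@{uid}` also departs from the `User[0-9]*` glob every other profile in this series uses, and whether it matches the logged-in user's object depends on how `@{uid}` is defined in the tunables, which is not visible here. The login1.Manager rule spells the interface `org.freedesktop.login1.Manager` while its path uses `login[0-9]`; harmless, but `org.freedesktop.login[0-9].Manager` would match the rest of the file.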
@@ -41,6 +41,22 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus send bus=system path=/org/freedesktop/Accounts{,/User[0-9]*}
+ interface={org.freedesktop.DBus.Properties,org.freedesktop.Accounts}
+ member={GetAll,FindUserByName,SetLanguage,Changed,PropertiesChanged},
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member=CreateSession,
+
+ dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
+ dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.Accounts.User
+ member=Changed,
+
 @{exec_path} mrix,
 /{usr/,}bin/gnome-keyring-daemon rPx,
diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session
index b07fe0e9..be6fc046 100644
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@@ -21,6 +21,10 @@ profile gdm-wayland-session @{exec_path} {
 signal (send) set=(term) peer=dbus-daemon,
 signal (send) set=(term) peer=gnome-session-binary,
+ dbus send bus=system path=/org/gnome/DisplayManager/Manager
+ interface=org.gnome.DisplayManager.Manager
+ member=RegisterDisplay,
+
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index 030e1214..a3ddf738 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
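Review bot: The first gdm-session-worker send rule lists `SetLanguage` under `interface={org.freedesktop.DBus.Properties,org.freedesktop.Accounts}`, but SetLanguage is a method of `org.freedesktop.Accounts.User` on the `/User[0-9]*` object, so that call is not actually permitted by this rule; `Changed` and `PropertiesChanged` in the same list are signals the worker receives (already covered by the two receive rules below), so granting them as send only allows the worker to spoof them. Suggest trimming the member list to `{GetAll,FindUserByName}` and adding `dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.Accounts.User member=SetLanguage,`. The `CreateSession` call to logind is the sensitive one in this hunk and would benefit from `peer=(name=org.freedesktop.login1)`.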
@@ -16,6 +16,22 @@ profile gnome-extension-ding @{exec_path} {
 include
 include
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={ListNames,ListActivatableNames},
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspec,
+
+ dbus send bus=system path=/net/hadess/SwitcherooControl
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
 @{exec_path} mr,
 /{usr/,}bin/env rix,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 91743684..f9d5260e 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -27,6 +27,22 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 signal (send) set=(term) peer=gsd-*,
 signal (receive) set=(term, hup) peer=gdm*,
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member={CanPowerOff,GetSession},
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]*
+ interface=org.freedesktop.login[0-9].Session
+ member=SetIdleHint,
+
+ dbus receive bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 /{usr/,}bin/{,z,ba,da}sh rix,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 07657a3b..2b77f2dc 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
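Review bot: `member=Introspec` in the third gnome-extension-ding rule is a typo for `Introspect`; as written the rule never matches and the `org.freedesktop.DBus.Introspectable` call it was captured from will still be denied. The fix is the one-word change `member=Introspect,`. In the gnome-session-binary hunk on the same line, the `SetIdleHint` send on `session/_[0-9]*` could carry `peer=(name=org.freedesktop.login1)` as the systemd-user-runtime-dir hunk in this series does for its logind call.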
@@ -43,6 +43,55 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
 unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
+ dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]*
+ interface=org.freedesktop.login[0-9].Session
+ member={ReleaseDevice,TakeControl,TakeDevice,PauseDevice},
+
+ dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member={CheckAuthorization,RegisterAuthenticationAgent,Changed},
+
+ dbus send bus=system path=/org/gnome/DisplayManager/Manager
+ interface=org.gnome.DisplayManager.Manager
+ member=RegisterSession
+ peer=(name=org.gnome.DisplayManager),
+
+ dbus send bus=system path=/org/freedesktop
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects,
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member={CanSuspend,CanRebootToBootLoaderMenu,GetSession,Inhibit},
+
+ dbus send bus=system path=/net/hadess/SwitcherooControl
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/net/hadess/PowerProfiles
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/UPower/{,devices/DisplayDevice}
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/net/reactivated/Fprint/Manager
+ interface=net.reactivated.Fprint.Manager
+ member=GetDefaultDevice,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=CheckPermissions,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
+ dbus receive bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 /{usr/,}bin/Xwayland rPx,
diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon
index 9a30738f..d181eff2 100644
--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
@@ -25,6 +25,10 @@ profile goa-daemon @{exec_path} {
 network inet6 dgram,
 network netlink raw,
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index 3e3de47c..f5fdbcee 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -18,6 +18,18 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term, hup) peer=gdm*,
+ dbus send bus=system path=/org/freedesktop/ColorManager/devices/xrandr_*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.ColorManager
+ member={FindDeviceByProperty,GetDevices,CreateDevice},
+
+ dbus receive bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.ColorManager
+ member={DeviceAdded,ProfileAdded},
+
 @{exec_path} mr,
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify
index f1c5d57b..b2638249 100644
--- a/apparmor.d/groups/gnome/gsd-disk-utility-notify
+++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify
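Review bot: The gnome-shell hunk registers the shell as a polkit agent (`RegisterAuthenticationAgent` in the second rule) but adds no receive rule for `org.freedesktop.PolicyKit[0-9].AuthenticationAgent` (`BeginAuthentication`/`CancelAuthentication`) on the shell's agent object path and no send for `UnregisterAuthenticationAgent`; unless an include not shown here covers them, polkit prompts will not reach the shell once the profile enforces. The first rule mixes `PauseDevice`, a signal logind emits to the session controller, with the three methods the shell calls on its session object; `dbus send ... member={TakeControl,TakeDevice,ReleaseDevice}` plus `dbus receive ... member=PauseDevice` expresses the same need without letting the shell emit PauseDevice itself. The `GetManagedObjects` send on `path=/org/freedesktop` has no interface owner or peer and will match any ObjectManager rooted there; a `peer=(name=...)` would say which service is meant.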
@@ -12,6 +12,14 @@ profile gsd-disk-utility-notify @{exec_path} {
 include
 include
+ dbus send bus=system path=/org/freedesktop/UDisks2
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects,
+
+ dbus receive bus=system path=/org/freedesktop/UDisks2/**
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 include if exists
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index 96288a87..654541e0 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -21,6 +21,22 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member=Inhibit,
+
+ dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice}
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index 41f28908..29bcd906 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -21,6 +21,33 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term, hup) peer=gdm*,
+ dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**}
+ interface=org.freedesktop.{DBus.Properties,UPower*},
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]/session/auto
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]/session/auto
+ interface=org.freedesktop.login[0-9].Session
+ member=SetBrightness,
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member=Inhibit,
+
+ dbus send bus=system path=/net/hadess/PowerProfiles
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index aa62b6f5..98563afd 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -19,6 +19,18 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term, hup) peer=gdm*,
 signal (send) set=(hup) peer=gsd-printer,
+ dbus (send,receive) bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
+ interface=org.freedesktop.Avahi.ServiceBrowser
+ member={CacheExhausted,AllForNow,CacheExhausted,AllForNow,Free},
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.DBus.Peer
+ member=Ping,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member={GetAPIVersion,GetState,ServiceBrowserNew},
+
 @{exec_path} mr,
 @{libexec}/gsd-printer rPx,
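Review bot: In the gsd-print-notifications hunk the member list `{CacheExhausted,AllForNow,CacheExhausted,AllForNow,Free}` repeats two entries, and the `(send,receive)` form hides the direction: `CacheExhausted`/`AllForNow` are signals the process receives, while `Free` is the only method it calls on the browser object. Rewrite as `dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* interface=org.freedesktop.Avahi.ServiceBrowser member=Free,` and `dbus receive ... member={CacheExhausted,AllForNow},`; the `ItemNew`/`ItemRemove` signals a browser normally delivers are presumably needed as well, so check the audit log before trimming further. `interface=org.freedesktop.DBus.Peer member=Ping` with `path=/` and no peer is a very wide send rule; if it exists only for Avahi, `peer=(name=org.freedesktop.Avahi)` bounds it.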
diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer
index 15590b73..6f8d0db3 100644
--- a/apparmor.d/groups/gnome/gsd-printer
+++ b/apparmor.d/groups/gnome/gsd-printer
@@ -15,6 +15,16 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term, hup) peer=gdm*,
 signal (receive) set=(hup) peer=gsd-print-notifications,
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=ReleaseName,
+
+ dbus bind bus=system
+ name=com.redhat.NewPrinterNotification,
+
+ dbus bind bus=system
+ name=com.redhat.PrinterDriversInstaller,
+
 @{exec_path} mr,
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill
index 3bb20459..52d98363 100644
--- a/apparmor.d/groups/gnome/gsd-rfkill
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@@ -16,6 +16,26 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus send bus=system path=/org/freedesktop/hostname[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=Get,
+
+ dbus send bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member={CheckPermissions,StateChanged},
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 /sys/devices/virtual/misc/rfkill/uevent r,
diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing
index 5b20cc4f..dc5c2d99 100644
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
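Review bot: The gsd-printer hunk adds two `dbus bind` rules and a `ReleaseName` send, but no `member=RequestName` send to `org.freedesktop.DBus`, which is the call that actually exercises the bind; the colord, polkitd, packagekitd and switcheroo-control hunks in this series all add RequestName next to their bind. Unless the included abstraction already grants it, change the first rule to `member={RequestName,ReleaseName},`.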
@@ -15,6 +15,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
 include
 signal (receive) set=(term, hup) peer=gdm*,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index d3f6ec90..0b9f3fa8 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@@ -26,6 +26,14 @@ profile gsd-xsettings @{exec_path} {
 network inet6 dgram,
 network netlink raw,
+ dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.Accounts.User
+ member={SetInputSources,Changed,GetAll},
+
+ dbus send bus=system path=/org/freedesktop/Accounts
+ interface=org.freedesktop.Accounts
+ member=FindUserByName,
+
 @{exec_path} mr,
 /{usr/,}bin/cat rix,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 6c48c596..045b12e5 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -17,6 +17,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 include
 include
+ dbus send bus=system path=/org/freedesktop/hostname[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index 7846a464..57435eb6 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -18,6 +18,10 @@ profile tracker-miner @{exec_path} {
 include
 include
+ dbus send bus=system path=/org/freedesktop/UPower/{,devices/DisplayDevice}
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
 @{exec_path} mr,
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index 59db2bb3..dc3aff19 100644
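Review bot: In the gsd-xsettings hunk, `GetAll` is listed under `interface=org.freedesktop.Accounts.User`, but it is a `org.freedesktop.DBus.Properties` method, so that entry never matches and the property read needs its own Properties rule (the xdg-desktop-portal-gnome hunk in this series shows the shape). The `(send,receive)` form also grants gsd-xsettings the right to receive `SetInputSources`, a method only accounts-daemon serves; `dbus send ... member=SetInputSources,` and `dbus receive ... member=Changed,` is the minimal pair.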
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -27,6 +27,10 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
 ptrace (read),
+ dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**}
+ interface=org.freedesktop.{DBus.*,UDisks2.*}
+ peer=(label=udisksd),
+
 @{exec_path} mr,
 /{usr/,}bin/lsof rix,
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index e68a51fa..6dd5d195 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -35,6 +35,49 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
 network packet dgram,
+ dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager{,/**}
+ interface=org.freedesktop.{DBus.Properties,NetworkManager*},
+
+ dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member={Changed,CheckAuthorization},
+
+ dbus send bus=system path=/org/freedesktop
+ interface=org.freedesktop.DBus.ObjectManager
+ member=InterfacesAdded,
+
+ dbus send bus=system path=/org/freedesktop/nm_dispatcher
+ interface=org.freedesktop.nm_dispatcher
+ member=Action
+ peer=(name=org.freedesktop.nm_dispatcher),
+
+ dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects,
+
+ dbus send bus=system path=/org/freedesktop/resolve[0-9]
+ interface=org.freedesktop.resolve[0-9].Manager
+ member=SetLink*,
+
+ dbus send bus=system path=/org/freedesktop/hostname[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects,
+
+ dbus receive bus=system path=/org/freedesktop
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects,
+
+ dbus receive bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member={SessionRemoved,UserNew,SessionNew,Inhibit},
+
+ dbus bind bus=system
+ name=org.freedesktop.NetworkManager,
+
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index 4a830450..8cc0dc4f 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
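Review bot: The rule `dbus send bus=system path=/org/freedesktop/ModemManager[0-9] interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects,` appears twice in this hunk; drop the second copy. `Inhibit` sits in the receive rule for `org.freedesktop.login[0-9].Manager` next to three signals, but NetworkManager is the caller of logind's Inhibit (it takes a sleep inhibitor), so this presumably belongs in a send rule, `dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member=Inhibit,`; check the audit line it was captured from. The PolicyKit rule, like several others in this series, combines send and receive for `{Changed,CheckAuthorization}`; NM only sends the latter and receives the former.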
@@ -23,6 +23,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member={Get,GetAll},
+ dbus bind bus=system
+ name=org.freedesktop.hostname[0-9],
+
 @{exec_path} mr,
 @{run}/systemd/notify rw,
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index efb53cf1..2ebf2685 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -25,6 +25,9 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member=GetAll,
+ dbus bind bus=system
+ name=org.freedesktop.locale[0-9],
+
 @{exec_path} mr,
 /usr/share/systemd/language-fallback-map r,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 8cedc840..3224e803 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -44,7 +44,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 member=CheckAuthorization,
 dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/**
- interface=org.freedesktop.systemd[0-9]/.Scope
+ interface=org.freedesktop.systemd[0-9].Scope
 member=Abandon,
 dbus receive bus=system path=/org/freedesktop/systemd[0-9]
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated
index 4f28e457..6e898528 100644
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@@ -23,6 +23,9 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member=Get,
+ dbus bind bus=system
+ name=org.freedesktop.timedate[0-9],
+
 @{exec_path} mr,
 /dev/rtc[0-9] r,
diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir
index a4d0a7a0..c5c263a1 100644
--- a/apparmor.d/groups/systemd/systemd-user-runtime-dir
+++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir
@@ -22,6 +22,11 @@ profile systemd-user-runtime-dir @{exec_path} {
 mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
 umount @{run}/user/@{uid}/,
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.freedesktop.login[0-9]),
+
 @{exec_path} mr,
 /etc/machine-id r,
diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd
index c8e0be36..dfe1983b 100644
--- a/apparmor.d/groups/ubuntu/packagekitd
+++ b/apparmor.d/groups/ubuntu/packagekitd
@@ -17,6 +17,36 @@ profile packagekitd @{exec_path} {
 network netlink raw,
+ dbus (send,receive) bus=system path=/org/freedesktop/PackageKit
+ interface=org.freedesktop.{DBus.*,PackageKit},
+
+ dbus send bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=RequestName,
+
+ dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member=Changed,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=CheckPermissions,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
+ dbus bind bus=system
+ name=org.freedesktop.PackageKit,
+
 @{exec_path} mr,
 /{usr/,}bin/dpkg rPx,
diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon
index ee85a3b0..1cbe45a1 100644
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
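Review bot: The first packagekitd rule confines the daemon to `path=/org/freedesktop/PackageKit` with an exact `org.freedesktop.PackageKit` interface, but the daemon also serves `org.freedesktop.PackageKit.Transaction` on per-transaction objects whose paths are, as far as I know, root-level (`/NNNN_xxxxxxxx`) rather than under `/org/freedesktop/PackageKit`, so every client call on a transaction would be refused by this profile; confirm against an audit log from an actual install before widening to something like `path=/{org/freedesktop/PackageKit,[0-9]*_*} interface=org.freedesktop.{DBus.*,PackageKit*}`. The `CheckAuthorization` send to polkit that packagekitd issues for every privileged action is also absent (only Properties GetAll and the Changed signal are listed), which again suggests either the include is doing the work or the capture was incomplete.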
@@ -17,6 +17,25 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=RequestName,
+
+ dbus receive bus=system path=/net/hadess/PowerProfiles
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member=Changed,
+
+ dbus bind bus=system
+ name=net.hadess.PowerProfiles,
+
 @{exec_path} mr,
 /var/lib/power-profiles-daemon/{,**} rw,
diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon
index ef92160f..f6ab963e 100644
--- a/apparmor.d/profiles-m-r/rtkit-daemon
+++ b/apparmor.d/profiles-m-r/rtkit-daemon
@@ -21,6 +21,25 @@ profile rtkit-daemon @{exec_path} {
 capability sys_nice,
 capability sys_ptrace,
+ dbus receive bus=system path=/org/freedesktop/RealtimeKit[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll},
+
+ dbus receive bus=system path=/org/freedesktop/RealtimeKit[0-9]
+ interface=org.freedesktop.RealtimeKit[0-9]
+ member=MakeThreadRealtimeWithPID,
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=GetConnectionUnixUser,
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member=CheckAuthorization,
+
+ dbus bind bus=system
+ name=org.freedesktop.RealtimeKit[0-9],
+
 @{exec_path} mr,
 # When applying policies to processes
diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd
index ee7dac59..899c68c7 100644
--- a/apparmor.d/profiles-s-z/spice-vdagentd
+++ b/apparmor.d/profiles-s-z/spice-vdagentd
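Review bot: The power-profiles-daemon receive rule for `/net/hadess/PowerProfiles` allows only `org.freedesktop.DBus.Properties` `GetAll`; the daemon's contract is the writable `ActiveProfile` property (changed through `Properties.Set`) plus `HoldProfile`/`ReleaseProfile` on `net.hadess.PowerProfiles`, so with this rule gnome-control-center's power-mode selector and any profile hold from gsd-power would be refused once the profile enforces. Suggest `member={Get,GetAll,Set},` on the Properties rule and an additional `dbus receive bus=system path=/net/hadess/PowerProfiles interface=net.hadess.PowerProfiles,`. Emitting `PropertiesChanged` after a switch is a send from the daemon's side and is not covered here either, unless the include handles signal emission.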
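Review bot: The rtkit-daemon receive rule on `org.freedesktop.RealtimeKit[0-9]` lists only `MakeThreadRealtimeWithPID`, yet the pipewire-media-session hunk earlier in this same series sends `MakeThreadRealtime` to rtkit, so that call would be permitted on the client side and refused on the daemon side; rtkit also serves `MakeThreadHighPriority{,WithPID}`, `ResetKnown`, `ResetAll` and `Exit`. Since rtkit authorizes each request itself (the `CheckAuthorization` send below), `member={MakeThreadRealtime,MakeThreadRealtimeWithPID,MakeThreadHighPriority,MakeThreadHighPriorityWithPID,ResetKnown,ResetAll,Exit},` or simply dropping the member qualifier on that receive rule is the better fit.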
@@ -13,6 +13,12 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
   capability sys_nice,
+  dbus receive
+       bus=system
+       path=/org/freedesktop/login[0-9]/session/_[0-9]*
+       interface=org.freedesktop.login[0-9].Session
+       member=Unlock,
+
   @{exec_path} mr,
   owner @{run}/spice-vdagentd/spice-vdagent-sock r,
diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control
index 2f142a08..8bd1539a 100644
--- a/apparmor.d/profiles-s-z/switcheroo-control
+++ b/apparmor.d/profiles-s-z/switcheroo-control
@@ -15,6 +15,17 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) {
   network netlink raw,
+  dbus receive bus=system path=/net/hadess/SwitcherooControl
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member=RequestName,
+
+  dbus bind bus=system
+       name=net.hadess.SwitcherooControl,
+
   @{exec_path} mr,
   @{run}/udev/data/+drm:* r,
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index b46cd19b..d2019666 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
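Review bot: The spice-vdagentd rule is written in the one-field-per-line form (`dbus receive` / `bus=system` / `path=...`), while every other rule in this commit, including the switcheroo-control hunk on this same line, puts `bus=` and `path=` on the first line as `dbus receive bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]*`; aligning it keeps the profiles greppable in one style. The rule also accepts the `Unlock` signal from any bus peer; since that signal is emitted by logind, it is worth pinning the sender with `peer=(name=org.freedesktop.login[0-9])` as the systemd-user-runtime-dir hunk does for its send, provided name matching on the receive side behaves as expected in your dbus-daemon build. The profile body continues outside the hunk.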
@@ -26,6 +26,32 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   network netlink raw,
+  dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**}
+       interface=org.freedesktop.{DBus*,UDisks2*},
+
+  dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.PolicyKit[0-9].Authority
+       member=Changed,
+
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={ReleaseName,GetConnectionUnixUser},
+
+  dbus send bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.login[0-9].Manager
+       member=Inhibit,
+
+  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.PolicyKit[0-9].Authority
+       member=CheckAuthorization,
+
+  dbus bind bus=system
+       name=org.freedesktop.UDisks2,
+
   @{exec_path} mr,
   /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant
index ab75f5d5..eb79c593 100644
--- a/apparmor.d/profiles-s-z/wpa-supplicant
+++ b/apparmor.d/profiles-s-z/wpa-supplicant
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2018-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -25,6 +25,13 @@ profile wpa-supplicant @{exec_path} {
   network packet raw,
   network packet dgram,
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member=RequestName,
+
+  dbus bind bus=system
+       name=fi.w1.wpa_supplicant[0-9],
+
   @{exec_path} mr,
   @{HOME}/.cat_installer/*.pem r,
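Review bot: The udisksd rule `interface=org.freedesktop.{DBus*,UDisks2*}` uses a bare trailing `*`, which also matches interfaces such as `org.freedesktop.DBusX` or `org.freedesktop.UDisks2Foo`, and differs from the `DBus.*` spelling used in the packagekitd hunk of this commit. The intended set is the standard `org.freedesktop.DBus.*` helpers plus the UDisks2 interface and its sub-interfaces, so `interface=org.freedesktop.{DBus.*,UDisks2,UDisks2.*},` expresses that without the over-match. As in the other hunks, the PolicyKit send rules here would benefit from `peer=(name=org.freedesktop.PolicyKit[0-9])`. The profile continues past the hunk.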
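Review bot: The second wpa-supplicant hunk adds `dbus bind ... name=fi.w1.wpa_supplicant[0-9]` and the `RequestName` send, but no `dbus send`/`dbus receive` rule for the objects served under that name, so once the daemon owns it, method calls from its clients and the signals it emits on the bus are only allowed if rules outside this hunk already grant them; that is not visible here and is worth confirming against audit logs after the change. If they are missing, a `dbus (send,receive) bus=system path=/fi/w1/wpa_supplicant[0-9]{,/**} interface=fi.w1.wpa_supplicant[0-9]{,.*}` style rule in the same form as the udisksd hunk would be the natural companion to the bind. The profile body continues outside the hunk.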
