diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd similarity index 81% rename from apparmor.d/groups/freedesktop/at-spi2-registryd rename to apparmor.d/groups/bus/at-spi2-registryd index 5451b881..1b047f1f 100644 --- a/apparmor.d/groups/freedesktop/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -12,17 +12,9 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include include include - include include - include - include - - signal (receive) set=(term hup kill) peer=@{systemd}, - signal (receive) set=(term hup kill) peer=dbus-daemon, - signal (receive) set=(term hup kill) peer=gdm*, # dbus: own bus=accessibility name=org.a11y.atspi.{R,r}egistry - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.freedesktop.DBus.Properties member=Set @@ -31,12 +23,16 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { interface=org.a11y.atspi.Socket member=Embed peer=(name=:*), - dbus receive bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller interface=org.a11y.atspi.DeviceEventController member={GetKeystrokeListeners,GetDeviceEventListeners} peer=(name=:*), + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus, label=dbus-accessibility), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -44,7 +40,5 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility new file mode 100644 index 00000000..06791f53 --- /dev/null +++ b/apparmor.d/groups/bus/dbus-accessibility 
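Review bot: The three `signal (receive) set=(term hup kill)` rules removed at the top of the first hunk (peers @{systemd}, dbus-daemon, gdm*) get no replacement, while the accessibility bus daemon that carried `signal (send) set=(term hup kill) peer=at-spi2-registryd,` in the deleted dbus-daemon profile now runs `rix` inside the new dbus-accessibility profile, which has no send rule toward at-spi2-registryd either. If the bus daemon still terminates the registry on shutdown, both directions will be denied; I would keep a receive rule here, `signal (receive) set=(term hup kill) peer=dbus-accessibility,`, and add the matching `signal (send) set=(term hup kill) peer=at-spi2-registryd,` to the dbus-accessibility file added later in this commit. The `include` targets are stripped from this page and the profile body continues outside the hunk, so a rule coming from an included abstraction cannot be ruled out from here.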
@@ -0,0 +1,62 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher
+profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ signal (receive) set=(term hup kill) peer=dbus-session,
+ signal (receive) set=(term hup kill) peer=gdm,
+
+ dbus bus=accessibility,
+
+ # dbus: own bus=session name=org.a11y.{B,b}us
+
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=gnome-shell),
+
+ @{exec_path} mrix,
+
+ @{bin}/dbus-broker rix,
+ @{bin}/dbus-broker-launch rix,
+ @{bin}/dbus-daemon rix,
+ @{lib}/at-spi2-registryd rPx,
+ @{lib}/at-spi2{,-core}/at-spi2-registryd rPx,
+
+ /usr/share/dbus-1/accessibility-services/{,**} r,
+ /usr/share/dconf/profile/gdm r,
+ /usr/share/defaults/at-spi2/{,**} r,
+ /usr/share/gdm/greeter-dconf-defaults r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ /etc/machine-id r,
+
+ /var/lib/gdm{3,}/.config/dconf/user r,
+ /var/lib/gdm{3,}/greeter-dconf-defaults r,
+
+ @{run}/systemd/userdb/ r,
+ @{run}/systemd/users/@{uid} r,
+
+ @{sys}/kernel/security/apparmor/.access rw,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/oom_score_adj r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/bus/dbus-broker b/apparmor.d/groups/bus/dbus-broker
deleted file mode 100644
index 3d57acf7..00000000
--- a/apparmor.d/groups/bus/dbus-broker
+++ /dev/null
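Review bot: The two exec rules `@{lib}/at-spi2-registryd rPx,` and `@{lib}/at-spi2{,-core}/at-spi2-registryd rPx,` spell out by hand the alternation that this file's own `@{exec_path}` line already writes as `@{lib}/{,at-spi2{,-core}/}`; a single `@{lib}/{,at-spi2{,-core}/}at-spi2-registryd rPx,` keeps the registry path in step with the launcher path and with the at-spi2-registryd profile's attachment, and is one line fewer to maintain. The file is also added without a trailing newline, as the `\ No newline at end of file` marker shows; dbus-session and dbus-system in this commit have the same issue.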
@@ -1,45 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/dbus-broker
-profile dbus-broker @{exec_path} flags=(attach_disconnected) {
- include
- include
- include
- include
- include
-
- network netlink raw,
- network bluetooth stream,
- network bluetooth seqpacket,
-
- dbus bus=accessibility,
- dbus bus=session,
- dbus bus=system,
-
- @{exec_path} mr,
-
- @{bin}/* rPUx,
-
- # Extra rules for GDM
- /var/lib/gdm{3,}/.local/share/icc/ r,
- /var/lib/gdm{3,}/.local/share/icc/edid-*.icc r,
-
- @{user_share_dirs}/icc/ r,
- @{user_share_dirs}/icc/edid-*.icc r,
-
- @{run}/systemd/sessions/*.ref rw,
- @{run}/systemd/inhibit/*.ref rw,
-
- /dev/dri/card@{int} rw,
- /dev/input/event@{int} rw,
-
- @{PROC}/sys/kernel/cap_last_cap r,
-
- include if exists
-}
\ No newline at end of file
diff --git a/apparmor.d/groups/bus/dbus-broker-launch b/apparmor.d/groups/bus/dbus-broker-launch
deleted file mode 100644
index 035b50b8..00000000
--- a/apparmor.d/groups/bus/dbus-broker-launch
+++ /dev/null
@@ -1,35 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/dbus-broker-launch
-profile dbus-broker-launch @{exec_path} flags=(attach_disconnected) {
- include
- include
-
- capability net_admin,
- capability setgid,
- capability setuid,
-
- @{exec_path} mr,
-
- @{bin}/dbus-broker rPx,
-
- /usr/share/dbus-1/{,**} r,
- /usr/share/defaults/**.conf r,
-
- # Extra rules for Flatpak
- @{system_share_dirs}/dbus-1/{,**} r,
-
- /etc/machine-id r,
-
- @{run}/user/@{uid}/dbus-1/{,**} r,
-
- @{PROC}/sys/kernel/random/boot_id r,
-
- include if exists
-}
\ No newline at end of file
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
deleted file mode 100644
index 434f19b7..00000000
--- a/apparmor.d/groups/bus/dbus-daemon
+++ /dev/null
@@ -1,129 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2022 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/dbus-daemon
-profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
- include
- include
- include
- include
- include
- include
- include
-
- capability audit_write,
- capability setgid,
- capability setuid,
- capability sys_resource,
-
- network netlink raw,
- network unix stream,
- network bluetooth stream,
- network bluetooth seqpacket,
-
- signal (receive) set=(term hup kill) peer=at-spi-bus-launcher,
- signal (receive) set=(term hup kill) peer=dbus-run-session,
- signal (receive) set=(term hup kill) peer=gdm*,
- signal (send) set=(term hup kill) peer=at-spi-bus-launcher,
- signal (send) set=(term hup kill) peer=at-spi2-registryd,
- signal (send) set=(term hup kill) peer=dconf-service,
- signal (send) set=(term hup kill) peer=xdg-permission-store,
-
- ptrace (read),
-
- dbus bus=accessibility,
- dbus bus=session,
- dbus bus=system,
-
- @{exec_path} mr,
-
- @{bin}/ r,
-
- @{bin}/* rPUx,
- @{bin}/{false,true} rix,
- @{bin}/dbus-launch rix,
- @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix, # See #74, #80 & #235
- @{lib}/{,kf6/}kauth/{,libexec/}* rPx,
- @{lib}/@{multiarch}/libexec/ksmserver-logout-greeter rPx,
- @{lib}/@{multiarch}/tumbler-1/tumblerd rPUx,
- @{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx,
- @{lib}/* rPUx,
- @{lib}/atril/atrild rPx,
- @{lib}/dbus-1*/dbus-daemon-launch-helper rPx,
- @{lib}/gnome-shell/gnome-shell-calendar-server rPx,
- @{lib}/ibus/ibus-* rPx,
- @{lib}/kf{5,6}/kiod{5,6} rPx,
- @{lib}/telepathy/mission-control-5 rPx,
- @{lib}/xfce[0-9]/xfconf/xfconfd rPx,
- /usr/share/gnome-documents/org.gnome.Documents rPx,
- /usr/share/gnome-maps/org.gnome.Maps rPUx,
- /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/service/daemon.js rPx,
- /usr/share/org.gnome.Characters/org.gnome.Characters rPx,
- /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
-
- @{lib}/mate-notification-daemon/mate-notification-daemon rPUx,
-
- @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/service/daemon.js rPx,
-
- /etc/dbus-1/{,**} r,
-
- /usr/share/dbus-1/{,**} r,
- /usr/share/dconf/profile/gdm r,
- /usr/share/defaults/**.conf r,
- /usr/share/gdm/greeter-dconf-defaults r,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
- # Extra rules for GDM
- /var/lib/gdm{3,}/.config/dconf/user r,
- /var/lib/gdm{3,}/.local/share/icc/ r,
- /var/lib/gdm{3,}/.local/share/icc/edid-*.icc r,
- /var/lib/gdm{3,}/greeter-dconf-defaults r,
-
- # Extra rules for Flatpak
- @{system_share_dirs}/dbus-1/{,**} r,
- @{system_share_dirs}/dbus-1/services/{,**} r,
-
- # Extra rules for Snap
- /var/lib/snapd/dbus-1/services/{,**} r,
- /var/lib/snapd/dbus-1/system-services/{,**} r,
-
- @{user_share_dirs}/icc/ r,
- @{user_share_dirs}/icc/edid-*.icc r,
- owner @{user_share_dirs}/dbus-1/{,**} r,
- owner @{user_share_dirs}/Trash/files/** r,
-
- @{run}/systemd/inhibit/*.ref rw,
- @{run}/systemd/notify w,
- @{run}/systemd/sessions/*.ref rw,
- @{run}/systemd/users/@{uid} r,
- owner @{run}/user/@{uid}/dbus-1/ rw,
- owner @{run}/user/@{uid}/dbus-1/services/ rw,
- owner @{run}/user/@{uid}/gdm/Xauthority r,
- owner @{run}/user/@{uid}/systemd/notify w,
-
- @{sys}/kernel/security/apparmor/.access rw,
- @{sys}/kernel/security/apparmor/features/dbus/mask r,
- @{sys}/module/apparmor/parameters/enabled r,
-
- @{PROC}/@{pids}/attr/apparmor/current r,
- @{PROC}/@{pids}/cgroup r,
- @{PROC}/@{pids}/cmdline r,
- @{PROC}/@{pids}/mounts r,
- @{PROC}/@{pids}/oom_score_adj rw,
- @{PROC}/1/environ r,
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/osrelease r,
- owner @{PROC}/@{pid}/fd/ r,
-
- /dev/dri/card@{int} rw,
- /dev/input/event@{int} rw,
- /dev/tty@{int} rw,
-
- include if exists
-}
diff --git a/apparmor.d/groups/bus/dbus-daemon-launch-helper b/apparmor.d/groups/bus/dbus-daemon-launch-helper
deleted file mode 100644
index 28fdf541..00000000
--- a/apparmor.d/groups/bus/dbus-daemon-launch-helper
+++ /dev/null
@@ -1,40 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{lib}/dbus-1*/dbus-daemon-launch-helper
-profile dbus-daemon-launch-helper @{exec_path} {
- include
- include
- include
-
- capability setgid,
- capability setuid,
- capability sys_resource,
-
- @{exec_path} mr,
-
- @{lib}/{,cups-pk-helper/}cups-pk-helper-mechanism rPx,
- @{lib}/{,kf6/}kauth/{,libexec/}* rPx,
- @{lib}/{,polkit-1/}polkitd rPx,
- @{lib}/{,udisks2/}udisksd rPx,
- @{lib}/@{multiarch}/cups-pk-helper-mechanism rPx,
- @{lib}/language-selector/ls-dbus-backend rPx,
- @{lib}/software-properties/software-properties-dbus rPx,
-
- /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
- /usr/share/usb-creator/usb-creator-helper rPx,
- /usr/share/hplip/pkservice.py rPx,
-
- /usr/share/dbus-1*/{,**} r,
-
- /etc/dbus-1/{,**} r,
-
- owner @{PROC}/@{pid}/oom_score_adj rw,
-
- include if exists
-}
diff --git a/apparmor.d/groups/bus/dbus-run-session b/apparmor.d/groups/bus/dbus-run-session
deleted file mode 100644
index 93579021..00000000
--- a/apparmor.d/groups/bus/dbus-run-session
+++ /dev/null
@@ -1,35 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/dbus-run-session
-profile dbus-run-session @{exec_path} {
- include
-
- signal (receive) set=(term, kill, hup) peer=gdm*,
- signal (send) set=term peer=dbus-daemon,
-
- @{exec_path} mr,
-
- @{bin}/dbus-daemon rPx,
- @{bin}/gnome-session rix,
- @{bin}/gnome-shell rPx,
- @{bin}/gsettings rPx,
- @{bin}/startplasma-wayland rPx,
- @{lib}/gnome-session-binary rPx,
-
- /var/lib/gdm{3,}/.config/dconf/user r,
- /var/lib/gdm{3,}/.cache/dconf/ rw,
- /var/lib/gdm{3,}/greeter-dconf-defaults r,
-
- owner @{PROC}/@{pid}/fd/ r,
-
- /dev/tty rw,
- /dev/tty@{int} rw,
-
- include if exists
-}
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
new file mode 100644
index 00000000..1c291cd2
--- /dev/null
+++ b/apparmor.d/groups/bus/dbus-session
@@ -0,0 +1,67 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Profile for session dbus, regardless of the dbus implementation used.
+# It does not specify an attachment path as it would be the same than
+# "dbus-system". It is intended to be used only via "Px ->" or via
+# systemd drop-in AppArmorProfile= setting.
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/dbus-run-session
+@{exec_path} += @{bin}/dbus-broker @{bin}/dbus-broker-launch
+@{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1.0/dbus-daemon-launch-helper
+profile dbus-session flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none),
+
+ signal (receive) set=(term hup) peer=gdm-session-worker,
+ signal (receive) set=(term hup) peer=gdm-session,
+ signal (receive) set=(term hup) peer=gdm,
+ signal (send) set=(term hup kill) peer=dbus-accessibility,
+ signal (send) set=(term hup kill) peer=xdg-permission-store,
+ signal (send) set=(hup) peer=dconf-service,
+
+ dbus bus=session,
+
+ @{exec_path} mrix,
+
+ @{bin}/{true,false} rix,
+ @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx -> dbus-accessibility,
+
+ @{bin}/** PUx,
+ @{lib}/** PUx,
+ /usr/share/** PUx,
+
+ /etc/dbus-1/{,**} r,
+ /usr/share/dbus-1/{,**} r,
+ /var/lib/snapd/dbus-1/{,**} r,
+ @{system_share_dirs}/dbus-1/{,**} r,
+
+ @{run}/systemd/userd/b/ r,
+ @{run}/systemd/users/@{uid} r,
+ owner @{run}/user/@{uid}/dbus-1/ rw,
+ owner @{run}/user/@{uid}/dbus-1/services/ rw,
+ owner @{run}/user/@{uid}/systemd/notify w,
+
+ @{sys}/kernel/security/apparmor/.access rw,
+ @{sys}/kernel/security/apparmor/features/dbus/mask r,
+ @{sys}/module/apparmor/parameters/enabled r,
+
+ @{PROC}/sys/kernel/random/boot_id r,
+ owner @{PROC}/@{pid}/attr/apparmor/current r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/oom_score_adj r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /dev/tty@{int} rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
new file mode 100644
index 00000000..e17d7ff0
--- /dev/null
+++ b/apparmor.d/groups/bus/dbus-system
@@ -0,0 +1,65 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Profile for system dbus, regardless of the dbus implementation used.
+# It does not specify an attachment path as it would be the same than
+# "dbus-session". It is intended to be used only via "Px ->" or via
+# systemd drop-in AppArmorProfile= setting.
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/dbus-broker @{bin}/dbus-broker-launch
+@{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1.0/dbus-daemon-launch-helper
+profile dbus-system flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ capability audit_write,
+ capability net_admin,
+ capability setgid,
+ capability setuid,
+
+ network netlink raw,
+ network bluetooth stream,
+ network bluetooth seqpacket,
+
+ dbus bus=system,
+
+ @{exec_path} mrix,
+
+ @{bin}/** PUx,
+ @{lib}/** PUx,
+ /usr/share/*/** PUx,
+
+ /etc/machine-id r,
+ /etc/dbus-1/{,**} r,
+ /usr/share/dbus-1/{,**} r,
+ /var/lib/snapd/dbus-1/{,**} r,
+ @{system_share_dirs}/dbus-1/{,**} r,
+
+ @{user_share_dirs}/icc/ r,
+ @{user_share_dirs}/icc/edid-@{md5}.icc r,
+ /var/lib/gdm{,3}/.local/share/icc/ r,
+ /var/lib/gdm{,3}/.local/share/icc/edid-@{md5}.icc r,
+
+ @{run}/systemd/users/@{int} r,
+ @{run}/systemd/sessions/*.ref rw,
+ @{run}/systemd/inhibit/*.ref rw,
+
+ @{sys}/kernel/security/apparmor/.access rw,
+ @{sys}/kernel/security/apparmor/features/dbus/mask r,
+ @{sys}/module/apparmor/parameters/enabled r,
+
+ @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /dev/dri/card@{int} rw,
+ /dev/input/event@{int} rw,
+
+ include if exists
+}
\ No newline at end of file
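Review bot: `@{run}/systemd/userd/b/ r,` in the @{run} group of dbus-session looks like a typo for `@{run}/systemd/userdb/ r,`, which is the path the dbus-accessibility profile added by this same commit reads; as written the rule matches a directory that does not exist, and if the bus consults the userdb directory that access will be denied. The exec fallback group also differs from dbus-system without a stated reason: this profile has `/usr/share/** PUx,` while dbus-system has `/usr/share/*/** PUx,`; pick one form for both, or add a comment saying why the session bus needs the wider match.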
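Review bot: The deleted dbus-daemon-launch-helper profile granted `capability sys_resource,` and `owner @{PROC}/@{pid}/oom_score_adj rw,`; dbus-system, which now covers `@{lib}/dbus-1.0/dbus-daemon-launch-helper` through `@{exec_path}`, has neither, so if the helper still rewrites its own OOM score before activating a service that write will be denied. The `@{bin}/** PUx,` and `@{lib}/** PUx,` rules also replace the deleted helper's enumerated `rPx` targets (polkitd, udisksd, kauth and the others) with an unconfined fallback, so a system service without a profile is now spawned unconfined by a root-privileged activation helper rather than refused; if that widening is intended, a one-line comment next to the three PUx rules stating it would help the next reader. `@{run}/systemd/users/@{int} r,` further uses `@{int}` where dbus-session uses `@{uid}` for the same path; one variable for both would keep the two files aligned.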
diff --git a/apparmor.d/groups/freedesktop/at-spi-bus b/apparmor.d/groups/freedesktop/at-spi-bus
deleted file mode 100644
index f1ac1d8e..00000000
--- a/apparmor.d/groups/freedesktop/at-spi-bus
+++ /dev/null
@@ -1,65 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2022 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher
-profile at-spi-bus @{exec_path} flags=(attach_disconnected) {
- include
- include
- include
- include
- include
-
- network inet stream, # TODO: local only
- network inet6 stream,
- network inet dgram,
- network inet6 dgram,
- network netlink raw,
-
- signal (receive) set=(term hup kill) peer=dbus-daemon,
-
- dbus bus=accessibility,
- dbus bus=session,
-
- @{exec_path} mr,
-
- @{bin}/dbus-broker-launch rix,
- @{bin}/dbus-daemon rix,
- @{bin}/dbus-broker rix,
- @{lib}/{,at-spi2{,-core}/}at-spi2-registryd rix,
-
- /usr/share/dbus-1/accessibility-services/ r,
- /usr/share/dbus-1/accessibility-services/org.a11y.atspi.Registry.service r,
- /usr/share/dconf/profile/gdm r,
- /usr/share/defaults/at-spi2/accessibility.conf r,
- /usr/share/gdm/greeter-dconf-defaults r,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
- /var/lib/gdm{3,}/.config/dconf/user r,
- /var/lib/gdm{3,}/greeter-dconf-defaults r,
- /var/lib/lightdm/.Xauthority r,
- /var/log/lightdm/seat@{int}-greeter.log w,
-
- @{run}/systemd/users/@{uid} r,
-
- @{sys}/kernel/security/apparmor/.access rw,
- @{sys}/kernel/security/apparmor/features/dbus/mask r,
- @{sys}/module/apparmor/parameters/enabled r,
-
- @{PROC}/@{pid}/cmdline r,
- @{PROC}/@{pid}/oom_score_adj rw,
- @{PROC}/@{pids}/mounts r,
- @{PROC}/1/cgroup r,
- owner @{PROC}/@{pid}/attr/apparmor/current r,
- owner @{PROC}/@{pid}/cgroup r,
- owner @{PROC}/@{pid}/fd/ r,
-
- owner /dev/tty@{int} rw,
-
- include if exists
-}