diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 5cd1397b..f44fb48c 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -56,7 +56,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 dbus bind bus=session name=org.mozilla.firefox.*,
 dbus bind bus=session name=org.mpris.MediaPlayer2.firefox.*,
 dbus bind bus=session name=org.mozilla.firefox_beta.*,
- deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*,
+ deny dbus send bus=system path=/org/freedesktop/hostname1,
 dbus send bus=session path=/ScreenSaver
 interface=org.freedesktop.ScreenSaver
diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg
index 0e58ecff..a47ffa4e 100644
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@@ -13,6 +13,7 @@ include
 @{exec_path} += @{lib}/xorg/Xorg{,.wrap}
 profile xorg @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index b17f60fe..e18baa23 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -11,8 +11,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon
index 085e8672..f0d966c1 100644
--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
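Review bot: The narrowed rule on the firefox hunk's new line, `deny dbus send bus=system path=/org/freedesktop/hostname1,`, still carries no `interface=` or `member=`, and because an AppArmor deny overrides any allow, it will also shadow any hostname1 access that an abstraction included elsewhere in this profile grants. If the intent is only to quiet a property lookup, scoping it as `deny dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get,` keeps the deny from masking the rest of the interface; which call firefox actually makes is not visible in this hunk, so adjust the member to match. The xorg and gnome-control-center hunks on this line only add or reorder include lines whose targets are not visible in this rendering, so they cannot be checked here.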
@@ -30,14 +30,6 @@ profile goa-daemon @{exec_path} {
 interface=org.freedesktop.DBus.ObjectManager
 peer=(name=:*),
- dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.DBus.Properties
- member={PropertiesChanged,GetAll},
-
- dbus receive bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.NetworkManager
- member={CheckPermissions,StateChanged},
-
 dbus send bus=session path=/org/gnome/Identity
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime
index 1b48a953..e31d0032 100644
--- a/apparmor.d/groups/gnome/gsd-datetime
+++ b/apparmor.d/groups/gnome/gsd-datetime
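Review bot: The NetworkManager rules removed here (the Properties `PropertiesChanged`/`GetAll` and the NetworkManager `CheckPermissions`/`StateChanged` receives) have no replacement inside the hunk, and goa-daemon's include block sits above line 30 and outside it, so this hunk alone does not show that the daemon keeps its network-state signals. Presumably they move into a shared bus abstraction included earlier in the file; if not, those messages will be rejected at runtime and appear as DENIED entries in the audit log once the profile is enforced. The same removal-without-visible-replacement pattern applies to the gsd-datetime, gvfsd-dnssd, loginctl, systemd-networkd and systemd-resolved hunks below, where the added include line is visible but its target is not, so the abstraction target is worth confirming once against the full commit rather than per hunk.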
@@ -9,44 +9,19 @@ include
 @{exec_path} = @{lib}/gsd-datetime
 profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 signal (receive) set=(term, hup) peer=gdm*,
- dbus send bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member=RegisterClient
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
- interface=org.freedesktop.DBus.Properties
- member={GetAll,PropertiesChanged}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member=EndSessionResponse
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member={CancelEndSession,QueryEndSession,EndSession,Stop}
- peer=(name=:*, label=gnome-session-binary),
+ dbus bind bus=session name=org.gnome.SettingsDaemon.Datetime,
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
- dbus bind bus=session
- name=org.gnome.SettingsDaemon.Datetime,
-
 @{exec_path} mr,
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd
index 4c377ec6..20f21e32 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dnssd
+++ b/apparmor.d/groups/gvfs/gvfsd-dnssd
@@ -10,22 +10,12 @@ include
 @{exec_path} = @{lib}/{,gvfs/}gvfsd-dnssd
 profile gvfsd-dnssd @{exec_path} {
 include
+ include
 include
 include
 include
- dbus send bus=system path=/
- interface=org.freedesktop.Avahi.Server
- member={Ping,GetAPIVersion,GetState,ServiceBrowserNew},
-
- dbus send bus=system path=/
- interface=org.freedesktop.DBus.Peer
- member=Ping
- peer=(name=org.freedesktop.Avahi),
-
- dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]
- interface=org.freedesktop.Avahi.ServiceBrowser
- member={CacheExhausted,AllForNow},
+ dbus bind bus=session name=org.gtk.vfs.mountpoint_dnssd,
 dbus receive bus=session path=/org/gtk/vfs/Daemon
 interface=org.gtk.vfs.Daemon
@@ -42,8 +32,6 @@ profile gvfsd-dnssd @{exec_path} {
 member=Spawned
 peer=(name=:*, label=gvfsd),
- dbus bind bus=session name=org.gtk.vfs.mountpoint_dnssd,
-
 @{exec_path} mr,
 owner @{run}/user/@{uid}/gvfsd/ rw,
diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl
index fb4bbd20..fcac8ed0 100644
--- a/apparmor.d/groups/systemd/hostnamectl
+++ b/apparmor.d/groups/systemd/hostnamectl
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/hostnamectl
 profile hostnamectl @{exec_path} {
 include
+ include
 include
 include
diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl
index 2bce8c1a..520897b1 100644
--- a/apparmor.d/groups/systemd/loginctl
+++ b/apparmor.d/groups/systemd/loginctl
@@ -9,22 +9,14 @@ include
 @{exec_path} = @{bin}/loginctl
 profile loginctl @{exec_path} {
 include
+ include
+ include
 include
 include
 capability net_admin,
 capability sys_resource,
- dbus (send) bus=system path=/org/freedesktop/login1*
- interface=org.freedesktop.login1*.Manager
- member={ListSessions,GetSession}
- peer=(name=org.freedesktop.login1*, label=systemd-logind),
-
- dbus (send) bus=system path=/org/freedesktop/login1*/session/**
- interface=org.freedesktop.DBus.Properties
- member={Get,GetAll}
- peer=(name=org.freedesktop.login1*, label=systemd-logind),
-
 @{exec_path} mr,
 @{bin}/less rPx -> child-pager,
diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined
index 25546e77..641bb871 100644
--- a/apparmor.d/groups/systemd/systemd-machined
+++ b/apparmor.d/groups/systemd/systemd-machined
@@ -24,6 +24,14 @@ profile systemd-machined @{exec_path} {
 capability sys_chroot,
 capability sys_ptrace,
+ dbus bind bus=system name=org.freedesktop.machine1,
+ dbus receive bus=system path=/org/freedesktop/machine1{,/**}
+ interface=org.freedesktop.machine1.Manager
+ peer=(name=:*),
+ dbus receive bus=system path=/org/freedesktop/machine1{,/**}
+ interface=org.freedesktop.DBus.Properties
+ peer=(name=:*),
+
 dbus send bus=system path=/org/freedesktop/systemd1/{,{unit,job}/*}
 interface=org.freedesktop.DBus.Properties
 member=Get
@@ -44,19 +52,6 @@ profile systemd-machined @{exec_path} {
 member={JobRemoved,UnitRemoved,Reloading}
 peer=(name=:*),
- dbus receive bus=system path=/org/freedesktop/machine1
- interface=org.freedesktop.machine1.Manager
- member={TerminateMachine,GetMachineByPID,CreateMachineWithNetwork}
- peer=(name=:*, label=libvirtd),
-
- dbus receive bus=system path=/org/freedesktop/machine1/machine/*
- interface=org.freedesktop.DBus.Properties
- member=Get
- peer=(name=:*, label=libvirtd),
-
- dbus bind bus=system
- name=org.freedesktop.machine1,
-
 @{exec_path} mr,
 /var/lib/machines/{,**} rw,
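Review bot: The two receive rules added in the first systemd-machined hunk, `dbus receive bus=system path=/org/freedesktop/machine1{,/**} interface=org.freedesktop.machine1.Manager peer=(name=:*),` and its `org.freedesktop.DBus.Properties` twin, drop both the `member=` list and the `label=libvirtd` peer restriction that the rules removed in the second machined hunk carried, so any confined or unconfined peer may now invoke every Manager method and read every property as far as this profile is concerned. The dbus-daemon policy and polkit still gate those calls, but the AppArmor layer no longer records which clients are expected; if widening past libvirtd is intended, keeping the member list the removed rule had, `member={TerminateMachine,GetMachineByPID,CreateMachineWithNetwork}`, on the Manager rule, or adding a comment stating that the rule is deliberately open, would make that decision explicit. If the Manager interface lives only on the root object, as the removed rule's plain `path=/org/freedesktop/machine1` suggests, the `{,/**}` on the Manager rule is redundant and only the Properties rule needs the subpaths.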
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index d6501465..f8b7ed77 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{lib}/systemd/systemd-networkd
 profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
 include
+ include
 include
 include
@@ -28,12 +29,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
 dbus bind bus=system name=org.freedesktop.network1,
- dbus send bus=system path=/org/freedesktop/hostname1
- interface=org.freedesktop.hostname1
- member=SetHostname
- peer=(name=org.freedesktop.hostname1),
-
- dbus receive bus=system path=/org/freedesktop/network[0-9]
+ dbus receive bus=system path=/org/freedesktop/network1
 interface=org.freedesktop.DBus.Properties
 member=Get,
diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved
index f9f92b2d..ba288879 100644
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/systemd/systemd-resolved
 profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
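Review bot: The rewritten receive rule in the second systemd-networkd hunk, `dbus receive bus=system path=/org/freedesktop/network1 interface=org.freedesktop.DBus.Properties member=Get,`, matches only the root object, whereas the systemd-machined hunk in this same commit uses `path=/org/freedesktop/machine1{,/**}` to also cover child objects; if clients read per-link properties below network1, this rule will not match them and the profile would need `path=/org/freedesktop/network1{,/**}`. The effect is unchanged from the old `network[0-9]` pattern and the profile carries the `complain` flag, so any such miss is only logged today, but it is worth deciding deliberately before the profile moves to enforce. The SetHostname send to hostname1 removed above it has no replacement in this hunk; the include added in the first networkd hunk presumably supplies it, though its target is not visible here.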
@@ -30,19 +31,14 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
 dbus bind bus=system name=org.freedesktop.resolve1,
-
 dbus receive bus=system path=/org/freedesktop/resolve1
- interface=org.freedesktop.{resolve1.Manager,DBus.Peer,DBus.Properties},
+ interface=org.freedesktop.resolve1.Manager
+ peer=(name=:*),
 dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
- member={RequestName,GetConnectionUnixUser}
- peer=(name=org.freedesktop.DBus),
-
- dbus receive bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- member={PrepareForSleep,PrepareForShutdown}
- peer=(name=:*, label=systemd-logind),
+ member={GetConnectionUnixUser,GetConnectionUnixProcessID}
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon
index 68319cce..e7b2298c 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon
@@ -14,22 +14,17 @@ profile ubuntu-advantage-desktop-daemon @{exec_path} flags=(attach_disconnected)
 capability sys_nice,
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=RequestName
- peer=(name=org.freedesktop.DBus),
-
- dbus receive bus=session
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=:*, label=gnome-shell),
+ dbus bind bus=system name=com.canonical.UbuntuAdvantage,
 dbus receive bus=system path=/
 interface=org.freedesktop.DBus.ObjectManager
- member=GetManagedObjects,
+ member=GetManagedObjects
+ peer=(name=:*, label=software-properties-gtk),
- dbus bind bus=system
- name=com.canonical.UbuntuAdvantage,
+ dbus receive bus=system
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=software-properties-gtk),
 @{exec_path} mr,
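Review bot: The resolve1 receive rule in the systemd-resolved hunk now ends in `interface=org.freedesktop.resolve1.Manager peer=(name=:*),` and no longer covers the `DBus.Peer` and `DBus.Properties` interfaces that the removed brace-expanded line allowed, so property reads against /org/freedesktop/resolve1 will be refused by this profile unless the include added in the previous resolved hunk supplies a Properties receive rule; its target is not visible here, so please confirm. The login1 `PrepareForSleep`/`PrepareForShutdown` receive is likewise removed with no visible replacement. Pinning the bus-driver send to `peer=(name=org.freedesktop.DBus, label=dbus-daemon)` is a good tightening; dropping `RequestName` from its member list relies on `dbus bind` being what the bus driver is checked against, which is consistent with how the other hunks in this commit treat it but is worth stating once in a comment.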
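Review bot: Both receive rules added in the ubuntu-advantage-desktop-daemon hunk pin `peer=(name=:*, label=software-properties-gtk)`, so only that one confined client can enumerate the daemon's objects or introspect it; gnome-control-center, whose profile this commit also touches, or any unconfined caller will be refused if it talks to com.canonical.UbuntuAdvantage. If that exclusivity is intended, a one-line comment above the rules such as `# software-properties-gtk is the only expected D-Bus client of this daemon` would save the next reader from re-deriving it; otherwise the label needs dropping or widening. The `RequestName` send removed at the top of the hunk has no replacement in this file's visible diff and the include block is above line 14, so confirm an abstraction covers it or that `dbus bind` suffices, as the other hunks assume.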