diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete
index 27edb92c..28648eb5 100644
--- a/apparmor.d/abstractions/dbus-session-strict.d/complete
+++ b/apparmor.d/abstractions/dbus-session-strict.d/complete
@@ -12,3 +12,4 @@
 owner @{run}/user/@{uid}/at-spi/bus_@{int} rw,
 owner /tmp/dbus-@{rand8} rw,
+ owner /tmp/dbus-@{rand10} rw,
diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete
index 7a22a6b0..a1168880 100644
--- a/apparmor.d/abstractions/ibus.d/complete
+++ b/apparmor.d/abstractions/ibus.d/complete
@@ -20,3 +20,5 @@
 unix (connect, send, receive, accept, bind, listen) type=stream addr="@/home/*/.cache/ibus/dbus-????????",
+
+ owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw,
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index b6ef950d..f9afae61 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -11,9 +11,9 @@ include
 profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 include
 include
- include
- include
 include
+ include
+ include
 include
 capability audit_write,
@@ -78,29 +78,29 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 /var/lib/snapd/dbus-1/services/{,**} r,
 /var/lib/snapd/dbus-1/system-services/{,**} r,
- owner @{user_share_dirs}/dbus-1/{,**} r,
 @{user_share_dirs}/icc/{,edid-*} r,
+ owner @{user_share_dirs}/dbus-1/{,**} r,
- owner /tmp/dbus-@{rand10} rw,
-
- owner @{run}/user/@{uid}/dbus-1/ rw,
- owner @{run}/user/@{uid}/dbus-1/services/ rw,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
+ @{run}/systemd/notify w,
 @{run}/systemd/sessions/*.ref rw,
 @{run}/systemd/users/@{uid} r,
+ owner @{run}/user/@{uid}/dbus-1/ rw,
+ owner @{run}/user/@{uid}/dbus-1/services/ rw,
+ owner @{run}/user/@{uid}/systemd/notify w,
 @{sys}/kernel/security/apparmor/.access rw,
 @{sys}/kernel/security/apparmor/features/dbus/mask r,
 @{sys}/module/apparmor/parameters/enabled r,
- owner @{PROC}/@{pid}/fd/ r,
- @{PROC}/@{pids}/mounts r,
 @{PROC}/@{pids}/attr/apparmor/current r,
- @{PROC}/@{pids}/oom_score_adj rw,
 @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/mounts r,
+ @{PROC}/@{pids}/oom_score_adj rw,
 @{PROC}/1/environ r,
 @{PROC}/cmdline r,
 @{PROC}/sys/kernel/osrelease r,
+ owner @{PROC}/@{pid}/fd/ r,
 /dev/dri/card@{int} rw,
 /dev/input/event@{int} rw,
diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf
index ae8852ef..b0ea9309 100644
--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@@ -19,5 +19,7 @@ profile ibus-memconf @{exec_path} {
 /var/lib/gdm{3,}/.config/ibus/bus/ r,
 /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+ owner /var/lib/gdm{3,}/.cache/ibus/dbus-@{rand8} rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal
index 6a42ef8b..6405bb50 100644
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
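Review bot: The two new notify rules, `@{run}/systemd/notify w,` and `owner @{run}/user/@{uid}/systemd/notify w,`, are buried in a re-sort of otherwise unchanged rules, so the hunk reads as a twenty-line change when only two rules are new; keeping the cosmetic reorder in its own commit would let the widening be reviewed on its own. The system-bus rule presumably cannot be `owner`-qualified because the system manager's notify socket is not owned by the bus user, while the user-instance one is, which is worth a one-line comment such as `# sd_notify() to the system / user service manager` above the pair so the asymmetry does not look like an oversight.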
@@ -24,6 +24,11 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
 member=Introspect
 peer=(name=:*, label=gnome-shell),
+ dbus receive bus=session path=/org/freedesktop/IBus
+ interface=org.freedesktop.DBus.Peer
+ member=Ping
+ peer=(name=:*, label=ibus-daemon),
+
 dbus bind bus=session name=org.freedesktop.portal.IBus,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
index 7655dc22..a4b4fad6 100644
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@@ -22,9 +22,10 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus bind bus=session name=org.pulseaudio.Server,
+
 dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
- member=GetConnectionUnixProcessID
 peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd
index 6c0c2a67..233161b7 100644
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@@ -31,6 +31,16 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.login[0-9].Manager
 member=Inhibit,
+ dbus send bus=system path=/
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects
+ peer=(name=:*, label=bluetoothd),
+
+ dbus receive bus=system path=/org/bluez/hci0
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name=:*, label=bluetoothd),
+
 dbus receive bus=system path=/org/freedesktop/login[0-9]
 interface=org.freedesktop.login[0-9].Manager
 member={UserNew,UserRemoved,SessionNew,SessionRemoved,PrepareForShutdown,PrepareForSleep}
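Review bot: Dropping `member=GetConnectionUnixProcessID` from pipewire's `org.freedesktop.DBus` send rule turns it into a blanket allow for every bus-driver method (RequestName, AddMatch, UpdateActivationEnvironment and the rest), which is wider than the `member={RequestName,ReleaseName}` form the other profiles in this diff use for the same rule. If the `dbus bind` added just above is what triggered the change, `member={GetConnectionUnixProcessID,RequestName,ReleaseName}` grants exactly that while keeping the peer pinned to `label=dbus-daemon` as it is now.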
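Review bot: `path=/org/bluez/hci0` in the new upowerd `PropertiesChanged` receive rule hard-codes the first adapter, so signals from any other adapter object (a second controller, or one enumerated at a higher index) will be denied and logged, while the `GetManagedObjects` rule just above already covers everything. This file spells the same kind of index as `login[0-9]`, so `path=/org/bluez/hci@{int}` is the consistent form. The same literal appears in the bluetoothd `PropertiesChanged` send rule later in this diff.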
@@ -41,8 +51,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
 member=PropertiesChanged
 peer=(name=:*),
- dbus bind bus=system
- name=org.freedesktop.UPower,
+ dbus bind bus=system name=org.freedesktop.UPower,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal
index 3d592218..967efdd5 100644
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@@ -36,9 +36,9 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 dbus receive bus=session path=/org/freedesktop/portal/documents
 interface=org.freedesktop.portal.Documents
 member=GetMountPoint
- peer=(name=:*, label="{snap,xdg-desktop-portal}"),
+ peer=(name=:*),
- dbus receive bus=session path=/{,org}
+ dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store
index 00b0778d..e00efeea 100644
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@@ -29,9 +29,9 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
 dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore
 interface=org.freedesktop.impl.portal.PermissionStore
 member=Lookup
- peer=(name=:*, label="{gnome-shell,xdg-desktop-portal}"),
+ peer=(name=:*, label="{gnome-shell,xdg-desktop-portal,wireplumber}"),
- dbus receive bus=session path=/{,org}
+ dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory
index 3361a249..e4150fbb 100644
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
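Review bot: Replacing `peer=(name=:*, label="{snap,xdg-desktop-portal}")` with `peer=(name=:*)` on xdg-document-portal's `GetMountPoint` rule removes the label restriction entirely rather than adding the one peer that was missing; if a single new caller produced the denial, extending the label list keeps the rule closed. The second change in the same hunk drops `path=` from the `Introspect` receive rule, which this diff repeats in xdg-permission-store, evolution-addressbook-factory, gnome-keyring-daemon, gnome-session-binary, goa-daemon, goa-identity-service, tracker-miner, the four gvfs volume monitors and gvfsd. That widening is bounded by `label=gnome-shell`, but the repo records intentional wildcards with a trailing comment (`peer=(name=:*), # all paths and peer's labels` in gnome-shell), so `# all paths` on these rules would document that the omission is deliberate.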
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@@ -23,6 +23,8 @@ profile evolution-addressbook-factory @{exec_path} {
 network inet6 dgram,
 network netlink raw,
+ dbus bind bus=session name=org.gnome.evolution.dataserver.AddressBook@{int},
+
 dbus send bus=system path=/org/freedesktop/NetworkManager
 interface=org.freedesktop.DBus.Properties
 member=GetAll,
@@ -36,6 +38,11 @@ profile evolution-addressbook-factory @{exec_path} {
 member={CheckPermissions,StateChanged,DeviceAdded,DeviceRemoved}
 peer=(name=:*, label=NetworkManager),
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=gnome-shell),
+
 @{exec_path} mr,
 @{exec_path}-subprocess rix,
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory
index 3fff1e26..b9a9e66d 100644
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@@ -32,8 +32,13 @@ profile evolution-calendar-factory @{exec_path} {
 member={CheckPermissions,StateChanged,DeviceAdded,DeviceRemoved}
 peer=(name=:*, label=NetworkManager),
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=gnome-shell),
+
 dbus (send,receive) bus=session path=/org/gnome/evolution/dataserver{,/**}
- interface={org.freedesktop.DBus.{Introspectable,ObjectManager,Properties},org.gnome.evolution.dataserver.*},
+ interface={org.freedesktop.DBus.{ObjectManager,Properties},org.gnome.evolution.dataserver.*},
 dbus bind bus=session name=org.gnome.evolution.dataserver.Calendar[0-9]*,
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index d08d6a7e..944099ec 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
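Review bot: The new addressbook bind uses `name=org.gnome.evolution.dataserver.AddressBook@{int}` while the calendar factory in this same diff binds `name=org.gnome.evolution.dataserver.Calendar[0-9]*`; the two factories share one naming scheme, and the patterns are presumably not equivalent (`@{int}` as defined in the repo's tunables should require at least one digit, `[0-9]*` also matches the bare name). Picking one spelling for both, e.g. `AddressBook@{int}` and `Calendar@{int}`, avoids one of them silently matching a different set of names.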
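Review bot: Removing `Introspectable` from the `(send,receive)` interface set on `/org/gnome/evolution/dataserver{,/**}` in evolution-calendar-factory is a narrowing that the new `Introspect` rule does not fully replace: the old rule had no `peer=`, so it also covered Introspect from clients other than gnome-shell and in the send direction, and those are now denied. If gnome-shell is the only introspecting client this is fine but worth stating in the commit; otherwise keep `Introspectable` in the set or add the other callers' labels to the new rule. The profile body continues outside the hunk.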
@@ -36,35 +36,37 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
 member={RequestName,ReleaseName}
 peer=(name=org.freedesktop.DBus, label=dbus-daemon),
- dbus send bus=session path=/org/freedesktop/Notifications
+ dbus send bus=session path=/org/freedesktop/Notifications
 interface=org.freedesktop.DBus.Properties
 member=GetAll
 peer=(name=:*, label=gnome-shell),
+ dbus receive bus=session path=/org/freedesktop/Notifications
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=gnome-shell),
+
+ dbus receive bus=session path=/org/freedesktop
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=gnome-shell),
+
 dbus receive bus=session path=/org/freedesktop/Notifications
 interface=org.freedesktop.DBus.Properties
 member=GetAll
 peer=(name=:*, label=gnome-extension-ding),
- dbus send bus=session path=/org/gnome/ScreenSaver
+ dbus receive bus=session path=/org/gnome/Shell/Screencast
 interface=org.freedesktop.DBus.Properties
- member=GetAll
+ member=GetAll
 peer=(name=:*, label=gnome-shell),
- dbus receive bus=session path=/org/gnome/ScreenSaver
+ dbus (send,receive) bus=session path=/org/gnome/ScreenSaver
+ interface=org.gnome.ScreenSaver
+
+ dbus receive bus=session path=/org/gnome/Shell/Introspect
 interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=xdg-desktop-portal-*),
-
- dbus send bus=session path=/org/gnome/ScreenSaver
- interface=org.gnome.ScreenSaver
- member=ActiveChanged
- peer=(name=org.freedesktop.DBus, label="{gnome-session-binary,gsd-power,xdg-desktop-portal-gtk}"),
-
- dbus receive bus=session path=/org/gnome/ScreenSaver
- interface=org.gnome.ScreenSaver
- member={ActiveChanged,WakeUpScreen,GetActive}
- peer=(name=:*, label="{gnome-shell,gnome-session-binary,xdg-desktop-portal-*}"),
+ peer=(name=:*, label=gnome-shell),
 dbus receive bus=session path=/{,org}
 interface=org.freedesktop.DBus.Introspectable
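Review bot: The new `dbus (send,receive) bus=session path=/org/gnome/ScreenSaver` / `interface=org.gnome.ScreenSaver` rule in gjs-console has no terminating comma, so apparmor_parser should read the following `dbus receive bus=session path=/org/gnome/Shell/Introspect` as part of the same rule and reject the profile; add `,` after `interface=org.gnome.ScreenSaver`. Separately, that rule replaces three rules that were limited to `member={ActiveChanged,WakeUpScreen,GetActive}` and named peer labels with an unrestricted send+receive on the whole interface, so either the peer list should come back or the widening needs a `# all members and peer's labels` comment in the repo's style. The profile body continues past the hunk.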
@@ -77,6 +79,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
 dbus bind bus=session name=org.gnome.Shell.Notifications,
+ dbus bind bus=session name=org.gnome.Shell.Screencast,
+
 @{exec_path} mr,
 @{bin}/ r,
 @{bin}/[a-z0-9]* rPUx,
diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks
index 0d1aba7f..7af6ab22 100644
--- a/apparmor.d/groups/gnome/gnome-disks
+++ b/apparmor.d/groups/gnome/gnome-disks
@@ -9,11 +9,14 @@ include
 @{exec_path} = @{bin}/gnome-disks
 profile gnome-disks @{exec_path} {
 include
+ include
 include
 include
 include
 include
+ dbus bind bus=session name=org.gnome.DiskUtility,
+
 @{exec_path} mr,
 @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index b7d16b53..7e15a5ed 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -44,9 +44,10 @@ profile gnome-extension-ding @{exec_path} {
 member=GetAll
 peer=(name=org.freedesktop.DBus, label=dbus-daemon),
- dbus send bus=system path=/org/freedesktop/DBus
+ dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect,
+ member=Introspect
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 dbus send bus=system path=/net/hadess/SwitcherooControl
 interface=org.freedesktop.DBus.Properties
diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon
index 9cb2048d..c74b1d0c 100644
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@@ -39,6 +39,10 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
 member=GetSession
 peer=(name=org.freedesktop.login[0-9]),
+ dbus send bus=session path=/org/gnome/SessionManager
+ interface=org.gnome.SessionManager
+ peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
+
 dbus (send, receive) bus=session path=/org/gnome/keyring/daemon
 interface=org.gnome.keyring.Daemon
 peer=(name="{org.gnome.keyring,:*}", label=@{profile_name}), # all members
@@ -93,7 +97,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
 member=GetAll
 peer=(name=:*, label=xdg-desktop-portal),
- dbus receive bus=session path=/
+ dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index d0729a85..e8762ddb 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -125,9 +125,9 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 member=GetAddress
 peer=(name=org.a11y.Bus), # all peer's labels
- dbus receive bus=session path=/{,org}
+ dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 dbus bind bus=session
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 38089261..95ba661f 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
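Review bot: The new `org.gnome.SessionManager` send rule in gnome-keyring-daemon has no `member=`, so it allows every method of the session manager (Logout, Shutdown, Reboot, Inhibit and the rest), far more than a keyring daemon needs; the repo's own convention, visible two rules below, is to write `# all members` when that is intended. Restricting it to the members gnome-keyring actually calls (take them from the audit log that motivated the rule) keeps the rule least-privilege; the pinning to `label=gnome-session-binary` is right and should stay.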
@@ -81,10 +81,14 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.{DBus.Properties,Accounts*}
 member={GetAll,FindUserByName,Changed,PropertiesChanged,FindUserById,ListCachedUsers,UserAdded},
- dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice}
+ dbus (send,receive) bus=system path=/org/freedesktop/UPower{,**}
 interface=org.freedesktop.DBus.Properties
 member={GetAll,PropertiesChanged},
+ dbus (send,receive) bus=system path=/org/freedesktop/UPower{,**}
+ interface=org.freedesktop.UPower
+ peer=(name=:*, label=upowerd),
+
 dbus (send,receive) bus=system path=/org/freedesktop/GeoClue2/{Agent,Manager}
 interface=org.freedesktop.{DBus.Properties,GeoClue2.Manager}
 member={PropertiesChanged,AddAgent,GetAll},
@@ -256,25 +260,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 member=GetAll
 peer=(name=:*, label=gsd-media-keys),
- dbus send bus=session path=/org/gnome/Shell
+ dbus (send,receive) bus=session path=/org/gnome/Shell{,/**}
 interface=org.gnome.Shell
- member=AcceleratorActivated
- peer=(name=:*, label=gsd-media-keys),
-
- dbus receive bus=session path=/org/gnome/Shell
- interface=org.gnome.Shell
- member={GrabAccelerators,UngrabAccelerators}
- peer=(name=:*, label=gsd-media-keys),
-
- dbus send bus=session path=/org/gnome/Shell/Introspect
- interface=org.gnome.Shell.Introspect
- member={RunningApplicationsChanged,WindowsChanged}
- peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal-*),
-
- dbus receive bus=session path=/org/gnome/Shell/Introspect
- interface=org.gnome.Shell.Introspect
- member=GetRunningApplications
- peer=(name=:*, label=xdg-desktop-portal-*),
+ peer=(name=:*),
 dbus receive bus=session path=/org/freedesktop/portal/desktop
 interface=org.freedesktop.DBus.Properties
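Review bot: `path=/org/freedesktop/UPower{,**}` on both UPower rules also matches any object whose path merely begins with `/org/freedesktop/UPower` (no separator), whereas the `/org/gnome/Shell{,/**}` rule added later in this file uses the tighter `{,/**}` form. `path=/org/freedesktop/UPower{,/**}` keeps the two consistent and matches only the UPower object and its subtree.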
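Review bot: The consolidated `dbus (send,receive) bus=session path=/org/gnome/Shell{,/**} interface=org.gnome.Shell peer=(name=:*)` rule does not cover the two removed `/org/gnome/Shell/Introspect` rules, because their interface was `org.gnome.Shell.Introspect` and `interface=org.gnome.Shell` is matched literally rather than as a prefix; unless another rule in the profile covers it, the xdg-desktop-portal `GetRunningApplications`/`WindowsChanged` traffic is now denied. `interface=org.gnome.Shell{,.Introspect}` would restore it. The rule also drops every member and peer-label restriction the four old rules carried, which the repo marks with a trailing comment in the `# all paths and peer's labels` style used further down this profile.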
@@ -331,7 +319,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 member=GetAppId
 peer=(name=:*, label=gnome-session-binary),
- dbus send bus=session
+ dbus (send, receive) bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*), # all paths and peer's labels
@@ -386,6 +374,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 member=DescribeAll
 peer=(name=:*, label=gnome-extension-ding),
+ dbus receive bus=system path=/org/freedesktop/ColorManager{,/**}
+ interface=org.freedesktop.ColorManager
+ peer=(name=:*, label=colord),
+
 dbus send bus=session path=/com/rastersoft/ding
 interface=org.gtk.Actions
 member=DescribeAll
diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server
index c87e4cdb..146b2452 100644
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server
+++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server
@@ -13,8 +13,26 @@ profile gnome-shell-calendar-server @{exec_path} {
 include
 include
- dbus bind bus=session
- name=org.gnome.Shell.CalendarServer,
+ dbus bind bus=session name=org.gnome.Shell.CalendarServer,
+
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=gnome-shell),
+
+ dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/{,**}
+ interface=org.gnome.evolution.dataserver.CalendarView
+ peer=(name=:*, label=evolution-calendar-factory),
+
+ dbus receive bus=session path=/org/gnome/Shell/CalendarServer
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=gnome-shell),
+
+ dbus receive bus=session path=/org/gnome/Shell/CalendarServer
+ interface=org.gnome.Shell.CalendarServer
+ member=SetTimeRange
+ peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon
index 80f50fd1..83507c1e 100644
--- a/apparmor.d/groups/gnome/goa-daemon
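Review bot: `path=/org/gnome/evolution/dataserver/{,**}` in gnome-shell-calendar-server can never match the bare `/org/gnome/evolution/dataserver` object (D-Bus object paths do not end in `/`), and evolution-calendar-factory in this same diff spells the subtree `dataserver{,/**}`; use that form here as well. The same rule is written `dbus (send receive)` while the rest of the diff uses `(send,receive)` or `(send, receive)`, and one spelling keeps the rules greppable. The `CalendarView` rule also has no `member=`, which the repo normally annotates with `# all members`.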
+++ b/apparmor.d/groups/gnome/goa-daemon
@@ -46,9 +46,9 @@ profile goa-daemon @{exec_path} {
 dbus receive bus=session path=/org/gnome/OnlineAccounts
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
- peer=(name=:*, label="{gvfs-goa-volume-monitor,goa-daemon,goa-identity-service,unconfined}"),
+ peer=(name=:*, label="{gvfs-goa-volume-monitor,goa-daemon,goa-identity-service,evolution-source-registry,unconfined}"),
- dbus receive bus=session path=/{,org}
+ dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service
index be073f23..01626ec4 100644
--- a/apparmor.d/groups/gnome/goa-identity-service
+++ b/apparmor.d/groups/gnome/goa-identity-service
@@ -27,7 +27,7 @@ profile goa-identity-service @{exec_path} {
 member=GetManagedObjects
 peer=(name=:*, label=goa-daemon),
- dbus receive bus=session path=/{,org}
+ dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index b745fe76..d6f7cc4e 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -49,7 +49,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
 dbus send bus=session path=/org/gtk/vfs/mounttracker
 interface=org.gtk.vfs.MountTracker
- member=ListMountableInfo
+ member=ListMountable*
 peer=(name=:*, label=gvfsd),
 dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index d4c7f5f5..53c7474e 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -44,28 +44,26 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
 dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint
 interface=org.freedesktop.DBus.Peer
- member=Ping
- peer=(name=:*, label=tracker-extract),
+ peer=(name=:*),
 dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
 interface=org.freedesktop.Tracker3.Endpoint
- peer=(name=org.freedesktop.DBus, label=tracker-extract), # all members
+ peer=(name=org.freedesktop.DBus), # all members
 dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint
 interface=org.freedesktop.Tracker3.Endpoint
- peer=(name=:*, label=tracker-extract), # all members
+ peer=(name=:*), # all members
 dbus receive bus=session path=/org/freedesktop/Tracker3/Miner/**
 interface=org.freedesktop.Tracker3.Miner
- peer=(name=:*, label=tracker-extract), # all members
+ peer=(name=:*), # all members
- dbus receive bus=session path=/{,org}
+ dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
- dbus bind bus=session
- name=org.freedesktop.Tracker3.Miner.*,
+ dbus bind bus=session name=org.freedesktop.Tracker3.Miner.*,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
index 3b8321fa..6522514b 100644
--- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
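Review bot: All four `Tracker3` rules in tracker-miner lose `label=tracker-extract` (and the `Peer` rule its `member=Ping`), so any session-bus peer may now drive the miner's `Endpoint` and `Miner` interfaces, and the hunk gives no hint which new client needed this. If it is one more known profile, `label="{tracker-extract,<that-profile>}"` keeps the rules closed; if a wildcard is really required, the existing trailing comments should say so, e.g. `peer=(name=:*), # all members and peer's labels`.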
@@ -20,11 +20,11 @@ profile gvfs-afc-volume-monitor @{exec_path} {
 dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
 interface=org.gtk.Private.RemoteVolumeMonitor
 member={List,IsSupported}
- peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"),
+ peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,nautilus,tracker-*,unconfined}"),
- dbus receive bus=session path=/{,org/gtk/Private/RemoteVolumeMonitor}
+ dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 dbus bind bus=session
diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
index c74fb7df..a10e539c 100644
--- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
@@ -22,9 +22,9 @@ profile gvfs-goa-volume-monitor @{exec_path} {
 member={List,IsSupported}
 peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"),
- dbus receive bus=session path=/{,org/gtk/Private/RemoteVolumeMonitor}
+ dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 dbus send bus=session path=/org/gnome/OnlineAccounts
diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
index 5808b04d..02cb3c60 100644
--- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
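Review bot: The `{List,IsSupported}` peer list in gvfs-goa-volume-monitor is left at `label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"` while the afc, gphoto2 and mtp monitors in this same diff add `nautilus` to the identical list; if nautilus queries every registered monitor, as the parallel change suggests, the goa monitor will presumably log the same denial the other three just fixed. Adding `nautilus` here keeps the four monitors in step.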
@@ -24,11 +24,11 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} {
 dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
 interface=org.gtk.Private.RemoteVolumeMonitor
 member={List,IsSupported}
- peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"),
+ peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,nautilus,tracker-*,unconfined}"),
- dbus receive bus=session path=/{,org/,org/gtk/Private/RemoteVolumeMonitor}
+ dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 dbus bind bus=session
diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
index 70b8d1c8..d057aa66 100644
--- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
@@ -23,9 +23,9 @@ profile gvfs-mtp-volume-monitor @{exec_path} {
 dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
 interface=org.gtk.Private.RemoteVolumeMonitor
 member={List,IsSupported}
- peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"),
+ peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,nautilus,tracker-*,unconfined}"),
- dbus receive bus=session path=/{,org/,org/gtk/Private/RemoteVolumeMonitor}
+ dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd
index 9fdeaf42..c09858c5 100644
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
@@ -18,7 +18,7 @@ profile gvfsd @{exec_path} {
 member={RequestName,ReleaseName}
 peer=(name=org.freedesktop.DBus, label=dbus-daemon),
- dbus send bus=session path=/org/gtk/vfs/mounttracker
+ dbus send bus=session path=/org/gtk/vfs/mounttracker
 interface=org.gtk.vfs.MountTracker
 member=Mounted
 peer=(name=org.freedesktop.DBus, label="{gvfsd-*,gnome-*,tracker-miner}"),
@@ -42,7 +42,7 @@ profile gvfsd @{exec_path} {
 member=Spawned
 peer=(name=:*, label=gvfsd-*),
- dbus receive bus=session path=/{,org}
+ dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch
index 1ecd8b87..99e983fb 100644
--- a/apparmor.d/groups/ssh/ssh-agent-launch
+++ b/apparmor.d/groups/ssh/ssh-agent-launch
@@ -21,6 +21,17 @@ profile ssh-agent-launch @{exec_path} {
 profile dbus {
 include
+ include
+
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=UpdateActivationEnvironment
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+
+ dbus send bus=session path=/org/freedesktop/systemd1
+ interface=org.freedesktop.systemd1.Manager
+ member=SetEnvironment
+ peer=(name=org.freedesktop.systemd1),
 @{bin}/dbus-update-activation-environment mr,
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index 573ac094..490ab3ca 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@@ -26,8 +26,8 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 peer=(name=org.freedesktop.PolicyKit1),
 dbus receive bus=system path=/org/freedesktop/hostname1
- interface=org.freedesktop.{DBus.Properties,hostname1}
- member={Get,GetAll,SetHostname}
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
 peer=(name=:*),
 dbus receive bus=system path=/org/freedesktop/hostname1
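Review bot: Narrowing the systemd-hostnamed receive rule to `interface=org.freedesktop.DBus.Properties` / `member={Get,GetAll}` removes `SetHostname` on `org.freedesktop.hostname1` from it; the hunk ends on the first line of a second receive rule for the same path, which presumably now carries the `hostname1` interface, but that rule lies outside the hunk so it cannot be confirmed here. Worth checking that `SetHostname` and the other setters still have a rule, otherwise `hostnamectl set-hostname` will be denied.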
diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd
index 9bc0a973..c70b5aa9 100644
--- a/apparmor.d/profiles-a-f/bluetoothd
+++ b/apparmor.d/profiles-a-f/bluetoothd
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{lib}/bluetooth/bluetoothd
 profile bluetoothd @{exec_path} flags=(attach_disconnected) {
 include
+ include
 # Needed for configuring HCI interfaces
 capability net_admin,
@@ -21,6 +22,20 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
 network alg seqpacket,
 network netlink raw,
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+
+ dbus send bus=system path=/org/bluez/hci0
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name=org.freedesktop.DBus),
+
+ dbus receive bus=system path=/org/bluez{,**}
+ interface=org.bluez.Media1
+ member=RegisterApplication
+ peer=(name=:*),
+
 @{exec_path} mr,
 @{lib}/@{multiarch}/bluetooth/plugins/*.so mr,
diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller
index d2e83eb1..671333b6 100644
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@@ -17,6 +17,10 @@ profile file-roller @{exec_path} {
 include
 include
+ dbus bind bus=session name=org.gnome.ArchiveManager1,
+
+ dbus bind bus=session name=org.gnome.FileRoller,
+
 @{exec_path} mr,
 # Archivers
diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon
index 31633993..d7163782 100644
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
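Review bot: The bluetoothd `org.freedesktop.DBus` send rule has no `member=`, so the daemon may call every bus-driver method; thermald, gjs-console and gvfsd in this same diff write `member={RequestName,ReleaseName}` for that need and the same form belongs here. The `RegisterApplication` receive is `peer=(name=:*)`, which lets any system-bus client register a media application; if the registering client is a confined profile (wireplumber's profile in this diff shows `network bluetooth stream`), pin its label, otherwise add the repo's `# all peer's labels` comment. `path=/org/bluez/hci0` has the single-adapter limitation already raised on the upowerd hunk.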
@@ -33,6 +33,10 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member={GetAll,Set},
+ dbus receive bus=system path=/org/freedesktop/login1
+ interface={org.freedesktop.login1.Manager,org.freedesktop.DBus.Properties}
+ peer=(name=:*, label=systemd-logind),
+
 dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
 interface=org.freedesktop.PolicyKit[0-9].Authority
 member=Changed,
diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald
index cc0a8651..76ae1ea6 100644
--- a/apparmor.d/profiles-s-z/thermald
+++ b/apparmor.d/profiles-s-z/thermald
@@ -15,6 +15,8 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
 capability sys_boot,
+ dbus (bind) bus=system name=org.freedesktop.thermald,
+
 dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
 member={RequestName,ReleaseName}
@@ -25,7 +27,15 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
 member={RequestName,ReleaseName}
 peer=(name=org.freedesktop.DBus, label=dbus-daemon),
- dbus (bind) bus=system name=org.freedesktop.thermald,
+ dbus send bus=system path=/net/hadess/PowerProfiles
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=power-profiles-daemon),
+
+ dbus send bus=system path=/org/freedesktop/UPower
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=upowerd),
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc
index b65a73fd..28c6cab3 100644
--- a/apparmor.d/profiles-s-z/vlc
+++ b/apparmor.d/profiles-s-z/vlc
@@ -11,6 +11,7 @@ include
 profile vlc @{exec_path} {
 include
 include
+ include
 include
 include
 include
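Review bot: `path=/org/freedesktop/login1` in the new power-profiles-daemon rule is spelled literally while the upowerd and gnome-keyring-daemon hunks in this same diff write `login[0-9]` for the same path and interface; one form keeps the rules consistent and greppable. The rule also admits every member of both `login1.Manager` and `Properties` from logind; if only the sleep/property signals are consumed, listing them in `member=` is the usual least-privilege form, and if not, a `# all members` comment records the choice.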
@@ -32,34 +33,32 @@ profile vlc @{exec_path} {
 network inet6 stream,
 network netlink raw,
- signal (receive) set=(term, kill) peer=anyremote//*,
-
- dbus send bus=session path=/org/freedesktop/DBus
+ dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
 member={RequestName,ReleaseName,GetConnectionUnixProcessID}
 peer=(name=org.freedesktop.DBus),
- dbus send bus=session path=/org/a11y/bus
+ dbus send bus=session path=/org/a11y/bus
 interface=org.freedesktop.DBus.Properties
 member=Get
 peer=(name=org.a11y.Bus),
- dbus send bus=session path=/StatusNotifierWatcher
+ dbus send bus=session path=/StatusNotifierWatcher
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=org.kde.StatusNotifierWatcher),
- dbus send bus=session path=/StatusNotifierWatcher
+ dbus send bus=session path=/StatusNotifierWatcher
 interface=org.freedesktop.DBus.Properties
 member={Get,RegisterStatusNotifierItem}
 peer=(name=org.kde.StatusNotifierWatcher),
- dbus send bus=session path=/StatusNotifierWatcher
+ dbus send bus=session path=/StatusNotifierWatcher
 interface=org.kde.StatusNotifierWatcher
 member=RegisterStatusNotifierItem
 peer=(name=org.kde.StatusNotifierWatcher),
- dbus send bus=session path=/StatusNotifierItem
+ dbus send bus=session path=/StatusNotifierItem
 interface=org.kde.StatusNotifierItem
 member={NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}
 peer=(name=org.freedesktop.DBus),
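Review bot: Removing `signal (receive) set=(term, kill) peer=anyremote//*,` is the one behavioural change in this vlc hunk (the rest is trailing-whitespace cleanup), and nothing in the diff shows the anyremote side being updated, so if that profile still sends term/kill to vlc the signals will now be denied. The commit message, not visible here, should say whether the rule was dead or the anyremote profile was changed separately.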
@@ -74,24 +73,18 @@ profile vlc @{exec_path} {
 member={Get,GetAll}
 peer=(name=:*),
- dbus send bus=session path=/ScreenSaver
+ dbus send bus=session path=/ScreenSaver
 interface=org.freedesktop.ScreenSaver
 member={Inhibit,UnInhibit}
 peer=(name=org.freedesktop.ScreenSaver),
- dbus receive bus=session path=/MenuBar
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*),
-
- dbus send bus=session path=/MenuBar
+ dbus send bus=session path=/MenuBar
 interface=com.canonical.dbusmenu
 member={LayoutUpdated,ItemsPropertiesUpdated}
 peer=(name=org.freedesktop.DBus),
- dbus receive bus=session path=/MenuBar
+ dbus (send receive) bus=session path=/MenuBar
 interface=com.canonical.dbusmenu
- member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}
 peer=(name=:*),
 dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
@@ -102,19 +95,8 @@ profile vlc @{exec_path} {
 interface=org.mpris.MediaPlayer2.*
 peer=(name="{org.mpris.MediaPlayer2.vlc,org.freedesktop.DBus,:*}"), # all members
-# dbus send bus=system path=/
-# interface=org.freedesktop.DBus.Peer
-# member=Ping,
-# peer=(name="org.freedesktop.Avahi"),
-
- dbus send bus=accessibility path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={Hello,AddMatch,RemoveMatch}
- peer=(name=org.freedesktop.DBus),
-
- dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+ dbus send bus=accessibility
 interface=org.a11y.atspi.Socket
- member=Embed
 peer=(name=org.a11y.atspi.Registry),
 dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
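Review bot: `dbus (send receive) bus=session path=/MenuBar interface=com.canonical.dbusmenu peer=(name=:*)` drops the explicit member list the receive rule had and folds in the send direction, so every dbusmenu method is now open to every peer; if that is intended, a `# all members and peer's labels` comment in the repo's style documents it. `(send, receive)` would also match the spelling used three lines below on the MediaPlayer2 rule.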
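Review bot: The removed `dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch}` rule is what lets vlc connect to the accessibility bus at all; presumably the `include` added in the first vlc hunk supplies it, but its target is not visible on this page, so that dependency should be confirmed before merging. The replacement `dbus send bus=accessibility interface=org.a11y.atspi.Socket` rule drops both `path=` and `member=Embed`, which `# all paths and members` would mark as intentional. The removals in the last vlc hunk (`GetRegisteredEvents`, the `DeviceEventController` rule) rest on the same assumption about the new include.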
@@ -122,21 +104,11 @@ profile vlc @{exec_path} {
 member=Set
 peer=(name=:*),
- dbus send bus=accessibility path=/org/a11y/atspi/registry
- interface=org.a11y.atspi.Registry
- member=GetRegisteredEvents
- peer=(name=org.a11y.atspi.Registry),
-
 dbus receive bus=accessibility path=/org/a11y/atspi/registry
 interface=org.a11y.atspi.Registry
 member=EventListenerDeregistered
 peer=(name=:*),
- dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
- interface=org.a11y.atspi.DeviceEventController
- member={GetKeystrokeListeners,GetDeviceEventListeners}
- peer=(name=org.a11y.atspi.Registry),
-
 dbus bind bus=session name=org.kde.StatusNotifierItem-*,
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index ae9b846c..6fa6328d 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -10,6 +10,8 @@ include
 profile wireplumber @{exec_path} {
 include
 include
+ include
+ include
 include
 include
 include
@@ -19,6 +21,13 @@ profile wireplumber @{exec_path} {
 network bluetooth stream,
 network netlink raw,
+ dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio0,
+
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=gnome-shell),
+
 @{exec_path} mr,
 /opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant
index d141223c..a28d61e0 100644
--- a/apparmor.d/profiles-s-z/wpa-supplicant
+++ b/apparmor.d/profiles-s-z/wpa-supplicant
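Review bot: `name=org.freedesktop.ReserveDevice1.Audio0` in wireplumber binds only the first sound card's reservation name; on a machine with more than one card the daemon will presumably also request `Audio1` and so on, which this rule denies. `name=org.freedesktop.ReserveDevice1.Audio@{int}` covers them with the token the repo already uses for indexes. The new `Introspect` receive rule is path-less like the others in this diff and could carry the same `# all paths` comment.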
@@ -29,12 +29,11 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus
 member=RequestName,
- dbus receive bus=system path=/fi/w[0-9]/wpa_supplicant[0-9]
+ dbus receive bus=system path=/fi/w[0-9]/wpa_supplicant1
 interface=org.freedesktop.DBus.Properties
 member=GetAll,
- dbus bind bus=system
- name=fi.w1.wpa_supplicant[0-9],
+ dbus bind bus=system name=fi.w1.wpa_supplicant1,
 @{exec_path} mr,
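Review bot: `path=/fi/w[0-9]/wpa_supplicant1` keeps a character class for the `w1` segment while the object name is now literal, and the bind in the same hunk is the fully literal `fi.w1.wpa_supplicant1`; both come from the same API version, so `path=/fi/w1/wpa_supplicant1` is the matching literal and drops a glob that can only match names that do not exist.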