mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 00:48:10 +01:00
feat(dbus): rewrite some dbus rules (1).
parent
d6888a65c4
commit
6d1ff256af
32 changed files with 248 additions and 383 deletions
|
@ -23,24 +23,24 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
ptrace (read) peer=unconfined,
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*}
|
||||
interface=org.freedesktop.{DBus.{Properties,Introspectable},Accounts{,.User}},
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.PolicyKit1.Authority
|
||||
member={CheckAuthorization,Changed},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
dbus bind bus=system name=org.freedesktop.Accounts,
|
||||
dbus receive bus=system path=/org/freedesktop/Accounts{,/User@{uid}}
|
||||
interface=org.freedesktop.Accounts*
|
||||
peer=(name=:*),
|
||||
dbus receive bus=system path=/org/freedesktop/Accounts{,/User@{uid}}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
peer=(name=:*),
|
||||
dbus send bus=system path=/org/freedesktop/Accounts/User@{uid}
|
||||
interface=org.freedesktop.Accounts.User
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
dbus send bus=system path=/org/freedesktop/Accounts/User@{uid}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName,GetConnectionUnixUser}
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus bind bus=system
|
||||
name=org.freedesktop.Accounts,
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
@{exec_path} mr,
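Review bot: The receive rule on `/org/freedesktop/Accounts{,/User@{uid}}` matches `interface=org.freedesktop.Accounts*`, which is wider than the brace form in the rule it appears to replace. The trailing glob also accepts any interface name that merely starts with `org.freedesktop.Accounts`. `interface=org.freedesktop.Accounts{,.User}` keeps the two intended interfaces and nothing else. The page has lost its +/- markers, so this assumes the `@{uid}` rules are the added side; the profile body starts and ends outside the hunk.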
|
||||
|
||||
|
|
|
@ -35,14 +35,6 @@ profile colord @{exec_path} flags=(attach_disconnected) {
|
|||
interface=org.freedesktop.ColorManager
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*, label=polkitd),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.PolicyKit1.Authority
|
||||
peer=(name=:*, label=polkitd),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
|
|
|
@ -36,7 +36,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=GetConnectionUnixProcessID
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus receive bus=session
|
||||
|
|
|
@ -13,7 +13,6 @@ profile pulseaudio @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dbus-gtk>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf-write>
|
||||
|
@ -69,11 +68,6 @@ profile pulseaudio @{exec_path} {
|
|||
member=Free
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={Hello,RequestName,ReleaseName}
|
||||
peer=(name=:*),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
|
|
|
@ -24,10 +24,12 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
dbus bind bus=session name=org.freedesktop.portal.Desktop,
|
||||
|
||||
dbus bind bus=session name=org.freedesktop.background.Monitor,
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/background/monitor
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
peer=(name=:*),
|
||||
dbus send bus=session path=/org/freedesktop/background/monitor
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
|
@ -39,12 +41,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.impl.portal.Settings
|
||||
peer=(name=:*, label=xdg-desktop-portal-gnome),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.portal.Settings
|
||||
member=Read
|
||||
peer=(name=:*, label=nautilus),
|
||||
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/documents
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*, label=xdg-document-portal),
|
||||
|
@ -54,7 +54,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=GetConnectionUnixProcessID
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus receive bus=session
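Review bot: In the first hunk the receive rule for `/org/freedesktop/background/monitor` appears to go from `peer=(name=:*, label=gnome-shell),` to `peer=(name=:*),`, so the Properties interface on that object becomes reachable from every session-bus peer regardless of its confinement label. The same label drop appears in the receive rules of evolution-source-registry, gjs-console, tracker-extract, tracker-miner and gvfs-udisks2-volume-monitor in this commit. If accepting any caller is intended for a bus service, a short comment such as `# all peers` on those lines would record it as a decision; otherwise keep the `label=` condition. Which of the two peer lines is new is inferred from print order and the hunk's line counts, since the +/- column is missing.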
|
||||
|
|
|
@ -30,6 +30,8 @@ profile xdg-desktop-portal-gtk @{exec_path} {
|
|||
|
||||
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
|
||||
|
||||
dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gtk,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/Accounts/User@{int}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
@ -89,6 +91,10 @@ profile xdg-desktop-portal-gtk @{exec_path} {
|
|||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gjs-console),
|
||||
dbus send bus=session path=/org/gnome/ScreenSaver
|
||||
interface=org.gnome.ScreenSaver
|
||||
member=GetActive
|
||||
peer=(name=:*, label=gjs-console),
|
||||
|
||||
dbus send bus=session path=/org/gnome/Shell/Introspect
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/{,evolution-data-server/}evolution-source-registry
|
||||
profile evolution-source-registry @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/vfs>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
@ -21,31 +22,26 @@ profile evolution-source-registry @{exec_path} {
|
|||
network inet6 dgram,
|
||||
network netlink raw,
|
||||
|
||||
dbus bind bus=session name=org.gnome.evolution.dataserver.Sources@{int},
|
||||
|
||||
dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**}
|
||||
interface={org.freedesktop.DBus.ObjectManager,org.freedesktop.DBus.Properties}
|
||||
peer=(name=:*),
|
||||
|
||||
dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
peer=(name=:*, label=evolution-*),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/*}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*, label=evolution-*-factory),
|
||||
|
||||
dbus send bus=session path=/org/gnome/OnlineAccounts
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects
|
||||
member=GetManagedObjects
|
||||
peer=(name=:*, label=goa-daemon),
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/mounttracker
|
||||
interface=org.gtk.vfs.MountTracker
|
||||
member=ListMountableInfo
|
||||
peer=(name=:*, label=gvfsd),
|
||||
|
||||
dbus bind bus=session name=org.gnome.evolution.dataserver.Sources[0-9],
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
|
|
@ -27,42 +27,28 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
signal (send) set=(term),
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User@{uid}
|
||||
interface=org.freedesktop.{DBus.Properties,Accounts.User}
|
||||
member={Changed,GetAll,PropertiesChanged},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/Accounts
|
||||
interface=org.freedesktop.{DBus.Properties,Accounts}
|
||||
member={GetAll,ListCachedUsers,FindUserByName},
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/Accounts
|
||||
dbus bind bus=system name=org.gnome.DisplayManager,
|
||||
dbus receive bus=system path=/org/gnome/DisplayManager/Manager
|
||||
interface=org.gnome.DisplayManager.Manager
|
||||
peer=(name=:*, label="{gnome-shell,gdm-*-session}"),
|
||||
dbus receive bus=system path=/org/gnome/DisplayManager/Manager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=:*, label=accounts-daemon),
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/Accounts
|
||||
interface=org.freedesktop.Accounts
|
||||
member=UserAdded
|
||||
peer=(name=:*, label=accounts-daemon),
|
||||
dbus send bus=system path=/org/freedesktop/login1/seat/seat@{int}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login[0-9]
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member={ListSeats,ActivateSessionOnSeat,UnlockSession},
|
||||
dbus receive bus=system path=/org/freedesktop/login1/seat/seat@{int}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Get,PropertiesChanged}
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName},
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/login[0-9]/seat/seat[0-9]
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged,
|
||||
|
||||
dbus receive bus=system path=/org/gnome/DisplayManager/Manager
|
||||
interface={org.freedesktop.DBus.Properties,org.gnome.DisplayManager.Manager}
|
||||
member={RegisterDisplay,Get,RegisterSession,GetAll,OpenReauthenticationChannel,OpenSession},
|
||||
|
||||
dbus bind bus=system
|
||||
name=org.gnome.DisplayManager,
|
||||
member={GetConnectionUnixProcessID,GetConnectionUnixUser}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -65,20 +65,16 @@ profile gdm-xsession @{exec_path} {
|
|||
|
||||
profile dbus {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
member=SetEnvironment
|
||||
peer=(name=org.freedesktop.systemd1),
|
||||
|
||||
@{bin}/dbus-update-activation-environment mr,
|
||||
|
||||
owner @{run}/user/@{uid}/bus rw,
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={Hello,UpdateActivationEnvironment}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/systemd[0-9]*
|
||||
interface=org.freedesktop.systemd[0-9]*.Manager
|
||||
member=SetEnvironment
|
||||
peer=(name=org.freedesktop.systemd[0-9]*),
|
||||
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
/dev/tty rw,
|
||||
/dev/tty@{int} rw,
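Review bot: The `dbus` subprofile appears to lose its explicit `member={Hello,UpdateActivationEnvironment}` send rule and to rely on the added `include <abstractions/dbus-session-strict>` instead. Nothing in this hunk shows that abstraction granting `UpdateActivationEnvironment`, which is the call `dbus-update-activation-environment` exists to make; if it does not, the helper will be denied at session start. Either confirm the abstraction covers it or keep a narrowed rule with `member=UpdateActivationEnvironment` and `peer=(name=org.freedesktop.DBus, label=dbus-daemon),`. Sides are inferred from the hunk's 20 to 16 line counts because the +/- markers are missing.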
|
||||
|
|
|
@ -14,6 +14,7 @@ include <tunables/global>
|
|||
profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
|
@ -31,14 +32,36 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
signal (receive) set=(term hup) peer=gdm*,
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
dbus bind bus=session name=org.gnome.Shell.Notifications,
|
||||
|
||||
dbus bind bus=session name=org.gnome.ScreenSaver,
|
||||
dbus receive bus=session path=/org/gnome/ScreenSaver
|
||||
interface=org.gnome.ScreenSaver
|
||||
peer=(name=:*), # all members
|
||||
dbus receive bus=session path=/org/gnome/ScreenSaver
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*), # all members
|
||||
dbus send bus=session path=/org/gnome/ScreenSaver
|
||||
interface=org.gnome.ScreenSaver
|
||||
peer=(name=:*), # all members
|
||||
dbus send bus=session path=/org/gnome/ScreenSaver
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*), # all members
|
||||
|
||||
dbus bind bus=session name=org.freedesktop.Notifications,
|
||||
dbus receive bus=session path=/org/freedesktop/Notifications
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*), # all members
|
||||
dbus send bus=session path=/org/freedesktop/Notifications
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*), # all members
|
||||
|
||||
dbus bind bus=session name=org.gnome.Shell.Screencast,
|
||||
dbus receive bus=session path=/org/gnome/Shell/Screencast
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*), # all members
|
||||
dbus send bus=session path=/org/gnome/Mutter/ScreenCast
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus receive bus=session
|
||||
|
@ -46,31 +69,13 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
|||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/Notifications
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gnome-extension-ding),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/Shell/Screencast
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
dbus (send, receive) bus=session path=/org/gnome/Shell/Introspect
|
||||
interface=org.gnome.Shell.Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus (send,receive) bus=session path=/org/gnome/ScreenSaver
|
||||
interface=org.gnome.ScreenSaver,
|
||||
|
||||
dbus receive bus=session path=/org/gnome/Shell/Introspect
|
||||
dbus (send, receive) bus=session path=/org/gnome/Shell/Introspect
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus bind bus=session name=org.gnome.ScreenSaver,
|
||||
|
||||
dbus bind bus=session name=org.freedesktop.Notifications,
|
||||
|
||||
dbus bind bus=session name=org.gnome.Shell.Notifications,
|
||||
|
||||
dbus bind bus=session name=org.gnome.Shell.Screencast,
|
||||
|
||||
@{exec_path} mr,
|
||||
@{bin}/ r,
|
||||
@{bin}/[a-z0-9]* rPUx,
|
||||
|
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile gnome-extension-ding @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/atspi>
|
||||
include <abstractions/bus/vfs>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
|
@ -21,126 +22,62 @@ profile gnome-extension-ding @{exec_path} {
|
|||
|
||||
unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
dbus bind bus=session name=com.rastersoft.ding,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={ListNames,ListActivatableNames},
|
||||
dbus receive bus=session path=/com/rastersoft/ding
|
||||
interface={org.gtk.Actions,org.freedesktop.DBus.Properties}
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName,ListNames,ListActivatableNames}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=system path=/net/hadess/SwitcherooControl
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/Notifications
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gjs-console),
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/metadata
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gvfsd-metadata),
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/Daemon
|
||||
interface=org.gtk.vfs.Daemon
|
||||
member=ListMonitorImplementations
|
||||
peer=(name=:*, label=gvfsd),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/SessionManager
|
||||
interface=org.gnome.SessionManager
|
||||
member=ClientRemoved
|
||||
peer=(name=:*, label=gnome-session-binary),
|
||||
dbus send bus=session path=/com/rastersoft/ding{,**}
|
||||
interface=org.gtk.Actions
|
||||
peer=(label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
||||
member={IsSupported,List}
|
||||
peer=(name=:*, label=gvfs-*-monitor),
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/mounttracker
|
||||
interface=org.gtk.vfs.MountTracker
|
||||
member={ListMounts2,ListMountableInfo}
|
||||
peer=(name=:*, label=gvfsd),
|
||||
|
||||
dbus receive bus=session path=/org/gtk/vfs/mounttracker
|
||||
interface=org.gtk.vfs.MountTracker
|
||||
member=Mounted
|
||||
peer=(name=:*, label=gvfsd),
|
||||
|
||||
dbus send bus=session path=/org/gtk/Settings
|
||||
dbus (send, receive) bus=session path=/org/freedesktop/FileManager1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gsd-xsettings),
|
||||
peer=(name=:*, label=nautilus),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/registry
|
||||
interface=org.a11y.atspi.Registry
|
||||
member=GetRegisteredEvents
|
||||
peer=(name=org.a11y.atspi.Registry), # all peer's labels
|
||||
|
||||
dbus receive bus=accessibility path=/org/a11y/atspi/registry
|
||||
interface=org.a11y.atspi.Registry
|
||||
member=EventListenerDeregistered
|
||||
peer=(name=:*, label=at-spi2-registryd),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
|
||||
interface=org.a11y.atspi.DeviceEventController
|
||||
member={GetKeystrokeListeners,GetDeviceEventListeners}
|
||||
peer=(name=org.a11y.atspi.Registry), # all peer's labels
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.a11y.atspi.Socket
|
||||
member=Embed
|
||||
peer=(name=org.a11y.atspi.Registry), # all peer's labels
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.a11y.Bus
|
||||
member=GetAddress
|
||||
peer=(name=org.a11y.Bus, label=at-spi-bus-launcher),
|
||||
|
||||
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Set
|
||||
peer=(name=:*, label=at-spi2-registryd),
|
||||
|
||||
dbus send bus=session path=/com/rastersoft/dingextension/control
|
||||
interface=org.gtk.Actions
|
||||
member=DescribeAll
|
||||
peer=(name=com.rastersoft.dingextension, label=gnome-shell),
|
||||
|
||||
dbus receive bus=session path=/com/rastersoft/ding
|
||||
interface=org.gtk.Actions
|
||||
member=DescribeAll
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus receive bus=session path=/com/rastersoft/ding
|
||||
dbus send bus=session path=/org/freedesktop/Notifications
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
peer=(name=:*, label=gjs-console),
|
||||
|
||||
dbus bind bus=session
|
||||
name=com.rastersoft.ding,
|
||||
dbus send bus=session path=/org/gnome/Nautilus/FileOperations*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=nautilus),
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/Daemon
|
||||
interface=org.gtk.vfs.Daemon
|
||||
member=ListMonitorImplementations
|
||||
peer=(name=:*, label=gvfsd),
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/metadata
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gvfsd-metadata),
|
||||
dbus receive bus=session path=/org/gtk/vfs/metadata
|
||||
interface=org.gtk.vfs.Metadata
|
||||
member=AttributeChanged
|
||||
peer=(name=:*, label=gvfsd-metadata),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=nautilus),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
@{exec_path} mr,
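Review bot: The last session-bus rule before `@{exec_path} mr,` sends to `/org/freedesktop/DBus` on `interface=org.freedesktop.DBus` with no `member=` condition, so it permits every method of the bus driver rather than the `ListNames`/`ListActivatableNames` calls the older rules listed. If that rule is on the new side (the +/- column is lost on this page), add the member list back: `member={ListNames,ListActivatableNames}`. That keeps calls such as `UpdateActivationEnvironment` outside what this helper profile grants.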
|
||||
|
||||
|
|
|
@ -38,7 +38,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={ReleaseName,UpdateActivationEnvironment,GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment}
|
||||
peer=(name=org.freedesktop.DBus label=dbus-daemon),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login1
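Review bot: The peer condition after the changed member list reads `peer=(name=org.freedesktop.DBus label=dbus-daemon),` with no comma between the two conditions, while the other two-condition peers in this commit separate them with one. For consistency write `peer=(name=org.freedesktop.DBus, label=dbus-daemon),`. The new member list also appears to drop `ReleaseName`, and the hunk does not show what now grants it.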
|
||||
|
|
|
@ -12,10 +12,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/app-launcher-user>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/bus/atspi>
|
||||
include <abstractions/bus/network-manager>
|
||||
include <abstractions/bus/polkit>
|
||||
include <abstractions/bus/vfs>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dbus-gtk>
|
||||
include <abstractions/dbus-network-manager-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf-write>
|
||||
|
|
|
@ -42,11 +42,10 @@ profile goa-daemon @{exec_path} {
|
|||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects
|
||||
peer=(name=:*, label=goa-identity-service),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/OnlineAccounts
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects
|
||||
peer=(name=:*, label="{gvfs-goa-volume-monitor,goa-daemon,goa-identity-service,evolution-source-registry,unconfined}"),
|
||||
dbus send bus=session path=/org/gnome/Identity/Manager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=goa-identity-service),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
|
|
|
@ -39,6 +39,11 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
|
|||
member={EndSession,QueryEndSession,CancelEndSession,Stop}
|
||||
peer=(name=:*, label=gnome-session-binary),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/SessionManager/Presence
|
||||
interface=org.gnome.SessionManager.Presence
|
||||
member=StatusChanged
|
||||
peer=(name=:*, label=gnome-session-binary),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
|
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{lib}/mutter-x11-frames
|
||||
profile mutter-x11-frames @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
|
@ -22,6 +23,11 @@ profile mutter-x11-frames @{exec_path} {
|
|||
include <abstractions/wayland>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
dbus receive bus=session path=/
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
|
|
|
@ -27,16 +27,17 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
|
|||
signal (receive) set=(term) peer=gdm,
|
||||
|
||||
dbus bind bus=session name=org.freedesktop.Tracker3.Miner.Extract,
|
||||
dbus send bus=session path=/org/freedesktop/Tracker3/Miner/**
|
||||
interface=org.freedesktop.Tracker3.Miner
|
||||
peer=(name=org.freedesktop.DBus, label=tracker-miner),
|
||||
dbus send bus=session path=/org/freedesktop/Tracker3/**
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=org.freedesktop.Tracker3.*), # all members
|
||||
dbus receive bus=session path=/org/freedesktop/Tracker3/**
|
||||
interface=org.freedesktop.Tracker3.*
|
||||
peer=(name=:*), # all members
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/Tracker3/**
|
||||
interface=org.freedesktop.DBus.{Peer,Properties}
|
||||
peer=(label=tracker-miner),
|
||||
dbus send bus=session path=/org/freedesktop/Tracker3/**
|
||||
interface=org.freedesktop.Tracker3.*
|
||||
peer=(label=tracker-miner),
|
||||
|
||||
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
||||
member={List,IsSupported,MountAdded}
|
||||
|
|
|
@ -28,10 +28,9 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
|
|||
dbus (send, receive) bus=session path=/org/freedesktop/Tracker3/**
|
||||
interface=org.freedesktop.Tracker3.*
|
||||
peer=(name=:*), # all members
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/Tracker3/**
|
||||
interface=org.freedesktop.DBus.{Peer,Properties}
|
||||
peer=(name=:*, label=tracker-extract),
|
||||
peer=(name=:*),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
|
|
|
@ -28,33 +28,25 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
ptrace (read),
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**}
|
||||
interface=org.freedesktop.{DBus.*,UDisks2.*}
|
||||
peer=(label=udisksd),
|
||||
dbus bind bus=session name=org.gtk.vfs.UDisks2VolumeMonitor,
|
||||
|
||||
dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
||||
peer=(name=:*),
|
||||
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/mounttracker
|
||||
interface=org.gtk.vfs.MountTracker
|
||||
member=ListMountableInfo
|
||||
peer=(name=:*, label=gvfsd),
|
||||
|
||||
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
||||
member=MountAdded
|
||||
peer=(name=org.freedesktop.DBus, label=tracker-*),
|
||||
|
||||
dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
||||
member={List,IsSupported}
|
||||
peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.gtk.vfs.UDisks2VolumeMonitor,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/lsof rix,
|
||||
|
|
|
@ -22,6 +22,11 @@ profile gvfsd-fuse @{exec_path} {
|
|||
member=Mounted
|
||||
peer=(name=:*, label=gvfsd),
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/mounttracker
|
||||
interface=org.gtk.vfs.MountTracker
|
||||
member=RegisterFuse
|
||||
peer=(name=:*, label=gvfsd),
|
||||
|
||||
dbus receive bus=session path=/
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
|
|
|
@ -11,44 +11,22 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/bus/polkit>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/dri-enumerate>
|
||||
|
||||
network qipcrtr dgram,
|
||||
network netlink raw,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member=Inhibit,
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member={UserNew,SessionNew,PrepareForShutdown,SeatNew,UserRemoved,SessionRemoved,PrepareForSleep}
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/ModemManager1
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
member=GetManagedObjects,
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/ModemManager1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.PolicyKit1.Authority
|
||||
member=Changed,
|
||||
|
||||
dbus bind bus=system name=org.freedesktop.ModemManager1,
|
||||
dbus receive bus=system path=/org/freedesktop/ModemManager1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetManagedObjects,
|
||||
peer=(name=:*),
|
||||
|
||||
dbus (send, receive) bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
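Review bot: The rewritten `dbus receive` rule on /org/freedesktop/ModemManager1 pairs `interface=org.freedesktop.DBus.Properties` with `member=GetManagedObjects`, but GetManagedObjects belongs to org.freedesktop.DBus.ObjectManager, so the rule covers neither the ObjectManager call nor the Properties `GetAll` that the two earlier rules in this hunk allowed. As rendered (the +/- column is lost on this page) the member line also ends in a comma, which would terminate the rule before `peer=(name=:*),`. Suggest `interface=org.freedesktop.DBus.{Properties,ObjectManager}`, `member={GetAll,GetManagedObjects}`, `peer=(name=:*),`, the same pairing the fwupd profile in this commit uses on its send side. Separately, the login1 rule widens the send direction from `member=Inhibit` to every org.freedesktop.login1.Manager method; keeping a member list on send would preserve least privilege.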
@ -9,7 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/NetworkManager
|
||||
profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-network-manager-strict>
|
||||
include <abstractions/bus/network-manager>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
|
@ -43,10 +43,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
|||
interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,NetworkManager*}
|
||||
peer=(name=:*),
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.PolicyKit1.Authority
|
||||
member={Changed,CheckAuthorization,CancelCheckAuthorization},
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member={SessionRemoved,UserNew,SessionNew,Inhibit,PrepareForShutdown,UserRemoved,PrepareForSleep}
|
||||
|
@ -54,7 +50,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,GetConnectionUnixUser,GetConnectionUnixProcessID},
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
|
|
|
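Review bot: The second hunk drops the `dbus (send,receive)` rule for /org/freedesktop/PolicyKit1/Authority (`Changed`, `CheckAuthorization`, `CancelCheckAuthorization`), yet the include list in the first hunk gains only `abstractions/bus/network-manager` and shows no polkit abstraction in the sorted position between it and `dbus-strict`. Unless one of the included abstractions carries those rules (their contents are not on this page), NetworkManager's authorization checks would be denied under this profile. The ModemManager profile in this commit pairs the same removal with `include <abstractions/bus/polkit>`; adding that line here would keep the two consistent. The rtkit-daemon and snapd sections also remove their `CheckAuthorization` send rules, and their include lists lie outside the visible hunks, so the same check applies there.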
@ -15,13 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
|
|||
capability dac_override,
|
||||
capability kill,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=RequestName
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus bind bus=system
|
||||
name=org.freedesktop.oom[0-9],
|
||||
dbus bind bus=system name=org.freedesktop.oom1,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -11,7 +11,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/apt-common>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dbus-network-manager-strict>
|
||||
include <abstractions/bus/network-manager>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dconf-write>
|
||||
|
|
|
@ -30,20 +30,20 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
|||
|
||||
network netlink raw,
|
||||
|
||||
dbus bind bus=system name=org.freedesktop.fwupd,
|
||||
dbus receive bus=system path=/
|
||||
interface=org.freedesktop.fwupd
|
||||
peer=(name=:*, label=fwupdmgr),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixUser,RemoveMatch,RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/ModemManager1
|
||||
interface=org.freedesktop.DBus.{Properties,ObjectManager}
|
||||
member={GetAll,GetManagedObjects},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Changed,GetAll}
|
||||
peer=(label=polkitd),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
@ -66,11 +66,6 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
|||
member={GetAll,SetHints,GetPlugins,GetRemotes}
|
||||
peer=(name=:*, label=fwupdmgr),
|
||||
|
||||
dbus (send, receive) bus=system
|
||||
interface=org.freedesktop.fwupd,
|
||||
|
||||
dbus bind bus=system name=org.freedesktop.fwupd,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{lib}/fwupd/fwupd-detect-cet rix,
|
||||
|
|
|
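Review bot: After the second hunk removes `dbus (send, receive) bus=system interface=org.freedesktop.fwupd,`, no `dbus send` rule for the daemon's own interface is visible, so the signals fwupd emits on org.freedesktop.fwupd (for example `DeviceAdded` or `Changed`) would be flagged by the profile. The replacement in the first hunk is receive-only and pinned to `label=fwupdmgr`, which also excludes any other client of the daemon. That is a reasonable tightening, but worth confirming against the complain-mode logs before the `complain` flag is lifted. For the signal side, a rule in the form this commit uses elsewhere would fit: `dbus send bus=system path=/ interface=org.freedesktop.fwupd peer=(name=org.freedesktop.DBus),`. The rule whose `member={GetAll,SetHints,GetPlugins,GetRemotes}` tail appears as context starts outside the hunk, so it may already cover part of this.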
@ -13,37 +13,30 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability sys_nice,
|
||||
capability dac_read_search,
|
||||
capability net_admin,
|
||||
capability sys_nice,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=RequestName,
|
||||
|
||||
dbus send bus=system path=/net/hadess/PowerProfiles
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged,
|
||||
dbus bind bus=system name=net.hadess.PowerProfiles,
|
||||
|
||||
dbus receive bus=system path=/net/hadess/PowerProfiles
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={GetAll,Set},
|
||||
peer=(name=:*),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/login1
|
||||
interface={org.freedesktop.login1.Manager,org.freedesktop.DBus.Properties}
|
||||
dbus send bus=system path=/net/hadess/PowerProfiles
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
interface=org.freedesktop.PolicyKit[0-9].Authority
|
||||
member=Changed,
|
||||
|
||||
dbus bind bus=system
|
||||
name=net.hadess.PowerProfiles,
|
||||
dbus receive bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -1,13 +1,12 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2018-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
|
||||
@{exec_path} = @{lib}/{,rtkit/}rtkit-daemon
|
||||
profile rtkit-daemon @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
|
@ -21,24 +20,18 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
capability sys_nice,
|
||||
capability sys_ptrace,
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/RealtimeKit[0-9]
|
||||
interface=org.freedesktop.RealtimeKit[0-9],
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/RealtimeKit[0-9]
|
||||
dbus bind bus=system name=org.freedesktop.RealtimeKit1,
|
||||
dbus receive bus=system path=/org/freedesktop/RealtimeKit1
|
||||
interface=org.freedesktop.RealtimeKit1
|
||||
peer=(name=:*),
|
||||
dbus receive bus=system path=/org/freedesktop/RealtimeKit1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Get,GetAll},
|
||||
peer=(name=:*),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
interface=org.freedesktop.PolicyKit[0-9].Authority
|
||||
member=CheckAuthorization,
|
||||
|
||||
dbus bind bus=system
|
||||
name=org.freedesktop.RealtimeKit[0-9],
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -47,7 +47,7 @@ profile snapd @{exec_path} {
|
|||
ptrace (read) peer=snap,
|
||||
ptrace (read) peer=@{systemd},
|
||||
|
||||
dbus (send) bus=system path=/org/freedesktop/
|
||||
dbus send bus=system path=/org/freedesktop/
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member={SetWallMessage,ScheduleShutdown}
|
||||
peer=(name=org.freedesktop.login1, label=systemd-logind),
|
||||
|
@ -55,12 +55,7 @@ profile snapd @{exec_path} {
|
|||
dbus send bus=system path=/org/freedesktop/timedate1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=org.freedesktop.timedate1),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.PolicyKit1.Authority
|
||||
member=CheckAuthorization
|
||||
peer=(name=org.freedesktop.PolicyKit1),
|
||||
peer=(name=org.freedesktop.timedate1, label="{systemd-timedated,@{systemd}}"),
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
|
|
|
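Review bot: The rewritten `dbus send bus=system path=/org/freedesktop/` line keeps a path that does not match the login1 manager object. The other profiles in this commit address `interface=org.freedesktop.login1.Manager` at `path=/org/freedesktop/login1`, and a path without a glob is matched literally. As written, `SetWallMessage` and `ScheduleShutdown` would not be covered by this rule. Suggest `dbus send bus=system path=/org/freedesktop/login1` while the line is being touched. The profile body continues outside both hunks.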
@ -48,10 +48,7 @@ profile thunderbird @{exec_path} {
|
|||
|
||||
ptrace peer=@{profile_name},
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=RequestName
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
dbus bind bus=session name=org.mozilla.thunderbird.*,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/RealtimeKit1
|
||||
member={Get,MakeThreadHighPriority,MakeThreadRealtime}
|
||||
|
@ -82,8 +79,6 @@ profile thunderbird @{exec_path} {
|
|||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus bind bus=session name=org.mozilla.thunderbird.*,
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
|
|
@ -13,7 +13,6 @@ profile vlc @{exec_path} {
|
|||
include <abstractions/audio>
|
||||
include <abstractions/bus/atspi>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dbus-gtk>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/devices-usb>
|
||||
|
@ -36,10 +35,15 @@ profile vlc @{exec_path} {
|
|||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
dbus bind bus=session name=org.kde.StatusNotifierItem-*,
|
||||
|
||||
dbus bind bus=session name=org.mpris.MediaPlayer2.vlc*,
|
||||
dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name="{org.freedesktop.DBus,:*}"), # all members
|
||||
dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
|
||||
interface=org.mpris.MediaPlayer2.*
|
||||
peer=(name="{org.mpris.MediaPlayer2.vlc,org.freedesktop.DBus,:*}"), # all members
|
||||
|
||||
dbus send bus=session path=/StatusNotifierWatcher
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
|
@ -85,18 +89,6 @@ profile vlc @{exec_path} {
|
|||
interface=com.canonical.dbusmenu
|
||||
peer=(name=:*),
|
||||
|
||||
dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name="{org.freedesktop.DBus,:*}"), # all members
|
||||
|
||||
dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
|
||||
interface=org.mpris.MediaPlayer2.*
|
||||
peer=(name="{org.mpris.MediaPlayer2.vlc,org.freedesktop.DBus,:*}"), # all members
|
||||
|
||||
dbus bind bus=session name=org.kde.StatusNotifierItem-*,
|
||||
|
||||
dbus bind bus=session name=org.mpris.MediaPlayer2.vlc*,
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{bin}/xdg-screensaver rPx,
|
||||
|
|
|
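Review bot: The session-bus rule removed in the second hunk carried `GetConnectionUnixProcessID` alongside `RequestName` and `ReleaseName`, and nothing on the visible new side re-grants it. The system-bus profiles in this commit keep that member in a narrowed rule instead of dropping it. If vlc still makes the call and `abstractions/dbus-session-strict` does not allow it (its contents are not on this page), the call will be denied. A narrowed replacement would be `dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionUnixProcessID peer=(name=org.freedesktop.DBus),`.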
@ -23,6 +23,19 @@ profile wireplumber @{exec_path} {
|
|||
|
||||
dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio0,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/RealtimeKit1
|
||||
interface=org.freedesktop.RealtimeKit1
|
||||
peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/UPower/devices/DisplayDevice
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
peer=(name=org.freedesktop.UPower, label=upowerd),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/RealtimeKit1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
|
|
|
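Review bot: The added `dbus send` rule for `interface=org.freedesktop.RealtimeKit1` has no `member=` filter, so it permits every method on that interface towards rtkit-daemon, whereas the thunderbird profile on this page limits its RealtimeKit1 rule to `member={Get,MakeThreadHighPriority,MakeThreadRealtime}`. If wireplumber only requests thread priority changes (an assumption to confirm from the logs), `member={MakeThreadHighPriority,MakeThreadRealtime}` would keep the rule least-privilege. The UPower `org.freedesktop.DBus.Properties` rule is likewise open to `Set` as well as `Get` and `GetAll`; the RealtimeKit1 properties rule next to it shows the narrower form with `member=Get`.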
@ -10,7 +10,8 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/wpa_supplicant
|
||||
profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
|
||||
capability chown,
|
||||
|
|