From 6d1ff256afb08c78389a3b2b37a1942ba9aa9d78 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 1 Dec 2023 20:58:21 +0000 Subject: [PATCH] feat(dbus): rewrite some dbus rules (1). --- apparmor.d/groups/freedesktop/accounts-daemon | 28 ++-- apparmor.d/groups/freedesktop/colord | 8 - apparmor.d/groups/freedesktop/pipewire | 2 +- apparmor.d/groups/freedesktop/pulseaudio | 6 - .../groups/freedesktop/xdg-desktop-portal | 12 +- .../groups/freedesktop/xdg-desktop-portal-gtk | 6 + .../groups/gnome/evolution-source-registry | 30 ++-- apparmor.d/groups/gnome/gdm | 46 ++---- apparmor.d/groups/gnome/gdm-xsession | 20 +-- apparmor.d/groups/gnome/gjs-console | 57 ++++--- apparmor.d/groups/gnome/gnome-extension-ding | 149 +++++------------- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gnome-shell | 4 +- apparmor.d/groups/gnome/goa-daemon | 9 +- apparmor.d/groups/gnome/gsd-printer | 5 + apparmor.d/groups/gnome/mutter-x11-frames | 6 + apparmor.d/groups/gnome/tracker-extract | 13 +- apparmor.d/groups/gnome/tracker-miner | 3 +- .../groups/gvfs/gvfs-udisks2-volume-monitor | 24 +-- apparmor.d/groups/gvfs/gvfsd-fuse | 5 + apparmor.d/groups/network/ModemManager | 40 ++--- apparmor.d/groups/network/NetworkManager | 9 +- apparmor.d/groups/systemd/systemd-oomd | 8 +- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/profiles-a-f/fwupd | 19 +-- apparmor.d/profiles-m-r/power-profiles-daemon | 35 ++-- apparmor.d/profiles-m-r/rtkit-daemon | 25 ++- apparmor.d/profiles-s-z/snapd | 9 +- apparmor.d/profiles-s-z/thunderbird | 7 +- apparmor.d/profiles-s-z/vlc | 26 ++- apparmor.d/profiles-s-z/wireplumber | 13 ++ apparmor.d/profiles-s-z/wpa-supplicant | 3 +- 32 files changed, 248 insertions(+), 383 deletions(-) diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 86f8ae99..36dea8a1 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon 
@@ -23,24 +23,24 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=unconfined, - dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} - interface=org.freedesktop.{DBus.{Properties,Introspectable},Accounts{,.User}}, - - dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member={CheckAuthorization,Changed}, - - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + dbus bind bus=system name=org.freedesktop.Accounts, + dbus receive bus=system path=/org/freedesktop/Accounts{,/User@{uid}} + interface=org.freedesktop.Accounts* + peer=(name=:*), + dbus receive bus=system path=/org/freedesktop/Accounts{,/User@{uid}} interface=org.freedesktop.DBus.Properties - member=GetAll, + peer=(name=:*), + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} + interface=org.freedesktop.Accounts.User + peer=(name=org.freedesktop.DBus), + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} + interface=org.freedesktop.DBus.Properties + peer=(name=org.freedesktop.DBus), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={RequestName,ReleaseName,GetConnectionUnixUser} - peer=(name=org.freedesktop.DBus), - - dbus bind bus=system - name=org.freedesktop.Accounts, + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index ccd8a893..aaa5ed53 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord 
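Review bot: The two `org.freedesktop.PolicyKit1.Authority` send rules (`CheckAuthorization` and the Properties call) are removed and nothing in this hunk replaces them, so unless the profile already includes a PolicyKit abstraction outside the hunk, accounts-daemon's authorization checks for its privileged members will be denied; the same removal without a visible replacement is in the colord, ModemManager, NetworkManager and fwupd hunks. A denied send fails closed (the daemon cannot authorize, so the request errors), so this is a functional regression rather than a bypass, but it should be confirmed against the audit log before merging. The new receive rules also drop every `member=` filter and accept from `peer=(name=:*)`, which is reasonable for a system service that delegates to polkit, but deserves a one-line comment such as `# any client may call; polkit gates the privileged members` so a later reader does not tighten it back blindly. The profile block starts and ends outside the hunk.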
@@ -35,14 +35,6 @@ profile colord @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.ColorManager peer=(name=org.freedesktop.DBus), - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=polkitd), - - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - peer=(name=:*, label=polkitd), - dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 772301a4..8860ad28 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -36,7 +36,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=GetConnectionUnixProcessID + member={GetConnectionUnixUser,GetConnectionUnixProcessID} peer=(name=org.freedesktop.DBus, label=dbus-daemon), dbus receive bus=session diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index bf846ed2..f7f0f03d 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -13,7 +13,6 @@ profile pulseaudio @{exec_path} { include include include - include include include include @@ -69,11 +68,6 @@ profile pulseaudio @{exec_path} { member=Free peer=(name=org.freedesktop.Avahi), - dbus receive bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,RequestName,ReleaseName} - peer=(name=:*), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index e7c7dd05..10b97937 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal 
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -24,10 +24,12 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus bind bus=session name=org.freedesktop.portal.Desktop, dbus bind bus=session name=org.freedesktop.background.Monitor, - dbus receive bus=session path=/org/freedesktop/background/monitor interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=gnome-shell), + peer=(name=:*), + dbus send bus=session path=/org/freedesktop/background/monitor + interface=org.freedesktop.DBus.Properties + peer=(name=org.freedesktop.DBus), dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.DBus.Properties @@ -39,12 +41,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings peer=(name=:*, label=xdg-desktop-portal-gnome), - dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings - member=Read peer=(name=:*, label=nautilus), - + dbus send bus=session path=/org/freedesktop/portal/documents interface=org.freedesktop.DBus.Properties peer=(name=:*, label=xdg-document-portal), @@ -54,7 +54,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=GetConnectionUnixProcessID + member={GetConnectionUnixUser,GetConnectionUnixProcessID} peer=(name=org.freedesktop.DBus, label=dbus-daemon), dbus receive bus=session diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index ee0c4a32..1fc58d9a 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk 
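Review bot: The `/org/freedesktop/background/monitor` Properties receive rule loses its `label=gnome-shell` restriction, so any session peer can now call `org.freedesktop.DBus.Properties` methods on that object, and as written that includes `Set`. If the widening only exists to serve unconfined or differently-labelled shells, adding `member={Get,GetAll}` to the rule keeps the widening on the read path. In the second hunk the `org.freedesktop.portal.Settings member=Read` receive from nautilus is dropped with no replacement in view; presumably a broader Settings receive exists elsewhere in the profile, which is worth confirming since the portal serves `Read` to every sandboxed client. The profile block starts and ends outside these hunks.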
@@ -30,6 +30,8 @@ profile xdg-desktop-portal-gtk @{exec_path} { unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), + dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gtk, + dbus send bus=system path=/org/freedesktop/Accounts/User@{int} interface=org.freedesktop.DBus.Properties member=GetAll, @@ -89,6 +91,10 @@ profile xdg-desktop-portal-gtk @{exec_path} { interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=gjs-console), + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member=GetActive + peer=(name=:*, label=gjs-console), dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 6c8e769f..724bcde4 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/{,evolution-data-server/}evolution-source-registry profile evolution-source-registry @{exec_path} { include + include include include include 
@@ -21,31 +22,26 @@ profile evolution-source-registry @{exec_path} { network inet6 dgram, network netlink raw, + dbus bind bus=session name=org.gnome.evolution.dataserver.Sources@{int}, + + dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} + interface={org.freedesktop.DBus.ObjectManager,org.freedesktop.DBus.Properties} + peer=(name=:*), + + dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} + interface=org.freedesktop.DBus.Properties + peer=(name=org.freedesktop.DBus), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager - interface=org.freedesktop.DBus.ObjectManager - peer=(name=:*, label=evolution-*), - - dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/*} - interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=evolution-*-factory), - dbus send bus=session path=/org/gnome/OnlineAccounts interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects + member=GetManagedObjects peer=(name=:*, label=goa-daemon), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=ListMountableInfo - peer=(name=:*, label=gvfsd), - - dbus bind bus=session name=org.gnome.evolution.dataserver.Sources[0-9], - @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 3c618a6c..a69f7197 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm 
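Review bot: The SourceManager receive rule now accepts `org.freedesktop.DBus.ObjectManager` and `org.freedesktop.DBus.Properties` from `peer=(name=:*)` with no label, where the removed rules limited callers to `evolution-*` and `evolution-*-factory`; Properties includes `Set`, so any session peer may now write whatever properties the registry exposes under `/org/gnome/evolution/dataserver/SourceManager/**`. If the widening is only meant to admit unconfined callers, `member={Get,GetAll}` on the Properties rule, or keeping a label list, preserves the read-only intent. The `ListMountableInfo` send to gvfsd is dropped with no replacement in this hunk; it may be covered by the include added in the preceding hunk, and the commit message should say so. The profile block continues outside the hunk.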
@@ -27,42 +27,28 @@ profile gdm @{exec_path} flags=(attach_disconnected) { signal (send) set=(term), - dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User@{uid} - interface=org.freedesktop.{DBus.Properties,Accounts.User} - member={Changed,GetAll,PropertiesChanged}, - - dbus send bus=system path=/org/freedesktop/Accounts - interface=org.freedesktop.{DBus.Properties,Accounts} - member={GetAll,ListCachedUsers,FindUserByName}, - - dbus receive bus=system path=/org/freedesktop/Accounts + dbus bind bus=system name=org.gnome.DisplayManager, + dbus receive bus=system path=/org/gnome/DisplayManager/Manager + interface=org.gnome.DisplayManager.Manager + peer=(name=:*, label="{gnome-shell,gdm-*-session}"), + dbus receive bus=system path=/org/gnome/DisplayManager/Manager interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=accounts-daemon), + peer=(name=:*, label=gnome-shell), - dbus receive bus=system path=/org/freedesktop/Accounts - interface=org.freedesktop.Accounts - member=UserAdded - peer=(name=:*, label=accounts-daemon), + dbus send bus=system path=/org/freedesktop/login1/seat/seat@{int} + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=:*, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login1.Manager - member={ListSeats,ActivateSessionOnSeat,UnlockSession}, + dbus receive bus=system path=/org/freedesktop/login1/seat/seat@{int} + interface=org.freedesktop.DBus.Properties + member={Get,PropertiesChanged} + peer=(name=:*, label=systemd-logind), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName}, - - dbus receive bus=system path=/org/freedesktop/login[0-9]/seat/seat[0-9] - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, - - dbus receive bus=system path=/org/gnome/DisplayManager/Manager - 
interface={org.freedesktop.DBus.Properties,org.gnome.DisplayManager.Manager} - member={RegisterDisplay,Get,RegisterSession,GetAll,OpenReauthenticationChannel,OpenSession}, - - dbus bind bus=system - name=org.gnome.DisplayManager, + member={GetConnectionUnixProcessID,GetConnectionUnixUser} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 339e9bdf..dd98613c 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -65,20 +65,16 @@ profile gdm-xsession @{exec_path} { profile dbus { include + include + + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=SetEnvironment + peer=(name=org.freedesktop.systemd1), @{bin}/dbus-update-activation-environment mr, - - owner @{run}/user/@{uid}/bus rw, - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,UpdateActivationEnvironment} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - - dbus send bus=session path=/org/freedesktop/systemd[0-9]* - interface=org.freedesktop.systemd[0-9]*.Manager - member=SetEnvironment - peer=(name=org.freedesktop.systemd[0-9]*), + + owner @{HOME}/.xsession-errors w, /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index e0642fb0..14c20bd5 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -14,6 +14,7 @@ include profile gjs-console @{exec_path} flags=(attach_disconnected) { include include + include include include include 
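Review bot: The send rule for `org.freedesktop.login1.Manager` members `ListSeats`, `ActivateSessionOnSeat` and `UnlockSession` is removed and nothing in this hunk replaces it; unless a login1 abstraction is included elsewhere in the profile, gdm presumably loses the ability to activate or unlock sessions (a denied send fails closed, so the symptom is a broken user switch, not a bypass). The same applies to the dropped `org.freedesktop.Accounts` send rules. In the new logind receive rule `member={Get,PropertiesChanged}` looks odd, since `Get` is the method gdm itself sends on the rule above; if that entry came from a logged method return it can be reduced to `member=PropertiesChanged`. The label list `"{gnome-shell,gdm-*-session}"` on the DisplayManager.Manager receive is a good tightening over the previous unlabelled rule. The profile block starts and ends outside the hunk.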
@@ -31,14 +32,36 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=gdm*, - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus bind bus=session name=org.gnome.Shell.Notifications, + dbus bind bus=session name=org.gnome.ScreenSaver, + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + peer=(name=:*), # all members + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.freedesktop.DBus.Properties + peer=(name=:*), # all members + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + peer=(name=:*), # all members + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.freedesktop.DBus.Properties + peer=(name=:*), # all members + + dbus bind bus=session name=org.freedesktop.Notifications, + dbus receive bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.DBus.Properties + peer=(name=:*), # all members dbus send bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.DBus.Properties - member=GetAll + peer=(name=:*), # all members + + dbus bind bus=session name=org.gnome.Shell.Screencast, + dbus receive bus=session path=/org/gnome/Shell/Screencast + interface=org.freedesktop.DBus.Properties + peer=(name=:*), # all members + dbus send bus=session path=/org/gnome/Mutter/ScreenCast + interface=org.freedesktop.DBus.Properties peer=(name=:*, label=gnome-shell), dbus receive bus=session 
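Review bot: The `dbus send` rules for `/org/gnome/ScreenSaver` and `/org/freedesktop/Notifications` use `peer=(name=:*)` on objects gjs-console itself binds, whereas every other owned-object send in this patch (accounts-daemon, evolution-source-registry, gvfs-udisks2-volume-monitor) is written as `peer=(name=org.freedesktop.DBus)`, the form that covers the owner's own signal emission. Unless gjs-console is genuinely calling a second ScreenSaver implementation on a unique name, which would deserve a comment, these rules should follow the same `peer=(name=org.freedesktop.DBus)` shape so the convention stays readable across profiles. The `# all members` comments are helpful; the same comment is missing on the `/org/gnome/Mutter/ScreenCast` Properties send to gnome-shell, which also has no `member=`. The profile block continues outside the hunk.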
@@ -46,31 +69,13 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-extension-ding), - - dbus receive bus=session path=/org/gnome/Shell/Screencast - interface=org.freedesktop.DBus.Properties - member=GetAll + dbus (send, receive) bus=session path=/org/gnome/Shell/Introspect + interface=org.gnome.Shell.Introspect peer=(name=:*, label=gnome-shell), - - dbus (send,receive) bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver, - - dbus receive bus=session path=/org/gnome/Shell/Introspect + dbus (send, receive) bus=session path=/org/gnome/Shell/Introspect interface=org.freedesktop.DBus.Properties peer=(name=:*, label=gnome-shell), - dbus bind bus=session name=org.gnome.ScreenSaver, - - dbus bind bus=session name=org.freedesktop.Notifications, - - dbus bind bus=session name=org.gnome.Shell.Notifications, - - dbus bind bus=session name=org.gnome.Shell.Screencast, - @{exec_path} mr, @{bin}/ r, @{bin}/[a-z0-9]* rPUx, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 63104097..e3cf6d83 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -10,6 +10,7 @@ include profile gnome-extension-ding @{exec_path} { include include + include include include include 
@@ -21,126 +22,62 @@ profile gnome-extension-ding @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gnome-shell), - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus bind bus=session name=com.rastersoft.ding, - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={ListNames,ListActivatableNames}, + dbus receive bus=session path=/com/rastersoft/ding + interface={org.gtk.Actions,org.freedesktop.DBus.Properties} + peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName,ListNames,ListActivatableNames} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - - dbus send bus=system path=/net/hadess/SwitcherooControl - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus send bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gjs-console), - - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gvfsd-metadata), - - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=ListMonitorImplementations - peer=(name=:*, label=gvfsd), - - dbus receive bus=session path=/org/gnome/SessionManager - 
interface=org.gnome.SessionManager - member=ClientRemoved - peer=(name=:*, label=gnome-session-binary), + dbus send bus=session path=/com/rastersoft/ding{,**} + interface=org.gtk.Actions + peer=(label=gnome-shell), dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={IsSupported,List} peer=(name=:*, label=gvfs-*-monitor), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member={ListMounts2,ListMountableInfo} - peer=(name=:*, label=gvfsd), - - dbus receive bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=Mounted - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/Settings + dbus (send, receive) bus=session path=/org/freedesktop/FileManager1 interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gsd-xsettings), + peer=(name=:*, label=nautilus), - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry), # all peer's labels - - dbus receive bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=EventListenerDeregistered - peer=(name=:*, label=at-spi2-registryd), - - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry), # all peer's labels - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry), # all peer's labels - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), - - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - 
member=Set - peer=(name=:*, label=at-spi2-registryd), - - dbus send bus=session path=/com/rastersoft/dingextension/control - interface=org.gtk.Actions - member=DescribeAll - peer=(name=com.rastersoft.dingextension, label=gnome-shell), - - dbus receive bus=session path=/com/rastersoft/ding - interface=org.gtk.Actions - member=DescribeAll - peer=(name=:*, label=gnome-shell), - - dbus receive bus=session path=/com/rastersoft/ding + dbus send bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gnome-shell), + peer=(name=:*, label=gjs-console), - dbus bind bus=session - name=com.rastersoft.ding, + dbus send bus=session path=/org/gnome/Nautilus/FileOperations* + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=nautilus), + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=ListMonitorImplementations + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gvfsd-metadata), + dbus receive bus=session path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member=AttributeChanged + peer=(name=:*, label=gvfsd-metadata), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=session path=/org/gnome/Nautilus/FileOperations2 + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=nautilus), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + peer=(name=org.freedesktop.DBus, label=dbus-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 13797280..471a3e3a 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary 
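Review bot: The final rule `dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus peer=(name=org.freedesktop.DBus, label=dbus-daemon)` carries no `member=`, so it allows every bus-driver method (match rules, `ListNames`, `GetConnectionUnixProcessID`, `UpdateActivationEnvironment`, …); the rules it replaces were limited to `{RequestName,ReleaseName,ListNames,ListActivatableNames}`, and every other profile in this patch that talks to the driver keeps a member list. Restoring `member={ListNames,ListActivatableNames}` keeps the old scope, since name ownership is already covered by the `dbus bind` rule at the top of the hunk, as the gdm and fwupd hunks rely on. The `dbus send bus=session path=/com/rastersoft/ding{,**} interface=org.gtk.Actions peer=(label=gnome-shell)` rule also omits the `name=` part its receive counterpart has, which reads as an oversight. The profile block starts before and ends after this hunk.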
+++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -38,7 +38,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={ReleaseName,UpdateActivationEnvironment,GetConnectionUnixUser,GetConnectionUnixProcessID} + member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment} peer=(name=org.freedesktop.DBus label=dbus-daemon), dbus send bus=system path=/org/freedesktop/login1 diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 8b0518da..4831b3d0 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -12,10 +12,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include include + include include - include - include include include include diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 83507c1e..be4bbcb7 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -42,11 +42,10 @@ profile goa-daemon @{exec_path} { interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=:*, label=goa-identity-service), - - dbus receive bus=session path=/org/gnome/OnlineAccounts - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label="{gvfs-goa-volume-monitor,goa-daemon,goa-identity-service,evolution-source-registry,unconfined}"), + dbus send bus=session path=/org/gnome/Identity/Manager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=goa-identity-service), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index def8a6eb..d0b8714e 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer 
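Review bot: The removed goa-daemon receive rule for `org.freedesktop.DBus.ObjectManager` `GetManagedObjects` on `/org/gnome/OnlineAccounts` has no replacement in this hunk, yet the evolution-source-registry hunk in this same patch keeps sending exactly that call to `peer=(name=:*, label=goa-daemon)`, and `gvfs-goa-volume-monitor` and `goa-identity-service` were in the old label list too. Unless a receive rule for that path exists outside the hunk or comes from an abstraction, those clients will be denied and account enumeration breaks. If it was dropped because a broader rule already covers it, a short comment on the remaining `GetManagedObjects` send would save the next reader the search. The profile block continues outside the hunk.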
@@ -39,6 +39,11 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
 member={EndSession,QueryEndSession,CancelEndSession,Stop}
 peer=(name=:*, label=gnome-session-binary),
 
+ dbus receive bus=session path=/org/gnome/SessionManager/Presence
+ interface=org.gnome.SessionManager.Presence
+ member=StatusChanged
+ peer=(name=:*, label=gnome-session-binary),
+
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames
index 7c170612..6f92672d 100644
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/mutter-x11-frames
 profile mutter-x11-frames @{exec_path} {
 include
+ include
 include
 include
 include
@@ -22,6 +23,11 @@ profile mutter-x11-frames @{exec_path} {
 include
 include
 
+ dbus receive bus=session path=/
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=gnome-shell),
+
 @{exec_path} mr,
 
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index dc8c30e5..80f77934 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -27,16 +27,17 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=gdm, dbus bind bus=session name=org.freedesktop.Tracker3.Miner.Extract, - dbus send bus=session path=/org/freedesktop/Tracker3/Miner/** - interface=org.freedesktop.Tracker3.Miner - peer=(name=org.freedesktop.DBus, label=tracker-miner), - dbus send bus=session path=/org/freedesktop/Tracker3/** - interface=org.freedesktop.DBus.Properties - peer=(name=org.freedesktop.Tracker3.*), # all members dbus receive bus=session path=/org/freedesktop/Tracker3/** interface=org.freedesktop.Tracker3.* peer=(name=:*), # all members + dbus send bus=session path=/org/freedesktop/Tracker3/** + interface=org.freedesktop.DBus.{Peer,Properties} + peer=(label=tracker-miner), + dbus send bus=session path=/org/freedesktop/Tracker3/** + interface=org.freedesktop.Tracker3.* + peer=(label=tracker-miner), + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={List,IsSupported,MountAdded} diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 7368c3a2..ac628b9c 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -28,10 +28,9 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { dbus (send, receive) bus=session path=/org/freedesktop/Tracker3/** interface=org.freedesktop.Tracker3.* peer=(name=:*), # all members - dbus receive bus=session path=/org/freedesktop/Tracker3/** interface=org.freedesktop.DBus.{Peer,Properties} - peer=(name=:*, label=tracker-extract), + peer=(name=:*), dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 5919f952..c26fead7 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor 
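Review bot: The tracker-miner receive rule for `org.freedesktop.DBus.{Peer,Properties}` drops `label=tracker-extract`, so any session peer may now call Properties methods, including `Set`, on `/org/freedesktop/Tracker3/**`. This matches the `org.freedesktop.Tracker3.*` receive rule just above it, which already admits any peer, so the widening is probably acceptable; if only tracker-extract and unconfined callers are expected, `peer=(name=:*, label="{tracker-extract,unconfined}")` documents that intent. The new tracker-extract send rules use `peer=(label=tracker-miner)` with no `name=` part, which works but differs from the `name=:*, label=` form used on every receive rule in the hunk. Both profile blocks continue outside their hunks.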
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -28,33 +28,25 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { ptrace (read), - dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**} - interface=org.freedesktop.{DBus.*,UDisks2.*} - peer=(label=udisksd), + dbus bind bus=session name=org.gtk.vfs.UDisks2VolumeMonitor, + + dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + peer=(name=:*), + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + peer=(name=org.freedesktop.DBus), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMountableInfo peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - member=MountAdded - peer=(name=org.freedesktop.DBus, label=tracker-*), - - dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - member={List,IsSupported} - peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), - dbus bind bus=session - name=org.gtk.vfs.UDisks2VolumeMonitor, - @{exec_path} mr, @{bin}/lsof rix, diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 36e496b9..b7847420 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse 
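Review bot: The `dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**} ... peer=(label=udisksd)` rule is removed and no include or other rule in this hunk replaces it, so unless the profile picks up a UDisks2 abstraction outside the hunk the monitor loses all access to udisksd, which is its whole purpose. The new RemoteVolumeMonitor receive from `peer=(name=:*)` is effectively the same scope as the old label list, which already contained `unconfined`, so that part is fine, and the `peer=(name=org.freedesktop.DBus)` send for the owned object follows the pattern used elsewhere in the patch. The profile block starts and ends outside the hunk.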
@@ -22,6 +22,11 @@ profile gvfsd-fuse @{exec_path} {
 member=Mounted
 peer=(name=:*, label=gvfsd),
 
+ dbus send bus=session path=/org/gtk/vfs/mounttracker
+ interface=org.gtk.vfs.MountTracker
+ member=RegisterFuse
+ peer=(name=:*, label=gvfsd),
+
 dbus receive bus=session path=/
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager
index 3613d1fe..14f45c0d 100644
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@@ -11,44 +11,22 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { include include include - include include include + include network qipcrtr dgram, network netlink raw, - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member=Inhibit, - - dbus receive bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={UserNew,SessionNew,PrepareForShutdown,SeatNew,UserRemoved,SessionRemoved,PrepareForSleep} - peer=(name=:*, label=systemd-logind), - - dbus receive bus=system path=/org/freedesktop/ModemManager1 - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects, - - dbus receive bus=system path=/org/freedesktop/ModemManager1 - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=Changed, - dbus bind bus=system name=org.freedesktop.ModemManager1, + dbus receive bus=system path=/org/freedesktop/ModemManager1 + interface=org.freedesktop.DBus.Properties + member=GetManagedObjects, + peer=(name=:*), + + dbus (send, receive) bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + peer=(name=:*, label=systemd-logind), @{exec_path} mr, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 10b50ac9..f68411c3 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager 
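Review bot: The new `dbus receive bus=system path=/org/freedesktop/ModemManager1` rule is malformed: `member=GetManagedObjects,` terminates the rule with its comma, leaving `peer=(name=:*),` as a stray line the parser will reject, and `GetManagedObjects` belongs to `org.freedesktop.DBus.ObjectManager`, not `org.freedesktop.DBus.Properties`. The two removed rules it replaces (ObjectManager `GetManagedObjects` and Properties `GetAll`) were correct and both are needed for clients to enumerate modems, so the fix below restores them with the explicit peer. The dropped login1 `Inhibit` send is covered by the new `(send, receive)` login1.Manager rule, but the removed PolicyKit rules have no replacement here (see the accounts-daemon note). The profile block continues outside the hunk.
```apparmor
  dbus bind bus=system name=org.freedesktop.ModemManager1,
  dbus receive bus=system path=/org/freedesktop/ModemManager1
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name=:*),
  dbus receive bus=system path=/org/freedesktop/ModemManager1
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=:*),
  # … unchanged: login1.Manager (send, receive) rule …
```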
@@ -9,7 +9,7 @@ include
 @{exec_path} = @{bin}/NetworkManager profile NetworkManager @{exec_path} flags=(attach_disconnected) { include
- include
+ include
 include include include
@@ -43,10 +43,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,NetworkManager*} peer=(name=:*),
- dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit1/Authority
- interface=org.freedesktop.PolicyKit1.Authority
- member={Changed,CheckAuthorization,CancelCheckAuthorization},
-
 dbus (send,receive) bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={SessionRemoved,UserNew,SessionNew,Inhibit,PrepareForShutdown,UserRemoved,PrepareForSleep}
@@ -54,7 +50,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus
- member={RequestName,GetConnectionUnixUser,GetConnectionUnixProcessID},
+ member={GetConnectionUnixUser,GetConnectionUnixProcessID}
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index 93603c69..d778cbba 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -15,13 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 capability dac_override, capability kill,
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=RequestName
- peer=(name=org.freedesktop.DBus),
-
- dbus bind bus=system
- name=org.freedesktop.oom[0-9],
+ dbus bind bus=system name=org.freedesktop.oom1,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager
index 30ef7816..9fac06e2 100644
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@@ -11,7 +11,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 include include include
- include
+ include
 include include include
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 9c534170..1337fba2 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -30,20 +30,20 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 network netlink raw,
+ dbus bind bus=system name=org.freedesktop.fwupd,
+ dbus receive bus=system path=/
+ interface=org.freedesktop.fwupd
+ peer=(name=:*, label=fwupdmgr),
+
 dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus
- member={GetConnectionUnixUser,RemoveMatch,RequestName,ReleaseName}
- peer=(name=org.freedesktop.DBus),
+ member={GetConnectionUnixUser,GetConnectionUnixProcessID}
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.{Properties,ObjectManager} member={GetAll,GetManagedObjects},
- dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
- interface=org.freedesktop.DBus.Properties
- member={Changed,GetAll}
- peer=(label=polkitd),
-
 dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/* interface=org.freedesktop.DBus.Properties member=GetAll,
@@ -66,11 +66,6 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 member={GetAll,SetHints,GetPlugins,GetRemotes} peer=(name=:*, label=fwupdmgr),
- dbus (send, receive) bus=system
- interface=org.freedesktop.fwupd,
-
- dbus bind bus=system name=org.freedesktop.fwupd,
-
 @{exec_path} mr, @{lib}/fwupd/fwupd-detect-cet rix,
diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon
index f57932ff..f7097355 100644
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
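Review bot: The new `dbus receive bus=system path=/ interface=org.freedesktop.fwupd peer=(name=:*, label=fwupdmgr)` stands in for the `dbus (send, receive) bus=system interface=org.freedesktop.fwupd,` removed in the second fwupd hunk, so the send direction is gone: if fwupd emits signals on its own interface they now need a rule such as `dbus send bus=system path=/ interface=org.freedesktop.fwupd peer=(name=org.freedesktop.DBus),`, following the signal pattern used elsewhere in this commit. The `label=fwupdmgr` constraint also means any other client of the daemon is rejected unless it carries that label; since the profile runs with `flags=(complain,…)` this surfaces as audit noise rather than a hard failure, which makes it easy to miss. A comment on the receive rule stating that only fwupdmgr is expected as a caller would make the narrowing intentional. The enclosing profile block starts and ends outside both hunks.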
@@ -13,37 +13,30 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
 include include
- capability sys_nice,
 capability dac_read_search,
+ capability net_admin,
+ capability sys_nice,
 network netlink raw,
- dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
-
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=RequestName,
-
- dbus send bus=system path=/net/hadess/PowerProfiles
- interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged,
+ dbus bind bus=system name=net.hadess.PowerProfiles,
 dbus receive bus=system path=/net/hadess/PowerProfiles interface=org.freedesktop.DBus.Properties
- member={GetAll,Set},
+ peer=(name=:*),
- dbus receive bus=system path=/org/freedesktop/login1
- interface={org.freedesktop.login1.Manager,org.freedesktop.DBus.Properties}
+ dbus send bus=system path=/net/hadess/PowerProfiles
+ interface=org.freedesktop.DBus.Properties
+ peer=(name=org.freedesktop.DBus),
+
+ dbus send bus=system path=/org/freedesktop/login1
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
 peer=(name=:*, label=systemd-logind),
- dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
- interface=org.freedesktop.PolicyKit[0-9].Authority
- member=Changed,
-
- dbus bind bus=system
- name=net.hadess.PowerProfiles,
+ dbus receive bus=system path=/org/freedesktop/login1
+ interface=org.freedesktop.login1.Manager
+ peer=(name=:*, label=systemd-logind),
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon
index fe2b9bc0..e38f2d9b 100644
--- a/apparmor.d/profiles-m-r/rtkit-daemon
+++ b/apparmor.d/profiles-m-r/rtkit-daemon
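Review bot: `capability net_admin,` is a new privilege for power-profiles-daemon that neither the commit title (a dbus rule rewrite) nor the hunk explains; a trailing comment naming the operation that requires it, e.g. `capability net_admin, # needed for <reason — placeholder, fill in>`, keeps the grant reviewable. The rewritten login1 rules also drop `org.freedesktop.DBus.Properties` from the receive side: the old rule accepted `{org.freedesktop.login1.Manager,org.freedesktop.DBus.Properties}` from systemd-logind, whereas now only `GetAll` is sent and only login1.Manager is received, so PropertiesChanged signals from logind would be denied if the daemon subscribes to them. Likewise the `/net/hadess/PowerProfiles` Properties receive rule lost `member={GetAll,Set}`, a small widening for a rule that matches any `:*` peer. The enclosing profile block starts and ends outside the hunk.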
@@ -1,13 +1,12 @@
 # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2022 Mikhail Morfikov
-# Copyright (C) 2021-2022 Alexandre Pujol
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only abi , include
-
 @{exec_path} = @{lib}/{,rtkit/}rtkit-daemon profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { include
@@ -21,24 +20,18 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) {
 capability sys_nice, capability sys_ptrace,
- dbus (send,receive) bus=system path=/org/freedesktop/RealtimeKit[0-9]
- interface=org.freedesktop.RealtimeKit[0-9],
-
- dbus receive bus=system path=/org/freedesktop/RealtimeKit[0-9]
+ dbus bind bus=system name=org.freedesktop.RealtimeKit1,
+ dbus receive bus=system path=/org/freedesktop/RealtimeKit1
+ interface=org.freedesktop.RealtimeKit1
+ peer=(name=:*),
+ dbus receive bus=system path=/org/freedesktop/RealtimeKit1
 interface=org.freedesktop.DBus.Properties
- member={Get,GetAll},
+ peer=(name=:*),
 dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus
- member={RequestName,GetConnectionUnixUser,GetConnectionUnixProcessID}
- peer=(name=org.freedesktop.DBus),
-
- dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
- interface=org.freedesktop.PolicyKit[0-9].Authority
- member=CheckAuthorization,
-
- dbus bind bus=system
- name=org.freedesktop.RealtimeKit[0-9],
+ member={GetConnectionUnixUser,GetConnectionUnixProcessID}
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index c084f0af..dc3f4ce9 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
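Review bot: The rewritten `dbus receive bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties peer=(name=:*)` drops the `member={Get,GetAll}` restriction the replaced rule carried, so `Set` and any other Properties member from any connection is now accepted by a daemon that grants realtime scheduling; keeping `member={Get,GetAll}` there costs nothing and preserves the earlier scope. The new RealtimeKit1 interface rule is deliberately member-less and `peer=(name=:*)` is the only scoping left on both receives, so a short comment explaining that any client may call it (and where the authorization decision is made, if it is delegated elsewhere) would help the next reader. The enclosing profile block starts and ends outside the second hunk.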
@@ -47,7 +47,7 @@ profile snapd @{exec_path} {
 ptrace (read) peer=snap, ptrace (read) peer=@{systemd},
- dbus (send) bus=system path=/org/freedesktop/
+ dbus send bus=system path=/org/freedesktop/
 interface=org.freedesktop.login1.Manager member={SetWallMessage,ScheduleShutdown} peer=(name=org.freedesktop.login1, label=systemd-logind),
@@ -55,12 +55,7 @@ profile snapd @{exec_path} {
 dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.DBus.Properties member=Get
- peer=(name=org.freedesktop.timedate1),
-
- dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
- interface=org.freedesktop.PolicyKit1.Authority
- member=CheckAuthorization
- peer=(name=org.freedesktop.PolicyKit1),
+ peer=(name=org.freedesktop.timedate1, label="{systemd-timedated,@{systemd}}"),
 @{exec_path} mrix,
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index 1179c610..4859ec36 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -48,10 +48,7 @@ profile thunderbird @{exec_path} {
 ptrace peer=@{profile_name},
- dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=RequestName
- peer=(name=org.freedesktop.DBus),
+ dbus bind bus=session name=org.mozilla.thunderbird.*,
 dbus send bus=system path=/org/freedesktop/RealtimeKit1 member={Get,MakeThreadHighPriority,MakeThreadRealtime}
@@ -82,8 +79,6 @@ profile thunderbird @{exec_path} {
 member=Introspect peer=(name=:*, label=gnome-shell),
- dbus bind bus=session name=org.mozilla.thunderbird.*,
-
 @{exec_path} mrix, @{bin}/{,ba,da}sh rix,
diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc
index 51060943..5ddcf28f 100644
--- a/apparmor.d/profiles-s-z/vlc
+++ b/apparmor.d/profiles-s-z/vlc
@@ -13,7 +13,6 @@ profile vlc @{exec_path} {
 include include include
- include
 include include include
@@ -36,10 +35,15 @@ profile vlc @{exec_path} {
 network inet6 stream, network netlink raw,
- dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={RequestName,ReleaseName,GetConnectionUnixProcessID}
- peer=(name=org.freedesktop.DBus),
+ dbus bind bus=session name=org.kde.StatusNotifierItem-*,
+
+ dbus bind bus=session name=org.mpris.MediaPlayer2.vlc*,
+ dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
+ interface=org.freedesktop.DBus.Properties
+ peer=(name="{org.freedesktop.DBus,:*}"), # all members
+ dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
+ interface=org.mpris.MediaPlayer2.*
+ peer=(name="{org.mpris.MediaPlayer2.vlc,org.freedesktop.DBus,:*}"), # all members
 dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Introspectable
@@ -85,18 +89,6 @@ profile vlc @{exec_path} {
 interface=com.canonical.dbusmenu peer=(name=:*),
- dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
- interface=org.freedesktop.DBus.Properties
- peer=(name="{org.freedesktop.DBus,:*}"), # all members
-
- dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
- interface=org.mpris.MediaPlayer2.*
- peer=(name="{org.mpris.MediaPlayer2.vlc,org.freedesktop.DBus,:*}"), # all members
-
- dbus bind bus=session name=org.kde.StatusNotifierItem-*,
-
- dbus bind bus=session name=org.mpris.MediaPlayer2.vlc*,
-
 @{exec_path} mrix, @{bin}/xdg-screensaver rPx,
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index fb124696..06a4c908 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -23,6 +23,19 @@ profile wireplumber @{exec_path} {
 dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio0,
+ dbus send bus=system path=/org/freedesktop/RealtimeKit1
+ interface=org.freedesktop.RealtimeKit1
+ peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),
+
+ dbus send bus=system path=/org/freedesktop/UPower/devices/DisplayDevice
+ interface=org.freedesktop.DBus.Properties
+ peer=(name=org.freedesktop.UPower, label=upowerd),
+
+ dbus send bus=system path=/org/freedesktop/RealtimeKit1
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),
+
 dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect
diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant
index 02d26f95..0c83be71 100644
--- a/apparmor.d/profiles-s-z/wpa-supplicant
+++ b/apparmor.d/profiles-s-z/wpa-supplicant
@@ -10,7 +10,8 @@ include
 @{exec_path} = @{bin}/wpa_supplicant profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { include
- include
+ include
+ include
 include capability chown,
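Review bot: The two new RealtimeKit1 send rules are separated by the UPower rule, which reads as three unrelated grants; placing the `interface=org.freedesktop.RealtimeKit1` rule and the `org.freedesktop.DBus.Properties member=Get` rule next to each other keeps the rtkit-daemon peer scoping visible in one place. The UPower DisplayDevice rule has no `member=`, so it also permits `Set` on `org.freedesktop.DBus.Properties`; if wireplumber only reads properties there, `member={Get,GetAll}` is the narrower form. The enclosing profile block starts and ends outside the hunk.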