feat(profiles): add some missing dbus rules.

2025-02-20 08:55:34 +01:00 · 2022-06-13 21:41:48 +01:00 · 2022-06-13 21:41:48 +01:00 · 7b0ef88358
commit 7b0ef88358
parent 6898bac12f
10 changed files with 79 additions and 5 deletions
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -29,6 +29,21 @@ profile apt @{exec_path} flags=(attach_disconnected) {

  signal (send) peer=apt-methods-*,

+  dbus send bus=system path=/org/freedesktop/PackageKit
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=org.freedesktop.PackageKit),
+
+  dbus send bus=system path=/org/freedesktop/PackageKit
+       interface=org.freedesktop.PackageKit
+       member=StateHasChanged
+       peer=(name=org.freedesktop.PackageKit),
+
+  dbus send bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.login[0-9].Manager
+       member=Inhibit
+       peer=(name=org.freedesktop.login[0-9]),
+
  @{exec_path} mr,

  /{usr/,}bin/{,ba,da}sh rix,
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -27,6 +27,18 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {

  network netlink raw,

+  dbus send bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.login[0-9].Manager
+       member=Inhibit,
+
+  dbus receive bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged,
+
+  dbus receive bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.NetworkManager
+       member=StateChanged,
+
  @{exec_path} mr,

  /{usr/,}bin/ r,
--- a/apparmor.d/groups/apt/unattended-upgrade-shutdown
+++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown
@ -14,6 +14,22 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) {
  include <abstractions/nameservice-strict>
  include <abstractions/python>

+  dbus send bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.login[0-9].Manager
+       member=Inhibit,
+
+  dbus send bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.DBus.{Introspectable,Properties}
+       member={Introspect,Get},
+
+  dbus send bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus receive bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.login[0-9].Manager
+       member=PrepareForShutdown,
+
  @{exec_path} mr,

  /{usr/,}bin/ischroot  rix,
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@ -34,7 +34,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {

  dbus receive bus=system path=/org/freedesktop/login[0-9]
       interface=org.freedesktop.login[0-9].Manager
-       member=SessionNew,
+       member={SessionNew,PrepareForShutdown},

  dbus bind bus=system 
       name=org.freedesktop.UPower,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -56,7 +56,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.{DBus.Properties,Accounts*}
       member={GetAll,FindUserByName,Changed,PropertiesChanged},

-  dbus (send,receive) bus=system path=/org/freedesktop/UPower/{,devices/DisplayDevice}
+  dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice}
       interface=org.freedesktop.DBus.Properties
       member={GetAll,PropertiesChanged},

@ -72,8 +72,16 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.DBus
       member=GetConnectionUnixUser,

+  dbus send bus=system path=/org/freedesktop/PackageKit
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]*
+       interface=org.freedesktop.NetworkManager.Settings.Connection
+       member=GetSettings,
+
  dbus send bus=system path=/org/gnome/DisplayManager/Manager
-       interface=org.gnome.{DBus.Properties,DisplayManager.Manager}
+       interface=org.{freedesktop.DBus.Properties,gnome.DisplayManager.Manager}
       member={RegisterSession,Get,GetAll,OpenReauthenticationChannel}
       peer=(name=org.gnome.DisplayManager),

--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@ -41,6 +41,10 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.DBus.Properties
       member=Get,

+  dbus send bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.login[0-9].Manager
+       member=PowerOff,
+
  dbus receive bus=system path=/org/freedesktop/login[0-9]
       interface=org.freedesktop.login[0-9].Manager
       member={SessionNew,SessionRemoved,PrepareForShutdown},
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@ -37,7 +37,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {

  dbus receive bus=system path=/org/freedesktop/login[0-9]
       interface=org.freedesktop.login[0-9].Manager
-       member={UserNew,SessionNew},
+       member={UserNew,SessionNew,PrepareForShutdown},

  dbus bind bus=system
       name=org.freedesktop.ModemManager[0-9],
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -15,6 +15,14 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
  capability dac_override,
  capability kill,

+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member=RequestName
+       peer=(name=org.freedesktop.DBus),
+
+  dbus bind bus=system 
+       name=org.freedesktop.oom[0-9],
+
  @{exec_path} mr,

  /etc/systemd/oomd.conf r,
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@ -28,6 +28,17 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
  network inet6 stream,
  network netlink raw,

+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={RequestName,GetConnectionUnixUser}
+       peer=(name=org.freedesktop.DBus),
+
+  dbus receive bus=system path=/org/freedesktop/resolve[0-9]
+       interface=org.freedesktop.resolve[0-9].Manager,
+
+  dbus bind bus=system 
+       name=org.freedesktop.resolve[0-9],
+
  @{exec_path} mr,

  /etc/systemd/resolved.conf r,
--- a/apparmor.d/groups/ubuntu/packagekitd
+++ b/apparmor.d/groups/ubuntu/packagekitd
@ -46,7 +46,7 @@ profile packagekitd @{exec_path} {

  dbus receive bus=system path=/org/freedesktop/login[0-9]
       interface=org.freedesktop.login[0-9].Manager
-       member=SessionNew,
+       member={SessionNew,PrepareForShutdown},

  dbus bind bus=system 
       name=org.freedesktop.PackageKit,