diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 7e0c09b6..3301e999 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -29,6 +29,21 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 signal (send) peer=apt-methods-*,
+ dbus send bus=system path=/org/freedesktop/PackageKit
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=org.freedesktop.PackageKit),
+
+ dbus send bus=system path=/org/freedesktop/PackageKit
+ interface=org.freedesktop.PackageKit
+ member=StateHasChanged
+ peer=(name=org.freedesktop.PackageKit),
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member=Inhibit
+ peer=(name=org.freedesktop.login[0-9]),
+
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index 4a978427..8f851253 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -27,6 +27,18 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member=Inhibit,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=StateChanged,
+
 @{exec_path} mr,
 /{usr/,}bin/ r,
diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown
index 85024366..0e9f43b9 100644
--- a/apparmor.d/groups/apt/unattended-upgrade-shutdown
+++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown
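Review bot: The three rules added to unattended-upgrade carry no `peer=` constraint, unlike the otherwise identical logind `Inhibit` rule added to the apt profile in this same change, so the `send` may go to whichever connection answers at that path and the two `receive` rules accept `PropertiesChanged`/`StateChanged` from any bus client, not only NetworkManager. For the send rule the fix is the same clause apt already uses, `peer=(name=org.freedesktop.login[0-9]),`; for the two receive rules, pin the sender (by name or, as signals arrive from a unique name, by the label of the NetworkManager profile) so that a confined-but-compromised client cannot inject fake network state into the upgrader. Whether unattended-upgrade acts on those signals is not visible here, so the impact is hedged, but the constraint costs nothing functionally. The profile body continues outside the hunk.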
@@ -14,6 +14,22 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) {
 include
 include
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member=Inhibit,
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.DBus.{Introspectable,Properties}
+ member={Introspect,Get},
+
+ dbus send bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member=PrepareForShutdown,
+
 @{exec_path} mr,
 /{usr/,}bin/ischroot rix,
diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd
index b2ac5d65..4e25042e 100644
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@@ -34,7 +34,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
 dbus receive bus=system path=/org/freedesktop/login[0-9]
 interface=org.freedesktop.login[0-9].Manager
- member=SessionNew,
+ member={SessionNew,PrepareForShutdown},
 dbus bind bus=system name=org.freedesktop.UPower,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index b0808666..3a5e8228 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -56,7 +56,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.{DBus.Properties,Accounts*}
 member={GetAll,FindUserByName,Changed,PropertiesChanged},
- dbus (send,receive) bus=system path=/org/freedesktop/UPower/{,devices/DisplayDevice}
+ dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice}
 interface=org.freedesktop.DBus.Properties
 member={GetAll,PropertiesChanged},
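Review bot: None of the four rules added to unattended-upgrade-shutdown restricts the peer, and the second `send` rule is a brace cross-product — `interface=org.freedesktop.DBus.{Introspectable,Properties} member={Introspect,Get}` — that also admits `Introspectable.Get` and `Properties.Introspect`, neither of which is a real method; splitting it into one rule per interface keeps the grant exact. The three send rules should carry the same `peer=(name=org.freedesktop.login[0-9]),` / `peer=(name=org.freedesktop.NetworkManager),` clauses the apt profile uses in this commit. The unconstrained `PrepareForShutdown` receive rule lets any bus client deliver a fake shutdown signal to this process; logind is the only legitimate emitter, so binding the sender (signals arrive from a unique name, so a `label=` on logind's profile is the usable handle) is the natural bound. The profile body continues outside the hunk.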
@@ -72,8 +72,16 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus
 member=GetConnectionUnixUser,
+ dbus send bus=system path=/org/freedesktop/PackageKit
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]*
+ interface=org.freedesktop.NetworkManager.Settings.Connection
+ member=GetSettings,
+
 dbus send bus=system path=/org/gnome/DisplayManager/Manager
- interface=org.gnome.{DBus.Properties,DisplayManager.Manager}
+ interface=org.{freedesktop.DBus.Properties,gnome.DisplayManager.Manager}
 member={RegisterSession,Get,GetAll,OpenReauthenticationChannel}
 peer=(name=org.gnome.DisplayManager),
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index 23ae3898..1af3f985 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -41,6 +41,10 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member=Get,
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member=PowerOff,
+
 dbus receive bus=system path=/org/freedesktop/login[0-9]
 interface=org.freedesktop.login[0-9].Manager
 member={SessionNew,SessionRemoved,PrepareForShutdown},
diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager
index 795061b9..6c5778a2 100644
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@@ -37,7 +37,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
 dbus receive bus=system path=/org/freedesktop/login[0-9]
 interface=org.freedesktop.login[0-9].Manager
- member={UserNew,SessionNew},
+ member={UserNew,SessionNew,PrepareForShutdown},
 dbus bind bus=system name=org.freedesktop.ModemManager[0-9],
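Review bot: The two `send` rules added to gnome-shell lack the `peer=(name=…)` clause that the DisplayManager rule directly below them (and the apt profile's PackageKit rules in this same commit) carry, so `GetAll` and `GetSettings` are permitted to whichever connection currently answers at those object paths rather than to the intended daemon. Add `peer=(name=org.freedesktop.PackageKit),` to the first rule and `peer=(name=org.freedesktop.NetworkManager),` to the second so the policy stays consistent and does not widen if another service ever exposes those paths. `GetSettings` returns connection profile data, so a short comment stating which UI feature needs it would help the next reviewer judge the grant; what consumes it is not visible in the hunk. The `interface=` fix on the DisplayManager rule is correct and not re-raised here.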
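Review bot: `member=PowerOff` on `org.freedesktop.login[0-9].Manager` is a new privilege for gsd-media-keys — it authorises the process to request a system power-off from logind — and it is added without a `peer=` constraint and without a comment explaining why a media-key handler needs it (presumably the power-button key binding, but that is not visible here). Pin it with `peer=(name=org.freedesktop.login[0-9]),`, matching the apt profile's logind rule in this commit, and precede it with a why-comment such as `# Power key: ask logind to shut down; logind's own authorization still applies`. Stating that AppArmor is not the only gate on this call keeps reviewers from over-reading the grant, while the peer clause stops the rule from being satisfied by any other connection that registers that path. The surrounding receive rule continues outside the hunk.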
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index 8aaa47e1..51c95970 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -15,6 +15,14 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 capability dac_override,
 capability kill,
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=RequestName
+ peer=(name=org.freedesktop.DBus),
+
+ dbus bind bus=system
+ name=org.freedesktop.oom[0-9],
+
 @{exec_path} mr,
 /etc/systemd/oomd.conf r,
diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved
index 13a5dc58..f2e385d6 100644
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@@ -28,6 +28,17 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
 network inet6 stream,
 network netlink raw,
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,GetConnectionUnixUser}
+ peer=(name=org.freedesktop.DBus),
+
+ dbus receive bus=system path=/org/freedesktop/resolve[0-9]
+ interface=org.freedesktop.resolve[0-9].Manager,
+
+ dbus bind bus=system
+ name=org.freedesktop.resolve[0-9],
+
 @{exec_path} mr,
 /etc/systemd/resolved.conf r,
diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd
index c0dc9ffc..56805647 100644
--- a/apparmor.d/groups/ubuntu/packagekitd
+++ b/apparmor.d/groups/ubuntu/packagekitd
@@ -46,7 +46,7 @@ profile packagekitd @{exec_path} {
 dbus receive bus=system path=/org/freedesktop/login[0-9]
 interface=org.freedesktop.login[0-9].Manager
- member=SessionNew,
+ member={SessionNew,PrepareForShutdown},
 dbus bind bus=system name=org.freedesktop.PackageKit,
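Review bot: systemd-oomd gains `bind` for `org.freedesktop.oom[0-9]` but no matching `dbus receive` rule for the `org.freedesktop.oom[0-9].Manager` interface, whereas the systemd-resolved hunk in this same commit pairs its bind with exactly such a receive rule. If any client calls methods on the name (the `oomctl` tool is the obvious candidate, though that is inferred, not shown), those calls will be denied and surface as AppArmor audit noise rather than a clean failure. Either add `dbus receive bus=system path=/org/freedesktop/oom[0-9] interface=org.freedesktop.oom[0-9].Manager,` scoped with a `peer=` to the expected callers, or record in a one-line comment that the name is only bound and no method calls are expected, so the asymmetry with resolved reads as intentional. The profile body continues outside the hunk.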
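Review bot: The new `dbus receive` rule for systemd-resolved names an interface but neither a `member=` nor a `peer=` clause, so every method on `org.freedesktop.resolve[0-9].Manager`, whatever its sensitivity, is accepted from any bus client and resolved's own authorization becomes the sole gate. If the intent is to admit only specific network components, add a `peer=` constraint; if the grant is deliberately open because the daemon enforces its own policy, say so above the rule, e.g. `# Open to all callers: resolved authorizes each Manager method itself`, so the next reviewer does not have to rediscover that. Note also that the rule covers only the Manager object path, so per-link objects under `/org/freedesktop/resolve[0-9]/link/` are not matched; if that is intentional a comment would help, and if not it will show up as denials once a client touches them. The profile body continues outside the hunk.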