diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
index c8a493b5..1f0a6dab 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
@@ -22,4 +22,9 @@
 member=Completed
 peer=(name=:*, label=udisksd),
+ dbus receive bus=system path=/org/freedesktop/UDisks2/block_devices/*
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name=:*, label=udisksd),
+
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
new file mode 100644
index 00000000..d06c7354
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
@@ -0,0 +1,6 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ include if exists
diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
index 0bda0ee2..2eac4864 100644
--- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
@@ -2,5 +2,19 @@
 # Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ dbus send bus=session path=/StatusNotifierWatcher
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
+
+ dbus send bus=session path=/StatusNotifierWatcher
+ interface=org.kde.StatusNotifierWatcher
+ member=RegisterStatusNotifierItem
+ peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell),
+
+ dbus send bus=session path=/StatusNotifierWatcher
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
 include if exists
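Review bot: Every rule added to the StatusNotifierWatcher abstraction pins the peer to `label=gnome-shell`, which turns a shared abstraction into a GNOME-only one: the qbittorrent and remmina profiles, whose removed rules used `peer=(name=org.kde.StatusNotifierWatcher)` or `peer=(name=:*)` with no label and which presumably now include this file, will be denied `RegisterStatusNotifierItem` wherever another shell owns `org.kde.StatusNotifierWatcher`. Pinning the label is the right direction for an abstraction included by many profiles, but the assumption should be written down so the denial is not mistaken for a bug, e.g. `# Assumes gnome-shell owns org.kde.StatusNotifierWatcher; add other shells' labels here once they are profiled`. If other desktops are meant to keep working, a label set such as `label="{gnome-shell,plasmashell}"` would do it, though the second name is a guess to be checked against whichever profile owns the watcher on KDE. The `{:*,org.kde.StatusNotifierWatcher}` alternative on the register rule also deserves a word on why sends to the watcher's unique name are needed there but not for `Get` and `Introspect`.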
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index 1f10b6b0..ae89649f 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -10,10 +10,10 @@ include
 @{exec_path} = @{bin}/dbus-daemon
 profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 include
+ include
+ include
+ include
 include
- include
- include
- include
 include
 include
@@ -37,11 +37,16 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 ptrace (read),
+ dbus bus=accessibility,
+ dbus bus=session,
+ dbus bus=system,
+
 @{exec_path} mr,
 @{bin}/ r,
 @{bin}/* rPUx,
+ @{bin}/dbus-launch rix,
 @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix, # See #74, #80 & #235
 @{lib}/@{multiarch}/tumbler-1/tumblerd rPUx,
 @{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx,
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index e26a2522..90afe0d0 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -29,13 +29,8 @@ profile gnome-extension-ding @{exec_path} {
 unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
- dbus bind bus=session name=com.rastersoft.ding,
- dbus receive bus=session path=/com/rastersoft/ding
- interface={org.gtk.Actions,org.freedesktop.DBus.Properties}
- peer=(name=:*, label=gnome-shell),
- dbus send bus=session path=/com/rastersoft/ding{,**}
- interface=org.gtk.Actions
- peer=(label=gnome-shell),
+ # dbus: own bus=session name=com.rastersoft.ding
+ # dbus: talk bus=session name=com.rastersoft.dingextension label=gnome-shell
 dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index e9318b53..895ae3ca 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
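Review bot: The three access-less rules `dbus bus=accessibility,`, `dbus bus=session,` and `dbus bus=system,` in the second dbus-daemon hunk grant every D-Bus access mode (send, receive, bind and, as I read the rule syntax, eavesdrop) with no path, interface or peer qualifier, and nothing in the hunk records why the broker needs that when the rest of this diff keeps dbus rules narrow; a why-comment above them would stop the next reader from tightening them back, e.g. `# dbus-daemon is the bus itself: it must deliver bus-driver signals (NameOwnerChanged, ...) to every client`, if that is the reason. The new `@{bin}/dbus-launch rix,` runs dbus-launch inside this profile, so dbus-launch inherits that unrestricted bus access, `ptrace (read)` and the broad `@{bin}/* rPUx` exec rule; if a dbus-launch profile exists, `@{bin}/dbus-launch rPx,` would keep those permissions out of it. The profile body continues outside the hunk.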
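Review bot: In the gnome-extension-ding hunk the `# dbus: own` and `# dbus: talk` directives that replace the explicit rules carry no interface or member, whereas the removed rules were limited to `interface={org.gtk.Actions,org.freedesktop.DBus.Properties}` on `/com/rastersoft/ding` and to `org.gtk.Actions` sends, so whatever the project's directive expander emits is presumably wider (all interfaces and members on the path derived from the name). If that widening is intended it should be stated on a comment line above the directives, e.g. `# ding and gnome-shell exchange org.gtk.Actions and DBus.Properties only; the directives below grant all interfaces`. The removed send rule also covered `path=/com/rastersoft/ding{,**}` toward gnome-shell while the `talk` directive names `com.rastersoft.dingextension`, so it is worth confirming that the `own` expansion still permits those sends on the extension's own path, otherwise the desktop-icon action calls will be denied. The `dbus send` rule at the end of the hunk continues outside it.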
@@ -80,20 +80,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 peer=(name="{:*,org.gnome.*,org.freedesktop.DBus}"),
 # dbus: own bus=session name=com.canonical.Unity path=/com/canonical/unity
+ # dbus: own bus=session name=com.rastersoft.dingextension
 # dbus: own bus=session name=org.gtk.MountOperationHandler
 # dbus: own bus=session name=org.gtk.Notifications
 # dbus: own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher
- dbus bind bus=session name=com.rastersoft.dingextension,
- dbus (send, receive) bus=session path=/com/rastersoft/ding
- interface=org.freedesktop.DBus.Properties
- peer=(name=:*, label=gnome-extension-ding),
- dbus (send, receive) bus=session path=/com/rastersoft/ding{,extension/control}
- interface=org.gtk.Actions
- peer=(name=:*, label=gnome-extension-ding),
- # Talk with gnome-shell
+ # dbus: talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
+
 ## System bus
 dbus (send, receive) bus=system path=/org/gnome/**
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index e8433897..00ee36d6 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -36,6 +36,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 # dbus: own bus=session name=org.freedesktop.FileManager1
+ # dbus: talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell
+ # dbus: talk bus=session name=org.gtk.vfs label=gvfsd
+
 dbus receive bus=session path=/org/gnome/Nautilus/SearchProvider
 interface=org.gnome.Shell.SearchProvider2
 peer=(name=:*, label=gnome-shell),
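Review bot: The removed gnome-shell rules for the ding extension were pinned to `peer=(name=:*, label=gnome-extension-ding)`, but the `# dbus: own bus=session name=com.rastersoft.dingextension` directive that replaces the bind carries no peer, so the generated receive rules on the dingextension path will presumably accept calls from any session-bus client rather than only the ding profile. For a service that gnome-shell exposes this may be acceptable, but it is a loosening the hunk does not mention; if the expander accepts a label on `own` the old restriction could be kept, and otherwise a comment should record it, e.g. `# com.rastersoft.dingextension is only ever called by gnome-extension-ding`. The `# dbus: talk bus=session name=com.rastersoft.ding label=gnome-extension-ding` line keeps the label but no longer limits the interfaces to `org.gtk.Actions` and `org.freedesktop.DBus.Properties` as the removed rules did. The `dbus (send, receive) bus=system` rule at the end of the hunk continues outside it.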
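Review bot: The two `# dbus: talk` directives added to nautilus stand in for rules, removed further down in this diff, that were `send`-only and interface-bound: `interface=org.gtk.vfs.*` on `/org/gtk/vfs/**` toward gvfsd and `interface=org.freedesktop.DBus.Properties` on `/org/gtk/MountOperationHandler` toward gnome-shell. If `talk` expands to `(send, receive)` on all interfaces, as the word suggests, nautilus gains receive permission from both peers that it did not have before; the labels are kept so the peer set does not grow, but the intent should be recorded, e.g. `# nautilus only sends to these peers; receive comes with the talk directive`, or the send-only rules kept if the expander cannot express that. `name=org.gtk.vfs` is also a prefix rather than a well-known bus name (the removed rule matched the interface `org.gtk.vfs.*`), so confirm the expander treats it as one.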
@@ -50,16 +53,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 member={GetAll,ListActivatableNames}
 peer=(name=org.freedesktop.DBus, label=dbus-daemon),
- # talk: org.gtk.vfs.*
- dbus send bus=session path=/org/gtk/vfs/**
- interface=org.gtk.vfs.*
- peer=(name=:*, label=gvfsd),
-
- # talk: org.gtk.MountOperationHandler
- dbus send bus=session path=/org/gtk/MountOperationHandler
- interface=org.freedesktop.DBus.Properties
- peer=(name=:*, label=gnome-shell),
-
 dbus send bus=session path=/org/gtk/Notifications
 interface=org.gtk.Notifications
 member=AddNotification
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index 50b1b77e..df0e96ff 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -15,6 +15,7 @@ profile update-notifier @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent
index cd562f2c..72279e41 100644
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@@ -17,6 +17,7 @@ profile qbittorrent @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
@@ -47,17 +48,7 @@ profile qbittorrent @{exec_path} {
 network inet6 stream,
 network netlink dgram,
 network netlink raw,
-
- dbus send bus=session path=/StatusNotifierWatcher
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=org.kde.StatusNotifierWatcher),
-
- dbus send bus=session path=/StatusNotifierWatcher
- interface=org.kde.StatusNotifierWatcher
- member=RegisterStatusNotifierItem
- peer=(name=org.kde.StatusNotifierWatcher),
-
+
 dbus send bus=session path=/StatusNotifierItem
 interface=org.kde.StatusNotifierItem
 member={NewToolTip,NewIcon}
@@ -67,12 +58,7 @@ profile qbittorrent @{exec_path} {
 interface=org.kde.StatusNotifierItem
 member=Activate
 peer=(name=:*),
-
- dbus send bus=session path=/StatusNotifierWatcher
- interface=org.freedesktop.DBus.Properties
- member=Get
- peer=(name=org.kde.StatusNotifierWatcher),
-
+
 dbus receive bus=session path=/{StatusNotifierItem,MenuBar}
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina
index dd41cba0..323faaf8 100644
--- a/apparmor.d/profiles-m-r/remmina
+++ b/apparmor.d/profiles-m-r/remmina
@@ -16,6 +16,7 @@ profile remmina @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
@@ -31,19 +32,9 @@ profile remmina @{exec_path} {
 # dbus: own bus=session name=org.remmina.Remmina
- dbus send bus=session path=/StatusNotifierWatcher
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=org.kde.StatusNotifierWatcher),
-
 dbus (send, receive) bus=session path=/org/ayatana/NotificationItem/remmina_icon{,/**} peer=(name="{:*,org.freedesktop.DBus}"), # all interfaces and members
- dbus send bus=session path=/StatusNotifierWatcher
- interface=org.kde.StatusNotifierWatcher
- member=RegisterStatusNotifierItem
- peer=(name=:*),
-
 @{exec_path} r,
 /usr/share/remmina/{,**} r,