feat(profile): update some dbus rules.

2025-01-18 00:48:10 +01:00 · 2024-01-21 11:49:25 +00:00 · 2024-01-21 11:49:25 +00:00 · 81e98bf71d
commit 81e98bf71d
parent 6556856fed
10 changed files with 46 additions and 55 deletions
--- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
@ -22,4 +22,9 @@
       member=Completed
       peer=(name=:*, label=udisksd),

+  dbus receive bus=system path=/org/freedesktop/UDisks2/block_devices/*
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged
+       peer=(name=:*, label=udisksd),
+
  include if exists <abstractions/bus/org.freedesktop.UDisks2.d>
--- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
@ -0,0 +1,6 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+
+  include if exists <abstractions/bus/org.kde.StatusNotifierItem.d>
--- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
@ -2,5 +2,19 @@
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  dbus send bus=session path=/StatusNotifierWatcher
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
+
+  dbus send bus=session path=/StatusNotifierWatcher
+       interface=org.kde.StatusNotifierWatcher
+       member=RegisterStatusNotifierItem
+       peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell), 
+
+  dbus send bus=session path=/StatusNotifierWatcher
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),

  include if exists <abstractions/bus/org.kde.StatusNotifierWatcher.d>
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@ -10,10 +10,10 @@ include <tunables/global>
@{exec_path} = @{bin}/dbus-daemon
 profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
  include <abstractions/consoles>
-  include <abstractions/dbus-accessibility>
-  include <abstractions/dbus-session>
-  include <abstractions/dbus>
  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>

@ -37,11 +37,16 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {

  ptrace (read),

+  dbus bus=accessibility,
+  dbus bus=session,
+  dbus bus=system,
+
  @{exec_path} mr,

  @{bin}/ r,

  @{bin}/*                                                               rPUx,
+  @{bin}/dbus-launch                                                      rix,
  @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher                           rix, # See #74, #80 & #235
  @{lib}/@{multiarch}/tumbler-1/tumblerd                                 rPUx,
  @{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd                            rPx,
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -29,13 +29,8 @@ profile gnome-extension-ding @{exec_path} {

  unix (send,receive) type=stream addr=none peer=(label=gnome-shell),

-  dbus bind bus=session name=com.rastersoft.ding,
-  dbus receive bus=session path=/com/rastersoft/ding
-       interface={org.gtk.Actions,org.freedesktop.DBus.Properties}
-       peer=(name=:*, label=gnome-shell),
-  dbus send bus=session path=/com/rastersoft/ding{,**}
-       interface=org.gtk.Actions
-       peer=(label=gnome-shell),
+  # dbus: own bus=session name=com.rastersoft.ding
+  # dbus: talk bus=session name=com.rastersoft.dingextension label=gnome-shell

  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -80,20 +80,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
       peer=(name="{:*,org.gnome.*,org.freedesktop.DBus}"),

  # dbus: own bus=session name=com.canonical.Unity path=/com/canonical/unity
+  # dbus: own bus=session name=com.rastersoft.dingextension
  # dbus: own bus=session name=org.gtk.MountOperationHandler
  # dbus: own bus=session name=org.gtk.Notifications
  # dbus: own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher

-  dbus bind bus=session name=com.rastersoft.dingextension,
-  dbus (send, receive) bus=session path=/com/rastersoft/ding
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=:*, label=gnome-extension-ding),
-  dbus (send, receive) bus=session path=/com/rastersoft/ding{,extension/control}
-       interface=org.gtk.Actions
-       peer=(name=:*, label=gnome-extension-ding),
-
  # Talk with gnome-shell

+  # dbus: talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
+
  ## System bus

  dbus (send, receive) bus=system path=/org/gnome/**
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -36,6 +36,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {

  # dbus: own bus=session name=org.freedesktop.FileManager1

+  # dbus: talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell
+  # dbus: talk bus=session name=org.gtk.vfs label=gvfsd
+
  dbus receive bus=session path=/org/gnome/Nautilus/SearchProvider
       interface=org.gnome.Shell.SearchProvider2
       peer=(name=:*, label=gnome-shell),
@ -50,16 +53,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
       member={GetAll,ListActivatableNames}
       peer=(name=org.freedesktop.DBus, label=dbus-daemon),

-  # talk: org.gtk.vfs.*
-  dbus send bus=session path=/org/gtk/vfs/**
-       interface=org.gtk.vfs.*
-       peer=(name=:*, label=gvfsd),
-
-  # talk: org.gtk.MountOperationHandler
-  dbus send bus=session path=/org/gtk/MountOperationHandler
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=:*, label=gnome-shell),
-
  dbus send bus=session path=/org/gtk/Notifications
       interface=org.gtk.Notifications
       member=AddNotification
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -15,6 +15,7 @@ profile update-notifier @{exec_path} {
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.kde.StatusNotifierWatcher>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@ -17,6 +17,7 @@ profile qbittorrent @{exec_path} {
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.kde.StatusNotifierWatcher>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
@ -48,16 +49,6 @@ profile qbittorrent @{exec_path} {
  network netlink dgram,
  network netlink raw,

-  dbus send bus=session path=/StatusNotifierWatcher
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name=org.kde.StatusNotifierWatcher),
-   
-  dbus send bus=session path=/StatusNotifierWatcher
-       interface=org.kde.StatusNotifierWatcher
-       member=RegisterStatusNotifierItem
-       peer=(name=org.kde.StatusNotifierWatcher),
-   
  dbus send bus=session path=/StatusNotifierItem
       interface=org.kde.StatusNotifierItem
       member={NewToolTip,NewIcon}
@ -68,11 +59,6 @@ profile qbittorrent @{exec_path} {
       member=Activate
       peer=(name=:*),

-  dbus send bus=session path=/StatusNotifierWatcher
-       interface=org.freedesktop.DBus.Properties
-       member=Get
-       peer=(name=org.kde.StatusNotifierWatcher),
-   
  dbus receive bus=session path=/{StatusNotifierItem,MenuBar}
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/profiles-m-r/remmina
+++ b/apparmor.d/profiles-m-r/remmina
@ -16,6 +16,7 @@ profile remmina @{exec_path} {
  include <abstractions/bus/org.freedesktop.hostname1>
  include <abstractions/bus/org.freedesktop.secrets>
  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
+  include <abstractions/bus/org.kde.StatusNotifierWatcher>
  include <abstractions/dconf-write>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
@ -31,19 +32,9 @@ profile remmina @{exec_path} {

  # dbus: own bus=session name=org.remmina.Remmina

-  dbus send bus=session path=/StatusNotifierWatcher
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name=org.kde.StatusNotifierWatcher),
-
  dbus (send, receive) bus=session path=/org/ayatana/NotificationItem/remmina_icon{,/**}
       peer=(name="{:*,org.freedesktop.DBus}"),  # all interfaces and members

-  dbus send bus=session path=/StatusNotifierWatcher
-       interface=org.kde.StatusNotifierWatcher
-       member=RegisterStatusNotifierItem
-       peer=(name=:*),
-
  @{exec_path} r,

  /usr/share/remmina/{,**} r,