diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
index 5ed50fac..933cb46b 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
@@ -7,6 +7,11 @@
  member=GetAll
  peer=(name=:*, label=colord),
 
+ dbus send bus=system path=/org/freedesktop/ColorManager/devices/*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=colord),
+
  dbus send bus=system path=/org/freedesktop/ColorManager
  interface=org.freedesktop.ColorManager
  member=CreateDevice
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
index eb73a91f..dc870f4d 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
@@ -27,4 +27,9 @@
  member=AddAgent
  peer=(name=:*, label=geoclue),
 
+ dbus receive bus=system path=/org/freedesktop/GeoClue2/Manager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name=:*, label=geoclue),
+
  include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
index 04eb2c4c..af7c1828 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
@@ -14,7 +14,7 @@
 
  dbus send bus=system path=/org/freedesktop/login1/session/*
  interface=org.freedesktop.login1.Session
- member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness}
+ member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint}
  peer=(name=:*, label=systemd-logind),
 
  dbus receive bus=system path=/org/freedesktop/login1/session/*
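Review bot: `SetLockedHint` and `SetIdleHint` are added to the shared org.freedesktop.login1.Session abstraction, so every profile that includes it can now change the session's locked and idle hints, not only the screen locker or session manager that actually needs to. The gnome-session-binary hunk further down this page keeps its own SetIdleHint rule with the stricter `peer=(name=org.freedesktop.login1, label=systemd-logind)`; if that profile also includes this abstraction, AppArmor unions the two and the stricter rule no longer constrains anything. Consider leaving the hint setters in the profiles that call them, or putting a one-line comment above this rule naming the includers that rely on them so the grant can be pruned later.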
@@ -24,7 +24,7 @@
 
  dbus receive bus=system path=/org/freedesktop/login1/session/*
  interface=org.freedesktop.login1.Session
- member=PauseDevice
+ member={PauseDevice,Unlock}
  peer=(name=:*, label=systemd-logind),
 
  include if exists
diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
new file mode 100644
index 00000000..a7898671
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ dbus send bus=session path=/org/gnome/Mutter/IdleMonitor
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects
+ peer=(name=:*, label=gnome-shell),
+
+ dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core
+ interface=org.gnome.Mutter.IdleMonitor
+ member={AddIdleWatch,AddUserActiveWatch,RemoveWatch}
+ peer=(name=:*, label=gnome-shell),
+
+ dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
+ interface=org.gnome.Mutter.IdleMonitor
+ member=WatchFired
+ peer=(name=:*, label=gnome-shell),
+
+ include if exists
diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager
index 47b0e455..7ced3354 100644
--- a/apparmor.d/abstractions/bus/org.gnome.SessionManager
+++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager
@@ -7,6 +7,11 @@
  member={RegisterClient,IsSessionRunning}
  peer=(name=:*, label=gnome-session-binary),
 
+ dbus send bus=session path=/org/gnome/SessionManager
+ interface=org.gnome.SessionManager
+ member=Setenv
+ peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
+
  dbus receive bus=session path=/org/gnome/SessionManager
  interface=org.gnome.SessionManager
  member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded}
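Review bot: `member=Setenv` is placed in the shared org.gnome.SessionManager abstraction, so any profile that includes it may add variables to gnome-session's application launch environment, which is a materially broader grant than the `RegisterClient,IsSessionRunning` rule it sits next to. The peer is pinned to the well-known name and the gnome-session-binary label, which is the right shape, but the abstraction puts no limit on who the caller is. If only a small number of profiles call Setenv, keep the rule in those profiles; otherwise a comment above it such as `# Setenv: required by <includers that call it> at session start` tells the next reviewer why the whole abstraction carries it.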
diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect
new file mode 100644
index 00000000..e6c1bf57
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ dbus send bus=session path=/org/gnome/Shell/Introspect
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=gnome-shell),
+
+ dbus send bus=session path=/org/gnome/Shell/Introspect
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.gnome.Shell.Introspect, label=gnome-shell),
+
+ dbus send bus=session path=/org/gnome/Shell/Introspect
+ interface=org.gnome.Shell.Introspect
+ member=GetRunningApplications
+ peer=(name=:*, label=gnome-shell),
+
+ dbus receive bus=session path=/org/gnome/Shell/Introspect
+ interface=org.gnome.Shell.Introspect
+ member={RunningApplicationsChanged,WindowsChanged}
+ peer=(name=:*, label=gnome-shell),
+
+ include if exists
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index 6b3c572f..c2148e68 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -14,6 +14,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
  include
  include
  include
+ include
  include
  include
  include
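Review bot: The two org.freedesktop.DBus.Properties send rules in the new abstraction target the same object with different peer forms (`GetAll` only to `name=:*`, `Get` only to `name=org.gnome.Shell.Introspect`), so a client that issues GetAll through the well-known name, or Get through gnome-shell's unique name, would not match either rule. Unless the split is deliberate, one rule in the braced-name form already used on this page (the fwupd hunk) covers both: `member={Get,GetAll}` with `peer=(name="{:*,org.gnome.Shell.Introspect}", label=gnome-shell),`. A short header comment naming the profiles this abstraction was extracted from (xdg-desktop-portal-gnome, xdg-desktop-portal-gtk, gjs-console and gsd-xsettings on this page) would also make later pruning easier.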
@@ -36,21 +37,6 @@ profile xdg-desktop-portal-gnome @{exec_path} {
  member=GetAll
  peer=(name=:*, label=gnome-shell),
 
- dbus send bus=session path=/org/gnome/Shell/Introspect
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=gnome-shell),
-
- dbus send bus=session path=/org/gnome/Shell/Introspect
- interface=org.gnome.Shell.Introspect
- member=GetRunningApplications
- peer=(name=:*, label=gnome-shell),
-
- dbus receive bus=session path=/org/gnome/Shell/Introspect
- interface=org.gnome.Shell.Introspect
- member={RunningApplicationsChanged,WindowsChanged}
- peer=(name=:*, label=gnome-shell),
-
  dbus send bus=session path=/org/freedesktop/portal/desktop
  interface=org.freedesktop.impl.portal.Background
  member=RunningApplicationsChanged
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index 8d18c5a7..21c8eff9 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@@ -18,6 +18,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  include
  include
  include
+ include
  include
  include
  include
@@ -40,16 +41,6 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  interface=org.freedesktop.impl.portal.Settings
  peer=(name=:*),
 
- dbus receive bus=session path=/org/gnome/Shell/Introspect
- interface=org.gnome.Shell.Introspect
- member={RunningApplicationsChanged,WindowsChanged}
- peer=(name=:*, label=gnome-shell),
-
- dbus send bus=session path=/org/gnome/Shell/Introspect
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=gnome-shell),
-
  dbus send bus=session path=/org/gtk/Notifications
  interface=org.freedesktop.DBus.Properties
  member=GetAll
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index 5b0f23ed..b5be0388 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
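Review bot: Swapping xdg-desktop-portal-gtk's two Shell.Introspect rules for the new abstraction gives that profile more than it had: the abstraction (see the org.gnome.Shell.Introspect hunk on this page) also permits sending `GetRunningApplications` and `Properties.Get` to gnome-shell, neither of which the removed rules granted, whereas xdg-desktop-portal-gnome loses nothing because its removed block already contained GetRunningApplications. If portal-gtk only consumes the `RunningApplicationsChanged`/`WindowsChanged` signals plus GetAll, the widening is unnecessary; either keep the two explicit rules in this profile, or accept the extra grant knowingly with a comment beside the include added in the first hunk. The enclosing profile block starts and ends outside both hunks.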
@@ -15,6 +15,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  include
  include
  include
+ include
  include
  include
  include
@@ -70,18 +71,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  interface=org.freedesktop.DBus.Properties
  peer=(name=:*, label=gnome-shell),
 
- dbus receive bus=session
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=:*, label=gnome-shell),
-
- dbus (send, receive) bus=session path=/org/gnome/Shell/Introspect
- interface=org.gnome.Shell.Introspect
- peer=(name=:*, label=gnome-shell),
- dbus (send, receive) bus=session path=/org/gnome/Shell/Introspect
- interface=org.freedesktop.DBus.Properties
- peer=(name=:*, label=gnome-shell),
-
  @{exec_path} mr,
  @{bin}/ r,
  @{bin}/[a-z0-9]* rPUx,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index f86ca28f..f173a94d 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -16,6 +16,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  include
  include
  include
+ include
  include
  include
  include
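Review bot: The removed `dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell)` rule has no counterpart in either new abstraction on this page, and the include added in the first hunk has its target stripped in this rendering, so the diff alone cannot show that gnome-shell is still allowed to introspect gjs-console's objects. The same Introspect rule is dropped in gnome-terminal-server, gsd-color, gsd-media-keys, gsd-power and gsd-xsettings further down. If a common include now carries it, a sentence in the commit message or a comment beside the include would settle it; if not, the first Introspect call from gnome-shell surfaces as a denial once these profiles are enforced. Separately, the two Shell.Introspect `dbus (send, receive)` rules removed here had no member list, so the abstraction's explicit members are a genuine tightening that is worth a quick check against what gjs-console actually calls.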
@@ -35,30 +36,20 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  signal (send) set=(term) peer=at-spi-bus-launcher,
  signal (send) set=(term) peer=gsd-*,
 
- dbus bind bus=session name=org.gnome.SessionManager,
+ dbus bind bus=session name=org.gnome.SessionManager{,.*},
  dbus receive bus=session path=/org/gnome/SessionManager{,/**}
  interface=org.freedesktop.DBus.Properties
  peer=(name=:*),
  dbus receive bus=session path=/org/gnome/SessionManager{,/**}
- interface=org.gnome.SessionManager
+ interface=org.gnome.SessionManager{,.*}
  peer=(name=:*),
  dbus send bus=session path=/org/gnome/SessionManager{,/**}
  interface=org.freedesktop.DBus.Properties
  peer=(name=org.freedesktop.DBus),
  dbus send bus=session path=/org/gnome/SessionManager{,/**}
- interface=org.gnome.SessionManager
- peer=(name=org.freedesktop.DBus,),
-
- dbus send bus=session path=/org/gnome/SessionManager/Presence
- interface=org.gnome.SessionManager.Presence
- member=StatusChanged
+ interface=org.gnome.SessionManager{,.*}
  peer=(name=org.freedesktop.DBus),
 
- dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
- interface=org.gnome.Mutter.IdleMonitor
- member=WatchFired
- peer=(name=:*, label=gnome-shell),
-
  dbus send bus=session path=/org/freedesktop/DBus
  interface=org.freedesktop.DBus
  member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment}
@@ -66,10 +57,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 
  dbus send bus=system path=/org/freedesktop/login1
  interface=org.freedesktop.login1.Manager
- member={CanPowerOff,GetSession,PowerOff,Inhibit,Reboot}
+ member={CanPowerOff,PowerOff,Reboot}
  peer=(name=:*, label=systemd-logind),
 
- dbus send bus=system path=/org/freedesktop/login1/session/*
+ dbus send bus=system path=/org/freedesktop/login1/session/c1
  interface=org.freedesktop.login1.Session
  member=SetIdleHint
  peer=(name=org.freedesktop.login1, label=systemd-logind),
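Review bot: `path=/org/freedesktop/login1/session/c1` in the second hunk hard-codes a logind session id: logind takes the id from the audit session id when one exists, so on most installations the session object is numeric and `c1` only shows up where no audit id is available, which means the SetIdleHint call is denied everywhere else. The previous `session/*` was broad but correct; if narrowing is wanted, check a denial log for the path gnome-session actually addresses (the gsd-power rules on this page use the `session/auto` alias) before fixing one, and until then restore `dbus send bus=system path=/org/freedesktop/login1/session/*`. In the first hunk, widening the bind to `name=org.gnome.SessionManager{,.*}` and the interface to `org.gnome.SessionManager{,.*}` deserves a one-line comment listing the sub-names and interfaces gnome-session is known to claim, so the wildcard is not read as an accident. The enclosing profile block extends beyond both hunks.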
@@ -78,21 +69,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  interface=org.freedesktop.systemd1.Manager
  peer=(name=org.freedesktop.systemd1, label=@{systemd}),
 
- dbus send bus=session path=/org/gnome/Mutter/IdleMonitor
- interface=org.freedesktop.DBus.ObjectManager
- member=GetManagedObjects
- peer=(name=:*, label=gnome-shell),
-
- dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core
- interface=org.gnome.Mutter.IdleMonitor
- member={AddIdleWatch,AddUserActiveWatch,RemoveWatch}
- peer=(name=:*, label=gnome-shell),
-
- dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
- interface=org.gnome.Mutter.IdleMonitor
- member=WatchFired
- peer=(name=:*, label=gnome-shell),
-
  @{exec_path} mr,
 
  @{bin}/{,z,ba,da}sh rix,
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index 821409b8..f3926950 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -43,11 +43,6 @@ profile gnome-terminal-server @{exec_path} {
  member=StartTransientUnit
  peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
 
- dbus receive bus=session
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=:*, label=gnome-shell),
-
  @{exec_path} mr,
 
  # The shell is not confined on purpose.
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index 66b859f0..7e76e177 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -19,10 +19,8 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
  include
  include
  include
- include
- include
+ include
  include
- include
 
 
  signal (receive) set=(term, hup) peer=gdm*,
@@ -32,19 +30,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
  member=GetAll
  peer=(name=:*, label=gnome-shell),
 
- dbus receive bus=session
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=:*, label=gnome-shell),
-
  @{exec_path} mr,
 
  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter-dconf-defaults r,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /usr/share/icons/{,**} r,
- /usr/share/mime/mime.cache r,
- /usr/share/X11/xkb/** r,
 
 
  /etc/timezone r,
@@ -57,8 +46,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/icc/ rw,
  owner @{user_share_dirs}/icc/edid-*.icc rw,
 
- owner @{run}/user/@{uid}/gdm/Xauthority r,
- owner /dev/tty@{int} rw,
 
 
  include if exists
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index e0789d0a..72c68834 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -16,6 +16,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  include
  include
  include
+ include
  include
  include
  include
@@ -46,17 +47,14 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  interface=org.freedesktop.DBus.Properties
  member=GetAll
  peer=(name=:*, label=gnome-shell),
-
- dbus receive bus=session path=/org/gnome/Shell
- interface=org.freedesktop.DBus.Properties
- member={GetAll,PropertiesChanged}
- peer=(name=:*, label=gnome-shell),
-
  dbus send bus=session path=/org/gnome/Shell
  interface=org.gnome.Shell
  member={GrabAccelerators,UngrabAccelerators}
  peer=(name=:*, label=gnome-shell),
-
+ dbus receive bus=session path=/org/gnome/Shell
+ interface=org.freedesktop.DBus.Properties
+ member={GetAll,PropertiesChanged}
+ peer=(name=:*, label=gnome-shell),
  dbus receive bus=session path=/org/gnome/Shell
  interface=org.gnome.Shell
  member=AcceleratorActivated
@@ -86,16 +84,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  member=PropertiesChanged
  peer=(name=:*, label=gsd-power),
 
- dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
- interface=org.gnome.Mutter.IdleMonitor
- member=WatchFired
- peer=(name=:*, label=gnome-shell),
-
- dbus receive bus=session
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=:*, label=gnome-shell),
-
  @{exec_path} mr,
 
  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index b9253fe1..d97c62de 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -17,8 +17,10 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
  include
  include
  include
+ include
  include
  include
+ include
  include
  include
  include
@@ -36,21 +38,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
  interface=org.freedesktop.DBus.Properties
  peer=(name="{org.freedesktop.DBus,:*}", label="{gsd-media-keys,gnome-shell}"),
 
- dbus send bus=session path=/org/gnome/Mutter/**
- interface=org.freedesktop.DBus.{Properties,ObjectManager}
- peer=(name=:*, label=gnome-shell),
- dbus send bus=session path=/org/gnome/Mutter/**
- interface=org.gnome.Mutter.DisplayConfig
- peer=(name=:*, label=gnome-shell),
- dbus send bus=session path=/org/gnome/Mutter/**
- interface=org.gnome.Mutter.IdleMonitor
- peer=(name=:*, label=gnome-shell),
- dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
- interface=org.gnome.Mutter.DisplayConfig
- member=MonitorsChanged
- peer=(name=:*, label=gnome-shell),
- dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
- interface=org.gnome.Mutter.IdleMonitor
+ dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
+ interface=org.freedesktop.DBus.Properties
+ member=Set
  peer=(name=:*, label=gnome-shell),
 
  dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight
@@ -58,39 +48,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
  member=GetBrightness
  peer=(name=:*, label=upowerd),
 
- dbus send bus=system path=/org/freedesktop/systemd1
- interface=org.freedesktop.DBus.Properties
- member=Get,
-
- dbus send bus=system path=/org/freedesktop/login1/session/auto
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=systemd-logind),
-
- dbus send bus=system path=/org/freedesktop/login1/session/auto
- interface=org.freedesktop.login1.Session
- member=SetBrightness
- peer=(name=:*, label=systemd-logind),
-
- dbus send bus=system path=/net/hadess/PowerProfiles
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=power-profiles-daemon),
-
- dbus send bus=system path=/org/freedesktop/login1/session/auto
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=systemd-logind),
- dbus send bus=system path=/org/freedesktop/login1/session/auto
- interface=org.freedesktop.login1.Session
- member=SetBrightness
- peer=(name=:*, label=systemd-logind),
-
- dbus receive bus=session
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=:*, label=gnome-shell),
-
  @{exec_path} mr,
 
  /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill
index 4c6c96b6..8857b509 100644
--- a/apparmor.d/groups/gnome/gsd-rfkill
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@@ -23,7 +23,7 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
  dbus bind bus=session name=org.gnome.SettingsDaemon.Rfkill,
  dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill
  interface=org.freedesktop.DBus.Properties
- peer=(name=:*),
+ peer=(name=:*),
  dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill
  interface=org.freedesktop.DBus.Properties
  peer=(name=org.freedesktop.DBus),
diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing
index 111fac2a..dca68faf 100644
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@@ -19,46 +19,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
 
  dbus bind bus=session name=org.gnome.SettingsDaemon.Sharing,
 
- dbus send bus=system path=/org/freedesktop
- interface=org.freedesktop.DBus.ObjectManager
- member=GetManagedObjects
- peer=(name=:*, label=NetworkManager),
-
- dbus receive bus=system path=/org/freedesktop
- interface=org.freedesktop.DBus.ObjectManager
- member={InterfacesAdded,InterfacesRemoved}
- peer=(name=:*, label=NetworkManager),
-
- dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
- interface=org.freedesktop.NetworkManager.Connection.Active
- member=StateChanged
- peer=(name=:*, label=NetworkManager),
-
- dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]*
- interface=org.freedesktop.NetworkManager.Settings.Connection
- member=GetSettings
- peer=(name=:*, label=NetworkManager),
-
- dbus receive bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]*
- interface=org.freedesktop.NetworkManager.Settings.Connection
- member=Updated
- peer=(name=:*, label=NetworkManager),
-
- dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
- interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
- peer=(name=:*, label=NetworkManager),
-
- dbus send bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.NetworkManager
- member=GetPermissions
- peer=(name=:*, label=NetworkManager),
-
- dbus receive bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.NetworkManager
- member=CheckPermissions
- peer=(name=:*, label=NetworkManager),
-
  dbus send bus=session path=/org/freedesktop/systemd1
  interface=org.freedesktop.systemd1.Manager
  member=StopUnit
@@ -69,10 +29,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
  member=Introspect
  peer=(name=:*, label=gnome-shell),
 
- dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
- interface=org.freedesktop.NetworkManager.Connection.Active
- member=StateChanged,
-
  @{exec_path} mr,
 
  /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard
index d9c28023..70a6f5b3 100644
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@@ -24,8 +24,10 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
  peer=(name=:*, label=gnome-shell),
  dbus receive bus=session path=/org/gnome/SettingsDaemon/Smartcard
  interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=gnome-shell),
+ peer=(name=:*),
+ dbus send bus=session path=/org/gnome/SettingsDaemon/Smartcard
+ interface=org.freedesktop.DBus.Properties
+ peer=(name=org.freedesktop.DBus),
 
  dbus receive bus=session
  interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom
index 4ee9d9e6..ff3a4e8d 100644
--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@@ -26,8 +26,7 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
  dbus bind bus=session name=org.gnome.SettingsDaemon.Wacom,
  dbus receive bus=session path=/org/gnome/SettingsDaemon/Wacom
  interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=gnome-shell),
+ peer=(name=:*),
 
  dbus receive bus=session
  interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index 401b3c04..d4dfda9a 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@@ -16,6 +16,7 @@ profile gsd-xsettings @{exec_path} {
  include
  include
  include
+ include
  include
  include
  include
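Review bot: The rewritten Properties receive rule in gsd-smartcard drops the `member=GetAll` and the `label=gnome-shell` constraints together, so any session-bus peer may now invoke any org.freedesktop.DBus.Properties member on /org/gnome/SettingsDaemon/Smartcard, including `Set`; the gsd-wacom hunk on this same line makes the identical change, and both mirror the pre-existing gsd-rfkill form shown earlier. If the intent is that every client can read the properties (gnome-shell is not the only reader), `member={Get,GetAll}` keeps the read/write distinction while still dropping the label: `interface=org.freedesktop.DBus.Properties` / `member={Get,GetAll}` / `peer=(name=:*),`. Whether either service exposes a writable property is not visible here, so treat this as defence in depth rather than a known hole; the enclosing profile blocks extend beyond these hunks.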
@@ -43,11 +44,6 @@ profile gsd-xsettings @{exec_path} {
 
  dbus bind bus=session name=org.gnome.SettingsDaemon.XSettings,
 
- dbus send bus=session path=/org/gnome/Shell/Introspect
- interface=org.freedesktop.DBus.Properties
- member=Get
- peer=(name=org.gnome.Shell.Introspect, label=gnome-shell),
-
  dbus send bus=system path=/org/freedesktop/Accounts/User@{uid}
  interface=org.freedesktop.Accounts.User
  member=SetInputSources
@@ -58,11 +54,6 @@ profile gsd-xsettings @{exec_path} {
  member=GetId
  peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 
- dbus receive bus=session
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=:*, label=gnome-shell),
-
  @{exec_path} mr,
 
  @{bin}/cat rix,
diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11
index 82186b3e..45176e2c 100644
--- a/apparmor.d/groups/kde/kwin_x11
+++ b/apparmor.d/groups/kde/kwin_x11
@@ -9,7 +9,7 @@ include
  @{exec_path} = @{bin}/kwin_x11
  profile kwin_x11 @{exec_path} {
  include
- include
+ include
  include
  include
  include
diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd
index 80383135..e10f0c8f 100644
--- a/apparmor.d/profiles-a-f/bluetoothd
+++ b/apparmor.d/profiles-a-f/bluetoothd
@@ -22,18 +22,12 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
  network alg seqpacket,
  network netlink raw,
 
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- peer=(name=org.freedesktop.DBus, label=dbus-daemon),
-
- dbus send bus=system path=/org/bluez/hci0
+ dbus bind bus=system name=org.bluez,
+ dbus send bus=system path=/org/bluez{,/**}
  interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
  peer=(name=org.freedesktop.DBus),
-
- dbus receive bus=system path=/org/bluez{,**}
- interface=org.bluez.Media1
- member=RegisterApplication
+ dbus receive bus=system path=/org/bluez{,/**}
+ interface=org.bluez{,.*}
  peer=(name=:*),
 
  @{exec_path} mr,
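Review bot: The new bluetoothd receive rule `path=/org/bluez{,/**} interface=org.bluez{,.*} peer=(name=:*)` lets any system-bus client call any method on any org.bluez interface as far as AppArmor is concerned, replacing a rule limited to `Media1.RegisterApplication`; the remaining control is BlueZ's own D-Bus policy and polkit, which this profile cannot see. If the breadth is intentional (bluetoothd exports many org.bluez.* interfaces and the old path pattern `{,**}` was genuinely wrong), a comment such as `# bluetoothd serves many org.bluez.* interfaces; per-method access control is left to BlueZ/polkit` would stop the next reader from re-narrowing it blindly; otherwise list the interfaces clients are expected to reach. The `dbus send` to org.freedesktop.DBus with `label=dbus-daemon` is removed as well; `dbus bind` covers the name request, but any other bus-driver calls bluetoothd makes would need a rule or include that is not visible on this page, so a denial check after deployment is worthwhile.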
diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd
index af400833..eaa8b9d8 100644
--- a/apparmor.d/profiles-a-f/boltd
+++ b/apparmor.d/profiles-a-f/boltd
@@ -18,14 +18,12 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
  network netlink raw,
 
  dbus bind bus=system name=org.freedesktop.bolt,
-
- dbus receive bus=system path=/org/freedesktop/bolt
- interface=org.freedesktop.bolt1.Manager
- member=ListDevices,
-
- dbus receive bus=system path=/org/freedesktop/bolt
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
+ dbus (send, receive) bus=system path=/org/freedesktop/bolt
+ interface=org.freedesktop.bolt1{,.*}
+ peer=(name=:*),
+ dbus (send, receive) bus=system path=/org/freedesktop/bolt
+ interface=org.freedesktop.DBus.Properties
+ peer=(name=:*),
 
  @{exec_path} mr,
 
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 537f964e..dd4efe52 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -34,15 +34,9 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  network netlink raw,
 
  dbus bind bus=system name=org.freedesktop.fwupd,
- dbus receive bus=system path=/
- interface=org.freedesktop.fwupd
- peer=(name=:*, label=fwupdmgr),
- dbus receive bus=system path=/
- interface=org.freedesktop.DBus.Properties
- peer=(name=:*, label=fwupdmgr),
- dbus send bus=system path=/
- interface=org.freedesktop.DBus
- peer=(name=:*, label=fwupdmgr),
+ dbus (send, receive) bus=session path=/
+ interface={org.freedesktop.fwupd,org.freedesktop.DBus}
+ peer=(name="{:*,org.freedesktop.fwupd,org.freedesktop.DBus}"),
  dbus send bus=system path=/org/freedesktop/DBus
  interface=org.freedesktop.DBus
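Review bot: The two boltd `dbus (send, receive)` rules use `peer=(name=:*)` for both directions, but broadcast signals such as PropertiesChanged carry no destination and are matched elsewhere in this repository with `peer=(name=org.freedesktop.DBus)` (see the gsd-rfkill and bluetoothd hunks on this page), so boltd's own outgoing signals are likely not covered by the rewritten rules. Adding the established form alongside them closes that gap: `dbus send bus=system path=/org/freedesktop/bolt` / `interface=org.freedesktop.DBus.Properties` / `peer=(name=org.freedesktop.DBus),`. On the receive side, dropping the member lists means any client may call any bolt1.* method as far as AppArmor is concerned, which is acceptable only if boltd's polkit checks are relied on for the privileged operations; a comment saying so would help. The fwupd hunk that follows is cut off at the end of this page, but its replacement rule reads `bus=session` while the `dbus bind bus=system name=org.freedesktop.fwupd` line directly above it is on the system bus; that looks like a typo that leaves the system-bus traffic unmatched (the profile is in complain mode, so it would log rather than block).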