diff --git a/apparmor.d/abstractions/dbus-gtk b/apparmor.d/abstractions/dbus-gtk index 485e0729..6ef96270 100644 --- a/apparmor.d/abstractions/dbus-gtk +++ b/apparmor.d/abstractions/dbus-gtk @@ -18,34 +18,9 @@ member=GetAll peer=(name=:*), - dbus (send) bus=session path=/org/a11y/bus - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.a11y.Bus), - - dbus (send) bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus), - dbus (send, receive) bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.Notifications peer=(name="{org.freedesktop.Notifications,org.freedesktop.DBus,:*}"), # all members - dbus (receive) bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=EventListenerDeregistered - peer=(name=:*), - - dbus (send) bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry), - - dbus (send) bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry), - # Include additions to the abstraction include if exists diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete index 8410eba9..3b7f2edc 100644 --- a/apparmor.d/abstractions/dbus-session-strict.d/complete +++ b/apparmor.d/abstractions/dbus-session-strict.d/complete @@ -7,7 +7,7 @@ unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-????????"), - dbus send bus=session path=/org/freedesktop/dbus + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label=dbus-daemon), 
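Review bot: Removing the `/org/a11y/bus` `GetAddress` and `Properties.Get` rules from this abstraction takes away the only path visible in this diff by which a GTK client discovers the accessibility bus; the matching `GetAddress` rule this commit adds lives in the at-spi2-registryd profile, which GTK clients do not include. Unless some other abstraction that dbus-gtk users pull in still grants `dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus member=GetAddress peer=(name=org.a11y.Bus)`, a11y-enabled GTK applications will start producing DENIED entries at startup (presumably non-fatal, but the a11y bridge will be silently disabled). If the removal is deliberate, a comment such as `# a11y bus discovery is intentionally not granted here` next to the remaining rules would stop the next reader from re-adding it.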
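Review bot: The case fix to `path=/org/freedesktop/DBus` means this RequestName/ReleaseName rule never matched until now, and it is what makes the per-profile copies deleted elsewhere in this commit safe to drop, yet it sits in a `.d/complete` drop-in rather than in the base `dbus-session-strict` abstraction. Any profile that includes the abstraction without that drop-in and that uses `dbus bind bus=session` will now be denied RequestName, whereas before this commit it carried its own rule. Either move the rule into the base abstraction alongside `dbus bind`, or document the dependency above it: `# Required by every profile that does 'dbus bind bus=session ...'; profiles must not carry their own copy`.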
diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index d2e5e0a1..ed550f71 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -20,11 +20,6 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { unix (send, receive, accept) type=stream addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????" peer=(label=ibus-*), unix (send, receive, accept) type=stream addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????" peer=(label=gnome-shell), - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=session path=/org/freedesktop/IBus interface=org.freedesktop.DBus.Peer peer=(name=org.freedesktop.portal.IBus), # all members, all peer's labels diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 9bf8b13f..ed616710 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -14,10 +14,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus bind bus=session name=org.freedesktop.portal.IBus, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -29,8 +26,6 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { member=Ping peer=(name=:*, label=ibus-daemon), - dbus bind bus=session name=org.freedesktop.portal.IBus, - @{exec_path} mr, @{lib}/gio/modules/{,*} r, diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd index e146a626..2338e95f 100644 --- a/apparmor.d/groups/freedesktop/at-spi2-registryd +++ b/apparmor.d/groups/freedesktop/at-spi2-registryd 
@@ -10,8 +10,9 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include - include - include + include + include + include include include 
@@ -21,18 +22,40 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { dbus bind bus=accessibility name=org.a11y.atspi.Registry, - dbus (send, receive) bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry, + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus, label=dbus-daemon), - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*), # all peer's labels + + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=:*), # all peer's labels + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member={GetRegisteredEvents,EventListenerDeregistered} + peer=(name=:*), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member={GetRegisteredEvents,EventListenerDeregistered} + peer=(name=org.freedesktop.DBus), # all peer's labels + + dbus receive bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=:*), # all peer's labels dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), + peer=(name=org.freedesktop.DBus, label=at-spi-bus-launcher), dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager 
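Review bot: The two peer labels look swapped between the new `GetAddress` rule and the accessibility-bus RequestName rule. `org.a11y.Bus` on the session bus is served by at-spi-bus-launcher (the label the rule removed in the next hunk used), whereas the accessibility bus itself is a dbus-daemon instance, so `peer=(name=org.a11y.Bus, label=dbus-daemon)` will be denied unless the launcher runs under the dbus-daemon label, and `peer=(name=org.freedesktop.DBus, label=at-spi-bus-launcher)` only matches if the launcher starts the a11y bus with an inheriting transition. Suggest restoring `peer=(name=org.a11y.Bus, label=at-spi-bus-launcher)` on the GetAddress rule and confirming the a11y bus daemon's actual label from the audit log before changing the RequestName peer. The `dbus send ... member={GetRegisteredEvents,EventListenerDeregistered} peer=(name=org.freedesktop.DBus)` rule addresses the bus driver; if these are broadcast signals, a trailing `# signal` comment (as used on the other profiles in this commit) would make the intent clear.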
@@ -48,26 +71,6 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-session-binary), - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*), # all peer's labels - - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=:*), # all peer's labels - - dbus receive bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=:*), # all peer's labels - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 07b7d248..48c9519e 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord 
@@ -11,48 +11,41 @@ include profile colord @{exec_path} flags=(attach_disconnected) { include include - include include + include network netlink raw, dbus bind bus=system name=org.freedesktop.ColorManager, - dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**} - interface=org.freedesktop.ColorManager*, + dbus receive bus=system path=/org/freedesktop/ColorManager{,/**} + interface=org.freedesktop.DBus.Properties + peer=(name=:*), + + dbus receive bus=system path=/org/freedesktop/ColorManager{,/**} + interface=org.freedesktop.ColorManager + peer=(name=:*, label=gnome-shell), + + dbus send bus=system path=/org/freedesktop/ColorManager{,/**} + interface=org.freedesktop.DBus.Properties + peer=(name=org.freedesktop.DBus), + + dbus send bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + peer=(name=org.freedesktop.DBus), + + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.DBus.Properties + peer=(name=:*, label=polkitd), + + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + peer=(name=:*, label=polkitd), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName,ReleaseName}, - - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.PolicyKit[0-9].Authority - member=CheckAuthorization - peer=(name=:*, label=polkitd), - - dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.PolicyKit[0-9].Authority - peer=(name=:*, label=polkitd), # all members - - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label="{gsd-color,polkitd}"), - - dbus receive bus=system path=/org/freedesktop/ColorManager{,/devices/*} - 
interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label="{gsd-color,colord-sane,gnome-control-center}"), - - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=@{profile_name}), - - dbus receive bus=system path=/org/freedesktop/ColorManager/** - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label="{@{profile_name},gsd-color}"), + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index f664d583..d7d37180 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service @@ -15,10 +15,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term kill hup) peer=dbus-daemon, signal (receive) set=(term hup) peer=gdm*, - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus bind bus=session name=ca.desrt.dconf, dbus send bus=session path=/ca/desrt/dconf/Writer/user interface=ca.desrt.dconf.Writer @@ -34,9 +31,6 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=:*, label=gnome-shell), - dbus bind bus=session - name=ca.desrt.dconf, - @{exec_path} mr, /var/lib/gdm{3,}/.config/dconf/ rw, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 39bc32b6..97b85bf6 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire 
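Review bot: The new `dbus receive ... interface=org.freedesktop.ColorManager peer=(name=:*, label=gnome-shell)` only lets gnome-shell invoke ColorManager methods, while the `(send,receive)` rule it replaces accepted them from any peer and the deleted Properties rule explicitly lists gsd-color, colord-sane and gnome-control-center as known clients. Those clients presumably call CreateDevice/FindDeviceById and similar methods on the same interface, so they will now be denied. Suggest `peer=(name=:*, label="{gnome-shell,gsd-color,colord-sane,gnome-control-center}")`, or dropping the label constraint if colord is meant to be a public service. Separately, the `org.freedesktop.PolicyKit1.Authority` send rule lost its `member=CheckAuthorization` restriction that the removed rule had; colord only needs that one member, so keep `member=CheckAuthorization`.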
@@ -24,19 +24,20 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { dbus bind bus=session name=org.pulseaudio.Server, - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - - dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] - interface=org.freedesktop.RealtimeKit[0-9] + dbus send bus=system path=/org/freedesktop/RealtimeKit1 + interface=org.freedesktop.RealtimeKit1 member=MakeThread* - peer=(name=org.freedesktop.RealtimeKit[0-9]), + peer=(name=org.freedesktop.RealtimeKit1), - dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] + dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member=Get - peer=(name=org.freedesktop.RealtimeKit[0-9]), + peer=(name=org.freedesktop.RealtimeKit1), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetConnectionUnixProcessID + peer=(name=org.freedesktop.DBus, label=dbus-daemon), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index fb5b210f..c83119ff 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -21,10 +21,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { ptrace (read), - dbus (send) bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus (bind) bus=system name=org.freedesktop.PolicyKit1, dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit1/* interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit1.*}, # all members 
@@ -33,8 +30,10 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.PolicyKit1.AuthenticationAgent peer=(name=:*), # all members - dbus (bind) bus=system - name=org.freedesktop.PolicyKit1, + dbus (send) bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index d8b59b54..843bd1d0 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -15,11 +15,6 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { network netlink raw, - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**} interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,UPower*}, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 7c70c1f7..e7c7dd05 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/xdg-desktop-portal profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include - include include include include 
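Review bot: With RequestName/ReleaseName removed from this profile (and likewise from colord and upowerd in this commit), binding `org.freedesktop.PolicyKit1` on the system bus now depends on a system-bus abstraction granting those members, but the only abstraction fixed here is `dbus-session-strict.d/complete`, which is session-only. If the system-bus equivalent (not in this diff) has the same lowercase `/org/freedesktop/dbus` path bug, polkitd will fail to claim its name after reload, which takes down authorization for the whole system. Verify that abstraction carries `dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label=dbus-daemon)` before landing this.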
@@ -22,89 +21,47 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { ptrace (read), + dbus bind bus=session name=org.freedesktop.portal.Desktop, + + dbus bind bus=session name=org.freedesktop.background.Monitor, + + dbus receive bus=session path=/org/freedesktop/background/monitor + interface=org.freedesktop.DBus.Properties + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.DBus.Properties + peer=(name=:*, label=xdg-permission-store), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + peer=(name=:*, label=gnome-keyring-daemon), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + peer=(name=:*, label=xdg-desktop-portal-gnome), + + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=Read + peer=(name=:*, label=nautilus), + + dbus send bus=session path=/org/freedesktop/portal/documents + interface=org.freedesktop.DBus.Properties + peer=(name=:*, label=xdg-document-portal), + dbus send bus=session path=/org/freedesktop/portal/documents + interface=org.freedesktop.portal.Documents + peer=(name=:*, label=xdg-document-portal), + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={RequestName,ReleaseName,GetConnectionUnixProcessID} + member=GetConnectionUnixProcessID peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] - interface=org.freedesktop.DBus.Properties - member={GetAll,Get}, - - dbus send bus=system path=/net/hadess/PowerProfiles - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus receive bus=system path=/org/freedesktop/NetworkManager - 
interface=org.freedesktop.NetworkManager - member={StateChanged,CheckPermissions}, - - dbus receive bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label="{gnome-shell,xdg-desktop-portal-*,gnome-keyring-daemon}"), - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Background - member=GetAppState - peer=(name=:*, label=xdg-desktop-portal-*), - - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Background - member=RunningApplicationsChanged - peer=(name=:*, label=xdg-desktop-portal-*), - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.Settings - member=SettingChanged - peer=(name=org.freedesktop.DBus), # all peer's labels - - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.{DBus.Properties,portal.Settings} - member={ReadAll,GetAll} - peer=(name=:*, label=snap.snapd-desktop-integration.snapd-desktop-integration), - - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings - member=SettingChanged - peer=(name=:*, label=xdg-desktop-portal-*), - - dbus send bus=session path=/org/freedesktop/portal/documents - interface=org.freedesktop.portal.Documents - member=GetMountPoint - peer=(name=:*, label=xdg-document-portal), - - dbus (send, receive) bus=session path=/org/freedesktop/portal/documents - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name=:*, label=xdg-document-portal), - - dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=xdg-permission-store), - - dbus send 
bus=session path=/org/freedesktop/impl/portal/PermissionStore - interface=org.freedesktop.impl.portal.PermissionStore - member=Lookup - peer=(name=:*, label=xdg-permission-store), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), - dbus bind bus=session - name=org.freedesktop.portal.Desktop, - @{exec_path} mr, @{bin}/{,ba,da}sh rix, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 00921e7a..bc7e22cb 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -26,10 +26,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { include include - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gnome, dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.DBus.Properties @@ -43,17 +40,17 @@ profile xdg-desktop-portal-gnome @{exec_path} { interface=org.freedesktop.Accounts.User member=Changed, - dbus send bus=session path=/org/gnome/Shell/Screenshot + dbus send bus=session path=/org/gnome/Shell/Screenshot interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell/Introspect + dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell/Introspect + dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.gnome.Shell.Introspect member=GetRunningApplications peer=(name=:*, label=gnome-shell), 
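Review bot: The `org.freedesktop.impl.portal.Background` rules (send `GetAppState` to and receive `RunningApplicationsChanged` from `xdg-desktop-portal-*`) are deleted here, but the xdg-desktop-portal-gnome profile in this same commit still keeps the matching `send ... RunningApplicationsChanged peer=(label=xdg-desktop-portal)` and `receive ... GetAppState peer=(label=xdg-desktop-portal)` rules; AppArmor D-Bus mediation checks both ends, so the background portal will now be denied from this side. The new `impl.portal.Settings` send rule is also narrowed to `label=xdg-desktop-portal-gnome`, yet xdg-desktop-portal-gtk (also touched in this diff) is a settings backend and was covered by the old `xdg-desktop-portal-*` glob. Re-add the two Background rules and keep the glob on the Settings rule.
```apparmor
  # ... unchanged: bind and PermissionStore rules ...

  dbus send bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.impl.portal.Settings
       peer=(name=:*, label=xdg-desktop-portal-*),

  dbus send bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.impl.portal.Background
       member=GetAppState
       peer=(name=:*, label=xdg-desktop-portal-*),

  dbus receive bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.impl.portal.Background
       member=RunningApplicationsChanged
       peer=(name=:*, label=xdg-desktop-portal-*),

  # ... unchanged: Settings Read, Documents and bus-driver rules ...
```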
@@ -63,7 +60,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { member={RunningApplicationsChanged,WindowsChanged} peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/freedesktop/portal/desktop + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Background member=RunningApplicationsChanged peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), @@ -73,7 +70,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { member=GetAppState peer=(name=:*, label=xdg-desktop-portal), - dbus send bus=session path=/org/freedesktop/portal/desktop + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings member=SettingChanged peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), @@ -83,27 +80,17 @@ profile xdg-desktop-portal-gnome @{exec_path} { member=GetAll peer=(name=:*, label=xdg-desktop-portal), - dbus send bus=session path=/org/gnome/Mutter/DisplayConfig - interface=org.gnome.Mutter.DisplayConfig - member=GetCurrentState - peer=(name=:*, label=gnome-shell), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + member=Read + peer=(name=:*, label=xdg-desktop-portal), dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member=GetCurrentState - peer=(name=:*, label=gsd-xsettings), + peer=(name=:*, label="{gnome-shell,gsd-xsettings}"), - dbus send bus=session path=/org/gnome/Mutter/DisplayConfig - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - - dbus send bus=session path=/org/gnome/Mutter/ScreenCast - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - - dbus send bus=session path=/org/gnome/Mutter/RemoteDesktop + dbus send bus=session path=/org/gnome/Mutter/* interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=gnome-shell), 
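Review bot: The `dbus send ... /org/gnome/Mutter/DisplayConfig ... member=GetCurrentState peer=(label=gnome-shell)` rule is dropped and gnome-shell is instead added to the receive rule, but gnome-shell owns DisplayConfig, so this portal is the caller and it is the send rule that authorizes the call; a method reply does not need its own receive rule, and a receive rule does not grant the outgoing request. Unless the audit log shows gnome-shell itself invoking GetCurrentState on this process (which would be unusual), restore the send rule and keep the receive rule's peer as `label=gsd-xsettings` only. The widening of the Properties GetAll rule to `path=/org/gnome/Mutter/*` is fine for a read-only member.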
@@ -113,19 +100,11 @@ profile xdg-desktop-portal-gnome @{exec_path} { member=ListMountableInfo peer=(name=:*, label=gvfsd), - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings - member=Read - peer=(name=:*, label=xdg-desktop-portal), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), - dbus bind bus=session - name=org.freedesktop.impl.portal.desktop.gnome, - @{exec_path} mr, / r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 96c8d215..3d892469 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -29,15 +29,15 @@ profile xdg-desktop-portal-gtk @{exec_path} { unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), - dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* + dbus send bus=system path=/org/freedesktop/Accounts/User@{int} interface=org.freedesktop.DBus.Properties member=GetAll, - dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* + dbus receive bus=system path=/org/freedesktop/Accounts/User@{int} interface=org.freedesktop.DBus.Properties member=PropertiesChanged, - dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* + dbus receive bus=system path=/org/freedesktop/Accounts/User@{int} interface=org.freedesktop.Accounts.User member=Changed, 
@@ -49,12 +49,12 @@ profile xdg-desktop-portal-gtk @{exec_path} { interface=org.freedesktop.DBus.Properties member=PropertiesChanged, - dbus send bus=session path=/org/gtk/Settings + dbus send bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=gsd-xsettings), - dbus send bus=session path=/org/gnome/SessionManager + dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member=RegisterClient peer=(name=:*, label=gnome-session-binary), @@ -64,12 +64,12 @@ profile xdg-desktop-portal-gtk @{exec_path} { member={ClientAdded,ClientRemoved,SessionRunning} peer=(name=:*, label=gnome-session-binary), - dbus send bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + dbus send bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=gnome-session-binary), - dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* interface=org.gnome.SessionManager.ClientPrivate member=EndSessionResponse peer=(name=:*, label=gnome-session-binary), diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index e41b52b5..1d289052 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal 
@@ -23,12 +23,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount), - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - - dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=xdg-permission-store), diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index e00efeea..370a5e83 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -16,11 +16,6 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup kill) peer=dbus-daemon, signal (receive) set=(term hup kill) peer=gdm*, - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 3abee290..2fa9b76f 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg 
@@ -43,14 +43,15 @@ profile xorg @{exec_path} flags=(attach_disconnected) { network netlink raw, - dbus send bus=system path=/org/freedesktop/login[0-9]{,/session/*} - interface=org.freedesktop.{DBus.Properties,login[0-9].Session,login[0-9]*.Manager} + dbus send bus=system path=/org/freedesktop/login1{,/session/*} + interface=org.freedesktop.{DBus.Properties,login1.Session,login1.Manager} member={ReleaseControl,TakeControl,TakeDevice,ReleaseDevice,GetSessionByPID} - peer=(name=org.freedesktop.login[0-9], label=systemd-logind), + peer=(name=org.freedesktop.login1, label=systemd-logind), - dbus receive bus=system path=/org/freedesktop/login[0-9]/session/* + dbus receive bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member=PauseDevice, + peer=(name=org.freedesktop.login1, label=systemd-logind), @{exec_path} mrix,
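Review bot: `member=PauseDevice,` keeps its terminating comma while the new `peer=(name=org.freedesktop.login1, label=systemd-logind),` line is appended after it, so the parser sees a complete rule followed by a stray `peer=` token and the xorg profile will fail to load. Change the member line to `member=PauseDevice` and leave the comma only on the new peer line. The narrowing of `login[0-9]` to `login1` on the send rule is correct. The profile body continues past the end of this hunk.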