From 9517800a9d7eaac9a145d517632295e2bf7e523b Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 30 Nov 2023 21:32:50 +0000
Subject: [PATCH] feat(dbus): simple dbus rules cleaning.

---
 apparmor.d/groups/browsers/firefox | 41 +++++++++---------------
 apparmor.d/groups/bus/ibus-x11 | 20 ------------
 apparmor.d/groups/freedesktop/pulseaudio | 4 +--
 apparmor.d/groups/freedesktop/upowerd | 10 +++---
 apparmor.d/groups/gnome/gsd-housekeeping | 6 ++--
 apparmor.d/groups/gnome/gsd-sharing | 6 ++--
 apparmor.d/groups/systemd/loginctl | 10 +++---
 apparmor.d/groups/systemd/systemd-logind | 5 +--
 apparmor.d/profiles-a-f/engrampa | 2 +-
 9 files changed, 37 insertions(+), 67 deletions(-)

diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 78d2ea76..54fcbf0b 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -50,17 +50,16 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   signal (send) set=(term, kill) peer=keepassxc-proxy,
   signal (send) set=(term, kill) peer=firefox-*,
 
-  dbus send bus=session path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+  dbus bind bus=session name=org.mozilla.firefox.*,
+  dbus bind bus=session name=org.mpris.MediaPlayer2.firefox.*,
+  dbus bind bus=session name=org.mozilla.firefox_beta.*,
+  deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*,
 
-  dbus send bus=session path=/ScreenSaver
+  dbus send bus=session path=/ScreenSaver
        interface=org.freedesktop.ScreenSaver
-       member={Inhibit,UnInhibit}
        peer=(name=org.freedesktop.ScreenSaver),
 
-  dbus send bus=session path=/org/freedesktop/portal/desktop
+  dbus send bus=session path=/org/freedesktop/portal/desktop
        interface=org.freedesktop.portal.Settings
        member=Read
        peer=(name=:*),
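Review bot: The rewritten ScreenSaver rule drops `member={Inhibit,UnInhibit}`, so `dbus send bus=session path=/ScreenSaver interface=org.freedesktop.ScreenSaver peer=(name=org.freedesktop.ScreenSaver)` now permits every method of that interface instead of the two inhibit calls. The peer name still bounds the recipient, but neither the hunk nor the commit message says the widening is intended, so either restore the member line or record the decision with a comment such as `# whole org.freedesktop.ScreenSaver interface, not only {Inhibit,UnInhibit}`. The third firefox hunk does the same on the `/org/mozilla/firefox/Remote` send and receive rules by dropping `member=OpenURL`; there the `label=@{profile_name}` peer keeps the traffic inside the profile itself, which is worth the same kind of comment. The profile block continues outside the hunk.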
@@ -70,24 +69,24 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
        member=SettingChanged
        peer=(name=:*),
 
-  dbus send bus=session path=/org/freedesktop/portal/desktop
+  dbus send bus=session path=/org/freedesktop/portal/desktop
        interface=org.freedesktop.DBus.Properties
        member={GetAll,Read}
        peer=(name=:*),
 
-  dbus send bus=system path=/org/freedesktop/UPower
+  dbus send bus=system path=/org/freedesktop/UPower
        interface=org.freedesktop.UPower
        member=EnumerateDevices
        peer=(name=org.freedesktop.UPower),
 
-  dbus send bus=session path=/org/freedesktop/PowerManagement/Inhibit
+  dbus send bus=session path=/org/freedesktop/PowerManagement/Inhibit
        interface=org.freedesktop.PowerManagement.Inhibit
        member=Inhibit
        peer=(name=org.freedesktop.PowerManagement),
 
-  dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]*
+  dbus send bus=system path=/org/freedesktop/RealtimeKit1
        member={Get,MakeThreadHighPriority,MakeThreadRealtime,MakeThreadRealtimeWithPID}
-       peer=(name=org.freedesktop.RealtimeKit[0-9]*),
+       peer=(name=org.freedesktop.RealtimeKit1*),
 
   dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
        interface=org.freedesktop.DBus.Properties
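Review bot: The RealtimeKit rule pins the object path to `/org/freedesktop/RealtimeKit1` but leaves a glob on the peer, `peer=(name=org.freedesktop.RealtimeKit1*)`, whereas the pulseaudio hunk in this same commit uses the exact `peer=(name=org.freedesktop.RealtimeKit1)`; with the path exact the trailing `*` gains nothing and should be dropped for consistency. Both RealtimeKit rules also carry no `interface=` line, so the `member=` list is the only filter applied to that object; if one is added, note that `Get` presumably comes from `org.freedesktop.DBus.Properties` while the `MakeThread*` members belong to the RealtimeKit interface, so the line would need to cover both. The profile block continues outside the hunk.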
@@ -99,34 +98,24 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
        member=GetPlaylists
        peer=(name=:*),
 
-  dbus receive bus=system path=/org/freedesktop/login[0-9]*
-       interface=org.freedesktop.login[0-9]*.Manager
+  dbus receive bus=system path=/org/freedesktop/login1*
+       interface=org.freedesktop.login1*.Manager
        member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareForShutdown}
        peer=(name=:*),
 
-  dbus send bus=session path=/org/gtk/vfs/metadata
+  dbus send bus=session path=/org/gtk/vfs/metadata
        interface=org.gtk.vfs.Metadata
        member=GetTreeFromDevice
        peer=(name=:*),
 
-  dbus send bus=session path=/org/mozilla/firefox/Remote
+  dbus send bus=session path=/org/mozilla/firefox/Remote
        interface=org.mozilla.firefox
-       member=OpenURL
        peer=(name=org.mozilla.firefox.*, label=@{profile_name}),
 
   dbus receive bus=session path=/org/mozilla/firefox/Remote
        interface=org.mozilla.firefox
-       member=OpenURL
        peer=(name=:*, label=@{profile_name}),
 
-  dbus bind bus=session
-       name=org.mpris.MediaPlayer2.firefox.*,
-
-  dbus bind bus=session
-       name=org.mozilla.firefox.*,
-
-  deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*,
-
   @{exec_path} mrix,
 
   @{bin}/{,ba,da}sh rix,
diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11
index ae78e55b..23bf516b 100644
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
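Review bot: The login1 receive rule keeps a trailing glob, `path=/org/freedesktop/login1*` and `interface=org.freedesktop.login1*.Manager`, while the upowerd hunks in this commit settle on the exact `/org/freedesktop/login1` and `org.freedesktop.login1.Manager`; since `*` only matches within one path component, the glob admits nothing useful beyond the exact name and is merely looser. Suggest `path=/org/freedesktop/login1` and `interface=org.freedesktop.login1.Manager` here, and the same in the loginctl hunk, where `login1*` also appears in the path, the interface and the `peer=(name=...)` of both rules. The profile block continues outside the hunk.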
@@ -28,26 +28,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
   network inet6 dgram,
   network netlink raw,
 
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=GetAddress
-       peer=(name=org.a11y.Bus), # all peer's labels
-
-  dbus send bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=GetRegisteredEvents
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
-  dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
-       interface=org.a11y.atspi.DeviceEventController
-       member={GetKeystrokeListeners,GetDeviceEventListeners}
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
-  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.a11y.atspi.Socket
-       member=Embed
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
   @{exec_path} mr,
 
   /var/lib/gdm{3,}/.config/ibus/bus/ r,
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index d755d1ef..a8e1191c 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -93,9 +93,9 @@ profile pulseaudio @{exec_path} {
        member={Hello,AddMatch,RemoveMatch}
        peer=(name=org.freedesktop.DBus),
 
-  dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
+  dbus send bus=system path=/org/freedesktop/RealtimeKit1
        member={Get,MakeThreadHighPriority,MakeThreadRealtime}
-       peer=(name=org.freedesktop.RealtimeKit[0-9]),
+       peer=(name=org.freedesktop.RealtimeKit1),
 
   dbus send bus=system path=/
        interface=org.freedesktop.DBus.ObjectManager
diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd
index 233161b7..d8b59b54 100644
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@@ -23,12 +23,12 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
   dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**}
        interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,UPower*},
 
-  dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]
+  dbus (send,receive) bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.DBus.Properties
        member={PropertiesChanged,GetAll},
 
-  dbus send bus=system path=/org/freedesktop/login[0-9]
-       interface=org.freedesktop.login[0-9].Manager
+  dbus send bus=system path=/org/freedesktop/login1
+       interface=org.freedesktop.login1.Manager
        member=Inhibit,
 
   dbus send bus=system path=/
@@ -41,8 +41,8 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
        member=PropertiesChanged
        peer=(name=:*, label=bluetoothd),
 
-  dbus receive bus=system path=/org/freedesktop/login[0-9]
-       interface=org.freedesktop.login[0-9].Manager
+  dbus receive bus=system path=/org/freedesktop/login1
+       interface=org.freedesktop.login1.Manager
        member={UserNew,UserRemoved,SessionNew,SessionRemoved,PrepareForShutdown,PrepareForSleep}
        peer=(name=:*, label=systemd-logind),
 
diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping
index 443db04f..128f8fda 100644
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Alexandre Pujol
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi ,
@@ -22,7 +22,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
        member={RequestName,ReleaseName}
        peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 
-  dbus send bus=session path=/org/gnome/SessionManager
+  dbus send bus=session path=/org/gnome/SessionManager
        interface=org.gnome.SessionManager
        member=RegisterClient
        peer=(name=:*, label=gnome-session-binary),
@@ -47,7 +47,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
        member={CancelEndSession,QueryEndSession,EndSession,Stop}
        peer=(name=:*, label=gnome-session-binary),
 
-  dbus receive bus=session path=/{,org}
+  dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect
        peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing
index 2b230e88..b4041741 100644
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@@ -86,10 +86,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
        member={CancelEndSession,QueryEndSession,EndSession,Stop}
        peer=(name=:*, label=gnome-session-binary),
 
-  dbus send bus=session path=/org/freedesktop/systemd[0-9]*
-       interface=org.freedesktop.systemd[0-9]*.Manager
+  dbus send bus=session path=/org/freedesktop/systemd1
+       interface=org.freedesktop.systemd1.Manager
        member=StopUnit
-       peer=(name=org.freedesktop.systemd[0-9]*), # all peer's labels
+       peer=(name=org.freedesktop.systemd1), # all peer's labels
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl
index 20461b81..2bce8c1a 100644
--- a/apparmor.d/groups/systemd/loginctl
+++ b/apparmor.d/groups/systemd/loginctl
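Review bot: The Introspect receive rule loses its `path=/{,org}` constraint, so `dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell)` now accepts introspection of any object path rather than only the two root nodes. This matches the already path-less Introspectable receive rule visible in the gsd-sharing hunk, and the `label=gnome-shell` peer keeps the exposure to read-only metadata from one confined peer, so it looks acceptable; the commit message does not say the widening is intended, though, so a comment such as `# gnome-shell may introspect every exported object` would record it. The profile block continues outside the hunk.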
@@ -15,15 +15,15 @@ profile loginctl @{exec_path} {
   capability net_admin,
   capability sys_resource,
 
-  dbus (send) bus=system path=/org/freedesktop/login[0-9]*
-       interface=org.freedesktop.login[0-9]*.Manager
+  dbus (send) bus=system path=/org/freedesktop/login1*
+       interface=org.freedesktop.login1*.Manager
        member={ListSessions,GetSession}
-       peer=(name=org.freedesktop.login[0-9]*, label=systemd-logind),
+       peer=(name=org.freedesktop.login1*, label=systemd-logind),
 
-  dbus (send) bus=system path=/org/freedesktop/login[0-9]*/session/**
+  dbus (send) bus=system path=/org/freedesktop/login1*/session/**
        interface=org.freedesktop.DBus.Properties
        member={Get,GetAll}
-       peer=(name=org.freedesktop.login[0-9]*, label=systemd-logind),
+       peer=(name=org.freedesktop.login1*, label=systemd-logind),
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 925ad73b..44ea4c2c 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -39,10 +39,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
-       member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName},
+       member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser}
+       peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 
   dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
-       interface=org.freedesktop.PolicyKit[0-9].Authority
+       interface=org.freedesktop.PolicyKit1.Authority
        member=CheckAuthorization,
 
   dbus send bus=system path=/org/freedesktop/systemd1/unit/**
diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa
index 414ab709..18cfa7fa 100644
--- a/apparmor.d/profiles-a-f/engrampa
+++ b/apparmor.d/profiles-a-f/engrampa
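Review bot: In the systemd-logind hunk `RequestName` is removed from the bus-driver member list, so ownership of the logind well-known name must now be granted by a `dbus bind bus=system name=...` rule elsewhere in the profile; that rule is not in the hunk, and because the profile header carries `complain` a missing one would only be logged rather than enforced, so please confirm it exists before the flag is ever dropped. The new `peer=(name=org.freedesktop.DBus, label=dbus-daemon)` additionally assumes the system bus runs confined under the dbus-daemon profile; a host whose bus implementation carries a different label would see these sends logged or denied, which may be acceptable but deserves a one-line comment next to the rule. The loginctl hunk on this line is covered by the note on the firefox login1 rule. Both profile blocks continue outside their hunks.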
@@ -33,7 +33,7 @@ profile engrampa @{exec_path} {
        interface=org.gtk.Private.RemoteVolumeMonitor
        member={IsSupported,List}
        peer=(name=:*),
-
+
   dbus send bus=session path=/org/gtk/vfs/mounttracker
        interface=org.gtk.vfs.MountTracker
        member={ListMounts2,LookupMount}