feat(dbus): simple dbus rules cleaning.
This commit is contained in:
parent
dd06e3da65
commit
9517800a9d
9 changed files with 37 additions and 67 deletions
|
@ -50,14 +50,13 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
||||||
signal (send) set=(term, kill) peer=keepassxc-proxy,
|
signal (send) set=(term, kill) peer=keepassxc-proxy,
|
||||||
signal (send) set=(term, kill) peer=firefox-*,
|
signal (send) set=(term, kill) peer=firefox-*,
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/DBus
|
dbus bind bus=session name=org.mozilla.firefox.*,
|
||||||
interface=org.freedesktop.DBus
|
dbus bind bus=session name=org.mpris.MediaPlayer2.firefox.*,
|
||||||
member={RequestName,ReleaseName}
|
dbus bind bus=session name=org.mozilla.firefox_beta.*,
|
||||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*,
|
||||||
|
|
||||||
dbus send bus=session path=/ScreenSaver
|
dbus send bus=session path=/ScreenSaver
|
||||||
interface=org.freedesktop.ScreenSaver
|
interface=org.freedesktop.ScreenSaver
|
||||||
member={Inhibit,UnInhibit}
|
|
||||||
peer=(name=org.freedesktop.ScreenSaver),
|
peer=(name=org.freedesktop.ScreenSaver),
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||||
|
@ -85,9 +84,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
||||||
member=Inhibit
|
member=Inhibit
|
||||||
peer=(name=org.freedesktop.PowerManagement),
|
peer=(name=org.freedesktop.PowerManagement),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]*
|
dbus send bus=system path=/org/freedesktop/RealtimeKit1
|
||||||
member={Get,MakeThreadHighPriority,MakeThreadRealtime,MakeThreadRealtimeWithPID}
|
member={Get,MakeThreadHighPriority,MakeThreadRealtime,MakeThreadRealtimeWithPID}
|
||||||
peer=(name=org.freedesktop.RealtimeKit[0-9]*),
|
peer=(name=org.freedesktop.RealtimeKit1*),
|
||||||
|
|
||||||
dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
|
dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
|
@ -99,8 +98,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
||||||
member=GetPlaylists
|
member=GetPlaylists
|
||||||
peer=(name=:*),
|
peer=(name=:*),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/login[0-9]*
|
dbus receive bus=system path=/org/freedesktop/login1*
|
||||||
interface=org.freedesktop.login[0-9]*.Manager
|
interface=org.freedesktop.login1*.Manager
|
||||||
member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareForShutdown}
|
member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareForShutdown}
|
||||||
peer=(name=:*),
|
peer=(name=:*),
|
||||||
|
|
||||||
|
@ -111,22 +110,12 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
dbus send bus=session path=/org/mozilla/firefox/Remote
|
dbus send bus=session path=/org/mozilla/firefox/Remote
|
||||||
interface=org.mozilla.firefox
|
interface=org.mozilla.firefox
|
||||||
member=OpenURL
|
|
||||||
peer=(name=org.mozilla.firefox.*, label=@{profile_name}),
|
peer=(name=org.mozilla.firefox.*, label=@{profile_name}),
|
||||||
|
|
||||||
dbus receive bus=session path=/org/mozilla/firefox/Remote
|
dbus receive bus=session path=/org/mozilla/firefox/Remote
|
||||||
interface=org.mozilla.firefox
|
interface=org.mozilla.firefox
|
||||||
member=OpenURL
|
|
||||||
peer=(name=:*, label=@{profile_name}),
|
peer=(name=:*, label=@{profile_name}),
|
||||||
|
|
||||||
dbus bind bus=session
|
|
||||||
name=org.mpris.MediaPlayer2.firefox.*,
|
|
||||||
|
|
||||||
dbus bind bus=session
|
|
||||||
name=org.mozilla.firefox.*,
|
|
||||||
|
|
||||||
deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*,
|
|
||||||
|
|
||||||
@{exec_path} mrix,
|
@{exec_path} mrix,
|
||||||
|
|
||||||
@{bin}/{,ba,da}sh rix,
|
@{bin}/{,ba,da}sh rix,
|
||||||
|
|
|
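Review bot: The `member=OpenURL` qualifier is dropped from both the send and the receive rule on `/org/mozilla/firefox/Remote` (old lines at L180 and L202 have no new-side counterpart), so the new rules allow every member of `org.mozilla.firefox` rather than the single remote-open method. The blast radius stays small because both rules keep `label=@{profile_name}`, so only another firefox instance can be the peer, but if the intent was only to drop the `[0-9]*` globs, keeping `member=OpenURL` on both rules would preserve the narrower policy. The first hunk also removes the `dbus send ... member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label=dbus-daemon)` rule in favour of `dbus bind` rules; presumably the bus abstraction already allows those driver calls, otherwise name acquisition would be logged as a denial — worth confirming against the session-bus abstraction, which is outside this diff.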
@ -28,26 +28,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
dbus send bus=session path=/org/a11y/bus
|
|
||||||
interface=org.a11y.Bus
|
|
||||||
member=GetAddress
|
|
||||||
peer=(name=org.a11y.Bus), # all peer's labels
|
|
||||||
|
|
||||||
dbus send bus=accessibility path=/org/a11y/atspi/registry
|
|
||||||
interface=org.a11y.atspi.Registry
|
|
||||||
member=GetRegisteredEvents
|
|
||||||
peer=(name=org.a11y.atspi.Registry), # all peer's labels
|
|
||||||
|
|
||||||
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
|
|
||||||
interface=org.a11y.atspi.DeviceEventController
|
|
||||||
member={GetKeystrokeListeners,GetDeviceEventListeners}
|
|
||||||
peer=(name=org.a11y.atspi.Registry), # all peer's labels
|
|
||||||
|
|
||||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
|
||||||
interface=org.a11y.atspi.Socket
|
|
||||||
member=Embed
|
|
||||||
peer=(name=org.a11y.atspi.Registry), # all peer's labels
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/var/lib/gdm{3,}/.config/ibus/bus/ r,
|
/var/lib/gdm{3,}/.config/ibus/bus/ r,
|
||||||
|
|
|
@ -93,9 +93,9 @@ profile pulseaudio @{exec_path} {
|
||||||
member={Hello,AddMatch,RemoveMatch}
|
member={Hello,AddMatch,RemoveMatch}
|
||||||
peer=(name=org.freedesktop.DBus),
|
peer=(name=org.freedesktop.DBus),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
|
dbus send bus=system path=/org/freedesktop/RealtimeKit1
|
||||||
member={Get,MakeThreadHighPriority,MakeThreadRealtime}
|
member={Get,MakeThreadHighPriority,MakeThreadRealtime}
|
||||||
peer=(name=org.freedesktop.RealtimeKit[0-9]),
|
peer=(name=org.freedesktop.RealtimeKit1),
|
||||||
|
|
||||||
dbus send bus=system path=/
|
dbus send bus=system path=/
|
||||||
interface=org.freedesktop.DBus.ObjectManager
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
|
|
|
@ -23,12 +23,12 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
|
||||||
dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**}
|
dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**}
|
||||||
interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,UPower*},
|
interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,UPower*},
|
||||||
|
|
||||||
dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]
|
dbus (send,receive) bus=system path=/org/freedesktop/login1
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member={PropertiesChanged,GetAll},
|
member={PropertiesChanged,GetAll},
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/login[0-9]
|
dbus send bus=system path=/org/freedesktop/login1
|
||||||
interface=org.freedesktop.login[0-9].Manager
|
interface=org.freedesktop.login1.Manager
|
||||||
member=Inhibit,
|
member=Inhibit,
|
||||||
|
|
||||||
dbus send bus=system path=/
|
dbus send bus=system path=/
|
||||||
|
@ -41,8 +41,8 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
|
||||||
member=PropertiesChanged
|
member=PropertiesChanged
|
||||||
peer=(name=:*, label=bluetoothd),
|
peer=(name=:*, label=bluetoothd),
|
||||||
|
|
||||||
dbus receive bus=system path=/org/freedesktop/login[0-9]
|
dbus receive bus=system path=/org/freedesktop/login1
|
||||||
interface=org.freedesktop.login[0-9].Manager
|
interface=org.freedesktop.login1.Manager
|
||||||
member={UserNew,UserRemoved,SessionNew,SessionRemoved,PrepareForShutdown,PrepareForSleep}
|
member={UserNew,UserRemoved,SessionNew,SessionRemoved,PrepareForShutdown,PrepareForSleep}
|
||||||
peer=(name=:*, label=systemd-logind),
|
peer=(name=:*, label=systemd-logind),
|
||||||
|
|
||||||
|
|
|
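Review bot: The rewritten `dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=Inhibit,` rule still has no `peer=` qualifier, while the matching receive rule in the second hunk pins `label=systemd-logind`. Since the commit already touches this rule to drop the `[0-9]` glob, it would be the moment to add the same peer restriction, `peer=(name=org.freedesktop.login1, label=systemd-logind),`, so that an Inhibit call can only reach logind and not any connection that happens to own that path. I cannot see the rest of the profile, so if a broader rule elsewhere already covers this peer, the note is moot.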
@ -1,5 +1,5 @@
|
||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
@ -47,7 +47,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
|
||||||
member={CancelEndSession,QueryEndSession,EndSession,Stop}
|
member={CancelEndSession,QueryEndSession,EndSession,Stop}
|
||||||
peer=(name=:*, label=gnome-session-binary),
|
peer=(name=:*, label=gnome-session-binary),
|
||||||
|
|
||||||
dbus receive bus=session path=/{,org}
|
dbus receive bus=session
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
member=Introspect
|
member=Introspect
|
||||||
peer=(name=:*, label=gnome-shell),
|
peer=(name=:*, label=gnome-shell),
|
||||||
|
|
|
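Review bot: The receive rule for `org.freedesktop.DBus.Introspectable` loses its `path=/{,org}` qualifier and now applies to every object path the profile exposes, not just `/` and `/org`. Introspect from a `label=gnome-shell` peer is read-only metadata, and the new form matches the equivalent rule in the gsd-sharing profile in this same commit, so this looks intentional; if so, a short `# Introspect on all paths, restricted to gnome-shell` comment above the rule would make the widening explicit for the next reader.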
@ -86,10 +86,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
|
||||||
member={CancelEndSession,QueryEndSession,EndSession,Stop}
|
member={CancelEndSession,QueryEndSession,EndSession,Stop}
|
||||||
peer=(name=:*, label=gnome-session-binary),
|
peer=(name=:*, label=gnome-session-binary),
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/systemd[0-9]*
|
dbus send bus=session path=/org/freedesktop/systemd1
|
||||||
interface=org.freedesktop.systemd[0-9]*.Manager
|
interface=org.freedesktop.systemd1.Manager
|
||||||
member=StopUnit
|
member=StopUnit
|
||||||
peer=(name=org.freedesktop.systemd[0-9]*), # all peer's labels
|
peer=(name=org.freedesktop.systemd1), # all peer's labels
|
||||||
|
|
||||||
dbus receive bus=session
|
dbus receive bus=session
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
|
|
|
@ -15,15 +15,15 @@ profile loginctl @{exec_path} {
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
capability sys_resource,
|
capability sys_resource,
|
||||||
|
|
||||||
dbus (send) bus=system path=/org/freedesktop/login[0-9]*
|
dbus (send) bus=system path=/org/freedesktop/login1*
|
||||||
interface=org.freedesktop.login[0-9]*.Manager
|
interface=org.freedesktop.login1*.Manager
|
||||||
member={ListSessions,GetSession}
|
member={ListSessions,GetSession}
|
||||||
peer=(name=org.freedesktop.login[0-9]*, label=systemd-logind),
|
peer=(name=org.freedesktop.login1*, label=systemd-logind),
|
||||||
|
|
||||||
dbus (send) bus=system path=/org/freedesktop/login[0-9]*/session/**
|
dbus (send) bus=system path=/org/freedesktop/login1*/session/**
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member={Get,GetAll}
|
member={Get,GetAll}
|
||||||
peer=(name=org.freedesktop.login[0-9]*, label=systemd-logind),
|
peer=(name=org.freedesktop.login1*, label=systemd-logind),
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
|
|
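Review bot: The `login1*` form used here (`path=/org/freedesktop/login1*`, `interface=org.freedesktop.login1*.Manager`, `peer=(name=org.freedesktop.login1*, ...)`) still carries a trailing `*`, so it matches `login10`, `login1foo` and anything else with that prefix, which is not narrower than the `[0-9]*` it replaces. The upowerd and pulseaudio hunks in this commit use the exact `login1` and `RealtimeKit1`, and the firefox profile uses `login1*` and `RealtimeKit1*`, so the cleanup is applied inconsistently. Unless a real `login1<suffix>` name is expected, `login1` without the glob would match the other profiles and pin the rules to the one name logind actually owns; the second rule's `/session/**` path already provides the wildcard it needs.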
@ -39,10 +39,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/DBus
|
dbus send bus=system path=/org/freedesktop/DBus
|
||||||
interface=org.freedesktop.DBus
|
interface=org.freedesktop.DBus
|
||||||
member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName},
|
member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser}
|
||||||
|
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||||
interface=org.freedesktop.PolicyKit[0-9].Authority
|
interface=org.freedesktop.PolicyKit1.Authority
|
||||||
member=CheckAuthorization,
|
member=CheckAuthorization,
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/systemd1/unit/**
|
dbus send bus=system path=/org/freedesktop/systemd1/unit/**
|
||||||
|
|
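Review bot: `RequestName` is removed from the member list of the bus-driver send rule while the peer is tightened to `peer=(name=org.freedesktop.DBus, label=dbus-daemon)`, so name ownership of `org.freedesktop.login1` now depends on a `dbus bind bus=system name=org.freedesktop.login1` rule that is not visible in this hunk. If that bind rule is present elsewhere in the profile this is fine; if not, logind's name request would be denied, which this profile would only log because it is in `complain` mode, so the regression could go unnoticed until enforcement is enabled. A one-line comment next to the rule, `# name ownership is granted by the dbus bind rule`, would document the dependency.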