feat(dbus): simple dbus rules cleaning.
This commit is contained in:
parent
dd06e3da65
commit
9517800a9d
9 changed files with 37 additions and 67 deletions
|
@ -50,17 +50,16 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
signal (send) set=(term, kill) peer=keepassxc-proxy,
|
||||
signal (send) set=(term, kill) peer=firefox-*,
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
dbus bind bus=session name=org.mozilla.firefox.*,
|
||||
dbus bind bus=session name=org.mpris.MediaPlayer2.firefox.*,
|
||||
dbus bind bus=session name=org.mozilla.firefox_beta.*,
|
||||
deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*,
|
||||
|
||||
dbus send bus=session path=/ScreenSaver
|
||||
dbus send bus=session path=/ScreenSaver
|
||||
interface=org.freedesktop.ScreenSaver
|
||||
member={Inhibit,UnInhibit}
|
||||
peer=(name=org.freedesktop.ScreenSaver),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.portal.Settings
|
||||
member=Read
|
||||
peer=(name=:*),
|
||||
|
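Review bot: The `dbus bind bus=session name=org.mozilla.firefox_beta.*,` line in this hunk has no counterpart among the bind rules re-added in the hunk at @ -99,34, where only `org.mozilla.firefox.*` and `org.mpris.MediaPlayer2.firefox.*` return. The old/new markers are lost in this rendering, so if that line was removed rather than kept as context, Firefox Beta loses its name binding, because `org.mozilla.firefox.*` does not match `org.mozilla.firefox_beta.*`. If the drop is intended, a short comment on the remaining bind rules would record it; otherwise re-add `dbus bind bus=session name=org.mozilla.firefox_beta.*,` next to the other binds.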
@ -70,24 +69,24 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
member=SettingChanged
|
||||
peer=(name=:*),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={GetAll,Read}
|
||||
peer=(name=:*),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/UPower
|
||||
dbus send bus=system path=/org/freedesktop/UPower
|
||||
interface=org.freedesktop.UPower
|
||||
member=EnumerateDevices
|
||||
peer=(name=org.freedesktop.UPower),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/PowerManagement/Inhibit
|
||||
dbus send bus=session path=/org/freedesktop/PowerManagement/Inhibit
|
||||
interface=org.freedesktop.PowerManagement.Inhibit
|
||||
member=Inhibit
|
||||
peer=(name=org.freedesktop.PowerManagement),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]*
|
||||
dbus send bus=system path=/org/freedesktop/RealtimeKit1
|
||||
member={Get,MakeThreadHighPriority,MakeThreadRealtime,MakeThreadRealtimeWithPID}
|
||||
peer=(name=org.freedesktop.RealtimeKit[0-9]*),
|
||||
peer=(name=org.freedesktop.RealtimeKit1*),
|
||||
|
||||
dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
|
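Review bot: The peer name on the RealtimeKit rule keeps a trailing wildcard, `peer=(name=org.freedesktop.RealtimeKit1*),`, while the path on the same rule was narrowed to the exact `/org/freedesktop/RealtimeKit1` and the pulseaudio hunk (@ -93,9) uses the exact `org.freedesktop.RealtimeKit1` for its peer; `RealtimeKit1*` still matches any name with that prefix. The same leftover `*` appears in the `login1*` path, interface and peer patterns of the firefox hunk at @ -99,34 and the loginctl hunk at @ -15,15, whereas the upowerd hunks use the exact `login1`. Unless the wildcards are deliberate, `peer=(name=org.freedesktop.RealtimeKit1),` and `login1` should be used consistently across these profiles.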
@ -99,34 +98,24 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
member=GetPlaylists
|
||||
peer=(name=:*),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/login[0-9]*
|
||||
interface=org.freedesktop.login[0-9]*.Manager
|
||||
dbus receive bus=system path=/org/freedesktop/login1*
|
||||
interface=org.freedesktop.login1*.Manager
|
||||
member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareForShutdown}
|
||||
peer=(name=:*),
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/metadata
|
||||
dbus send bus=session path=/org/gtk/vfs/metadata
|
||||
interface=org.gtk.vfs.Metadata
|
||||
member=GetTreeFromDevice
|
||||
peer=(name=:*),
|
||||
|
||||
dbus send bus=session path=/org/mozilla/firefox/Remote
|
||||
dbus send bus=session path=/org/mozilla/firefox/Remote
|
||||
interface=org.mozilla.firefox
|
||||
member=OpenURL
|
||||
peer=(name=org.mozilla.firefox.*, label=@{profile_name}),
|
||||
|
||||
dbus receive bus=session path=/org/mozilla/firefox/Remote
|
||||
interface=org.mozilla.firefox
|
||||
member=OpenURL
|
||||
peer=(name=:*, label=@{profile_name}),
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.mpris.MediaPlayer2.firefox.*,
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.mozilla.firefox.*,
|
||||
|
||||
deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*,
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
|
|
|
@ -28,26 +28,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
|
|||
network inet6 dgram,
|
||||
network netlink raw,
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.a11y.Bus
|
||||
member=GetAddress
|
||||
peer=(name=org.a11y.Bus), # all peer's labels
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/registry
|
||||
interface=org.a11y.atspi.Registry
|
||||
member=GetRegisteredEvents
|
||||
peer=(name=org.a11y.atspi.Registry), # all peer's labels
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
|
||||
interface=org.a11y.atspi.DeviceEventController
|
||||
member={GetKeystrokeListeners,GetDeviceEventListeners}
|
||||
peer=(name=org.a11y.atspi.Registry), # all peer's labels
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.a11y.atspi.Socket
|
||||
member=Embed
|
||||
peer=(name=org.a11y.atspi.Registry), # all peer's labels
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/ r,
|
||||
|
|
|
@ -93,9 +93,9 @@ profile pulseaudio @{exec_path} {
|
|||
member={Hello,AddMatch,RemoveMatch}
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
|
||||
dbus send bus=system path=/org/freedesktop/RealtimeKit1
|
||||
member={Get,MakeThreadHighPriority,MakeThreadRealtime}
|
||||
peer=(name=org.freedesktop.RealtimeKit[0-9]),
|
||||
peer=(name=org.freedesktop.RealtimeKit1),
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus.ObjectManager
|
||||
|
|
|
@ -23,12 +23,12 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
|
|||
dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**}
|
||||
interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,UPower*},
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={PropertiesChanged,GetAll},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login[0-9]
|
||||
interface=org.freedesktop.login[0-9].Manager
|
||||
dbus send bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member=Inhibit,
|
||||
|
||||
dbus send bus=system path=/
|
||||
|
@ -41,8 +41,8 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
|
|||
member=PropertiesChanged
|
||||
peer=(name=:*, label=bluetoothd),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/login[0-9]
|
||||
interface=org.freedesktop.login[0-9].Manager
|
||||
dbus receive bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member={UserNew,UserRemoved,SessionNew,SessionRemoved,PrepareForShutdown,PrepareForSleep}
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
@ -22,7 +22,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
|
|||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager
|
||||
dbus send bus=session path=/org/gnome/SessionManager
|
||||
interface=org.gnome.SessionManager
|
||||
member=RegisterClient
|
||||
peer=(name=:*, label=gnome-session-binary),
|
||||
|
@ -47,7 +47,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
|
|||
member={CancelEndSession,QueryEndSession,EndSession,Stop}
|
||||
peer=(name=:*, label=gnome-session-binary),
|
||||
|
||||
dbus receive bus=session path=/{,org}
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
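Review bot: Dropping `path=/{,org}` from the receive rule widens it from Introspect on `/` and `/org` to Introspect on any object path from a gnome-shell-labelled peer, which goes beyond a syntax cleanup. If the intent is to cover every path gnome-shell introspects, a comment such as `# gnome-shell introspects the whole object tree` on the rule would record that decision; otherwise the path constraint should be kept.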
|
|
@ -86,10 +86,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
|
|||
member={CancelEndSession,QueryEndSession,EndSession,Stop}
|
||||
peer=(name=:*, label=gnome-session-binary),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/systemd[0-9]*
|
||||
interface=org.freedesktop.systemd[0-9]*.Manager
|
||||
dbus send bus=session path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
member=StopUnit
|
||||
peer=(name=org.freedesktop.systemd[0-9]*), # all peer's labels
|
||||
peer=(name=org.freedesktop.systemd1), # all peer's labels
|
||||
|
||||
dbus receive bus=session
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
|
|
|
@ -15,15 +15,15 @@ profile loginctl @{exec_path} {
|
|||
capability net_admin,
|
||||
capability sys_resource,
|
||||
|
||||
dbus (send) bus=system path=/org/freedesktop/login[0-9]*
|
||||
interface=org.freedesktop.login[0-9]*.Manager
|
||||
dbus (send) bus=system path=/org/freedesktop/login1*
|
||||
interface=org.freedesktop.login1*.Manager
|
||||
member={ListSessions,GetSession}
|
||||
peer=(name=org.freedesktop.login[0-9]*, label=systemd-logind),
|
||||
peer=(name=org.freedesktop.login1*, label=systemd-logind),
|
||||
|
||||
dbus (send) bus=system path=/org/freedesktop/login[0-9]*/session/**
|
||||
dbus (send) bus=system path=/org/freedesktop/login1*/session/**
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Get,GetAll}
|
||||
peer=(name=org.freedesktop.login[0-9]*, label=systemd-logind),
|
||||
peer=(name=org.freedesktop.login1*, label=systemd-logind),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -39,10 +39,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
|
|||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName},
|
||||
member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.PolicyKit[0-9].Authority
|
||||
interface=org.freedesktop.PolicyKit1.Authority
|
||||
member=CheckAuthorization,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/systemd1/unit/**
|
||||
|
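Review bot: `RequestName` is removed from the bus-driver member list, leaving `member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser}`, although other profiles in this commit (firefox, gsd-housekeeping) keep `member={RequestName,ReleaseName}` sends to `org.freedesktop.DBus` alongside their bind rules. Unless an included abstraction already allows that call for logind, requesting its well-known bus name may now produce a denial; the profile carries the `complain` flag, so this would surface in the audit log rather than block. The added `peer=(name=org.freedesktop.DBus, label=dbus-daemon),` line itself looks consistent with the firefox rule at @ -50,17.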
|
|
@ -33,7 +33,7 @@ profile engrampa @{exec_path} {
|
|||
interface=org.gtk.Private.RemoteVolumeMonitor
|
||||
member={IsSupported,List}
|
||||
peer=(name=:*),
|
||||
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/mounttracker
|
||||
interface=org.gtk.vfs.MountTracker
|
||||
member={ListMounts2,LookupMount}
|
||||
|
|