diff --git a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry
new file mode 100644
index 00000000..6171cf59
--- /dev/null
+++ b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry
@@ -0,0 +1,12 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Access required for connecting to/communicating with the Unity Launcher
+
+ dbus send bus=session path=/com/canonical/unity/launcherentry/@{int}
+ interface=com.canonical.Unity.LauncherEntry
+ member=Update
+ peer=(name=org.freedesktop.DBus, label=gnome-shell),
+
+ include if exists
diff --git a/apparmor.d/abstractions/bus/com.canonical.dbusmenu b/apparmor.d/abstractions/bus/com.canonical.dbusmenu
new file mode 100644
index 00000000..4e158126
--- /dev/null
+++ b/apparmor.d/abstractions/bus/com.canonical.dbusmenu
@@ -0,0 +1,6 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+
+ include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
index 74875991..4e656c9b 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
@@ -7,4 +7,9 @@
 member=GetAll
 peer=(name=:*, label=gjs-console),
 
+ dbus receive bus=session path=/org/freedesktop/Notifications
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=gjs-console),
+
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver
index dec9d6bd..b672ba52 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver
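Review bot: The new abstraction `apparmor.d/abstractions/bus/com.canonical.dbusmenu` contains no rule at all, only the licence header, two blank lines and the trailing `include if exists`; `org.kde.StatusNotifierWatcher`, added later in this commit, is identical. A profile that includes either gains nothing, which reads like a placeholder for rules still to be collected, so either populate it or record the intent with a comment such as `# Placeholder: rules for programs exporting a dbusmenu are still to be collected`. The `com.canonical.Unity.LauncherEntry` file in the first hunk shows the expected shape, with a one-line purpose comment above its rule.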
@@ -2,5 +2,9 @@
 # Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
+ dbus send bus=session path=/ScreenSaver
+ interface=org.freedesktop.ScreenSaver
+ member={Inhibit,UnInhibit}
+ peer=(name=org.freedesktop.ScreenSaver),
 
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1
index 5c8e0517..3c725105 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.locale1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1
@@ -5,6 +5,6 @@
 dbus send bus=system path=/org/freedesktop/locale1
 interface=org.freedesktop.DBus.Properties
 member=GetAll
- peer=(name=:*, label=systemd-localed),
+ peer=(name="{:*,org.freedesktop.locale1}", label=systemd-localed),
 
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1
index e6f095af..71a749d2 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1
@@ -5,6 +5,6 @@
 dbus send bus=system path=/org/freedesktop/resolve1
 interface=org.freedesktop.resolve1.Manager
 member={SetLink*,ResolveHostname}
- peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
+ peer=(name="{:*,org.freedesktop.resolve1}", label=systemd-resolved),
 
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
new file mode 100644
index 00000000..0bda0ee2
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
@@ -0,0 +1,6 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+
+ include if exists
diff --git a/apparmor.d/groups/freedesktop/colord-sane b/apparmor.d/groups/freedesktop/colord-sane
index aaea3e53..4c0cd957 100644
--- a/apparmor.d/groups/freedesktop/colord-sane
+++ b/apparmor.d/groups/freedesktop/colord-sane
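Review bot: The `Inhibit`/`UnInhibit` send rule added to `org.freedesktop.ScreenSaver` pins the peer by well-known name only, `peer=(name=org.freedesktop.ScreenSaver),`, whereas every other bus abstraction touched in this commit also names the owning profile with `label=` (the LauncherEntry rule uses `label=gnome-shell`, locale1 and resolve1 keep `label=systemd-localed` and `label=systemd-resolved`). Ownership of the name is already mediated by `dbus bind`, so this is not a hole on its own, but it is the one rule in the set that does not say which confined program is expected on the other end. If the owner differs by desktop, a comment such as `# No label: the screensaver name is owned by a different profile on each desktop` would make the omission deliberate rather than accidental; the file also lacks the one-line purpose comment the LauncherEntry abstraction carries.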
@@ -19,6 +19,8 @@ profile colord-sane @{exec_path} flags=(attach_disconnected) {
 network inet6 dgram,
 network netlink raw,
 
+ # dbus: talk bus=system name=org.freedesktop.ColorManager label=colord
+
 @{exec_path} mr,
 
 /usr/share/snmp/mibs/{,*} r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 9804a798..6b446339 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -25,27 +25,13 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 ptrace (read),
 
- dbus bind bus=session name=org.freedesktop.portal.Desktop,
- dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop
- interface=org.freedesktop.portal.Settings,
- dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop
- interface=org.freedesktop.DBus.Properties
- peer=(name=:*),
- dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop
- interface=org.freedesktop.impl.portal.*
- peer=(name=:*),
+ # dbus: own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}}
 
 dbus receive bus=session path=/org/freedesktop/portal/desktop
 interface=org.freedesktop.portal.Realtime
 member=MakeThread*
 peer=(name=:*),
 
- dbus bind bus=session name=org.freedesktop.background.Monitor,
- dbus receive bus=session path=/org/freedesktop/background/monitor
- interface=org.freedesktop.DBus.Properties
- peer=(name=:*),
- dbus send bus=session path=/org/freedesktop/background/monitor
- interface=org.freedesktop.DBus.Properties
- peer=(name=org.freedesktop.DBus),
+ # dbus: own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor
 
 dbus send bus=session path=/org/freedesktop/portal/documents
 interface=org.freedesktop.DBus.Properties
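Review bot: The first `# dbus: own` directive in the xdg-desktop-portal hunk narrows the interface set relative to the rules it replaces: the removed rule allowed `interface=org.freedesktop.impl.portal.*` on `/org/freedesktop/portal/desktop`, while the directive lists only `org.freedesktop{,.impl}.portal.{Settings,Background}` next to `org.freedesktop.DBus.Properties`. Unless the directive expander adds the other `impl.portal` interfaces on its own (which this hunk cannot show), traffic on any other `org.freedesktop.impl.portal.*` interface at that path is now denied; either widen the list back to `org.freedesktop.impl.portal.*` or add a comment recording that the narrowing is intentional. The `org.freedesktop.portal.Realtime` receive rule is unaffected because it is kept explicitly, and the profile body continues outside the hunk.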
diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store
index 6e7d9d43..719c002a 100644
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@@ -16,13 +16,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term hup kill) peer=dbus-daemon,
 signal (receive) set=(term hup kill) peer=gdm*,
 
- dbus bind bus=session name=org.freedesktop.impl.portal.PermissionStore,
- dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore
- interface=org.freedesktop.DBus.Properties
- peer=(name=:*),
- dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore
- interface=org.freedesktop.impl.portal.PermissionStore
- peer=(name=:*),
+ # dbus: own bus=session name=org.freedesktop.impl.portal.PermissionStore
 
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm
index e20e65bb..01d94fd2 100644
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@@ -31,6 +31,15 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
 
 # dbus: talk bus=system name=org.freedesktop.login1 label=systemd-logind
 
+ dbus send bus=system path=/org/freedesktop/Accounts
+ interface=org.freedesktop.Accounts
+ member=ListCachedUsers
+ peer=(name=:*, label=accounts-daemon),
+ dbus send bus=system path=/org/freedesktop/Accounts
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=accounts-daemon),
+
 dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
 member={GetConnectionUnixProcessID,GetConnectionUnixUser}
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 7a0a6dc6..dc2e78ab 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
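Review bot: The two new `dbus send` rules for `/org/freedesktop/Accounts` in the gdm hunk match the peer with `name=:*` only, yet a caller that addresses accounts-daemon by its well-known name (which gdm presumably does) will have `org.freedesktop.Accounts` as the destination rather than a unique `:1.N` name. The `org.freedesktop.locale1` and `org.freedesktop.resolve1` abstraction hunks in this same commit address exactly that by widening the peer to `"{:*,org.freedesktop.locale1}"`; the same form is wanted here on both rules, `peer=(name="{:*,org.freedesktop.Accounts}", label=accounts-daemon),`, unless the rules were copied from an audit record that shows a unique destination. The `label=accounts-daemon` constraint is good and should stay. gdm's profile body continues outside the hunk.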
@@ -126,6 +126,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.ColorManager
 member=DeleteDevice
 peer=(name=:*, label=colord),
+ dbus receive bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.ColorManager
+ member=ProfileAdded
+ peer=(name=:*, label=colord),
 
 dbus receive bus=system path=/org/freedesktop/login1/seat/seat@{int}
 interface=org.freedesktop.DBus.Properties
@@ -183,6 +187,21 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 member=JobRemoved
 peer=(name=:*, label="@{systemd}"),
 
+ dbus send bus=session path=/MenuBar
+ interface=com.canonical.dbusmenu
+ member={AboutToShow,GetLayout,GetGroupProperties}
+ peer=(name=:*),
+
+ dbus send bus=session path=/StatusNotifierItem
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name=:*),
+
+ dbus send bus=session path=/org/mpris/MediaPlayer2
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name=:*),
+
 dbus send bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 1b00928f..0e537ed9 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
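Review bot: The three new session-bus send rules in the second gnome-shell hunk (`/MenuBar`, `/StatusNotifierItem`, `/org/mpris/MediaPlayer2`) use `peer=(name=:*)` with no `label=`, unlike the surrounding rules in this profile, which pin `label=colord` or `label="@{systemd}"`. That is probably unavoidable, since any confined application may export a tray item or an MPRIS player, but the profile should say so, e.g. `# Unlabelled peers: tray items, dbusmenus and MPRIS players are exported by arbitrary applications`, so the exception is not tightened later by mistake. The first hunk's `ProfileAdded` receive rule keeps `label=colord` and needs nothing. The profile body continues outside both hunks.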
@@ -28,16 +28,9 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
 
 signal (receive) set=(term) peer=gdm,
 
- dbus bind bus=session name=org.freedesktop.Tracker3.Miner.Extract,
+ # dbus: own bus=session name=org.freedesktop.Tracker3.Miner.Extract
 
- # Talk to tracker-miner
- dbus send bus=session path=/org/freedesktop/Tracker3/{Files,Endpoint,Miner/Extract}
- interface={org.freedesktop.Tracker3.{Miner,Endpoint,Files},org.freedesktop.DBus.{Peer,Properties}}
- peer=(name="{:*,org.freedesktop.Tracker3.Miner.Files,org.freedesktop.DBus}", label=tracker-miner),
- dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
- interface=org.freedesktop.DBus.Peer
- member=Ping
- peer=(name=org.freedesktop.Tracker3.Miner.Files),
+ # dbus: talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface=org.freedesktop.DBus.{Properties,Peer}
 
 dbus send bus=session path=/org/gtk/vfs/metadata
 interface=org.gtk.vfs.Metadata
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index 4573cdac..5c4110a7 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -28,15 +28,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term, kill) peer=gdm,
 signal (receive) set=(hup) peer=gdm-session-worker,
 
- dbus bind bus=session name=org.freedesktop.Tracker3.Miner.Files{,.*},
- dbus (send, receive) bus=session path=/org/freedesktop/Tracker3/Endpoint
- interface={org.freedesktop.Tracker3.Endpoint,org.freedesktop.DBus.Peer}
- peer=(name=:*),
-
- # Talk from tracker-extract
- dbus receive bus=session path=/org/freedesktop/Tracker3/{Files,Endpoint,Miner/Extract}
- interface={org.freedesktop.Tracker3.{Miner,Endpoint,Files},org.freedesktop.DBus.{Peer,Properties}}
- peer=(name="{:*,org.freedesktop.DBus}", label=tracker-extract),
+ # dbus: own bus=session name=org.freedesktop.Tracker3 interface=org.freedesktop.DBus.{Properties,Peer}
 
 @{exec_path} mr,
 
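Review bot: In the tracker-miner hunk the `# dbus: own` directive names `org.freedesktop.Tracker3`, but the rule it replaces bound `org.freedesktop.Tracker3.Miner.Files{,.*}`, and tracker-extract's own directive in the first hunk on this line keeps its full name, `org.freedesktop.Tracker3.Miner.Extract`. If the expander emits an exact `dbus bind` for the directive's name, the miner loses the right to own its real name; if it treats the name as a prefix, that deserves a comment because it differs from how every other `own` directive in this commit is written, e.g. `# dbus: own bus=session name=org.freedesktop.Tracker3.Miner.Files{,.*} interface=org.freedesktop.DBus.{Properties,Peer}` would match the removed rule literally. The removed rules in both profiles also covered the `org.freedesktop.Tracker3.{Miner,Endpoint,Files}` interfaces, while the two directives list only `org.freedesktop.DBus.{Properties,Peer}`, so confirm the expander supplies those before the explicit rules go. Both profile bodies continue outside their hunks.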
diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
index eb443ad3..29490ed2 100644
--- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
@@ -12,10 +12,7 @@ profile gvfs-afc-volume-monitor @{exec_path} {
 include
 include
 
- dbus bind bus=session name=org.gtk.vfs.AfcVolumeMonitor,
- dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor
- interface=org.gtk.Private.RemoteVolumeMonitor
- peer=(name="{:*,org.freedesktop.DBus}"),
+ # dbus: own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor
 
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager
index d46ca2f5..2600cf4c 100644
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@@ -19,10 +19,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
 network qipcrtr dgram,
 network netlink raw,
 
- dbus bind bus=system name=org.freedesktop.ModemManager1,
- dbus receive bus=system path=/org/freedesktop/ModemManager1
- interface=org.freedesktop.DBus.{ObjectManager,Properties}
- peer=(name=:*),
+ # dbus: own bus=system name=org.freedesktop.ModemManager1
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 622ec8a5..41c70f05 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -16,6 +16,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher
index 95f1f3a7..efb2a438 100644
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@@ -20,10 +20,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
 
 ptrace (read) peer=unconfined,
 
- dbus bind bus=system name=org.freedesktop.nm_dispatcher,
- dbus receive bus=system path=/org/freedesktop/nm_dispatcher
- interface=org.freedesktop.nm_dispatcher
- peer=(name=:*),
+ # dbus: own bus=system name=org.freedesktop.nm_dispatcher
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl
index f8801cd1..ccbe6ffe 100644
--- a/apparmor.d/groups/systemd/hostnamectl
+++ b/apparmor.d/groups/systemd/hostnamectl
@@ -10,25 +10,11 @@ include
 profile hostnamectl @{exec_path} {
 include
 include
- include
 include
 
 capability net_admin,
 
- dbus send bus=system path=/org/freedesktop/
- interface=org.freedesktop.hostname1
- member=Set*Hostname
- peer=(name=org.freedesktop.hostname1),
-
- dbus send bus=system path=/org/freedesktop/hostname1
- interface=org.freedesktop.hostname1
- member=Set*Hostname
- peer=(name=org.freedesktop.hostname1),
-
- dbus send bus=system path=/org/freedesktop/systemd1
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=org.freedesktop.systemd1),
+ # dbus: talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl
index 5e60996d..d1e2d3f6 100644
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@@ -11,7 +11,6 @@ include
 profile networkctl @{exec_path} flags=(attach_disconnected) {
 include
 include
- include
 
 capability net_admin,
 capability sys_module,
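Review bot: The `# dbus: talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed` directive in the hostnamectl hunk replaces three rule blocks, but only two of them concerned hostname1; the third, `dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.systemd1)`, has no counterpart in the new text, and the `include` line removed above `capability net_admin,` (its target is not visible here) may have been what covered it. If hostnamectl still reads systemd1 properties, that call is now denied; either keep the explicit rule or add a second directive in the form the systemd-analyze hunk uses, `# dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"`. The same consolidation also drops the peer-name-only `Set*Hostname` rules in favour of a labelled peer, which is a tightening worth keeping.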
@@ -25,10 +24,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
 network inet6 dgram,
 network netlink raw,
 
- dbus send bus=system path=/org/freedesktop/network[0-9]
- interface=org.freedesktop.DBus.Properties
- member=Get
- peer=(name=org.freedesktop.network1),
+ # dbus: talk bus=system name=org.freedesktop.network1 label=systemd-networkd
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze
index 5b77813f..332272a9 100644
--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@@ -22,17 +22,7 @@ profile systemd-analyze @{exec_path} {
 
 signal (send) peer=child-pager,
 
- dbus send bus=system path=/org/freedesktop/systemd1
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
-
- dbus send bus=system path=/org/freedesktop/systemd1
- interface=org.freedesktop.systemd1.Manager
- member=ListUnits,
-
- dbus send bus=system path=/org/freedesktop/systemd1/unit/*
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
+ # dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed
index 2690d633..f86bafe5 100644
--- a/apparmor.d/groups/systemd/systemd-homed
+++ b/apparmor.d/groups/systemd/systemd-homed
@@ -36,7 +36,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
 mount options=(rw, rslave) -> @{run}/,
 mount /dev/dm-[0-9]* -> @{run}/systemd/user-home-mount/,
 
- dbus bind bus=system name=org.freedesktop.home1,
+ # dbus: own bus=system name=org.freedesktop.home1
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index a4300d4a..b295858a 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@@ -16,10 +16,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 capability sys_admin,
 
 # To set a hostname
- dbus bind bus=system name=org.freedesktop.hostname1,
- dbus receive bus=system path=/org/freedesktop/hostname1
- interface=org.freedesktop.DBus.Properties
- peer=(name=:*),
+ # dbus: own bus=system name=org.freedesktop.hostname1
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index a3c69fcb..e2308b24 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -17,11 +17,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 # Needed?
 audit capability net_admin,
 
- dbus bind bus=system name=org.freedesktop.locale1,
- dbus receive bus=system path=/org/freedesktop/locale1
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*),
+ # dbus: own bus=system name=org.freedesktop.locale1
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index 5bfa3f98..1501f56e 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 capability dac_override,
 capability kill,
 
- dbus bind bus=system name=org.freedesktop.oom1,
+ # dbus: own bus=system name=org.freedesktop.oom1
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd
index 6871a354..9a4f983f 100644
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@@ -21,7 +21,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
 network inet stream,
 network inet6 stream,
 
- dbus bind bus=system name=org.freedesktop.timesync1,
+ # dbus: own bus=system name=org.freedesktop.timesync1
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus
index 89e98ba0..ddbc7170 100644
--- a/apparmor.d/groups/ubuntu/software-properties-dbus
+++ b/apparmor.d/groups/ubuntu/software-properties-dbus
@@ -15,10 +15,7 @@ profile software-properties-dbus @{exec_path} {
 include
 include
 
- dbus bind bus=system name=com.ubuntu.SoftwareProperties,
- dbus receive bus=system path=/
- interface=com.ubuntu.SoftwareProperties
- peer=(name=:*, label=software-properties-gtk),
+ # dbus: own bus=system name=com.ubuntu.SoftwareProperties
 
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/profiles-a-f/atrild b/apparmor.d/profiles-a-f/atrild
index 3a29906c..790c4452 100644
--- a/apparmor.d/profiles-a-f/atrild
+++ b/apparmor.d/profiles-a-f/atrild
@@ -11,10 +11,7 @@ profile atrild @{exec_path} {
 include
 include
 
- dbus bind bus=session name=org.mate.atril.Daemon,
-
- dbus (send, receive) bus=session path=/org/mate/atril/**
- peer=(name="{:*,org.freedesktop.DBus}", label=atril), # all interfaces and members
+ # dbus: own bus=session name=org.mate.atril.Daemon
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd
index 041e2ffb..f81c4305 100644
--- a/apparmor.d/profiles-a-f/bluetoothd
+++ b/apparmor.d/profiles-a-f/bluetoothd
@@ -22,13 +22,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
 network alg seqpacket,
 network netlink raw,
 
- dbus bind bus=system name=org.bluez,
- dbus send bus=system path=/org/bluez{,/**}
- interface=org.freedesktop.DBus.Properties
- peer=(name=org.freedesktop.DBus),
- dbus receive bus=system path=/org/bluez{,/**}
- interface=org.bluez{,.*}
- peer=(name=:*),
+ # dbus: own bus=system name=org.bluez
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/profiles-a-f/cups-browsed b/apparmor.d/profiles-a-f/cups-browsed
index edf4f57d..094b174f 100644
--- a/apparmor.d/profiles-a-f/cups-browsed
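Review bot: The `# dbus: own bus=system name=com.ubuntu.SoftwareProperties` directive drops the object path the removed rule carried, `path=/`, while the cups-pk-helper-mechanism hunk in the next file section, which replaces an identically shaped rule, keeps it as `# dbus: own bus=system name=org.opensuse.CupsPkHelper.Mechanism path=/`. If the expander derives the default path from the bus name, method calls on `/` are denied for this service; the line should read `# dbus: own bus=system name=com.ubuntu.SoftwareProperties path=/`. The same question applies to the atrild (`/org/mate/atril/**`) and bluetoothd (`/org/bluez{,/**}`) hunks on this line, whose removed rules covered whole subtrees rather than one object, so confirm the expander's default path matches before relying on it. The removed software-properties rule also limited callers to `label=software-properties-gtk`; the directive presumably accepts any peer, a widening worth a one-line comment if it is intended.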
+++ b/apparmor.d/profiles-a-f/cups-browsed
@@ -25,6 +25,11 @@ profile cups-browsed @{exec_path} {
 network inet6 stream,
 network netlink raw,
 
+ dbus receive bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member=StateChanged
+ peer=(name=:*, label=avahi-daemon),
+
 @{exec_path} mr,
 
 /usr/share/cups/locale/{,**} r,
diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
index 634f699d..2e9859af 100644
--- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
+++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
@@ -20,10 +20,7 @@ profile cups-pk-helper-mechanism @{exec_path} {
 network inet stream,
 network inet6 stream,
 
- dbus bind bus=system name=org.opensuse.CupsPkHelper.Mechanism,
- dbus receive bus=system path=/
- interface=org.opensuse.CupsPkHelper.Mechanism
- peer=(name=:*),
+ # dbus: own bus=system name=org.opensuse.CupsPkHelper.Mechanism path=/
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller
index 70db0a2f..69126750 100644
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@@ -21,9 +21,8 @@ profile file-roller @{exec_path} {
 include
 include
 
- dbus bind bus=session name=org.gnome.ArchiveManager1,
-
- dbus bind bus=session name=org.gnome.FileRoller,
+ # dbus: own bus=session name=org.gnome.ArchiveManager1
+ # dbus: own bus=session name=org.gnome.FileRoller
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon
index fa2d02dc..b8062906 100644
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@@ -20,13 +20,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
 
 network netlink raw,
 
- dbus bind bus=system name=net.hadess.PowerProfiles,
- dbus receive bus=system path=/net/hadess/PowerProfiles
- interface=org.freedesktop.DBus.Properties
- peer=(name=:*),
- dbus send bus=system path=/net/hadess/PowerProfiles
- interface=org.freedesktop.DBus.Properties
- peer=(name=org.freedesktop.DBus),
+ # dbus: own bus=system name=net.hadess.PowerProfiles
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon
index be17ced7..33c857e3 100644
--- a/apparmor.d/profiles-m-r/rtkit-daemon
+++ b/apparmor.d/profiles-m-r/rtkit-daemon
@@ -21,13 +21,7 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) {
 capability sys_nice,
 capability sys_ptrace,
 
- dbus bind bus=system name=org.freedesktop.RealtimeKit1,
- dbus receive bus=system path=/org/freedesktop/RealtimeKit1
- interface=org.freedesktop.RealtimeKit1
- peer=(name=:*),
- dbus receive bus=system path=/org/freedesktop/RealtimeKit1
- interface=org.freedesktop.DBus.Properties
- peer=(name=:*),
+ # dbus: own bus=system name=org.freedesktop.RealtimeKit1
 
 dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald
index cc4f2da1..d63f4f60 100644
--- a/apparmor.d/profiles-s-z/thermald
+++ b/apparmor.d/profiles-s-z/thermald
@@ -17,7 +17,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
 
 capability sys_boot,
 
- # dbus: own bus=sessisystemon name=org.freedesktop.thermald
+ # dbus: own bus=system name=org.freedesktop.thermald
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant
index ae87163a..95175fd1 100644
--- a/apparmor.d/profiles-s-z/wpa-supplicant
+++ b/apparmor.d/profiles-s-z/wpa-supplicant
@@ -29,11 +29,7 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
 network packet dgram,
 network packet raw,
 
- dbus bind bus=system name=fi.w1.wpa_supplicant1,
- dbus receive bus=system path=/fi/w1/wpa_supplicant1
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*),
+ # dbus: own bus=system name=fi.w1.wpa_supplicant1
 
 @{exec_path} mr,
 