feat(profile): add some dbus rules.

2025-01-18 00:48:10 +01:00 · 2023-12-19 23:24:44 +00:00 · 2023-12-19 23:24:44 +00:00 · 9f49052529
commit 9f49052529
parent 53f3a27e16
36 changed files with 98 additions and 140 deletions
--- a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry
+++ b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry
@ -0,0 +1,12 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Access required for connecting to/communicating with the Unity Launcher
+
+  dbus send bus=session path=/com/canonical/unity/launcherentry/@{int}
+       interface=com.canonical.Unity.LauncherEntry
+       member=Update
+       peer=(name=org.freedesktop.DBus, label=gnome-shell),
+
+  include if exists <abstractions/bus/com.canonical.Unity.LauncherEntry.d>
--- a/apparmor.d/abstractions/bus/com.canonical.dbusmenu
+++ b/apparmor.d/abstractions/bus/com.canonical.dbusmenu
@ -0,0 +1,6 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+
+  include if exists <abstractions/bus/com.canonical.dbusmenu.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
@ -7,4 +7,9 @@
       member=GetAll
       peer=(name=:*, label=gjs-console),

+  dbus receive bus=session path=/org/freedesktop/Notifications
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=:*, label=gjs-console),
+
  include if exists <abstractions/bus/org.freedesktop.Notifications.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver
@ -2,5 +2,9 @@
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  dbus send bus=session path=/ScreenSaver
+       interface=org.freedesktop.ScreenSaver
+       member={Inhibit,UnInhibit}
+       peer=(name=org.freedesktop.ScreenSaver),

  include if exists <abstractions/bus/org.freedesktop.ScreenSaver.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.locale1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1
@ -5,6 +5,6 @@
  dbus send bus=system path=/org/freedesktop/locale1
       interface=org.freedesktop.DBus.Properties
       member=GetAll
-       peer=(name=:*, label=systemd-localed),
+       peer=(name="{:*,org.freedesktop.locale1}", label=systemd-localed),

  include if exists <abstractions/bus/org.freedesktop.locale1.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1
@ -5,6 +5,6 @@
  dbus send bus=system path=/org/freedesktop/resolve1
       interface=org.freedesktop.resolve1.Manager
       member={SetLink*,ResolveHostname}
-       peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
+       peer=(name="{:*,org.freedesktop.resolve1}", label=systemd-resolved),

  include if exists <abstractions/bus/org.freedesktop.resolve1.d>
--- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
@ -0,0 +1,6 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+
+  include if exists <abstractions/bus/org.kde.StatusNotifierWatcher.d>
--- a/apparmor.d/groups/freedesktop/colord-sane
+++ b/apparmor.d/groups/freedesktop/colord-sane
@ -19,6 +19,8 @@ profile colord-sane @{exec_path} flags=(attach_disconnected) {
  network inet6 dgram,
  network netlink raw,

+  # dbus: talk bus=system name=org.freedesktop.ColorManager label=colord
+
  @{exec_path} mr,

  /usr/share/snmp/mibs/{,*} r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -25,27 +25,13 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {

  ptrace (read),

-  dbus bind bus=session name=org.freedesktop.portal.Desktop,
-  dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop
-       interface=org.freedesktop.portal.Settings,
-  dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=:*),
-  dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop
-       interface=org.freedesktop.impl.portal.*
-       peer=(name=:*),
+  # dbus: own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}}
  dbus receive bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.portal.Realtime
       member=MakeThread*
       peer=(name=:*),

-  dbus bind bus=session name=org.freedesktop.background.Monitor,
-  dbus receive bus=session path=/org/freedesktop/background/monitor
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=:*),
-  dbus send bus=session path=/org/freedesktop/background/monitor
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=org.freedesktop.DBus),
+  # dbus: own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor

  dbus send bus=session path=/org/freedesktop/portal/documents
       interface=org.freedesktop.DBus.Properties
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@ -16,13 +16,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
  signal (receive) set=(term hup kill) peer=dbus-daemon,
  signal (receive) set=(term hup kill) peer=gdm*,

-  dbus bind bus=session name=org.freedesktop.impl.portal.PermissionStore,
-  dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=:*),
-  dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore
-       interface=org.freedesktop.impl.portal.PermissionStore
-       peer=(name=:*),
+  # dbus: own bus=session name=org.freedesktop.impl.portal.PermissionStore

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@ -31,6 +31,15 @@ profile gdm @{exec_path} flags=(attach_disconnected) {

  # dbus: talk bus=system name=org.freedesktop.login1 label=systemd-logind

+  dbus send bus=system path=/org/freedesktop/Accounts
+       interface=org.freedesktop.Accounts
+       member=ListCachedUsers
+       peer=(name=:*, label=accounts-daemon),
+  dbus send bus=system path=/org/freedesktop/Accounts
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=:*, label=accounts-daemon),
+
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixProcessID,GetConnectionUnixUser}
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -126,6 +126,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.ColorManager
       member=DeleteDevice
       peer=(name=:*, label=colord),
+  dbus receive bus=system path=/org/freedesktop/ColorManager
+       interface=org.freedesktop.ColorManager
+       member=ProfileAdded
+       peer=(name=:*, label=colord),

  dbus receive bus=system path=/org/freedesktop/login1/seat/seat@{int}
       interface=org.freedesktop.DBus.Properties
@ -183,6 +187,21 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
       member=JobRemoved
       peer=(name=:*, label="@{systemd}"),

+  dbus send bus=session path=/MenuBar
+       interface=com.canonical.dbusmenu
+       member={AboutToShow,GetLayout,GetGroupProperties}
+       peer=(name=:*),
+
+  dbus send bus=session path=/StatusNotifierItem
+       interface=org.freedesktop.DBus.Properties
+       member={Get,GetAll}
+       peer=(name=:*),
+
+  dbus send bus=session path=/org/mpris/MediaPlayer2
+       interface=org.freedesktop.DBus.Properties
+       member={Get,GetAll}
+       peer=(name=:*),
+
  dbus send bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -28,16 +28,9 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {

  signal (receive) set=(term) peer=gdm,

-  dbus bind bus=session name=org.freedesktop.Tracker3.Miner.Extract,
+  # dbus: own bus=session name=org.freedesktop.Tracker3.Miner.Extract

-  # Talk to tracker-miner
-  dbus send bus=session path=/org/freedesktop/Tracker3/{Files,Endpoint,Miner/Extract}
-       interface={org.freedesktop.Tracker3.{Miner,Endpoint,Files},org.freedesktop.DBus.{Peer,Properties}}
-       peer=(name="{:*,org.freedesktop.Tracker3.Miner.Files,org.freedesktop.DBus}", label=tracker-miner),
-  dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
-       interface=org.freedesktop.DBus.Peer
-       member=Ping
-       peer=(name=org.freedesktop.Tracker3.Miner.Files),
+  # dbus: talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface=org.freedesktop.DBus.{Properties,Peer}

  dbus send bus=session path=/org/gtk/vfs/metadata
       interface=org.gtk.vfs.Metadata
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -28,15 +28,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
  signal (receive) set=(term, kill) peer=gdm,
  signal (receive) set=(hup)        peer=gdm-session-worker,

-  dbus bind bus=session name=org.freedesktop.Tracker3.Miner.Files{,.*},
-  dbus (send, receive) bus=session path=/org/freedesktop/Tracker3/Endpoint
-       interface={org.freedesktop.Tracker3.Endpoint,org.freedesktop.DBus.Peer}
-       peer=(name=:*),
-
-  # Talk from tracker-extract
-  dbus receive bus=session path=/org/freedesktop/Tracker3/{Files,Endpoint,Miner/Extract}
-       interface={org.freedesktop.Tracker3.{Miner,Endpoint,Files},org.freedesktop.DBus.{Peer,Properties}}
-       peer=(name="{:*,org.freedesktop.DBus}", label=tracker-extract),
+  # dbus: own bus=session name=org.freedesktop.Tracker3 interface=org.freedesktop.DBus.{Properties,Peer}

  @{exec_path} mr,

--- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
@ -12,10 +12,7 @@ profile gvfs-afc-volume-monitor @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>

-  dbus bind bus=session name=org.gtk.vfs.AfcVolumeMonitor,
-  dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor
-       interface=org.gtk.Private.RemoteVolumeMonitor
-       peer=(name="{:*,org.freedesktop.DBus}"),
+  # dbus: own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@ -19,10 +19,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
  network qipcrtr dgram,
  network netlink raw,

-  dbus bind bus=system name=org.freedesktop.ModemManager1,
-  dbus receive bus=system path=/org/freedesktop/ModemManager1
-       interface=org.freedesktop.DBus.{ObjectManager,Properties}
-       peer=(name=:*),
+  # dbus: own bus=system name=org.freedesktop.ModemManager1

  @{exec_path} mr,

--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -16,6 +16,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.ModemManager1>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
+  include <abstractions/bus/org.freedesktop.resolve1>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@ -20,10 +20,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {

  ptrace (read) peer=unconfined,

-  dbus bind bus=system name=org.freedesktop.nm_dispatcher,
-  dbus receive bus=system path=/org/freedesktop/nm_dispatcher
-       interface=org.freedesktop.nm_dispatcher
-       peer=(name=:*),
+  # dbus: own bus=system name=org.freedesktop.nm_dispatcher

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/hostnamectl
+++ b/apparmor.d/groups/systemd/hostnamectl
@ -10,25 +10,11 @@ include <tunables/global>
 profile hostnamectl @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.hostname1>
  include <abstractions/consoles>

  capability net_admin,

-  dbus send bus=system path=/org/freedesktop/
-       interface=org.freedesktop.hostname1
-       member=Set*Hostname
-       peer=(name=org.freedesktop.hostname1),
-
-  dbus send bus=system path=/org/freedesktop/hostname1
-       interface=org.freedesktop.hostname1
-       member=Set*Hostname
-       peer=(name=org.freedesktop.hostname1),
-
-  dbus send bus=system path=/org/freedesktop/systemd1
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll 
-       peer=(name=org.freedesktop.systemd1),
+  # dbus: talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@ -11,7 +11,6 @@ include <tunables/global>
 profile networkctl @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.network1>

  capability net_admin,
  capability sys_module,
@ -25,10 +24,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
  network inet6 dgram,
  network netlink raw,

-  dbus send bus=system path=/org/freedesktop/network[0-9]
-       interface=org.freedesktop.DBus.Properties
-       member=Get
-       peer=(name=org.freedesktop.network1),
+  # dbus: talk bus=system name=org.freedesktop.network1 label=systemd-networkd

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@ -22,17 +22,7 @@ profile systemd-analyze @{exec_path} {

  signal (send) peer=child-pager,

-  dbus send bus=system path=/org/freedesktop/systemd1
-      interface=org.freedesktop.DBus.Properties
-      member=GetAll,
-
-  dbus send bus=system path=/org/freedesktop/systemd1
-      interface=org.freedesktop.systemd1.Manager
-      member=ListUnits,
-
-  dbus send bus=system path=/org/freedesktop/systemd1/unit/*
-      interface=org.freedesktop.DBus.Properties
-      member=GetAll,
+  # dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-homed
+++ b/apparmor.d/groups/systemd/systemd-homed
@ -36,7 +36,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
  mount options=(rw, rslave) -> @{run}/,
  mount /dev/dm-[0-9]* -> @{run}/systemd/user-home-mount/,

-  dbus bind bus=system name=org.freedesktop.home1,
+  # dbus: own bus=system name=org.freedesktop.home1

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -16,10 +16,7 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {

  capability sys_admin,  # To set a hostname

-  dbus bind bus=system name=org.freedesktop.hostname1,
-  dbus receive bus=system path=/org/freedesktop/hostname1
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=:*),
+  # dbus: own bus=system name=org.freedesktop.hostname1

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@ -17,11 +17,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
  # Needed?
  audit capability net_admin,

-  dbus bind bus=system name=org.freedesktop.locale1,
-  dbus receive bus=system path=/org/freedesktop/locale1
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*),
+  # dbus: own bus=system name=org.freedesktop.locale1

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
  capability dac_override,
  capability kill,

-  dbus bind bus=system name=org.freedesktop.oom1,
+  # dbus: own bus=system name=org.freedesktop.oom1

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@ -21,7 +21,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
  network inet stream,
  network inet6 stream,

-  dbus bind bus=system name=org.freedesktop.timesync1,
+  # dbus: own bus=system name=org.freedesktop.timesync1

  @{exec_path} mr,

--- a/apparmor.d/groups/ubuntu/software-properties-dbus
+++ b/apparmor.d/groups/ubuntu/software-properties-dbus
@ -15,10 +15,7 @@ profile software-properties-dbus @{exec_path} {
  include <abstractions/openssl>
  include <abstractions/python>

-  dbus bind bus=system name=com.ubuntu.SoftwareProperties,
-  dbus receive bus=system path=/
-       interface=com.ubuntu.SoftwareProperties
-       peer=(name=:*, label=software-properties-gtk),
+  # dbus: own bus=system name=com.ubuntu.SoftwareProperties

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/profiles-a-f/atrild
+++ b/apparmor.d/profiles-a-f/atrild
@ -11,10 +11,7 @@ profile atrild @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>

-  dbus bind bus=session name=org.mate.atril.Daemon,
-
-  dbus (send, receive) bus=session path=/org/mate/atril/**
-       peer=(name="{:*,org.freedesktop.DBus}", label=atril),  # all interfaces and members
+  # dbus: own bus=session name=org.mate.atril.Daemon

  @{exec_path} mr,

--- a/apparmor.d/profiles-a-f/bluetoothd
+++ b/apparmor.d/profiles-a-f/bluetoothd
@ -22,13 +22,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
  network alg seqpacket,
  network netlink raw,

-  dbus bind bus=system name=org.bluez,
-  dbus send bus=system path=/org/bluez{,/**}
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=org.freedesktop.DBus),
-  dbus receive bus=system path=/org/bluez{,/**}
-       interface=org.bluez{,.*}
-       peer=(name=:*),
+  # dbus: own bus=system name=org.bluez

  @{exec_path} mr,

--- a/apparmor.d/profiles-a-f/cups-browsed
+++ b/apparmor.d/profiles-a-f/cups-browsed
@ -25,6 +25,11 @@ profile cups-browsed @{exec_path} {
  network inet6 stream,
  network netlink raw,

+  dbus receive bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member=StateChanged
+       peer=(name=:*, label=avahi-daemon),
+
  @{exec_path} mr,

  /usr/share/cups/locale/{,**} r,
--- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
+++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
@ -20,10 +20,7 @@ profile cups-pk-helper-mechanism @{exec_path} {
  network inet stream,
  network inet6 stream,

-  dbus bind bus=system name=org.opensuse.CupsPkHelper.Mechanism,
-  dbus receive bus=system path=/
-       interface=org.opensuse.CupsPkHelper.Mechanism
-       peer=(name=:*),
+  # dbus: own bus=system name=org.opensuse.CupsPkHelper.Mechanism path=/

  @{exec_path} mr,

--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@ -21,9 +21,8 @@ profile file-roller @{exec_path} {
  include <abstractions/wayland>
  include <abstractions/X-strict>

-  dbus bind bus=session name=org.gnome.ArchiveManager1,
-
-  dbus bind bus=session name=org.gnome.FileRoller,
+  # dbus: own bus=session name=org.gnome.ArchiveManager1
+  # dbus: own bus=session name=org.gnome.FileRoller

  @{exec_path} mr,

--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@ -20,13 +20,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {

  network netlink raw,

-  dbus bind bus=system name=net.hadess.PowerProfiles,
-  dbus receive bus=system path=/net/hadess/PowerProfiles
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=:*),
-  dbus send bus=system path=/net/hadess/PowerProfiles
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=org.freedesktop.DBus),
+  # dbus: own bus=system name=net.hadess.PowerProfiles

  @{exec_path} mr,

--- a/apparmor.d/profiles-m-r/rtkit-daemon
+++ b/apparmor.d/profiles-m-r/rtkit-daemon
@ -21,13 +21,7 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) {
  capability sys_nice,
  capability sys_ptrace,

-  dbus bind bus=system name=org.freedesktop.RealtimeKit1,
-  dbus receive bus=system path=/org/freedesktop/RealtimeKit1
-       interface=org.freedesktop.RealtimeKit1
-       peer=(name=:*),
-  dbus receive bus=system path=/org/freedesktop/RealtimeKit1
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=:*),
+  # dbus: own bus=system name=org.freedesktop.RealtimeKit1

  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
--- a/apparmor.d/profiles-s-z/thermald
+++ b/apparmor.d/profiles-s-z/thermald
@ -17,7 +17,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) {

  capability sys_boot,
  
-  # dbus: own bus=sessisystemon name=org.freedesktop.thermald
+  # dbus: own bus=system name=org.freedesktop.thermald

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/wpa-supplicant
+++ b/apparmor.d/profiles-s-z/wpa-supplicant
@ -29,11 +29,7 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
  network packet dgram,
  network packet raw,

-  dbus bind bus=system name=fi.w1.wpa_supplicant1,
-  dbus receive bus=system path=/fi/w1/wpa_supplicant1
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*),
+  # dbus: own bus=system name=fi.w1.wpa_supplicant1

  @{exec_path} mr,