diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete
new file mode 100644
index 00000000..8578e7d2
--- /dev/null
+++ b/apparmor.d/abstractions/dbus-session-strict.d/complete
@@ -0,0 +1,12 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ unix (bind, listen) type=stream addr="@/tmp/dbus-*",
+
+ unix (connect, receive, send, accept)
+ type=stream
+ peer=(addr="@/tmp/dbus-*"),
+
+ owner @{run}/user/@{uid}/at-spi/ rw,
+ owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown
index b6815bd2..85024366 100644
--- a/apparmor.d/groups/apt/unattended-upgrade-shutdown
+++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown
@@ -9,6 +9,7 @@ include
 @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown
 profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index 4dae8071..13411ae8 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -68,7 +68,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 owner /tmp/dbus-[0-9a-zA-Z]* rw,
- owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
 owner @{run}/user/@{uid}/dbus-1/ rw,
 owner @{run}/user/@{uid}/dbus-1/services/ rw,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3
index b1166f43..893c7cf4 100644
--- a/apparmor.d/groups/bus/ibus-extension-gtk3
+++ b/apparmor.d/groups/bus/ibus-extension-gtk3
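Review bot: The `unix (bind, listen) type=stream addr="@/tmp/dbus-*",` rule and the `accept` permission on the rule below it grant every profile that includes `abstractions/dbus-session-strict` the ability to create and serve a socket in the bus's abstract-socket namespace, although a bus client only needs `connect, receive, send`. Combined with the `w` permission on `@{run}/user/@{uid}/at-spi/bus{,_[0-9]*}`, a compromised client could presumably bind its own `@/tmp/dbus-*` listener and rewrite the address file that other accessibility clients read, which turns the shared abstraction into a way to impersonate the a11y bus; confirm against how libatspi resolves the bus address. Suggest keeping the client side minimal here, `unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),` and `owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} r,`, and leaving bind/listen/accept and the write rules in the profiles that actually serve the bus (dbus-daemon, at-spi-bus-launcher), unless audit logs show clients opening the file for writing. The `owner` qualifier keeps this to same-uid files, so the exposure is between confined processes of one user rather than across users.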
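Review bot: Dropping `owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,` here only preserves that access if the dbus-daemon profile includes `abstractions/dbus-session-strict`, since the replacement rule now lives in the `.d/complete` drop-in of that abstraction; the profile's include lines are outside this hunk, so that should be verified before merging. dbus-daemon is also the process that actually listens on `@/tmp/dbus-*`, so if the shared drop-in is ever narrowed to connect-only for clients, the listener rule `unix (bind, listen) type=stream addr="@/tmp/dbus-*",` belongs in this profile explicitly. The enclosing profile block starts and ends outside the hunk.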
@@ -34,11 +34,7 @@ profile ibus-extension-gtk3 @{exec_path} {
 /usr/share/icons/{,**} r,
 /usr/share/X11/xkb/** r,
- /etc/machine-id r,
- /var/lib/dbus/machine-id r,
- owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
- owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner @{run}/user/@{uid}/wayland-[0-9] rw,
diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11
index 159806e3..791e78fa 100644
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@@ -31,7 +31,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
 owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
- owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/bus rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
index 41fbc9ef..de6d51d8 100644
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@@ -34,7 +34,6 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.Xauthority r,
 owner @{HOME}/.xsession-errors w,
- owner @{run}/user/@{uid}/at-spi/{,bus} rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 /var/lib/lightdm/.Xauthority r,
diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd
index 63fbbd70..8fa2940b 100644
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@@ -23,7 +23,6 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.Xauthority r,
 owner @{HOME}/.xsession-errors w,
- owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner /dev/tty[0-9]* rw,
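Review bot: The four removed rules are not all replaced by what this commit adds: the new `dbus-session-strict.d/complete` drop-in covers only `@/tmp/dbus-*` sockets and the `at-spi/` paths, so `/etc/machine-id r,`, `/var/lib/dbus/machine-id r,` and the `.mutter-Xwaylandauth.[0-9A-Z]*` read must now come from other includes (upstream `abstractions/dbus-session-strict` carries the machine-id reads; the Xwayland auth file presumably comes from a display abstraction). The profile's include list is outside this hunk, so confirm it pulls those in, otherwise these paths will start being denied. The enclosing profile block continues outside the hunk.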
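Review bot: at-spi-bus-launcher was the profile carrying write access to the `at-spi/` directory itself (the removed `{,bus}` pattern covered both the directory and the address file), which fits its role as the component that publishes the bus address, so removing `owner @{run}/user/@{uid}/at-spi/{,bus} rw,` and relying on the shared abstraction ties the launcher's write access to a rule that is also handed to every client. Keep an explicit `owner @{run}/user/@{uid}/at-spi/ rw,` and `owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,` here so the drop-in can later be tightened to read-only for clients without breaking the launcher. The enclosing profile block continues outside the hunk.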
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index 27d663d1..fd660d09 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@@ -24,10 +24,22 @@ profile xdg-desktop-portal-gtk @{exec_path} {
 interface=org.freedesktop.DBus.Properties
 member=GetAll,
+ dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]*
 interface=org.freedesktop.Accounts.User
 member=Changed,
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=CheckPermissions,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
@@ -40,7 +52,6 @@ profile xdg-desktop-portal-gtk @{exec_path} {
 owner @{HOME}/@{XDG_DATA_HOME}/ r,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
- owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 @{run}/mount/utab r,
diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify
index 0a246ada..a1b4dca7 100644
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@@ -24,7 +24,5 @@ profile evolution-alarm-notify @{exec_path} {
 /usr/share/ubuntu/applications/ r,
 /usr/share/zoneinfo-icu/{,**} r,
- owner @{run}/user/@{uid}/at-spi/bus rw,
-
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index 1eab85dc..71431b3a 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
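Review bot: The new `dbus receive` rules for `/org/freedesktop/NetworkManager` carry no `peer=` qualifier, so `PropertiesChanged` and `CheckPermissions` signals with that path and interface are accepted from any sender on the system bus, not only from NetworkManager. That is consistent with the existing `Accounts.User` rules above them, but since the system bus by default lets any connection emit a signal under an arbitrary path and interface, pinning the sender, e.g. `dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions peer=(name=:*, label=NetworkManager),` (if the project defines a NetworkManager profile), would be the safer form. The enclosing profile block continues outside the hunk.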
@@ -53,8 +53,6 @@ profile gnome-extension-ding @{exec_path} {
 owner @{user_share_dirs}/gvfs-metadata/home r,
 owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
- owner @{run}/user/@{uid}/at-spi/bus rw,
-
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/task/@{tid}/stat r,
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index 223e6243..0bc91045 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -48,7 +48,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/icc/ r,
 owner @{user_share_dirs}/icc/edid-*.icc rw,
- owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner @{run}/user/@{uid}/wayland-[0-9] rw,
diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard
index 12ed0972..31280ae7 100644
--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@@ -32,7 +32,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
 owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw,
 owner @{user_share_dirs}/gnome-settings-daemon/ rw,
- owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner @{run}/user/@{uid}/wayland-[0-9] rw,
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index e6c67b24..6f2b77f2 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -57,7 +57,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 /var/lib/gdm/.config/pulse/client.conf r,
 /var/lib/gdm/.config/pulse/cookie rk,
- owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index cd1a4826..bb4ec7d0 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -60,7 +60,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 /var/lib/gdm/.config/dconf/user r,
 /var/lib/gdm/.config/pulse/client.conf r,
- owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner @{run}/user/@{uid}/wayland-[0-9] rw,
diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom
index 24dd5a3c..3bb701c7 100644
--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@@ -29,7 +29,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
 /etc/machine-id r,
- owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner @{run}/user/@{uid}/wayland-[0-9] rw,
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
index d3424c64..5096582a 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
@@ -9,7 +9,7 @@ include
 @{exec_path} = /{usr/,}lib/update-notifier/ubuntu-advantage-notification
 profile ubuntu-advantage-notification @{exec_path} {
 include
- include
+ include
 include
 include
@@ -19,7 +19,6 @@ profile ubuntu-advantage-notification @{exec_path} {
 /usr/share/icons/{,**} r,
 /usr/share/X11/xkb/{,**} r,
- owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 include if exists
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index 50344f35..6f9939d0 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -13,8 +13,6 @@ profile spice-vdagent @{exec_path} {
 include
 include
- unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
-
 @{exec_path} mr,
 /etc/machine-id r,
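Review bot: The removed `unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),` rule in the spice-vdagent hunk is not covered by the `dbus-session-strict.d/complete` drop-in added in this commit, whose peer pattern is `@/tmp/dbus-*`, so the agent's connection to the X server's abstract socket now depends on one of the two `include` lines above it, whose targets are not visible in this rendering (presumably the X abstraction). If that include is not present the X11 connection would be denied, which is worth confirming with the profile in complain mode. The enclosing profile block continues outside the hunk.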
@@ -22,7 +20,6 @@ profile spice-vdagent @{exec_path} {
 owner @{user_config_dirs}/user-dirs.dirs r,
- owner @{run}/user/@{uid}/at-spi/bus rw,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
 @{run}/spice-vdagentd/spice-vdagent-sock rw,