feat(profiles): initial dbus integration (no dbus rule yet).

2025-01-18 08:58:15 +01:00 · 2022-06-03 20:38:23 +01:00 · 2022-06-03 20:38:23 +01:00 · a6a72cd5c3
commit a6a72cd5c3
parent aa606bbdc4
46 changed files with 64 additions and 11 deletions
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
@ -9,8 +9,9 @@ include <tunables/global>
@{exec_path} =  /{usr/,}lib/accountsservice/accounts-daemon
@{exec_path} += @{libexec}/accounts-daemon
-profile accounts-daemon @{exec_path} {
+profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/at-spi-bus-launcher
 profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session>
  include <abstractions/dconf>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2018-2022 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -11,11 +11,18 @@ include <tunables/global>
@{exec_path} += @{libexec}/colord
 profile colord @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/devices-usb>
  network netlink raw,
  dbus send
       bus=system
       path=/org/freedesktop/ColorManager/devices/xrandr_*
       interface=org.freedesktop.DBus.Properties
       member=GetAll,
  @{exec_path} mr,
  /{usr/,}lib/colord/colord-sane  rPx,
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -11,6 +11,7 @@ include <tunables/global>
 profile pipewire @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  ptrace (read),
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@ -11,6 +11,7 @@ include <tunables/global>
 profile pipewire-media-session @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/dbus-strict>
  include <abstractions/devices-usb>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/polkitd
 profile polkitd @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  capability setuid,
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/upowerd
 profile upowerd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/devices-usb>
  network netlink raw,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal
 profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal-gnome
 profile xdg-desktop-portal-gnome @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal-gtk
 profile xdg-desktop-portal-gtk @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/evolution-addressbook-factory
 profile evolution-addressbook-factory @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/evolution-calendar-factory
 profile evolution-calendar-factory @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@ -9,8 +9,10 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/gdm{3,}
 profile gdm @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/wutmp>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>
  capability chown,
  capability fsetid,
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -10,6 +10,8 @@ include <tunables/global>
 profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  capability audit_write,
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js
 profile gnome-extension-ding @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-keyring-daemon
 profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/openssl>
  capability ipc_lock,
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gnome-session-binary
 profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -11,6 +11,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-launcher-user>
  include <abstractions/audio>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
@ -68,9 +70,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /.flatpak-info r,
  /etc/fstab r,
  /etc/machine-id r,
  /etc/xdg/menus/gnome-applications.menu r,
  /var/lib/dbus/machine-id r,
  /var/lib/gdm{3,}/.cache/ w,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/goa-daemon
 profile goa-daemon @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl>
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-color
 profile gsd-color @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
--- a/apparmor.d/groups/gnome/gsd-disk-utility-notify
+++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-disk-utility-notify
 profile gsd-disk-utility-notify @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-keyboard
 profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@ -10,6 +10,7 @@ include <tunables/global>
 profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/fonts>
  include <abstractions/gtk>
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@ -10,6 +10,7 @@ include <tunables/global>
 profile gsd-power @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/fonts>
  include <abstractions/gtk>
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-print-notifications
 profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  network inet stream,
--- a/apparmor.d/groups/gnome/gsd-printer
+++ b/apparmor.d/groups/gnome/gsd-printer
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-printer
 profile gsd-printer @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  signal (receive) set=(term, hup) peer=gdm*,
  signal (receive) set=(hup) peer=gsd-print-notifications,
--- a/apparmor.d/groups/gnome/gsd-rfkill
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-rfkill
 profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  signal (receive) set=(term, hup) peer=gdm*,
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-sharing
 profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  signal (receive) set=(term, hup) peer=gdm*,
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-xsettings
 profile gsd-xsettings @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/tracker-miner-fs-{,control-}3
 profile tracker-miner @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dbus-session-strict>  # TODO: FIXME: See if we keep them like this.
+  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/disks-read>
  include <abstractions/freedesktop.org>
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfs-udisks2-volume-monitor
 profile gvfs-udisks2-volume-monitor @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/devices-usb>
  include <abstractions/disks-read>
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}{,s}bin/NetworkManager
 profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-network-manager-strict>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
--- a/apparmor.d/groups/systemd/child-systemctl
+++ b/apparmor.d/groups/systemd/child-systemctl
@ -16,6 +16,7 @@ include <tunables/global>
 profile child-systemctl flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/dbus-strict>
  include <abstractions/wutmp>
  capability net_admin,
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/networkctl
 profile networkctl @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  capability net_admin,
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-hostnamed
 profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/systemd-common>
  # To set a hostname
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -10,8 +10,9 @@ include <tunables/global>
 profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/disks-write>
  include <abstractions/devices-usb>
  include <abstractions/disks-write>
  include <abstractions/nameservice-strict>
  include <abstractions/systemd-common>
  capability chown,
--- a/apparmor.d/groups/systemd/systemd-user-runtime-dir
+++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-user-runtime-dir
 profile systemd-user-runtime-dir @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/systemd-common>
--- a/apparmor.d/groups/ubuntu/packagekitd
+++ b/apparmor.d/groups/ubuntu/packagekitd
@ -10,6 +10,7 @@ include <tunables/global>
 profile packagekitd @{exec_path} {
  include <abstractions/base>
  include <abstractions/apt-common>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  capability sys_nice,
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/update-notifier/ubuntu-advantage-notification
 profile ubuntu-advantage-notification @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session>
  include <abstractions/dconf>
  @{exec_path} mr,
--- a/apparmor.d/profiles-g-l/kerneloops
+++ b/apparmor.d/profiles-g-l/kerneloops
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/kerneloops
 profile kerneloops @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  capability syslog,
--- a/apparmor.d/profiles-m-r/pkexec
+++ b/apparmor.d/profiles-m-r/pkexec
@ -10,9 +10,10 @@ include <tunables/global>
 profile pkexec @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/wutmp>
  include <abstractions/nameservice-strict>
  include <abstractions/consoles>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>
  signal (send) set=(term, kill) peer=polkit-agent-helper,
--- a/apparmor.d/profiles-m-r/pkttyagent
+++ b/apparmor.d/profiles-m-r/pkttyagent
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/pkttyagent
 profile pkttyagent @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  capability sys_nice,
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/power-profiles-daemon
 profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  capability sys_nice,
--- a/apparmor.d/profiles-m-r/rtkit-daemon
+++ b/apparmor.d/profiles-m-r/rtkit-daemon
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/rtkit-daemon
 profile rtkit-daemon @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  capability dac_read_search,
--- a/apparmor.d/profiles-s-z/switcheroo-control
+++ b/apparmor.d/profiles-s-z/switcheroo-control
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/switcheroo-control
 profile switcheroo-control @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  capability sys_nice,
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/udisks2/udisksd
 profile udisksd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/disks-write>
  include <abstractions/nameservice-strict>