From aa1491a3c02622f0091bfdffe0925c6d249095f4 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 6 Dec 2023 19:10:23 +0000
Subject: [PATCH] feat(dbus): add new unified main dbus abstraction. specify the aa profile in the peer label.
---
 apparmor.d/abstractions/bus/accessibility | 19 ++++++++++++++++
 apparmor.d/abstractions/bus/session | 27 +++++++++++++++++++++++
 apparmor.d/abstractions/bus/system | 17 ++++++++++++++
 3 files changed, 63 insertions(+)
 create mode 100644 apparmor.d/abstractions/bus/accessibility
 create mode 100644 apparmor.d/abstractions/bus/session
 create mode 100644 apparmor.d/abstractions/bus/system
diff --git a/apparmor.d/abstractions/bus/accessibility b/apparmor.d/abstractions/bus/accessibility
new file mode 100644
index 00000000..eeb6f27f
--- /dev/null
+++ b/apparmor.d/abstractions/bus/accessibility
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ dbus send bus=accessibility path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus, label=at-spi-bus-launcher),
+
+ dbus send bus=accessibility path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,ReleaseName}
+ peer=(name=org.freedesktop.DBus, label=at-spi-bus-launcher),
+
+ owner @{run}/user/@{uid}/at-spi/ rw,
+ owner @{run}/user/@{uid}/at-spi/bus rw,
+ owner @{run}/user/@{uid}/at-spi/bus_@{int} rw,
+
+ include if exists
diff --git a/apparmor.d/abstractions/bus/session b/apparmor.d/abstractions/bus/session
new file mode 100644
index 00000000..646dd416
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session
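Review bot: The closing `include if exists` line of this hunk carries no target, and the same is true of the session and system files further down; an AppArmor include needs a `<path>` or quoted path argument, so either the angle-bracketed target was stripped by the rendering that produced this view of the patch, or the file will not parse and every profile including it will fail to load. Please confirm the committed line still names its drop-in target. Separately, none of the three new abstractions documents what it is for or why the peer is pinned by `label=` as well as `name=`, which is the point of the change; a header line after the SPDX line such as `# Client-side access to the accessibility bus; the peer label restricts the allowed bus daemon to the at-spi-bus-launcher profile rather than any owner of org.freedesktop.DBus.` (and the equivalent for session and system) would make the intent visible to the next maintainer.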
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ unix (bind, listen) type=stream addr="@/tmp/dbus-*",
+ unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
+ unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"),
+
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,ReleaseName}
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+
+ owner /tmp/dbus-@{rand8} rw,
+ owner /tmp/dbus-@{rand10} rw,
+
+ owner @{run}/user/@{uid}/bus rw,
+
+ include if exists
diff --git a/apparmor.d/abstractions/bus/system b/apparmor.d/abstractions/bus/system
new file mode 100644
index 00000000..c88a72a5
--- /dev/null
+++ b/apparmor.d/abstractions/bus/system
@@ -0,0 +1,17 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,ReleaseName}
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+
+ @{run}/dbus/system_bus_socket rw,
+
+ include if exists
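Review bot: The first socket rule of this hunk, `unix (bind, listen) type=stream addr="@/tmp/dbus-*"`, grants every profile that includes this client abstraction the right to bind and listen on the abstract-namespace address pattern the session bus itself listens on, which is a daemon-side permission rather than something a bus client needs (the `accept` in the two following rules is arguably in the same category). Unless consumers are expected to spawn their own bus instance, the least-privilege shape is to keep only `connect, send, receive` here and leave `bind, listen` to the profile of whatever launches the bus; if the grant is intentional, a one-line comment saying so would stop the next reviewer from removing it. Separately, `label=dbus-daemon` in both `peer=` clauses here and in the system abstraction below assumes the bus is served by a process confined under that exact profile name; on a host where the bus is served by another implementation or profile the label will not match and every call in these rules is denied, so that assumption is worth stating in a comment so the failure mode is recognisable from the audit log.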