Fixes and profile updates

Signed-off-by: Jeroen Rijken <jeroen.rijken@xs4all.nl>
2024-11-15 16:03:51 +01:00 · 2024-02-22 14:42:18 +01:00 · 2024-02-22 14:42:18 +01:00 · b0655e9993
commit b0655e9993
parent b532dd6827
9 changed files with 35 additions and 2 deletions
--- a/apparmor.d/abstractions/bus/org.bluez
+++ b/apparmor.d/abstractions/bus/org.bluez
@ -12,6 +12,16 @@
       member=PropertiesChanged
       peer=(name=:*, label=bluetoothd),

+  dbus send bus=system path=/
+       interface=org.freedesktop.DBus.ObjectManager
+       member=GetManagedObjects
+       peer=(name=:*, label=bluetoothd),
+
+  dbus send bus=system path=/org/bluez
+       interface=org.bluez.AgentManager@{int}
+       member=UnregisterAgent
+       peer=(name=org.bluez, label=bluetoothd),
+
  dbus send bus=system path=/org/bluez
       interface=org.bluez.ProfileManager@{int}
       member=RegisterProfile
--- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
@ -42,6 +42,11 @@
       member=Introspect
       peer=(name=:*, label=NetworkManager),

+  dbus receive bus=system path=/org/freedesktop
+       interface=org.freedesktop.DBus.ObjectManager
+       member=InterfacesAdded
+       peer=(name=:*, label=NetworkManager),
+
  dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
       interface=org.freedesktop.DBus.Properties
       member=PropertiesChanged
@ -59,7 +64,7 @@

  dbus receive bus=system path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.NetworkManager
-       member={DeviceAdded,DeviceRemoved,StateChanged}
+       member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged}
       peer=(name=:*, label=NetworkManager),

  include if exists <abstractions/bus/org.freedesktop.NetworkManager.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1
@ -14,7 +14,7 @@

  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
-       member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend}
+       member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession}
       peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),

  dbus receive bus=system path=/org/freedesktop/login1
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@ -27,6 +27,11 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
  unix (bind) type=stream addr=@@{hex}/bus/networkctl/system,

  # dbus: talk bus=system name=org.freedesktop.network1 label=systemd-networkd
+  # No label available
+  dbus send bus=system path=/org/freedesktop/network@{int}
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.freedesktop.network@{int}),

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -53,6 +53,7 @@ profile systemd-journald @{exec_path} {
  @{run}/udev/data/+platform:*   r,
  @{run}/udev/data/+scsi:*      r,
  @{run}/udev/data/+sdio:*      r,
+  @{run}/udev/data/+thunderbolt:* r,
  @{run}/udev/data/+usb-serial:* r,
  @{run}/udev/data/+usb:*       r,
  @{run}/udev/data/+virtio:*    r,
--- a/apparmor.d/groups/ubuntu/do-release-upgrade
+++ b/apparmor.d/groups/ubuntu/do-release-upgrade
@ -10,6 +10,7 @@ include <tunables/global>
 profile do-release-upgrade @{exec_path} {
  include <abstractions/base>
  include <abstractions/apt-common>
+  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/python>
--- a/apparmor.d/profiles-a-f/cups-browsed
+++ b/apparmor.d/profiles-a-f/cups-browsed
@ -30,6 +30,11 @@ profile cups-browsed @{exec_path} {
       member=StateChanged
       peer=(name=:*, label=avahi-daemon),

+  dbus receive bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.NetworkManager
+       member=CheckPermissions
+       peer=(name=:*, label=NetworkManager),
+
  @{exec_path} mr,

  /usr/share/cups/locale/{,**} r,
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -11,6 +11,7 @@ include <tunables/global>
 profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.bluez>
  include <abstractions/bus/org.freedesktop.ModemManager1>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/bus/org.freedesktop.UDisks2>
--- a/apparmor.d/profiles-m-r/obexd
+++ b/apparmor.d/profiles-m-r/obexd
@ -19,6 +19,11 @@ profile obexd @{exec_path} {

  # dbus: own bus=session name=org.bluez.obex

+  dbus receive bus=system path=/org/bluez/obex/@{uuid}
+       interface=org.bluez.Profile1
+       member=Release
+       peer=(name=:*, label=bluetoothd),
+
  @{exec_path} mr,

  owner @{user_cache_dirs}/ rw,