From b1212c6e6227b1548e1cecb760afe62df67d019d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Dec 2023 22:26:35 +0000 Subject: [PATCH] feat(dbus): replace some rule by the new directives. --- apparmor.d/groups/freedesktop/accounts-daemon | 14 +----- .../groups/freedesktop/at-spi2-registryd | 29 ++----------- apparmor.d/groups/freedesktop/colord | 11 +---- apparmor.d/groups/freedesktop/geoclue | 11 +---- apparmor.d/groups/freedesktop/pipewire | 2 +- apparmor.d/groups/freedesktop/polkitd | 9 +--- apparmor.d/groups/freedesktop/upowerd | 8 +--- .../groups/freedesktop/xdg-document-portal | 13 +----- .../groups/gnome/evolution-alarm-notify | 2 +- apparmor.d/groups/gnome/gdm | 21 +-------- apparmor.d/groups/gnome/gjs-console | 43 +++++-------------- apparmor.d/groups/gnome/gnome-disks | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 20 +-------- apparmor.d/groups/gnome/gnome-session-binary | 19 +------- apparmor.d/groups/gnome/gnome-shell | 5 +-- apparmor.d/groups/gnome/nautilus | 5 +-- apparmor.d/groups/network/NetworkManager | 14 +----- apparmor.d/groups/systemd/systemd-logind | 27 +----------- apparmor.d/groups/systemd/systemd-machined | 28 +----------- apparmor.d/groups/systemd/systemd-networkd | 5 +-- apparmor.d/groups/systemd/systemd-resolved | 5 +-- apparmor.d/groups/systemd/systemd-timedated | 8 +--- apparmor.d/profiles-a-f/boltd | 8 +--- apparmor.d/profiles-a-f/fwupd | 5 +-- apparmor.d/profiles-s-z/switcheroo-control | 6 +-- apparmor.d/profiles-s-z/udisksd | 14 +----- 26 files changed, 42 insertions(+), 292 deletions(-) diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index b3a6b1ce..17886de3 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon 
@@ -23,19 +23,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=unconfined, - dbus bind bus=system name=org.freedesktop.Accounts, - dbus receive bus=system path=/org/freedesktop/Accounts{,/User@{uid}} - interface=org.freedesktop.Accounts* - peer=(name=:*), - dbus receive bus=system path=/org/freedesktop/Accounts{,/User@{uid}} - interface=org.freedesktop.DBus.Properties - peer=(name=:*), - dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} - interface=org.freedesktop.Accounts.User - peer=(name=org.freedesktop.DBus), - dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} - interface=org.freedesktop.DBus.Properties - peer=(name=org.freedesktop.DBus), + # dbus: own bus=system name=org.freedesktop.Accounts dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd index 99d6bc64..9bf72197 100644 --- a/apparmor.d/groups/freedesktop/at-spi2-registryd +++ b/apparmor.d/groups/freedesktop/at-spi2-registryd 
@@ -21,42 +21,21 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup kill) peer=dbus-daemon, signal (receive) set=(term hup kill) peer=gdm*, - dbus bind bus=accessibility name=org.a11y.atspi.Registry, - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus, label=dbus-daemon), + # dbus: own bus=accessibility name=org.a11y.atspi.{R,r}egistry dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.freedesktop.DBus.Properties member=Set - peer=(name=:*), # all peer's labels - + peer=(name=:*), dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket member=Embed - peer=(name=:*), # all peer's labels - - dbus receive bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member={GetRegisteredEvents,EventListenerDeregistered} - peer=(name=:*), # all peer's labels - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member={GetRegisteredEvents,EventListenerDeregistered} - peer=(name=org.freedesktop.DBus), # all peer's labels + peer=(name=:*), dbus receive bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller interface=org.a11y.atspi.DeviceEventController member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=:*), # all peer's labels - - dbus send bus=accessibility path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=at-spi-bus-launcher), + peer=(name=:*), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index f791c4b9..3e7fca1c 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord 
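Review bot: The removed `dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus member=GetAddress peer=(name=org.a11y.Bus, label=dbus-daemon)` rule is on the session bus, so the new `# dbus: own bus=accessibility ...` directive cannot stand in for it; unless that send is granted elsewhere in the profile, the registry loses the call it uses to look up the accessibility bus address. Either keep that one rule or add the matching `# dbus: talk bus=session name=org.a11y.Bus label=dbus-daemon` directive as the gdm hunk does for login1. The name in the directive, `org.a11y.atspi.{R,r}egistry`, is also wider than the removed bind (`org.a11y.atspi.Registry` only); if the lowercase variant is deliberate, a short comment saying which client needs it would help. The removed `{RequestName,ReleaseName}` send was scoped to `label=at-spi-bus-launcher`; it is worth confirming the rule the directive generates carries that label rather than the default bus daemon's.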
@@ -17,16 +17,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { network netlink raw, - dbus bind bus=system name=org.freedesktop.ColorManager, - dbus receive bus=system path=/org/freedesktop/ColorManager{,/**} - interface=org.freedesktop.ColorManager - peer=(name=:*), - dbus receive bus=system path=/org/freedesktop/ColorManager{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=:*), - dbus send bus=system path=/org/freedesktop/ColorManager{,/**} - interface=org.freedesktop.ColorManager - peer=(name=org.freedesktop.DBus), + # dbus: own bus=system name=org.freedesktop.ColorManager dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 6204d1fe..a078ce3c 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -24,16 +24,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - dbus bind bus=system name=org.freedesktop.GeoClue2, - dbus send bus=system path=/org/freedesktop/GeoClue2/* - interface=org.freedesktop.DBus.Properties - peer=(name="{:*,org.freedesktop.DBus}"), - dbus receive bus=system path=/org/freedesktop/GeoClue2/* - interface=org.freedesktop.DBus.Properties - peer=(name=:*), - dbus receive bus=system path=/org/freedesktop/GeoClue2/* - interface=org.freedesktop.GeoClue2.Manager - peer=(name=:*), + # dbus: own bus=system name=org.freedesktop.GeoClue2 dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 1d085409..7fdfcbe6 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire 
@@ -23,7 +23,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { network netlink raw, - dbus bind bus=session name=org.pulseaudio.Server, + # dbus: own bus=session name=org.pulseaudio.Server dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 9be59a4d..9a6c0e19 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -21,14 +21,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { ptrace (read), - dbus (bind) bus=system name=org.freedesktop.PolicyKit1, - - dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit1/* - interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit1.*}, # all members - - dbus send bus=system path=/org/gnome/PolicyKit1/* - interface=org.freedesktop.PolicyKit1.AuthenticationAgent - peer=(name=:*), # all members + # dbus: own bus=system name=org.freedesktop.PolicyKit1 dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 25883216..7a4092fa 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -17,13 +17,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { network netlink raw, - dbus bind bus=system name=org.freedesktop.UPower, - dbus receive bus=system path=/org/freedesktop/UPower{,/**} - interface=org.freedesktop.UPower{,.*} - peer=(name=:*), - dbus receive bus=system path=/org/freedesktop/UPower{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=:*), + # dbus: own bus=system name=org.freedesktop.UPower @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index d7954092..d19ff4f5 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal 
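Review bot: In the polkitd hunk the removed `dbus send bus=system path=/org/gnome/PolicyKit1/* interface=org.freedesktop.PolicyKit1.AuthenticationAgent peer=(name=:*)` rule is an outbound call to other processes' objects, which an `own` directive for `org.freedesktop.PolicyKit1` presumably does not generate, so polkitd may lose the permission to reach registered authentication agents. Keep that rule next to the directive unless the expansion is known to cover sends to arbitrary peers. The same hunk also drops the explicit `DBus.Introspectable` send/receive on `/org/freedesktop/PolicyKit1/*`; if the directive does not emit it, introspection of the service will start being denied.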
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -24,24 +24,13 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount), - dbus receive bus=session path=/org/freedesktop/portal/documents - interface=org.freedesktop.portal.Documents - member=GetMountPoint - peer=(name=:*), + # dbus: own bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/freedesktop/portal/documents - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=xdg-desktop-portal), - - dbus bind bus=session - name=org.freedesktop.portal.Documents, - @{exec_path} mr, @{bin}/flatpak rPUx, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 21b914a8..fc129a77 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -21,7 +21,7 @@ profile evolution-alarm-notify @{exec_path} { network netlink raw, - dbus bind bus=session name=org.gnome.Evolution-alarm-notify, + # dbus: own bus=session name=org.gnome.Evolution-alarm-notify dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.Calendar* diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index f64afe2a..4f0d58b5 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm 
@@ -27,26 +27,9 @@ profile gdm @{exec_path} flags=(attach_disconnected) { signal (send) set=(term), - dbus bind bus=system name=org.gnome.DisplayManager, - dbus receive bus=system path=/org/gnome/DisplayManager/Manager - interface=org.gnome.DisplayManager.Manager - peer=(name=:*, label="{gnome-shell,gdm-*-session}"), - dbus receive bus=system path=/org/gnome/DisplayManager/Manager - interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=gnome-shell), + # dbus: own bus=system name=org.gnome.DisplayManager.Manager - dbus receive bus=system path=/org/freedesktop/login1/seat/seat@{int} - interface=org.freedesktop.DBus.Properties - member={Get,PropertiesChanged} - peer=(name=:*, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/login1/seat/seat@{int} - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=:*, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={UnlockSession,ActivateSessionOnSeat} - peer=(name=org.freedesktop.login1, label=systemd-logind), + # dbus: talk bus=system name=org.freedesktop.login1 label=systemd-logind dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 272fae37..0a2e3a48 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console 
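Review bot: The new directive `# dbus: own bus=system name=org.gnome.DisplayManager.Manager` names the interface, not the bus name: the removed bind was `dbus bind bus=system name=org.gnome.DisplayManager`, with `org.gnome.DisplayManager.Manager` only appearing as the interface on `/org/gnome/DisplayManager/Manager`. As written the generated bind rule will not match the name gdm actually requests; it should read `# dbus: own bus=system name=org.gnome.DisplayManager`. Note also that the removed receive rules were restricted to `label="{gnome-shell,gdm-*-session}"` and the removed login1 sends to two members, whereas the two directives presumably expand to any peer and any member; if the generator cannot express those restrictions, a comment recording the widening would help the next reviewer.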
@@ -32,44 +32,21 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=gdm*, - dbus bind bus=session name=org.gnome.Shell.Notifications, + # dbus: own bus=session name=org.freedesktop.Notifications + # dbus: own bus=session name=org.gnome.ScreenSaver + # dbus: own bus=session name=org.gnome.Shell.Extensions + # dbus: own bus=session name=org.gnome.Shell.Notifications + # dbus: own bus=session name=org.gnome.Shell.Screencast - dbus bind bus=session name=org.gnome.ScreenSaver, - dbus receive bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - peer=(name=:*), # all members - dbus receive bus=session path=/org/gnome/ScreenSaver - interface=org.freedesktop.DBus.Properties - peer=(name=:*), # all members - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - peer=(name=:*), # all members - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - peer=(name=org.freedesktop.DBus), - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - peer=(name=org.gnome.Shell.ScreenShield), - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.freedesktop.DBus.Properties - peer=(name=:*), # all members - - dbus bind bus=session name=org.freedesktop.Notifications, - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - peer=(name=:*), # all members - dbus send bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - peer=(name=:*), # all members - - dbus bind bus=session name=org.gnome.Shell.Screencast, - dbus receive bus=session path=/org/gnome/Shell/Screencast - interface=org.freedesktop.DBus.Properties - peer=(name=:*), # all members dbus send bus=session path=/org/gnome/Mutter/ScreenCast interface=org.freedesktop.DBus.Properties peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/gnome/ScreenSaver + 
interface=org.gnome.ScreenSaver + member=GetActive + peer=(name=org.gnome.Shell.ScreenShield, label=gnome-shell), + @{exec_path} mr, @{bin}/ r, diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks index 6de134ed..9afb3f4b 100644 --- a/apparmor.d/groups/gnome/gnome-disks +++ b/apparmor.d/groups/gnome/gnome-disks @@ -15,7 +15,7 @@ profile gnome-disks @{exec_path} { include include - dbus bind bus=session name=org.gnome.DiskUtility, + # dbus: own bus=session name=org.gnome.DiskUtility @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index c49e438f..7d0f55f9 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -22,24 +22,8 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=gdm, signal (send) set=(term) peer=ssh-agent, - dbus bind bus=session name=org.gnome.keyring, - dbus (send, receive) bus=session path=/org/gnome/keyring/daemon - interface=org.gnome.keyring.Daemon - peer=(name="{org.gnome.keyring,:*}", label=@{profile_name}), - - dbus bind bus=session name=org.freedesktop.secrets, - dbus receive bus=session path=/org/freedesktop/secrets{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=:*), - dbus receive bus=session path=/org/freedesktop/secrets{,/**} - interface=org.freedesktop.Secret.* - peer=(name=:*), - dbus send bus=session path=/org/freedesktop/secrets{,/**} - interface=org.freedesktop.Secret.Collection - peer=(name=org.freedesktop.DBus), - dbus send bus=session path=/org/freedesktop/secrets{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=org.freedesktop.DBus), + # dbus: own bus=session name=org.gnome.keyring + # dbus: own bus=session name=org.freedesktop.secrets dbus receive bus=session interface=org.freedesktop.DBus.Introspectable 
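Review bot: In the gnome-keyring-daemon hunk the removed `dbus (send, receive) bus=session path=/org/gnome/keyring/daemon interface=org.gnome.keyring.Daemon peer=(name="{org.gnome.keyring,:*}", label=@{profile_name})` rule also granted the send side between instances of this same profile; an `own` directive presumably covers bind and receive, so unless it also emits a send rule to the owned name, a second gnome-keyring-daemon instance talking to the running one will be denied. If that send is still needed, keep it as an explicit rule below the two directives. The hunk's enclosing profile continues outside the hunk, so a matching rule elsewhere in the file would settle this.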
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index f173a94d..e2468929 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -36,19 +36,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=at-spi-bus-launcher, signal (send) set=(term) peer=gsd-*, - dbus bind bus=session name=org.gnome.SessionManager{,.*}, - dbus receive bus=session path=/org/gnome/SessionManager{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=:*), - dbus receive bus=session path=/org/gnome/SessionManager{,/**} - interface=org.gnome.SessionManager{,.*} - peer=(name=:*), - dbus send bus=session path=/org/gnome/SessionManager{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=org.freedesktop.DBus), - dbus send bus=session path=/org/gnome/SessionManager{,/**} - interface=org.gnome.SessionManager{,.*} - peer=(name=org.freedesktop.DBus), + # dbus: own bus=session name=org.gnome.SessionManager dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus @@ -60,11 +48,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { member={CanPowerOff,PowerOff,Reboot} peer=(name=:*, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/login1/session/c1 - interface=org.freedesktop.login1.Session - member=SetIdleHint - peer=(name=org.freedesktop.login1, label=systemd-logind), - dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager peer=(name=org.freedesktop.systemd1, label=@{systemd}), diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 6f289feb..1649d018 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
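Review bot: The second gnome-session-binary hunk removes `dbus send bus=system path=/org/freedesktop/login1/session/c1 interface=org.freedesktop.login1.Session member=SetIdleHint peer=(name=org.freedesktop.login1, label=systemd-logind)` without adding anything in its place, while the kept rule just above only covers `{CanPowerOff,PowerOff,Reboot}`; unless a login1 directive exists elsewhere in the profile, that call will now be denied. Either keep the rule or add `# dbus: talk bus=system name=org.freedesktop.login1 label=systemd-logind` as the gdm hunk does. In the first hunk the directive `# dbus: own bus=session name=org.gnome.SessionManager` also drops the `{,.*}` suffix the old bind carried, so any sub-names the old pattern allowed would no longer be bindable if the generator does not expand globs.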
@@ -84,10 +84,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { interface={org.gnome.*,org.freedesktop.{Application,DBus.Properties,DBus.ObjectManager},org.gtk.{Actions,Application}} peer=(name="{:*,org.gnome.*,org.freedesktop.DBus}"), - dbus bind bus=session name=org.gtk.MountOperationHandler, - dbus receive bus=session path=/org/gtk/MountOperationHandler - interface=org.freedesktop.DBus.Properties - peer=(name=:*), + # dbus: own bus=session name=org.gtk.MountOperationHandler dbus bind bus=session name=com.canonical.Unity, dbus receive bus=session path=/com/canonical/unity/** diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 01049b2b..522e9a2d 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -35,10 +35,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { interface={org.gnome.Nautilus,org.freedesktop.{Application,DBus.Properties},org.gtk.{Actions,Application}} peer=(name="{:*,org.gnome.Nautilus,org.freedesktop.DBus}"), - dbus bind bus=session name=org.freedesktop.FileManager1, - dbus (send, receive) bus=session path=/org/freedesktop/FileManager1 - interface=org.freedesktop.DBus.Properties - peer=(name="{:*,org.freedesktop.DBus}"), + # dbus: own bus=session name=org.freedesktop.FileManager1 dbus receive bus=session path=/org/gnome/Nautilus/SearchProvider interface=org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index ee8adff6..622ec8a5 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager 
@@ -42,19 +42,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=dnsmasq, - dbus bind bus=system name=org.freedesktop.NetworkManager, - dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} - interface=org.freedesktop.NetworkManager{,.*} - peer=(name=:*), - dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=:*), - dbus send bus=system path=/org/freedesktop/NetworkManager{,/**} - interface=org.freedesktop.NetworkManager - peer=(name=org.freedesktop.DBus), - dbus send bus=system path=/org/freedesktop/NetworkManager{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=org.freedesktop.DBus), + # dbus: own bus=system name=org.freedesktop.NetworkManager dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 43c4b8df..d944b630 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
@@ -27,36 +27,13 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { network netlink raw, - dbus bind bus=system name=org.freedesktop.login1, - dbus (send, receive) bus=system path=/org/freedesktop/login1{,/**} - interface=org.freedesktop.login1.* - peer=(name=:*), - dbus receive bus=system path=/org/freedesktop/login1{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=:*), - dbus (send, receive) bus=system path=/org/freedesktop/login1{,/**} - interface=org.freedesktop.login1.* - peer=(name=org.freedesktop.DBus), - dbus send bus=system path=/org/freedesktop/login1{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=org.freedesktop.DBus), + # dbus: own bus=system name=org.freedesktop.login1 - dbus receive bus=system path=/org/freedesktop/systemd1{,/{unit,job}/**} - interface=org.freedesktop.DBus.Properties - peer=(name=:*, label="@{systemd}"), - dbus send bus=system path=/org/freedesktop/systemd1/{unit,job}/** - interface=org.freedesktop.DBus.Properties - peer=(name=org.freedesktop.systemd1, label="@{systemd}"), - dbus send bus=system path=/org/freedesktop/systemd1/{unit,job}/** - interface=org.freedesktop.systemd1.Scope - peer=(name=org.freedesktop.systemd1, label="@{systemd}"), + # dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}" dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager peer=(name=org.freedesktop.systemd1), - dbus receive bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - peer=(name=:*, label="@{systemd}"), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 456f948d..ac1a4ebc 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined 
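Review bot: The directive `# dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"` replaces rules that were scoped to `org.freedesktop.DBus.Properties` on `/org/freedesktop/systemd1/{unit,job}/**` and to `org.freedesktop.systemd1.Scope`, so it presumably grants every interface and member on every systemd1 object; that is a real widening for a profile marked `complain`, and it deserves a comment stating that it is intentional. The same applies to the systemd-machined hunk, whose removed rules were limited to `{StopUnit,UnrefUnit,StartTransientUnit,Subscribe}` and `{JobRemoved,UnitRemoved,Reloading}`. The kept `dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager peer=(name=org.freedesktop.systemd1),` is now subsumed by the directive and is the only systemd1 rule left without a label, so either drop it or give it `label="@{systemd}"`.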
@@ -24,33 +24,9 @@ profile systemd-machined @{exec_path} { capability sys_chroot, capability sys_ptrace, - dbus bind bus=system name=org.freedesktop.machine1, - dbus receive bus=system path=/org/freedesktop/machine1{,/**} - interface=org.freedesktop.machine1.Manager - peer=(name=:*), - dbus receive bus=system path=/org/freedesktop/machine1{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=:*), + # dbus: own bus=system name=org.freedesktop.machine1 - dbus send bus=system path=/org/freedesktop/systemd1/{,{unit,job}/*} - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.systemd1), - - dbus receive bus=system path=/org/freedesktop/systemd1{,/{unit,job}/*} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*), - - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member={StopUnit,UnrefUnit,StartTransientUnit,Subscribe} - peer=(name=org.freedesktop.systemd1), - - dbus receive bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member={JobRemoved,UnitRemoved,Reloading} - peer=(name=:*), + # dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 1b91db40..82bbe055 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -27,10 +27,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) { network packet dgram, network packet raw, - dbus bind bus=system name=org.freedesktop.network1, - dbus (send, receive) bus=system path=/org/freedesktop/network1{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name="{:*,org.freedesktop.DBus}"), + # dbus: own bus=system name=org.freedesktop.network1 @{exec_path} mr, 
diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index c8fe3ef5..e78df3e1 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -30,10 +30,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - dbus bind bus=system name=org.freedesktop.resolve1, - dbus receive bus=system path=/org/freedesktop/resolve1 - interface=org.freedesktop.resolve1.Manager - peer=(name=:*), + # dbus: own bus=system name=org.freedesktop.resolve1 dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index 5b00b71a..50ce8f44 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -15,13 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { capability sys_time, - dbus bind bus=system name=org.freedesktop.timedate1, - dbus receive bus=system path=/org/freedesktop/timedate1 - interface=org.freedesktop.DBus.Properties - peer=(name=:*), - dbus receive bus=system path=/org/freedesktop/timedate1 - interface=org.freedesktop.timedate1 - peer=(name=:*), + # dbus: own bus=system name=org.freedesktop.timedate1 dbus send bus=system path=/org/freedesktop/systemd1/unit/* interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd index e0e2ea62..c6b1f34e 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/profiles-a-f/boltd 
@@ -17,13 +17,7 @@ profile boltd @{exec_path} flags=(attach_disconnected) { network netlink raw, - dbus bind bus=system name=org.freedesktop.bolt, - dbus (send, receive) bus=system path=/org/freedesktop/bolt - interface=org.freedesktop.bolt1{,.*} - peer=(name=:*), - dbus (send, receive) bus=system path=/org/freedesktop/bolt - interface=org.freedesktop.DBus.Properties - peer=(name=:*), + # dbus: own bus=system name=org.freedesktop.bolt @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index b2cc30f8..d2f714ff 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -33,10 +33,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { network netlink raw, - dbus bind bus=system name=org.freedesktop.fwupd, - dbus (send, receive) bus=system path=/ - interface={org.freedesktop.fwupd,org.freedesktop.DBus{,.Properties}} - peer=(name="{:*,org.freedesktop.fwupd,org.freedesktop.DBus}"), + # dbus: own bus=system name=org.freedesktop.fwupd path=/ dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index aff324fb..aa11bcba 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -15,11 +15,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { network netlink raw, - dbus bind bus=system name=net.hadess.SwitcherooControl, - dbus receive bus=system path=/net/hadess/SwitcherooControl - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*), + # dbus: own bus=system name=net.hadess.SwitcherooControl @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 1eb9e52b..03338179 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd 
@@ -59,19 +59,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { signal (receive) set=(int) peer=@{systemd}, - dbus bind bus=system name=org.freedesktop.UDisks2, - dbus receive bus=system path=/org/freedesktop/UDisks2{,/**} - interface=org.freedesktop.UDisks2.* - peer=(name="{:*,org.freedesktop.DBus}"), - dbus receive bus=system path=/org/freedesktop/UDisks2{,/**} - interface=org.freedesktop.DBus.{Properties,ObjectManager} - peer=(name="{:*,org.freedesktop.DBus}"), - dbus send bus=system path=/org/freedesktop/UDisks2{,/**} - interface=org.freedesktop.DBus.{Properties,ObjectManager} - peer=(name=org.freedesktop.DBus), - dbus send bus=system path=/org/freedesktop/UDisks2{,/**} - interface=org.freedesktop.UDisks2.Job - peer=(name=org.freedesktop.DBus), + # dbus: own bus=system name=org.freedesktop.UDisks2 dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus