diff --git a/apparmor.d/groups/freedesktop/colord-session b/apparmor.d/groups/freedesktop/colord-session
index 82e911a8..86943fc4 100644
--- a/apparmor.d/groups/freedesktop/colord-session
+++ b/apparmor.d/groups/freedesktop/colord-session
@@ -10,6 +10,9 @@ include @{exec_path} = @{lib}/{,colord/}colord-session profile colord-session @{exec_path} { include + include + + # dbus: own bus=session name=org.freedesktop.ColorHelper @{exec_path} mr,
diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy
index 5f308ebc..956868f6 100644
--- a/apparmor.d/groups/freedesktop/iio-sensor-proxy
+++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy
@@ -14,6 +14,8 @@ profile iio-sensor-proxy @{exec_path} { network netlink raw, + # dbus: own bus=system name=net.hadess.SensorProxy + @{exec_path} mr, @{run}/udev/data/+platform:* r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index 7ceb1ba4..b04cc743 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -28,7 +28,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { signal (receive) set=term peer=gdm, - dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gnome, + # dbus: own bus=session name=org.freedesktop.impl.portal.desktop.gnome dbus send bus=session path=/org/gnome/Shell/Screenshot interface=org.freedesktop.DBus.Properties
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index 949fc987..3d30a261 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
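Review bot: Replacing the explicit `dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gnome,` with a `# dbus: own` directive changes what the profile grants if the directive expands to more than a bind; the expansion itself is not visible in this diff, but the gvfs monitor hunks later in the same commit use `own` to stand in for a bind plus path-scoped send/receive rules, so the effective policy here likely widens from name ownership to receiving on every path under the name. The same swap is made in xdg-desktop-portal-gtk, evolution-addressbook-factory, evolution-calendar-factory, the four gvfs volume monitors and gvfsd. Stating once in the commit message what `own` expands to would let a reviewer of the raw profile judge the grant. The `include` lines throughout this diff have lost their target in this rendering, so the abstractions added alongside the directives cannot be checked here.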
@@ -31,7 +31,8 @@ profile xdg-desktop-portal-gtk @{exec_path} { unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), - dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gtk, + # dbus: own bus=session name=org.freedesktop.impl.portal.desktop.gtk + dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings peer=(name=:*),
diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory
index 59fc0c13..bc7e85a6 100644
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@@ -25,7 +25,7 @@ profile evolution-addressbook-factory @{exec_path} { network inet6 dgram, network netlink raw, - dbus bind bus=session name=org.gnome.evolution.dataserver.AddressBook@{int}, + # dbus: own bus=session name=org.gnome.evolution.dataserver.AddressBook10 dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.*
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory
index f1a59102..a54f4968 100644
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@@ -24,7 +24,7 @@ profile evolution-calendar-factory @{exec_path} { network inet6 dgram, network netlink raw, - dbus bind bus=session name=org.gnome.evolution.dataserver.Calendar@{int}, + # dbus: own bus=session name=org.gnome.evolution.dataserver.Calendar8 dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.*
diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry
index 0a17f366..093bab4e 100644
--- a/apparmor.d/groups/gnome/evolution-source-registry
+++ b/apparmor.d/groups/gnome/evolution-source-registry
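Review bot: The `AddressBook@{int}` pattern of the removed bind rule becomes a fixed `AddressBook10` in the new directive, so the generated rule stops matching as soon as evolution-data-server bumps its interface version and the factory is denied its bus name; the calendar hunk (`Calendar8`) and the evolution-source-registry hunk (`Sources5`) pin versions the same way. If the directive expander accepts profile variables, `# dbus: own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int}` keeps the previous behaviour; if it does not, a comment noting that the suffix must track the installed EDS version would save the next maintainer from a silent bind denial. Whether `@{int}` is accepted inside a directive is not visible in this diff.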
@@ -22,6 +22,7 @@ profile evolution-source-registry @{exec_path} { network inet6 dgram, network netlink raw, + # dbus: own bus=session name=org.gnome.evolution.dataserver.Sources5 dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} interface={org.freedesktop.DBus.ObjectManager,org.freedesktop.DBus.Properties}
diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
index 54499336..db278aae 100644
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@@ -11,16 +11,15 @@ profile gnome-remote-desktop-daemon @{exec_path} { include include include + include include network inet stream, network inet6 stream, + # dbus: own bus=session name=org.gnome.RemoteDesktop.User + @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - - owner @{run}/user/@{uid}/wayland-@{int} rw, - include if exists }
diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection
index 30f150d2..cf7bfb88 100644
--- a/apparmor.d/groups/gnome/gsd-usb-protection
+++ b/apparmor.d/groups/gnome/gsd-usb-protection
@@ -9,8 +9,11 @@ include @{exec_path} = @{lib}/gsd-usb-protection profile gsd-usb-protection @{exec_path} { include + include include + # dbus: own bus=session name=org.gnome.SettingsDaemon.UsbProtection + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index 554e4e44..c0e4d693 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/tracker-miner-fs-{,control-}3 +@{exec_path} = @{lib}/tracker-miner-fs-{,control-,rss-}3 profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include
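Review bot: The `owner @{run}/user/@{uid}/wayland-@{int} rw,` and `/usr/share/glib-2.0/schemas/gschemas.compiled r,` rules are removed from gnome-remote-desktop-daemon with nothing in the hunk replacing them; presumably the `include` added at the top of the profile now supplies them, but its target is lost in this rendering and the commit does not say. If the new include does not cover the Wayland socket, the daemon is denied its display connection at runtime rather than at policy load, which is easy to miss in testing. A short comment next to the include, or a commit-message line naming the abstraction that now carries those two rules, would make the intent checkable.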
@@ -28,7 +28,9 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, kill) peer=gdm, signal (receive) set=(hup) peer=gdm-session-worker, - # dbus: own bus=session name=org.freedesktop.Tracker3 interface=org.freedesktop.DBus.{Properties,Peer} + # dbus: own bus=session name=org.freedesktop.Tracker3.Miner.Files interface=org.freedesktop.DBus.{Properties,Peer} + # dbus: own bus=session name=org.freedesktop.Tracker3.Miner.Files.Control + # dbus: own bus=session name=org.freedesktop.Tracker3.Miner.RSS @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
index efe6f3ec..655361c0 100644
--- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
@@ -12,10 +12,7 @@ profile gvfs-goa-volume-monitor @{exec_path} { include include - dbus bind bus=session name=org.gtk.vfs.GoaVolumeMonitor, - dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - peer=(name="{:*,org.freedesktop.DBus}"), + # dbus: own bus=session name=org.gtk.vfs.GoaVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
index 7d9f93fb..589abc28 100644
--- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
@@ -16,10 +16,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { network netlink raw, - dbus bind bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor, - dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - peer=(name="{:*,org.freedesktop.DBus}"), + # dbus: own bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable
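Review bot: Of the three `own` directives, only `org.freedesktop.Tracker3.Miner.Files` keeps the `interface=org.freedesktop.DBus.{Properties,Peer}` restriction; the new `.Files.Control` and `.Miner.RSS` directives carry no interface restriction, so one profile now grants its three binaries different scopes with nothing explaining why. Either the same `interface=` restriction belongs on all three, or the wider grant on Control and RSS deserves a one-line justification such as `# Control and RSS export their own interfaces, so no interface= restriction`. Adding `rss-` to @{exec_path} in the earlier hunk also means tracker-miner-fs-rss-3, which presumably handles remote feed content, shares the local indexer's profile; if its needs differ a separate profile keeps the indexer's surface smaller.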
diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
index e145a24d..3a0dccbe 100644
--- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
@@ -15,10 +15,7 @@ profile gvfs-mtp-volume-monitor @{exec_path} { network netlink raw, - dbus bind bus=session name=org.gtk.vfs.MTPVolumeMonitor, - dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - peer=(name="{:*,org.freedesktop.DBus}"), + # dbus: own bus=session name=org.gtk.vfs.MTPVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index a214aedd..9e44235c 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -30,22 +30,9 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { ptrace (read), - dbus bind bus=session name=org.gtk.vfs.UDisks2VolumeMonitor, - dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - peer=(name="{:*,org.freedesktop.DBus}"), + # dbus: own bus=session name=org.gtk.vfs.UDisks2VolumeMonitor - dbus send bus=system path=/org/freedesktop/UDisks2/** - interface=org.freedesktop.UDisks2.Filesystem - peer=(name=:*, label=udisksd), - dbus receive bus=system path=/org/freedesktop/UDisks2 - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name=:*, label=udisksd), - dbus receive bus=system path=/org/freedesktop/UDisks2/** - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=udisksd), + # dbus: talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable
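Review bot: The three system-bus rules removed from gvfs-udisks2-volume-monitor were scoped to `interface=org.freedesktop.UDisks2.Filesystem` for sends and to the `InterfacesRemoved` and `PropertiesChanged` members for receives, all pinned to `label=udisksd`; the replacement `# dbus: talk bus=system name=org.freedesktop.UDisks2 label=udisksd` carries only the name and peer label, so unless the directive preserves interface and member scoping the monitor can now call any UDisks2 method on udisksd. If the expansion is unrestricted, keeping the explicit send rule next to the directive (or a `talk` form that accepts `interface=`) preserves the least-privilege scoping the old rules had. The same hunk, and the goa, gphoto2 and mtp monitor hunks, also drop the `/org/gtk/Private/RemoteVolumeMonitor` send/receive rule with its explicit `peer=(name="{:*,org.freedesktop.DBus}")` list and rely on `own` to cover it; that path does not derive from the owned name, so it is worth confirming the generated rules still reach it.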
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd
index e7e5f491..b112b795 100644
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
@@ -12,7 +12,7 @@ profile gvfsd @{exec_path} { include include - dbus bind bus=session name=org.gtk.vfs.Daemon, + # dbus: own bus=session name=org.gtk.vfs.Daemon dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker
@@ -22,11 +22,6 @@ profile gvfsd @{exec_path} { interface=org.gtk.vfs.MountTracker peer=(name=:*), # all members - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=ListMonitorImplementations - peer=(name=:*), # all peer's labels - dbus send bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount
diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus
index 79ca92d0..490f58af 100644
--- a/apparmor.d/groups/virt/libvirt-dbus
+++ b/apparmor.d/groups/virt/libvirt-dbus
@@ -9,8 +9,13 @@ include @{exec_path} = @{bin}/libvirt-dbus profile libvirt-dbus @{exec_path} { include + include + include include + # dbus: own bus=session name=org.libvirt + # dbus: own bus=system name=org.libvirt + @{exec_path} mr, @{bin}/libvirtd rPx,
diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/profiles-a-f/blueman-mechanism
index a06fd1a2..13541b19 100644
--- a/apparmor.d/profiles-a-f/blueman-mechanism
+++ b/apparmor.d/profiles-a-f/blueman-mechanism
@@ -21,6 +21,8 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + # dbus: own bus=system name=org.blueman.Mechanism + @{exec_path} mr, @{lib}/ r,
diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld
index 179e3650..f1025539 100644
--- a/apparmor.d/profiles-a-f/firewalld
+++ b/apparmor.d/profiles-a-f/firewalld
@@ -39,6 +39,8 @@ profile firewalld @{exec_path} { member={changeZoneOfInterface,removeInterface} peer=(name=:*, label=libvirtd), + # dbus: own bus=system name=org.fedoraproject.FirewallD1 + @{exec_path} mr, @{bin}/ r,
diff --git a/apparmor.d/profiles-a-f/flatpak-oci-authenticator b/apparmor.d/profiles-a-f/flatpak-oci-authenticator
index ba2af563..c357c49c 100644
--- a/apparmor.d/profiles-a-f/flatpak-oci-authenticator
+++ b/apparmor.d/profiles-a-f/flatpak-oci-authenticator
@@ -9,6 +9,9 @@ include @{exec_path} = @{lib}/flatpak-oci-authenticator profile flatpak-oci-authenticator @{exec_path} { include + include + + # dbus: own bus=session name=org.flatpak.Authenticator.Oci @{exec_path} mr,
diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/profiles-a-f/flatpak-portal
index 0fe9aa69..facbf1d5 100644
--- a/apparmor.d/profiles-a-f/flatpak-portal
+++ b/apparmor.d/profiles-a-f/flatpak-portal
@@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/flatpak-portal profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include + include include capability sys_ptrace,
@@ -19,6 +20,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { signal send, + # dbus: own bus=session name=org.freedesktop.portal.Flatpak + @{exec_path} mr, @{bin}/flatpak rPx,
diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper
index d290ed29..a06524d5 100644
--- a/apparmor.d/profiles-a-f/flatpak-session-helper
+++ b/apparmor.d/profiles-a-f/flatpak-session-helper
@@ -9,12 +9,15 @@ include @{exec_path} = @{lib}/flatpak-session-helper profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { include + include include include include signal (send) set=(int) peer=@{systemd}, + # dbus: own bus=session name=org.freedesktop.Flatpak + @{exec_path} mr, @{bin}/dbus-monitor rPUx,
diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper
index ca14e9d0..bb26b07c 100644
--- a/apparmor.d/profiles-a-f/flatpak-system-helper
+++ b/apparmor.d/profiles-a-f/flatpak-system-helper
@@ -24,6 +24,8 @@ profile flatpak-system-helper @{exec_path} { ptrace (read), + # dbus: own bus=system name=org.freedesktop.Flatpak.SystemHelper + @{exec_path} mr, @{bin}/bwrap rPUx,
diff --git a/apparmor.d/profiles-g-l/glib-pacrunner b/apparmor.d/profiles-g-l/glib-pacrunner
index 3e37d1e5..30ca0dbb 100644
--- a/apparmor.d/profiles-g-l/glib-pacrunner
+++ b/apparmor.d/profiles-g-l/glib-pacrunner
@@ -19,6 +19,8 @@ profile glib-pacrunner @{exec_path} { network inet6 stream, network netlink raw, + # dbus: own bus=session name=org.gtk.GLib.PACRunner + @{exec_path} mr, @{PROC}/cmdline r,