diff --git a/apparmor.d/abstractions/bus/desktop b/apparmor.d/abstractions/bus/desktop
index 9174601c..0cc04e26 100644
--- a/apparmor.d/abstractions/bus/desktop
+++ b/apparmor.d/abstractions/bus/desktop
@@ -4,7 +4,7 @@
 dbus send bus=session path=/org/freedesktop/portal/desktop
 interface=org.freedesktop.DBus.Properties
- member=Read
+ member={GetAll,Read}
 peer=(name="{:*,org.freedesktop.portal.Desktop}", label=xdg-desktop-portal),
 dbus send bus=session path=/org/freedesktop/portal/desktop
diff --git a/apparmor.d/abstractions/bus/notification b/apparmor.d/abstractions/bus/notification
new file mode 100644
index 00000000..f22661b8
--- /dev/null
+++ b/apparmor.d/abstractions/bus/notification
@@ -0,0 +1,10 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ dbus send bus=session path=/org/freedesktop/Notifications
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=gjs-console),
+
+ include if exists
diff --git a/apparmor.d/abstractions/bus/udisk b/apparmor.d/abstractions/bus/udisk
index 58eef524..c5b93375 100644
--- a/apparmor.d/abstractions/bus/udisk
+++ b/apparmor.d/abstractions/bus/udisk
@@ -7,6 +7,11 @@
 member=GetManagedObjects
 peer=(name=:*, label=udisksd),
+ dbus send bus=system path=/org/freedesktop/UDisks2/**
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=udisksd),
+
 dbus receive bus=system path=/org/freedesktop/UDisks2
 interface=org.freedesktop.DBus.ObjectManager
 member=InterfacesAdded
diff --git a/apparmor.d/abstractions/dbus-gtk b/apparmor.d/abstractions/dbus-gtk
deleted file mode 100644
index 6ef96270..00000000
--- a/apparmor.d/abstractions/dbus-gtk
+++ /dev/null
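Review bot: The new bus/notification abstraction grants only `dbus send bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=gjs-console)`, while the `org.freedesktop.Notifications` interface rule that the deleted dbus-gtk abstraction carried (marked `# all members`) has no replacement anywhere in this diff; the include targets are stripped from this view, so I cannot tell whether profiles moved off dbus-gtk still get that interface from another abstraction, but if not they will see denials for their notification calls. The file also lacks the `abi ,` line and the trailing `# Include additions to the abstraction` comment that the deleted abstraction had, and it has no header comment saying what the abstraction is for; a one-liner such as `# Property queries against the session notification server` above the rule would make the narrow scope explicit.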
@@ -1,26 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- dbus (send) bus=session path=/org/gtk/vfs/mounttracker
- interface=org.gtk.vfs.MountTracker
- member=ListMountableInfo
- peer=(name=:*),
-
- dbus (send) bus=session path=/org/gtk/vfs/Daemon
- interface=org.gtk.vfs.Daemon
- member=ListMonitorImplementations
- peer=(name=:*),
-
- dbus (send) bus=session path=/org/gtk/Settings
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*),
-
- dbus (send, receive) bus=session path=/org/freedesktop/Notifications
- interface=org.freedesktop.Notifications
- peer=(name="{org.freedesktop.Notifications,org.freedesktop.DBus,:*}"), # all members
-
- # Include additions to the abstraction
- include if exists
diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue
index c03b3c1b..6c2ad052 100644
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@@ -20,13 +20,21 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
 network inet6 stream,
 network netlink raw,
- dbus (send,receive) bus=system path=/org/freedesktop/GeoClue2/{Agent,Manager}
- interface=org.freedesktop.{DBus.Properties,GeoClue2*},
+ dbus bind bus=system name=org.freedesktop.GeoClue2,
+ dbus send bus=system path=/org/freedesktop/GeoClue2/*
+ interface=org.freedesktop.DBus.Properties
+ peer=(name="{:*,org.freedesktop.DBus}"),
+ dbus receive bus=system path=/org/freedesktop/GeoClue2/*
+ interface=org.freedesktop.DBus.Properties
+ peer=(name=:*),
+ dbus receive bus=system path=/org/freedesktop/GeoClue2/*
+ interface=org.freedesktop.GeoClue2.Manager
+ peer=(name=:*),
 dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
- member={GetConnectionUnixProcessID,GetConnectionUnixUser,ReleaseName,RequestName}
- peer=(name=org.freedesktop.DBus),
+ member={GetConnectionUnixUser,GetConnectionUnixProcessID}
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 dbus send bus=system path=/
 interface=org.freedesktop.Avahi.Server
@@ -36,9 +44,10 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Peer
 member=Ping,
- dbus send bus=system path=/fi/w[0-9]/wpa_supplicant[0-9]
+ dbus send bus=system path=/fi/w1/wpa_supplicant1
 interface=org.freedesktop.DBus.Properties
- member=GetAll,
+ member=PropertiesChanged
+ peer=(name=:*, label=wpa-supplicant),
 dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
 interface=org.freedesktop.DBus.ObjectManager
@@ -65,9 +74,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member=PropertiesChanged,
- dbus bind bus=system
- name=org.freedesktop.GeoClue2,
-
 @{exec_path} mr,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index 4c0015cf..35616d40 100644
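Review bot: The rewritten wpa_supplicant rule in the second hunk, `dbus send bus=system path=/fi/w1/wpa_supplicant1 interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=:*, label=wpa-supplicant)`, has the shape of a method call but names a signal: `PropertiesChanged` is emitted by the peer, so geoclue would need `dbus receive` for it, and the `member=GetAll` query the old rule allowed is no longer covered at all. Unless the audit entry that motivated this really reported a send, I would expect `dbus send … member=GetAll` plus `dbus receive … member=PropertiesChanged` against the same peer. In the first hunk, note that a single `*` in `path=/org/freedesktop/GeoClue2/*` does not cross `/`, so objects below `GeoClue2/Client/` stay uncovered as they were before; a short comment stating that the unlabeled `peer=(name=:*)` receive rules are deliberate for a system service answering arbitrary clients would also help the next reader. The profile block begins and ends outside these hunks.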
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -10,6 +10,7 @@ include
 profile gnome-extension-ding @{exec_path} {
 include
 include
+ include
 include
 include
 include
@@ -44,10 +45,10 @@ profile gnome-extension-ding @{exec_path} {
 member=GetAll
 peer=(name=:*, label=nautilus),
- dbus send bus=session path=/org/freedesktop/Notifications
+ dbus send bus=system path=/net/hadess/SwitcherooControl
 interface=org.freedesktop.DBus.Properties
 member=GetAll
- peer=(name=:*, label=gjs-console),
+ peer=(name=:*, label=switcheroo-control),
 dbus send bus=session path=/org/gnome/Nautilus/FileOperations*
 interface=org.freedesktop.DBus.Properties
@@ -63,8 +64,11 @@ profile gnome-extension-ding @{exec_path} {
 member=Introspect
 peer=(name=:*, label=nautilus),
- dbus send bus={systemd,session} path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus{,.Properties}
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus*
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus*
 peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl
index 30c34bb5..ebd24651 100644
--- a/apparmor.d/groups/gnome/gnome-session-ctl
+++ b/apparmor.d/groups/gnome/gnome-session-ctl
@@ -18,7 +18,7 @@ profile gnome-session-ctl @{exec_path} {
 dbus send bus=session path=/org/freedesktop/systemd1
 interface=org.freedesktop.systemd1.Manager
 member={StartUnit,StopUnit}
- peer=(name=org.freedesktop.systemd1),
+ peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
 dbus send bus=session path=/org/gnome/SessionManager
 interface=org.gnome.SessionManager
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index acfb5ac2..b510acc4 100644
--- a/apparmor.d/groups/gnome/gnome-shell
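Review bot: In the third gnome-extension-ding hunk, `interface=org.freedesktop.DBus*` on both buses is wider than the `org.freedesktop.DBus{,.Properties}` it replaces: the glob also matches dbus-daemon's `org.freedesktop.DBus.Monitoring` and `org.freedesktop.DBus.Debug.Stats` interfaces, and with no `member=` the rule allows any method on any of them. Splitting the old `bus={systemd,session}` rule into separate session and system rules is the right fix for that typo, but the interface can stay as narrow as before, `interface=org.freedesktop.DBus{,.Properties}`, unless the logs showed something else was needed; if they did, a comment naming the extra interface would justify the glob. The profile block starts and ends outside the hunk.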
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -13,8 +13,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
+ include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index 33305da9..03ad49b0 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -10,6 +10,8 @@ include
 profile gsd-color @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
+ include
 include
 include
 include
@@ -23,6 +25,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term, hup) peer=gdm*,
 dbus bind bus=session name=org.gnome.SettingsDaemon.Color,
+ dbus receive bus=session path=/org/gnome/SettingsDaemon/Color
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=gnome-shell),
 dbus (send, receive) bus=system path=/org/freedesktop/ColorManager{,/devices/*}
 interface=org.freedesktop.ColorManager*,
@@ -31,36 +37,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member=GetAll,
- dbus receive bus=session path=/org/gnome/SettingsDaemon/Color
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=gnome-shell),
-
- dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
- interface=org.freedesktop.DBus.Properties
- member={GetAll,PropertiesChanged}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member=EndSessionResponse
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member={CancelEndSession,QueryEndSession,EndSession,Stop}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member=RegisterClient
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded}
- peer=(name=:*, label=gnome-session-binary),
-
 dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
 interface=org.gnome.Mutter.DisplayConfig
 member={GetResources,GetCrtcGamma}
@@ -71,11 +47,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
 member=GetAll
 peer=(name=:*, label=gnome-shell),
- dbus send bus=session path=/org/gtk/vfs/mounttracker
- interface=org.gtk.vfs.MountTracker
- member=ListMountableInfo
- peer=(name=:*, label=gvfsd),
-
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify
index b3821893..02a147b3 100644
--- a/apparmor.d/groups/gnome/gsd-disk-utility-notify
+++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify
@@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Alexandre Pujol
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -9,24 +9,17 @@ include
 @{exec_path} = @{lib}/gsd-disk-utility-notify
 profile gsd-disk-utility-notify @{exec_path} {
 include
+ include
 include
 include
- dbus receive bus=system path=/org/freedesktop/UDisks2{,/**}
- interface=org.freedesktop.DBus.{Properties,ObjectManager},
-
- dbus send bus=system path=/org/freedesktop/UDisks2
- interface=org.freedesktop.DBus.ObjectManager
- member=GetManagedObjects,
+ dbus bind bus=session name=org.gnome.Disks.NotificationMonitor,
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
- dbus bind bus=session
- name=org.gnome.Disks.NotificationMonitor,
-
 @{exec_path} mr,
 include if exists
diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard
index 43e9626d..c354e49c 100644
--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@@ -10,6 +10,7 @@ include
 profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index b605d84d..d6456aeb 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -13,6 +13,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
+ include
 include
 include
 include
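Review bot: The removed `dbus receive bus=system path=/org/freedesktop/UDisks2{,/**} interface=org.freedesktop.DBus.{Properties,ObjectManager}` rule covered `PropertiesChanged` signals from udisksd, and the bus/udisk abstraction as it appears in this diff only gains a `send … GetAll` rule next to an existing `receive … InterfacesAdded` rule; the new include target is stripped from this view, but if it is bus/udisk, Properties signal reception is no longer allowed for this profile. The gvfs-udisks2-volume-monitor hunk in this same commit adds `dbus receive bus=system path=/org/freedesktop/UDisks2/** interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=:*, label=udisksd),` in-profile, so either this profile needs the same rule or the rule belongs in the shared abstraction so both callers get it. The profile block closes outside the hunk.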
@@ -40,31 +42,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 member=GetAll
 peer=(name=:*, label=upowerd),
- dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
- interface=org.freedesktop.DBus.Properties
- member={GetAll,PropertiesChanged}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member=EndSessionResponse
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member={CancelEndSession,QueryEndSession,EndSession,Stop}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member=RegisterClient
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded}
- peer=(name=:*, label=gnome-session-binary),
-
 dbus send bus=session path=/org/gnome/Shell
 interface=org.freedesktop.DBus.Properties
 member=GetAll
@@ -110,11 +87,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 member=WatchFired
 peer=(name=:*, label=gnome-shell),
- dbus send bus=session path=/org/gtk/vfs/mounttracker
- interface=org.gtk.vfs.MountTracker
- member=ListMountableInfo
- peer=(name=:*, label=gvfsd),
-
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index 018ba4df..e03c5854 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -13,6 +13,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
@@ -34,19 +35,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 peer=(name="{org.freedesktop.DBus,:*}", label="{gsd-media-keys,gnome-shell}"),
- dbus send bus=session path=/org/gnome/SessionManager{,/**}
- interface=org.freedesktop.DBus.Properties
- peer=(name=:*),
- dbus send bus=session path=/org/gnome/SessionManager{,/**}
- interface=org.gnome.SessionManager
- peer=(name=:*),
- dbus receive bus=session path=/org/gnome/SessionManager{,/**}
- interface=org.gnome.SessionManager{,.*}
- peer=(name=:*, label=gnome-session-binary),
- dbus receive bus=session path=/org/gnome/SessionManager{,/**}
- interface=org.freedesktop.DBus.Properties
- peer=(name=:*, label=gnome-session-binary),
-
 dbus send bus=session path=/org/gnome/Mutter/**
 interface=org.freedesktop.DBus.{Properties,ObjectManager}
 peer=(name=:*, label=gnome-shell),
@@ -79,9 +67,14 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 member=GetAll
 peer=(name=:*, label=power-profiles-daemon),
- dbus send bus=system path=/org/freedesktop/systemd1
+ dbus send bus=system path=/org/freedesktop/login1/session/auto
 interface=org.freedesktop.DBus.Properties
- peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+ member=GetAll
+ peer=(name=:*, label=systemd-logind),
+ dbus send bus=system path=/org/freedesktop/login1/session/auto
+ interface=org.freedesktop.login1.Session
+ member=SetBrightness
+ peer=(name=:*, label=systemd-logind),
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index d07e9e34..c91aa452 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/gsd-print-notifications
 profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -21,50 +22,23 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
 dbus bind bus=session name=org.gnome.SettingsDaemon.PrintNotifications,
- dbus (send,receive) bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
+ dbus send bus=system path=/Client@{int}/ServiceBrowser@{int}
 interface=org.freedesktop.Avahi.ServiceBrowser
- member={CacheExhausted,AllForNow,CacheExhausted,AllForNow,Free},
-
+ peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
+ dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
+ interface=org.freedesktop.Avahi.ServiceBrowser
+ peer=(name=:*, label=avahi-daemon),
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
 dbus send bus=system path=/
 interface=org.freedesktop.DBus.Peer
- member=Ping,
-
- dbus send bus=system path=/
- interface=org.freedesktop.Avahi.Server
- member={GetAPIVersion,GetState,ServiceBrowserNew},
-
- dbus receive bus=system path=/
- interface=org.freedesktop.Avahi.Server
- member=StateChanged,
+ member=Ping
+ peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
 dbus receive bus=system path=/org/cups/cupsd/Notifier
 interface=org.cups.cupsd.Notifier,
- dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
- interface=org.freedesktop.DBus.Properties
- member={GetAll,PropertiesChanged}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member=EndSessionResponse
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member={CancelEndSession,QueryEndSession,EndSession,Stop}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member=RegisterClient
- peer=(name=:*, label=gnome-session-binary),
-
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer
index d0b8714e..fdb4b30d 100644
--- a/apparmor.d/groups/gnome/gsd-printer
+++ b/apparmor.d/groups/gnome/gsd-printer
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/gsd-printer
 profile gsd-printer @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -20,30 +21,6 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
 dbus bind bus=system name=com.redhat.PrinterDriversInstaller,
- dbus (send,receive) bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- peer=(name=:*),
-
- dbus send bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member=EndSessionResponse
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member={EndSession,QueryEndSession,CancelEndSession,Stop}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager/Presence
- interface=org.gnome.SessionManager.Presence
- member=StatusChanged
- peer=(name=:*, label=gnome-session-binary),
-
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
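Review bot: The Avahi rewrite in the gsd-print-notifications hunk drops `dbus receive bus=system path=/ interface=org.freedesktop.Avahi.Server member=StateChanged` without any replacement `receive` rule for that path, so avahi-daemon's `StateChanged` signal will now be denied, while the new `send` rules to `org.freedesktop.Avahi.Server` and `org.freedesktop.Avahi.ServiceBrowser` lose their `member=` lists and therefore allow every method on both interfaces. Adding `dbus receive bus=system path=/ interface=org.freedesktop.Avahi.Server member=StateChanged peer=(name=:*, label=avahi-daemon),` restores the signal, and keeping `member={GetAPIVersion,GetState,ServiceBrowserNew}` on the Server send rule keeps the previous least-privilege scope; if the member lists were dropped on purpose because the logs showed more members, a comment saying so would stop the next reader from re-adding them. The profile block starts and ends outside the hunk.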
diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill
index 95ab671c..801a25b7 100644
--- a/apparmor.d/groups/gnome/gsd-rfkill
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/gsd-rfkill
 profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
@@ -16,6 +17,8 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus bind bus=session name=org.gnome.SettingsDaemon.Rfkill,
+
 dbus send bus=system path=/org/freedesktop/hostname[0-9]
 interface=org.freedesktop.DBus.Properties
 member=Get,
@@ -41,31 +44,6 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member=PropertiesChanged,
- dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
- interface=org.freedesktop.DBus.Properties
- member={GetAll,PropertiesChanged}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member=EndSessionResponse
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member={CancelEndSession,QueryEndSession,EndSession,Stop}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member=RegisterClient
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded}
- peer=(name=:*, label=gnome-session-binary),
-
 dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill
 interface=org.freedesktop.DBus.Properties
 member=GetAll
@@ -81,9 +59,6 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
 member=Introspect
 peer=(name=:*, label=gnome-shell),
- dbus bind bus=session
- name=org.gnome.SettingsDaemon.Rfkill,
-
 @{exec_path} mr,
 @{sys}/devices/virtual/misc/rfkill/uevent r,
diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy
index af0ea909..1ff0336e 100644
--- a/apparmor.d/groups/gnome/gsd-screensaver-proxy
+++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy
@@ -9,46 +9,20 @@ include
 @{exec_path} = @{lib}/gsd-screensaver-proxy
 profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 signal (receive) set=(term, hup) peer=gdm*,
- dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
- interface=org.freedesktop.DBus.Properties
- member={GetAll,PropertiesChanged}
- peer=(name=:*, label=gnome-session-binary),
+ dbus bind bus=session name=org.freedesktop.ScreenSaver,
- dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member=EndSessionResponse
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member={CancelEndSession,QueryEndSession,EndSession,Stop}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member=RegisterClient
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded}
- peer=(name=:*, label=gnome-session-binary),
+ dbus bind bus=session name=org.gnome.SettingsDaemon.ScreensaverProxy,
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
- dbus bind bus=session
- name=org.freedesktop.ScreenSaver,
-
- dbus bind bus=session
- name=org.gnome.SettingsDaemon.ScreensaverProxy,
-
 @{exec_path} mr,
 owner /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing
index 66ffb9b8..30cb0b4b 100644
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/gsd-sharing
 profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -16,6 +17,8 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term, hup) peer=gdm*,
+ dbus bind bus=session name=org.gnome.SettingsDaemon.Sharing,
+
 dbus send bus=system path=/org/freedesktop
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
@@ -56,31 +59,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
 member=CheckPermissions
 peer=(name=:*, label=NetworkManager),
- dbus send bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member=RegisterClient
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/**}
- interface=org.freedesktop.DBus.Properties
- member={GetAll,PropertiesChanged}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member=EndSessionResponse
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member={CancelEndSession,QueryEndSession,EndSession,Stop}
- peer=(name=:*, label=gnome-session-binary),
-
 dbus send bus=session path=/org/freedesktop/systemd1
 interface=org.freedesktop.systemd1.Manager
 member=StopUnit
@@ -91,9 +69,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
 member=Introspect
 peer=(name=:*, label=gnome-shell),
- dbus bind bus=session
- name=org.gnome.SettingsDaemon.Sharing,
-
 dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
 interface=org.freedesktop.NetworkManager.Connection.Active
 member=StateChanged,
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard
index 4a4d002b..b1c58f35 100644
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@@ -9,37 +9,15 @@ include
 @{exec_path} = @{lib}/gsd-smartcard
 profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
 include
- include
+ include
 include
 include
+ include
 include
 signal (receive) set=(term, hup) peer=gdm*,
- dbus send bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member=RegisterClient
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
- interface=org.freedesktop.DBus.Properties
- member={GetAll,PropertiesChanged}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member=EndSessionResponse
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member={CancelEndSession,QueryEndSession,EndSession,Stop}
- peer=(name=:*, label=gnome-session-binary),
+ dbus bind bus=session name=org.gnome.SettingsDaemon.Smartcard,
 dbus receive bus=session path=/org/gnome/SettingsDaemon/Smartcard
 interface=org.freedesktop.DBus.ObjectManager
@@ -56,9 +34,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
 member=Introspect
 peer=(name=:*, label=gnome-shell),
- dbus bind bus=session
- name=org.gnome.SettingsDaemon.Smartcard,
-
 @{exec_path} mr,
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound
index 151df92d..52ceebfe 100644
--- a/apparmor.d/groups/gnome/gsd-sound
+++ b/apparmor.d/groups/gnome/gsd-sound
@@ -10,49 +10,20 @@ include
 profile gsd-sound @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
+ include
 include
 include
 signal (receive) set=(term, hup) peer=gdm*,
- dbus send bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member=RegisterClient
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
- interface=org.freedesktop.DBus.Properties
- member={GetAll,PropertiesChanged}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member=EndSessionResponse
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]*
- interface=org.gnome.SessionManager.ClientPrivate
- member={CancelEndSession,QueryEndSession,EndSession,Stop}
- peer=(name=:*, label=gnome-session-binary),
+ dbus bind bus=session name=org.gnome.SettingsDaemon.Sound,
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
- dbus send bus=session path=/org/gtk/vfs/mounttracker
- interface=org.gtk.vfs.MountTracker
- member=ListMountableInfo
- peer=(name=:*, label=gvfsd),
-
- dbus bind bus=session
- name=org.gnome.SettingsDaemon.Sound,
-
 @{exec_path} mr,
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom
index b25794ac..c2b91514 100644
--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@@ -10,6 +10,7 @@ include
 profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 include
 include
@@ -23,32 +24,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term, hup) peer=gdm*,
 dbus bind bus=session name=org.gnome.SettingsDaemon.Wacom,
-
- dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client@{int}}
- interface=org.freedesktop.DBus.Properties
- member={GetAll,PropertiesChanged}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
- interface=org.gnome.SessionManager.ClientPrivate
- member=EndSessionResponse
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
- interface=org.gnome.SessionManager.ClientPrivate
- member={CancelEndSession,QueryEndSession,EndSession,Stop}
- peer=(name=:*, label=gnome-session-binary),
-
- dbus send bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member=RegisterClient
- peer=(name=:*, label=gnome-session-binary),
-
- dbus receive bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded}
- peer=(name=:*, label=gnome-session-binary),
-
 dbus receive bus=session path=/org/gnome/SettingsDaemon/Wacom
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index 1e985f0e..a821c61a 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@@ -49,6 +49,11 @@ profile gsd-xsettings @{exec_path} {
 member=Get
 peer=(name=org.gnome.Shell.Introspect, label=gnome-shell),
+ dbus send bus=system path=/org/freedesktop/Accounts/User@{uid}
+ interface=org.freedesktop.Accounts.User
+ member=SetInputSources
+ peer=(name=:*, label=accounts-daemon),
+
 dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
 member=GetId
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index d227f018..76845e2a 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -29,7 +29,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 dbus bind bus=session name=org.gnome.Nautilus,
 dbus (send, receive) bus=session path=/org/gnome/Nautilus
 interface=org.gtk.{Actions,Application},
- dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/**}
+ dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/**}
 interface=org.freedesktop.DBus.Properties
 peer=(name=:*),
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 80f77934..ef3ba5b4 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -9,6 +9,8 @@ include
 @{exec_path} = @{lib}/tracker-extract-3
 profile tracker-extract @{exec_path} flags=(attach_disconnected) {
 include
+ include
+ include
 include
 include
 include
@@ -42,31 +44,21 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { interface=org.gtk.Private.RemoteVolumeMonitor member={List,IsSupported,MountAdded} peer=(name=:*, label=gvfs-*-volume-monitor), - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=ListMount* - peer=(name=:*, label=gvfsd), - dbus receive bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member={Mounted,ListMounts2} - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=ListMonitorImplementations - peer=(name=:*, label=gvfsd), + dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={MountAdded,VolumeChanged} + peer=(name=:*, label=gvfs-*-volume-monitor), dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member={GetTreeFromDevice,Remove} peer=(name=:*, label=gvfsd-metadata), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 27303158..c6f35e4f 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -36,7 +36,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor - member={List,IsSupported} + member={List,IsSupported,VolumeChanged,MountAdded} peer=(name=:*, label=gvfs-*-volume-monitor), dbus receive bus=session 
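Review bot: In the tracker-extract hunk, the new `dbus receive` rule now covers `MountAdded`, which leaves the `MountAdded` in the context line `member={List,IsSupported,MountAdded}` of the `dbus send` rule directly above as dead policy: it is a signal emitted by the volume monitor, which tracker-extract receives and never sends. Trim the send rule to `member={List,IsSupported}` so the two rules document the real direction of each member. The receive rule also admits only two of the monitor's signals; if `MountRemoved`, `VolumeAdded` or `VolumeRemoved` start appearing in the audit log they belong in that same rule rather than in a new one. The profile body starts and ends outside the hunk.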
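Review bot: The tracker-miner hunk adds `VolumeChanged` and `MountAdded` to a `dbus send` rule, but both are signals emitted by the gvfs volume monitor, so the miner receives them and never sends them; the permission as written is dead policy and will not silence a receive denial. The same commit handles exactly these two members for tracker-extract with a `dbus receive` rule on `path=/org/gtk/Private/RemoteVolumeMonitor`, which is the shape to use here as well, keeping the send rule at `member={List,IsSupported}`. If the denial that motivated the change was logged as a send, the audit line is worth re-reading before merging. The profile body starts and ends outside the hunk.
```apparmor
    member={List,IsSupported}
    # … unchanged: peer=(name=:*, label=gvfs-*-volume-monitor), …

  dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
    interface=org.gtk.Private.RemoteVolumeMonitor
    member={MountAdded,VolumeChanged}
    peer=(name=:*, label=gvfs-*-volume-monitor),
```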
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index 0b854f7e..2bcf2fc6 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -11,6 +11,7 @@ include
 profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
   include
   include
+  include
   include
   include
   include
@@ -45,11 +46,10 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
     interface=org.freedesktop.DBus.ObjectManager
     member=InterfacesRemoved
     peer=(name=:*, label=udisksd),
-
-  dbus send bus=session path=/org/gtk/vfs/mounttracker
-    interface=org.gtk.vfs.MountTracker
-    member=ListMountableInfo
-    peer=(name=:*, label=gvfsd),
+  dbus receive bus=system path=/org/freedesktop/UDisks2/**
+    interface=org.freedesktop.DBus.Properties
+    member=PropertiesChanged
+    peer=(name=:*, label=udisksd),
 
   dbus receive bus=session
     interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index fb947a2a..d1c6bb89 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
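Review bot: In the second gvfs-udisks2-volume-monitor hunk the new `PropertiesChanged` receive rule is glued directly onto the preceding `InterfacesRemoved` rule because the blank separator was removed (`-` blank line) instead of kept, while every other rule pair in the hunk is separated by a blank line; keep that blank line between the two rules. The path `/org/freedesktop/UDisks2/**` deliberately excludes the `/org/freedesktop/UDisks2` root object, which should be fine since that object only serves ObjectManager, but a short comment such as `# Property updates on drives, block devices and jobs` above the rule would make the intended scope explicit. The profile body starts and ends outside the hunk.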
@@ -17,32 +17,10 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
   capability sys_admin, # To set a hostname
   dbus bind bus=system name=org.freedesktop.hostname1,
-
-  dbus receive bus=system path=/org/freedesktop/hostname1
-    interface=org.freedesktop.hostname1
-    member=SetHostname
-    peer=(name=:*, label=systemd//&systemd-networkd),
-
-  dbus send bus=system path=/org/freedesktop/DBus
-    interface=org.freedesktop.DBus
-    member={RequestName,ReleaseName,GetConnectionUnixUser}
-    peer=(name=org.freedesktop.DBus),
-
-  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
-    interface=org.freedesktop.PolicyKit1.Authority
-    member=CheckAuthorization
-    peer=(name=org.freedesktop.PolicyKit1),
-
   dbus receive bus=system path=/org/freedesktop/hostname1
     interface=org.freedesktop.DBus.Properties
-    member={Get,GetAll}
     peer=(name=:*),
 
-  dbus receive bus=system path=/org/freedesktop/hostname1
-    interface=org.freedesktop.hostname1
-    member=Set*Hostname
-    peer=(name=:*, label=hostnamectl),
-
   @{exec_path} mr,
 
   @{etc_rw}/.#hostname* rw,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index c8b9ec12..7c3f06d2 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -11,6 +11,7 @@ include
 profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
   include
   include
+  include
   include
   include
   include
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 18f6f576..0c704f41 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
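Review bot: Dropping `member={Get,GetAll}` from the surviving `dbus receive ... interface=org.freedesktop.DBus.Properties` rule widens it to every member of that interface, including `Set`, from any unlabelled peer (`name=:*`) on the system bus, and nothing in the hunk says why the narrower list stopped being sufficient. Keep `member={Get,GetAll}`, or if a specific extra member showed up in the audit log, add only that one. The removed PolicyKit `CheckAuthorization` send and the `SetHostname`/`Set*Hostname` receive rules are presumably now supplied by an abstraction included above the hunk; if they are not, hostnamed's own polkit query is denied and hostname changes fail closed rather than becoming unauthenticated, which is still a regression worth confirming on a live system. The profile body starts and ends outside the hunk.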
@@ -66,7 +66,13 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/UDisks2{,/**} interface=org.freedesktop.DBus.{Properties,ObjectManager} peer=(name="{:*,org.freedesktop.DBus}"), - + dbus send bus=system path=/org/freedesktop/UDisks2{,/**} + interface=org.freedesktop.DBus.{Properties,ObjectManager} + peer=(name=org.freedesktop.DBus), + dbus send bus=system path=/org/freedesktop/UDisks2{,/**} + interface=org.freedesktop.UDisks2.Job + peer=(name=org.freedesktop.DBus), + dbus (send,receive) bus=system path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect,
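Review bot: Both new `dbus send` rules omit `member=`, so the Properties/ObjectManager rule admits any member of those interfaces toward `peer=(name=org.freedesktop.DBus)`, whereas what a daemon emits to the bus there are the signals `PropertiesChanged`, `InterfacesAdded`, `InterfacesRemoved` and, on `org.freedesktop.UDisks2.Job`, `Completed`. The impact is small because the peer is the bus daemon itself, but the rest of this profile pins `member=`, so scope them the same way: `member={PropertiesChanged,InterfacesAdded,InterfacesRemoved}` on the first rule and `member=Completed` on the second. Separately, the blank line that preceded the new rules was removed and only re-added after them, leaving them glued to the `dbus receive` rule above; keep a blank line on both sides. The profile body starts and ends outside the hunk.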