dbus-gtk

2025-01-18 00:48:10 +01:00 · 2022-08-02 01:47:47 +03:00 · 2022-08-02 01:47:47 +03:00 · c96b6d8ee7
commit c96b6d8ee7
parent b8445e3b45
4 changed files with 137 additions and 114 deletions
--- a/apparmor.d/abstractions/dbus-gtk
+++ b/apparmor.d/abstractions/dbus-gtk
@ -0,0 +1,50 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+  dbus (send) bus=session path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       member=ListMountableInfo
+       peer=(name=:*),
+
+  dbus (send) bus=session path=/org/gtk/vfs/Daemon
+       interface=org.gtk.vfs.Daemon
+       member=ListMonitorImplementations
+       peer=(name=:*),
+
+  dbus (send) bus=session path=/org/gtk/Settings
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=:*),
+
+  dbus (send) bus=session path=/org/a11y/bus
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.a11y.Bus),
+
+  dbus (send) bus=session path=/org/a11y/bus
+       interface=org.a11y.Bus
+       member=GetAddress
+       peer=(name=org.a11y.Bus),
+
+  dbus (send, receive) bus=session path=/org/freedesktop/Notifications
+       interface=org.freedesktop.Notifications
+       peer=(name=:*),
+
+  dbus (receive) bus=accessibility path=/org/a11y/atspi/registry
+       interface=org.a11y.atspi.Registry
+       member=EventListenerDeregistered
+       peer=(name=:*),
+
+  dbus (send) bus=accessibility path=/org/a11y/atspi/registry
+       interface=org.a11y.atspi.Registry
+       member=GetRegisteredEvents
+       peer=(name=org.a11y.atspi.Registry),
+
+  dbus (send) bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+       interface=org.a11y.atspi.DeviceEventController
+       member={GetKeystrokeListeners,GetDeviceEventListeners}
+       peer=(name=org.a11y.atspi.Registry),
+
+  /etc/gtk-3.[0-9]/settings.ini r,
+
+  owner /tmp/dbus-[0-9a-zA-Z]* rw,
--- a/apparmor.d/abstractions/nvidia.d/complete
+++ b/apparmor.d/abstractions/nvidia.d/complete
@ -6,6 +6,4 @@
  owner @{user_cache_dirs}/nvidia/GLCache/ rw,
  owner @{user_cache_dirs}/nvidia/GLCache/** rwk,

-  @{run}/nvidia-xdriver-* w,
-
  unix (send, receive) type=dgram peer=(addr="@var/run/nvidia-xdriver-*"),
--- a/apparmor.d/groups/apps/thunderbird
+++ b/apparmor.d/groups/apps/thunderbird
@ -18,6 +18,7 @@ profile thunderbird @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/opencl-intel>
+  include <abstractions/wayland>
  include <abstractions/nvidia>
  include <abstractions/vulkan>
  include <abstractions/mesa>
@ -35,7 +36,7 @@ profile thunderbird @{exec_path} {
  include <abstractions/ibus>
  include <abstractions/dbus-strict>
  include <abstractions/dbus-session-strict>
-  include if exists <abstractions/ubuntu-unity7-base>
+  include <abstractions/dbus-gtk>

  ptrace peer=@{profile_name},

@ -53,26 +54,26 @@ profile thunderbird @{exec_path} {
  owner @{PROC}/@{pid}/gid_map w,
  owner @{PROC}/@{pid}/uid_map w,

-  dbus send bus=session path=/org/freedesktop/DBus
+  dbus (send) bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=RequestName
       peer=(name=org.freedesktop.DBus),

-  dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]*
+  dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]*
       member={Get,MakeThreadHighPriority,MakeThreadRealtime}
       peer=(name=org.freedesktop.RealtimeKit[0-9]*),

-  dbus send bus=system path=/org/freedesktop/UPower
+  dbus (send) bus=system path=/org/freedesktop/UPower
       interface=org.freedesktop.UPower
       member=EnumerateDevices
       peer=(name=org.freedesktop.UPower),

-  dbus send bus=session path=/ca/desrt/dconf/Writer/user
+  dbus (send) bus=session path=/ca/desrt/dconf/Writer/user
       interface=ca.desrt.dconf.Writer
       member={Change,Notify}
       peer=(name=ca.desrt.dconf),

-  dbus bind bus=session
+  dbus (bind) bus=session
       name=org.mozilla.thunderbird.*,

  @{exec_path} mrix,
@ -142,6 +143,7 @@ profile thunderbird @{exec_path} {
  # gnome-tiny
  /etc/gnome/defaults.list r,
  @{run}/mount/utab r,
+  /usr/share/gvfs/remote-volume-monitors/{,*} r,

  deny @{sys}/devices/system/cpu/present r,
  deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@ -1,6 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2015-2022 Mikhail Morfikov
-# Copyright (C) 2022 nobodysu
+# Copyright (C) 2015-2020 Mikhail Morfikov
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -15,7 +14,6 @@ profile qbittorrent @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/X>
  include <abstractions/gtk>
-  include <abstractions/gnome>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
@ -29,14 +27,14 @@ profile qbittorrent @{exec_path} {
  include <abstractions/dbus-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-network-manager-strict>
+  include <abstractions/dbus-gtk>
  include <abstractions/wayland>
  include <abstractions/dri-enumerate>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
-  include if exists <abstractions/ubuntu-unity7-base>
-  include if exists <abstractions/dbus-network-manager-strict>

  signal (send) set=(term, kill) peer=qbittorrent//python3,

@ -47,6 +45,71 @@ profile qbittorrent @{exec_path} {
  network netlink dgram,
  network netlink raw,

+  dbus (send) bus=session path=/StatusNotifierWatcher
+    interface=org.freedesktop.DBus.Introspectable
+    member=Introspect
+    peer=(name=org.kde.StatusNotifierWatcher),
+
+  dbus (send) bus=session path=/StatusNotifierWatcher
+    interface=org.freedesktop.DBus.Properties
+    member=Get
+    peer=(name=org.kde.StatusNotifierWatcher),
+
+  dbus (send) bus=session path=/StatusNotifierWatcher
+    interface=org.kde.StatusNotifierWatcher
+    member=RegisterStatusNotifierItem
+    peer=(name=org.kde.StatusNotifierWatcher),
+
+  dbus (send) bus=session path=/StatusNotifierItem
+    interface=org.kde.StatusNotifierItem
+    member={NewToolTip,NewIcon}
+    peer=(name=org.freedesktop.DBus),
+
+  dbus (receive) bus=session path=/StatusNotifierItem
+    interface=org.kde.StatusNotifierItem
+    member=Activate
+    peer=(name=:*),
+
+  dbus (receive) bus=session path=/StatusNotifierItem
+    interface=org.freedesktop.DBus.Properties
+    member=GetAll
+    peer=(name=:*),
+
+  dbus (receive) bus=session path=/MenuBar
+    interface=org.freedesktop.DBus.Properties
+    member=GetAll
+    peer=(name=:*),
+
+  dbus (send) bus=session path=/MenuBar
+    interface=com.canonical.dbusmenu
+    member=ItemsPropertiesUpdated
+    peer=(name=org.freedesktop.DBus),
+
+  dbus (receive) bus=session path=/MenuBar
+    interface=com.canonical.dbusmenu
+    member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}
+    peer=(name=:*),
+
+  dbus (send) bus=session path=/org/freedesktop/DBus
+    interface=org.freedesktop.DBus
+    member={RequestName,ReleaseName}
+    peer=(name=org.freedesktop.DBus),
+
+  dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.a11y.atspi.Socket
+       member=Embed
+       peer=(name=org.a11y.atspi.Registry),
+
+  dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.freedesktop.DBus.Properties
+       member=Set
+       peer=(name=:*),
+
+  dbus (bind) bus=session
+    name=org.kde.StatusNotifierItem-*,
+
+  owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
+
  @{exec_path} mr,

  # For "search engine"
@ -57,7 +120,7 @@ profile qbittorrent @{exec_path} {
  owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#[0-9]*[0-9],
  owner @{user_share_dirs}/data/ rw,
  owner @{user_share_dirs}/{,data/}qBittorrent/ rw,
-  owner @{user_share_dirs}/{,data/}qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#[0-9]*[0-9],
+  owner @{user_share_dirs}/{,data/}qBittorrent/** rwl -> @{user_share_dirs}/{,data/}qBittorrent/**/#[0-9]*[0-9],
  # Old dir, not recommended to use:
 #  deny owner @{user_share_dirs}/data/qBittorrent/ rw,

@ -112,92 +175,9 @@ profile qbittorrent @{exec_path} {
  owner @{run}/user/@{uid}/dconf/user   rw,
  owner @{run}/user/@{uid}/ICEauthority r,

-  # DBus
-  deny dbus send
-    bus=session
-    path=/org/gtk/vfs/mounttracker
-    interface=org.gtk.vfs.MountTracker
-    member=ListMountableInfo,
-
-  dbus send
-    bus=session
-    path=/org/gtk/vfs/Daemon
-    interface=org.gtk.vfs.Daemon
-    member=ListMonitorImplementations,
-
-  dbus send
-    bus=session
-    path=/StatusNotifierWatcher
-    interface=org.freedesktop.DBus.Introspectable
-    member=Introspect
-    peer=(name=org.kde.StatusNotifierWatcher),
-
-  dbus send
-    bus=session
-    path=/StatusNotifierWatcher
-    interface=org.freedesktop.DBus.Properties
-    member=Get
-    peer=(name=org.kde.StatusNotifierWatcher),
-
-  dbus send
-    bus=session
-    path=/StatusNotifierWatcher
-    interface=org.kde.StatusNotifierWatcher
-    member=RegisterStatusNotifierItem
-    peer=(name=org.kde.StatusNotifierWatcher),
-
-  dbus send
-    bus=session
-    path=/StatusNotifierItem
-    interface=org.kde.StatusNotifierItem
-    member=NewToolTip
-    peer=(name=org.freedesktop.DBus),
-
-  dbus receive
-    bus=session
-    path=/StatusNotifierItem
-    interface=org.kde.StatusNotifierItem
-    member=Activate
-    peer=(name=:*),
-
-  dbus receive
-    bus=session
-    path=/MenuBar
-    interface=org.freedesktop.DBus.Properties
-    member=GetAll
-    peer=(name=:*),
-
-  dbus send
-    bus=session
-    path=/MenuBar
-    interface=com.canonical.dbusmenu
-    member=ItemsPropertiesUpdated
-    peer=(name=org.freedesktop.DBus),
-
-  dbus receive
-    bus=session
-    path=/MenuBar
-    interface=com.canonical.dbusmenu
-    member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}
-    peer=(name=:*),
-
-  dbus receive
-    bus=session
-    path=/StatusNotifierItem
-    interface=org.freedesktop.DBus.Properties
-    member=GetAll
-    peer=(name=:*),
-
-  dbus send
-    bus=session
-    path=/org/freedesktop/DBus
-    interface=org.freedesktop.DBus
-    member={RequestName,ReleaseName}
-    peer=(name=org.freedesktop.DBus),
-
-  dbus bind
-    bus=session
-    name=org.kde.StatusNotifierItem-*,
+  # gnome-tiny
+  /usr/share/gvfs/remote-volume-monitors/{,*} r,
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  # Launch external apps
  /{usr/,}bin/xdg-{open,mime} rCx -> open,
@ -217,7 +197,12 @@ profile qbittorrent @{exec_path} {
  profile open {
    include <abstractions/base>
    include <abstractions/xdg-open>
-    include if exists <abstractions/ubuntu-unity7-base>
+    include <abstractions/dbus-gtk>
+
+    dbus (send) bus=session path=/org/gnome/{Nautilus,Totem,gedit}
+      interface=org.freedesktop.Application
+      member=Open
+      peer=(name="org.gnome.{Nautilus,Totem,gedit}"),

    /{usr/,}bin/xdg-open mr,

@ -231,6 +216,7 @@ profile qbittorrent @{exec_path} {
    /{usr/,}bin/qpdfview        rPx,
    /{usr/,}bin/ebook-viewer    rPx,
    /{usr/,}lib/firefox/firefox rPx,
+    /{usr/,}bin/engrampa        rPx,

    /{usr/,}bin/{ba,da,}sh        rix,
    /{usr/,}bin/{g,m,}awk         rix,
@ -249,19 +235,6 @@ profile qbittorrent @{exec_path} {

    owner @{HOME}/.xsession-errors w,

-    dbus send
-      bus=session
-      path=/org/gtk/vfs/Daemon
-      interface=org.gtk.vfs.Daemon
-      member=ListMonitorImplementations,
-
-    dbus send
-      bus=session
-      path=/org/gnome/{Nautilus,Totem,gedit}
-      interface=org.freedesktop.Application
-      member=Open
-      peer=(name="org.gnome.{Nautilus,Totem,gedit}"),
-
    include if exists <local/qbittorrent_open>
  }