From c96b6d8ee71315dfd9f4f2f9dab582c9dbb99dcb Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Tue, 2 Aug 2022 01:47:47 +0300
Subject: [PATCH] dbus-gtk
---
 apparmor.d/abstractions/dbus-gtk | 50 ++++++
 apparmor.d/abstractions/nvidia.d/complete | 2 -
 apparmor.d/groups/apps/thunderbird | 14 +-
 apparmor.d/profiles-m-r/qbittorrent | 185 +++++++++-------------
 4 files changed, 137 insertions(+), 114 deletions(-)
 create mode 100644 apparmor.d/abstractions/dbus-gtk
diff --git a/apparmor.d/abstractions/dbus-gtk b/apparmor.d/abstractions/dbus-gtk
new file mode 100644
index 00000000..d6aa8be9
--- /dev/null
+++ b/apparmor.d/abstractions/dbus-gtk
@@ -0,0 +1,50 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+ dbus (send) bus=session path=/org/gtk/vfs/mounttracker
+ interface=org.gtk.vfs.MountTracker
+ member=ListMountableInfo
+ peer=(name=:*),
+
+ dbus (send) bus=session path=/org/gtk/vfs/Daemon
+ interface=org.gtk.vfs.Daemon
+ member=ListMonitorImplementations
+ peer=(name=:*),
+
+ dbus (send) bus=session path=/org/gtk/Settings
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*),
+
+ dbus (send) bus=session path=/org/a11y/bus
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.a11y.Bus),
+
+ dbus (send) bus=session path=/org/a11y/bus
+ interface=org.a11y.Bus
+ member=GetAddress
+ peer=(name=org.a11y.Bus),
+
+ dbus (send, receive) bus=session path=/org/freedesktop/Notifications
+ interface=org.freedesktop.Notifications
+ peer=(name=:*),
+
+ dbus (receive) bus=accessibility path=/org/a11y/atspi/registry
+ interface=org.a11y.atspi.Registry
+ member=EventListenerDeregistered
+ peer=(name=:*),
+
+ dbus (send) bus=accessibility path=/org/a11y/atspi/registry
+ interface=org.a11y.atspi.Registry
+ member=GetRegisteredEvents
+ peer=(name=org.a11y.atspi.Registry),
+
+ dbus (send) bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+ interface=org.a11y.atspi.DeviceEventController
+ member={GetKeystrokeListeners,GetDeviceEventListeners}
+ peer=(name=org.a11y.atspi.Registry),
+
+ /etc/gtk-3.[0-9]/settings.ini r,
+
+ owner /tmp/dbus-[0-9a-zA-Z]* rw,
diff --git a/apparmor.d/abstractions/nvidia.d/complete b/apparmor.d/abstractions/nvidia.d/complete
index 5e85583f..906b9705 100644
--- a/apparmor.d/abstractions/nvidia.d/complete
+++ b/apparmor.d/abstractions/nvidia.d/complete
@@ -6,6 +6,4 @@
 owner @{user_cache_dirs}/nvidia/GLCache/ rw,
 owner @{user_cache_dirs}/nvidia/GLCache/** rwk,
- @{run}/nvidia-xdriver-* w,
- unix (send, receive) type=dgram peer=(addr="@var/run/nvidia-xdriver-*"),
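Review bot: The Notifications rule is the only one in the new abstraction with no `member=`, and it grants both `send` and `receive` to any unique-name peer, so every method and signal on org.freedesktop.Notifications is allowed rather than the handful GTK actually uses. Every other rule in the file pins a member; this one can be split the same way, e.g. `dbus (send) bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.Notifications member={GetCapabilities,GetServerInformation,Notify,CloseNotification} peer=(name=:*),` plus `dbus (receive) bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.Notifications member={NotificationClosed,ActionInvoked} peer=(name=:*),`. The `:*` peer is kept because signals arrive from the daemon's unique name; confirm against an audit log that no further member is needed before tightening. The nvidia.d/complete deletion in the next hunk is unrelated to the dbus-gtk subject and would be easier to review as its own commit.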
diff --git a/apparmor.d/groups/apps/thunderbird b/apparmor.d/groups/apps/thunderbird
index aabd5501..3d21e05b 100644
--- a/apparmor.d/groups/apps/thunderbird
+++ b/apparmor.d/groups/apps/thunderbird
@@ -18,6 +18,7 @@ profile thunderbird @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
@@ -35,7 +36,7 @@ profile thunderbird @{exec_path} {
 include
 include
 include
- include if exists
+ include
 ptrace peer=@{profile_name},
@@ -53,26 +54,26 @@ profile thunderbird @{exec_path} {
 owner @{PROC}/@{pid}/gid_map w,
 owner @{PROC}/@{pid}/uid_map w,
- dbus send bus=session path=/org/freedesktop/DBus
+ dbus (send) bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
 member=RequestName
 peer=(name=org.freedesktop.DBus),
- dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]*
+ dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]*
 member={Get,MakeThreadHighPriority,MakeThreadRealtime}
 peer=(name=org.freedesktop.RealtimeKit[0-9]*),
- dbus send bus=system path=/org/freedesktop/UPower
+ dbus (send) bus=system path=/org/freedesktop/UPower
 interface=org.freedesktop.UPower
 member=EnumerateDevices
 peer=(name=org.freedesktop.UPower),
- dbus send bus=session path=/ca/desrt/dconf/Writer/user
+ dbus (send) bus=session path=/ca/desrt/dconf/Writer/user
 interface=ca.desrt.dconf.Writer
 member={Change,Notify}
 peer=(name=ca.desrt.dconf),
- dbus bind bus=session
+ dbus (bind) bus=session
 name=org.mozilla.thunderbird.*,
 @{exec_path} mrix,
@@ -142,6 +143,7 @@ profile thunderbird @{exec_path} {
 # gnome-tiny
 /etc/gnome/defaults.list r,
 @{run}/mount/utab r,
+ /usr/share/gvfs/remote-volume-monitors/{,*} r,
 deny @{sys}/devices/system/cpu/present r,
 deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent
index 0ec27039..45b018cc 100644
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
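Review bot: The rewritten RealtimeKit rule in the third hunk, `dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]*`, still carries no `interface=`, so `member={Get,MakeThreadHighPriority,MakeThreadRealtime}` matches those member names on any interface at that path. Since the line is being touched anyway it could be split into `interface=org.freedesktop.DBus.Properties member=Get` and `interface=org.freedesktop.RealtimeKit1 member={MakeThreadHighPriority,MakeThreadRealtime}`, each keeping the existing `peer=(name=org.freedesktop.RealtimeKit[0-9]*)`, which is how the neighbouring UPower and dconf rules are written. The include targets in the first two hunks are not visible in this rendering, so the switch from `include if exists` to a hard `include` could not be checked against the abstraction added by this commit; if the target is anything other than that new file, a missing file would now stop the profile from loading.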
@@ -1,6 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2015-2022 Mikhail Morfikov
-# Copyright (C) 2022 nobodysu
+# Copyright (C) 2015-2020 Mikhail Morfikov
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -15,7 +14,6 @@ profile qbittorrent @{exec_path} {
 include
 include
 include
- include
 include
 include
 include
@@ -29,14 +27,14 @@ profile qbittorrent @{exec_path} {
 include
 include
 include
+ include
+ include
 include
 include
 include
 include
 include
 include
- include if exists
- include if exists
 signal (send) set=(term, kill) peer=qbittorrent//python3,
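Review bot: The first hunk rewrites the copyright header backwards — it drops `# Copyright (C) 2022 nobodysu` and shrinks Mikhail Morfikov's range from 2015-2022 to 2015-2020 — which a commit titled dbus-gtk has no reason to do and suggests the patch was generated against a stale checkout. The second hunk's removed include and the third hunk's two removed `include if exists` lines deserve the same check, since the include targets are not visible here and it cannot be confirmed that only dbus-related abstractions are affected. If the reversion is unintended, rebasing onto the current tree so that only the dbus lines remain would make the profile change reviewable on its own.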
@@ -47,6 +45,71 @@ profile qbittorrent @{exec_path} {
 network netlink dgram,
 network netlink raw,
+ dbus (send) bus=session path=/StatusNotifierWatcher
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=org.kde.StatusNotifierWatcher),
+
+ dbus (send) bus=session path=/StatusNotifierWatcher
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.kde.StatusNotifierWatcher),
+
+ dbus (send) bus=session path=/StatusNotifierWatcher
+ interface=org.kde.StatusNotifierWatcher
+ member=RegisterStatusNotifierItem
+ peer=(name=org.kde.StatusNotifierWatcher),
+
+ dbus (send) bus=session path=/StatusNotifierItem
+ interface=org.kde.StatusNotifierItem
+ member={NewToolTip,NewIcon}
+ peer=(name=org.freedesktop.DBus),
+
+ dbus (receive) bus=session path=/StatusNotifierItem
+ interface=org.kde.StatusNotifierItem
+ member=Activate
+ peer=(name=:*),
+
+ dbus (receive) bus=session path=/StatusNotifierItem
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*),
+
+ dbus (receive) bus=session path=/MenuBar
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*),
+
+ dbus (send) bus=session path=/MenuBar
+ interface=com.canonical.dbusmenu
+ member=ItemsPropertiesUpdated
+ peer=(name=org.freedesktop.DBus),
+
+ dbus (receive) bus=session path=/MenuBar
+ interface=com.canonical.dbusmenu
+ member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}
+ peer=(name=:*),
+
+ dbus (send) bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,ReleaseName}
+ peer=(name=org.freedesktop.DBus),
+
+ dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root
+ interface=org.a11y.atspi.Socket
+ member=Embed
+ peer=(name=org.a11y.atspi.Registry),
+
+ dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root
+ interface=org.freedesktop.DBus.Properties
+ member=Set
+ peer=(name=:*),
+
+ dbus (bind) bus=session
+ name=org.kde.StatusNotifierItem-*,
+
+ owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
+
 @{exec_path} mr,
 # For "search engine"
@@ -57,7 +120,7 @@ profile qbittorrent @{exec_path} {
 owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#[0-9]*[0-9],
 owner @{user_share_dirs}/data/ rw,
 owner @{user_share_dirs}/{,data/}qBittorrent/ rw,
- owner @{user_share_dirs}/{,data/}qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#[0-9]*[0-9],
+ owner @{user_share_dirs}/{,data/}qBittorrent/** rwl -> @{user_share_dirs}/{,data/}qBittorrent/**/#[0-9]*[0-9],
 # Old dir, not recommended to use:
 # deny owner @{user_share_dirs}/data/qBittorrent/ rw,
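Review bot: The StatusNotifierWatcher/StatusNotifierItem/dbusmenu rules added in this hunk are the generic system-tray handshake and are not qbittorrent-specific, so they will be re-declared in every tray-capable profile unless they get their own abstraction, the way this commit already factors the GTK traffic into abstractions/dbus-gtk. The at-spi rules here (`Socket member=Embed`, `Properties member=Set`, the `at-spi/bus{,_[0-9]*}` socket) are likewise the application-side half of the accessibility traffic whose registry half now lives in dbus-gtk, so the same protocol is described in two files; moving them next to each other would keep that policy reviewable in one place. Among the new receive rules, `interface=org.freedesktop.DBus.Properties member=Set peer=(name=:*)` on the at-spi root is the broadest, since any session-bus peer may set properties on it; a one-line comment saying that the registry sets these from its unique name would record why `:*` rather than a named peer is used.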
@@ -112,92 +175,9 @@ profile qbittorrent @{exec_path} {
 owner @{run}/user/@{uid}/dconf/user rw,
 owner @{run}/user/@{uid}/ICEauthority r,
- # DBus
- deny dbus send
- bus=session
- path=/org/gtk/vfs/mounttracker
- interface=org.gtk.vfs.MountTracker
- member=ListMountableInfo,
-
- dbus send
- bus=session
- path=/org/gtk/vfs/Daemon
- interface=org.gtk.vfs.Daemon
- member=ListMonitorImplementations,
-
- dbus send
- bus=session
- path=/StatusNotifierWatcher
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=org.kde.StatusNotifierWatcher),
-
- dbus send
- bus=session
- path=/StatusNotifierWatcher
- interface=org.freedesktop.DBus.Properties
- member=Get
- peer=(name=org.kde.StatusNotifierWatcher),
-
- dbus send
- bus=session
- path=/StatusNotifierWatcher
- interface=org.kde.StatusNotifierWatcher
- member=RegisterStatusNotifierItem
- peer=(name=org.kde.StatusNotifierWatcher),
-
- dbus send
- bus=session
- path=/StatusNotifierItem
- interface=org.kde.StatusNotifierItem
- member=NewToolTip
- peer=(name=org.freedesktop.DBus),
-
- dbus receive
- bus=session
- path=/StatusNotifierItem
- interface=org.kde.StatusNotifierItem
- member=Activate
- peer=(name=:*),
-
- dbus receive
- bus=session
- path=/MenuBar
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*),
-
- dbus send
- bus=session
- path=/MenuBar
- interface=com.canonical.dbusmenu
- member=ItemsPropertiesUpdated
- peer=(name=org.freedesktop.DBus),
-
- dbus receive
- bus=session
- path=/MenuBar
- interface=com.canonical.dbusmenu
- member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}
- peer=(name=:*),
-
- dbus receive
- bus=session
- path=/StatusNotifierItem
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*),
-
- dbus send
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={RequestName,ReleaseName}
- peer=(name=org.freedesktop.DBus),
-
- dbus bind
- bus=session
- name=org.kde.StatusNotifierItem-*,
+ # gnome-tiny
+ /usr/share/gvfs/remote-volume-monitors/{,*} r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
 # Launch external apps
 /{usr/,}bin/xdg-{open,mime} rCx -> open,
@@ -217,7 +197,12 @@ profile qbittorrent @{exec_path} {
 profile open {
 include
 include
- include if exists
+ include
+
+ dbus (send) bus=session path=/org/gnome/{Nautilus,Totem,gedit}
+ interface=org.freedesktop.Application
+ member=Open
+ peer=(name="org.gnome.{Nautilus,Totem,gedit}"),
 /{usr/,}bin/xdg-open mr,
@@ -231,6 +216,7 @@ profile qbittorrent @{exec_path} {
 /{usr/,}bin/qpdfview rPx,
 /{usr/,}bin/ebook-viewer rPx,
 /{usr/,}lib/firefox/firefox rPx,
+ /{usr/,}bin/engrampa rPx,
 /{usr/,}bin/{ba,da,}sh rix,
 /{usr/,}bin/{g,m,}awk rix,
@@ -249,19 +235,6 @@ profile qbittorrent @{exec_path} {
 owner @{HOME}/.xsession-errors w,
- dbus send
- bus=session
- path=/org/gtk/vfs/Daemon
- interface=org.gtk.vfs.Daemon
- member=ListMonitorImplementations,
-
- dbus send
- bus=session
- path=/org/gnome/{Nautilus,Totem,gedit}
- interface=org.freedesktop.Application
- member=Open
- peer=(name="org.gnome.{Nautilus,Totem,gedit}"),
- include if exists }
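Review bot: Dropping the old `deny dbus send ... path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMountableInfo,` at the top of this hunk, while the new abstractions/dbus-gtk in the same commit allows exactly that call, flips it from explicitly denied to allowed for qbittorrent (assuming the profile now includes dbus-gtk; the include targets are not visible here). That is a real mediation change hidden inside what otherwise reads as a move-to-abstraction cleanup, and the commit message does not mention it. If the gvfs mount enumeration is still unwanted, keeping the deny line after the include preserves the previous behaviour, since an explicit deny takes precedence over an allow from an included abstraction; if the call is now wanted, saying so in the commit message would make the intent clear. The same applies to the last hunk, where the `open` subprofile's `org.gtk.vfs.Daemon` rule is removed and is presumably meant to be covered by the abstraction pulled in by the `include` added at `profile open {`.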