diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
index a10e539c..9a4c3b9d 100644
--- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
@@ -12,15 +12,12 @@ profile gvfs-goa-volume-monitor @{exec_path} {
 include
 include
- dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={RequestName,ReleaseName}
- peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+ dbus bind bus=session name=org.gtk.vfs.GoaVolumeMonitor,
 dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
 interface=org.gtk.Private.RemoteVolumeMonitor
 member={List,IsSupported}
- peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"),
+ peer=(name=:*, label="{gnome-shell,nautilus,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"),
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
@@ -32,9 +29,6 @@ profile gvfs-goa-volume-monitor @{exec_path} {
 member=GetManagedObjects
 peer=(name=:*, label=goa-daemon),
- dbus bind bus=session
- name=org.gtk.vfs.GoaVolumeMonitor,
-
 @{exec_path} mr,
 include if exists
diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
index 02cb3c60..32aa83cd 100644
--- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
@@ -16,11 +16,6 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} {
 network netlink raw,
- dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={RequestName,ReleaseName}
- peer=(name=org.freedesktop.DBus, label=dbus-daemon),
-
 dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
 interface=org.gtk.Private.RemoteVolumeMonitor
 member={List,IsSupported}
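Review bot: The removed `dbus send bus=session path=/org/freedesktop/DBus ... member={RequestName,ReleaseName}` rule is replaced only by `dbus bind bus=session name=org.gtk.vfs.GoaVolumeMonitor,`, and the same rule is dropped without replacement in gvfs-gphoto2-volume-monitor, gvfs-udisks2-volume-monitor, gvfsd-dnssd, gvfsd-network, systemd-timesyncd and thermald. The gvfsd-trash hunk in this same commit goes the other way and adds a `member=RequestName` send rule next to its new bind, so the commit is inconsistent about whether the method call to the bus driver is mediated separately from the bind permission; if it is, every profile that lost the rule will log a denial the next time the service claims its name. Either the send rule is redundant everywhere and the gvfsd-trash addition should go, or it is needed and should return for the other profiles, ideally once in a shared abstraction rather than per profile. The bind rule itself is correctly scoped to the single well-known name the service owns.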
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index db353830..5919f952 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -32,11 +32,6 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.{DBus.*,UDisks2.*}
 peer=(label=udisksd),
- dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={RequestName,ReleaseName}
- peer=(name=org.freedesktop.DBus, label=dbus-daemon),
-
 dbus send bus=session path=/org/gtk/vfs/mounttracker
 interface=org.gtk.vfs.MountTracker
 member=ListMountableInfo
diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd
index 79f9888e..2ca3131e 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dnssd
+++ b/apparmor.d/groups/gvfs/gvfsd-dnssd
@@ -13,11 +13,6 @@ profile gvfsd-dnssd @{exec_path} {
 include
 include
- dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={RequestName,ReleaseName}
- peer=(name=org.freedesktop.DBus, label=dbus-daemon),
-
 dbus send bus=system path=/
 interface=org.freedesktop.Avahi.Server
 member={Ping,GetAPIVersion,GetState,ServiceBrowserNew},
diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse
index 4f3fdfd1..72e4c1ea 100644
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@@ -17,7 +17,7 @@ profile gvfsd-fuse @{exec_path} {
 mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,
- dbus send bus=session path=/org/gtk/vfs/mounttracker
+ dbus send bus=session path=/org/gtk/vfs/mounttracker
 interface=org.gtk.vfs.MountTracker
 peer=(name=:*, label=gvfsd), # all members
diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata
index fbd27323..e8092486 100644
--- a/apparmor.d/groups/gvfs/gvfsd-metadata
+++ b/apparmor.d/groups/gvfs/gvfsd-metadata
@@ -33,7 +33,7 @@ profile gvfsd-metadata @{exec_path} {
 member=GetAll
 peer=(name=:*, label=gnome-extension-ding),
- dbus send bus=session path=/org/gtk/vfs/metadata
+ dbus send bus=session path=/org/gtk/vfs/metadata
 interface=org.gtk.vfs.Metadata
 member=AttributeChanged
 peer=(name=org.freedesktop.DBus, label=gnome-extension-ding),
diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network
index c4db24fe..a8dfafdf 100644
--- a/apparmor.d/groups/gvfs/gvfsd-network
+++ b/apparmor.d/groups/gvfs/gvfsd-network
@@ -13,11 +13,6 @@ profile gvfsd-network @{exec_path} {
 include
 include
- dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={RequestName,ReleaseName}
- peer=(name=org.freedesktop.DBus, label=dbus-daemon),
-
 dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]*
 interface=org.gtk.vfs.Spawner
 member=Spawned
@@ -28,12 +23,12 @@ profile gvfsd-network @{exec_path} {
 member=Mount
 peer=(name=:*, label=gvfsd),
- dbus send bus=session path=/org/gtk/vfs/mounttracker
+ dbus send bus=session path=/org/gtk/vfs/mounttracker
 interface=org.gtk.vfs.MountTracker
 member={MountLocation,LookupMount,RegisterMount,ListMountableInfo}
 peer=(name=:*, label=gvfsd),
- dbus send bus=session path=/org/gtk/vfs/Daemon
+ dbus send bus=session path=/org/gtk/vfs/Daemon
 interface=org.gtk.vfs.Daemon
 member=GetConnection
 peer=(name=:*, label=gvfsd-dnssd),
diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse
index 4d4a5902..0dbd4e38 100644
--- a/apparmor.d/groups/gvfs/gvfsd-smb-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse
@@ -25,7 +25,7 @@ profile gvfsd-smb-browse @{exec_path} {
 member={RequestName,ReleaseName}
 peer=(name=org.freedesktop.DBus, label=dbus-daemon),
- dbus send bus=session path=/org/gtk/vfs/mounttracker
+ dbus send bus=session path=/org/gtk/vfs/mounttracker
 interface=org.gtk.vfs.MountTracker
 member=ListMounts2
 peer=(name=:*, label=gvfsd),
diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash
index 93e263e9..6be0fda9 100644
--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021-2022 Mikhail Morfikov
-# Copyright (C) 2021-2022 Alexandre Pujol
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -10,7 +10,6 @@ include
 @{exec_path} = @{lib}/{,gvfs/}gvfsd-trash
 profile gvfsd-trash @{exec_path} {
 include
- include
 include
 include
 include
@@ -20,29 +19,38 @@ profile gvfsd-trash @{exec_path} {
 network inet stream,
 network inet6 stream,
- dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={RequestName,ReleaseName}
- peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+ dbus bind bus=session name=org.gtk.vfs.mountpoint_@{int},
 dbus receive bus=session path=/org/gtk/vfs/Daemon
 interface=org.gtk.vfs.Daemon
 member=GetConnection
- peer=(name=:*, label=gnome-control-center),
+ peer=(name=:*, label=gnome-shell),
- dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]*
+ dbus receive bus=session path=/org/gtk/vfs/mountable
+ interface=org.gtk.vfs.Mountable
+ member=Mount
+ peer=(name=:*, label=gvfsd),
+
+ dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
 interface=org.gtk.vfs.Spawner
 member=Spawned
 peer=(name=:*, label=gvfsd),
+ dbus send bus=session path=/org/gtk/vfs/mounttracker
+ interface=org.gtk.vfs.MountTracker
+ member=RegisterMount
+ peer=(name=:*, label=gvfsd),
+
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=RequestName
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*, label=gnome-shell),
- dbus bind bus=session
- name=org.gtk.vfs.mountpoint_[0-9]*,
-
 @{exec_path} mr,
 # Can restore all user files
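Review bot: The `GetConnection` receive rule has its peer label replaced, `gnome-control-center` → `gnome-shell`, rather than extended, so if gnome-control-center still opens the trash backend this is a silent regression for it; `peer=(name=:*, label={gnome-shell,gnome-control-center}),` keeps both unless the old label is known to have been wrong. The re-added bus-driver send rule names only `member=RequestName` whereas the rule it replaces covered `{RequestName,ReleaseName}`, so an explicit name release at shutdown would now be denied, assuming the driver call is mediated at all (the other profiles in this commit drop the rule entirely). The new `org.gtk.vfs.Mountable` receive and `RegisterMount` send rules are pinned to `label=gvfsd`, which is the right scope, and `mountpoint_@{int}` is a tighter match than the old `[0-9]*` glob. The profile body continues outside the hunk.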
diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined
index 7b62e994..25546e77 100644
--- a/apparmor.d/groups/systemd/systemd-machined
+++ b/apparmor.d/groups/systemd/systemd-machined
@@ -24,12 +24,7 @@ profile systemd-machined @{exec_path} {
 capability sys_chroot,
 capability sys_ptrace,
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=GetConnectionUnixUser
- peer=(name=org.freedesktop.DBus, label=dbus-daemon),
-
- dbus send bus=system path=/org/freedesktop/systemd1/{,{unit,job}/*}
+ dbus send bus=system path=/org/freedesktop/systemd1/{,{unit,job}/*}
 interface=org.freedesktop.DBus.Properties
 member=Get
 peer=(name=org.freedesktop.systemd1),
@@ -39,7 +34,7 @@ profile systemd-machined @{exec_path} {
 member=PropertiesChanged
 peer=(name=:*),
- dbus send bus=system path=/org/freedesktop/systemd1
+ dbus send bus=system path=/org/freedesktop/systemd1
 interface=org.freedesktop.systemd1.Manager
 member={StopUnit,UnrefUnit,StartTransientUnit,Subscribe}
 peer=(name=org.freedesktop.systemd1),
diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd
index f6e9ddda..f1ea2a12 100644
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@@ -23,11 +23,6 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
 dbus bind bus=system name=org.freedesktop.timesync1,
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={RequestName,ReleaseName}
- peer=(name=org.freedesktop.DBus, label=dbus-daemon),
-
 @{exec_path} mr,
 @{etc_rw}/adjtime r,
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index 457eb109..bd93da5d 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -14,6 +14,7 @@ profile update-notifier @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
@@ -27,9 +28,20 @@ profile update-notifier @{exec_path} {
 interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties}
 peer=(name=:*, label=gnome-shell),
- dbus (send) bus=accessibility path=/org/a11y/atspi/registry{,/**}
- interface=org.a11y.atspi.DeviceEventController
- peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+ dbus send bus=session path=/org/gtk/Settings
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=gsd-xsettings),
+
+ dbus send bus=session path=/StatusNotifierWatcher
+ interface=org.kde.StatusNotifierWatcher
+ member=RegisterStatusNotifierItem
+ peer=(name=:*, label=gnome-shell),
+
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index 0d174862..e76cf1f8 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -25,12 +25,12 @@ profile evince @{exec_path} {
 deny network inet,
 deny network inet6,
- dbus send bus=session path=/org/freedesktop/DBus
+ dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
 member={RequestName,ReleaseName}
 peer=(name=org.freedesktop.DBus),
- dbus send bus=session path=/org/gtk/vfs/metadata
+ dbus send bus=session path=/org/gtk/vfs/metadata
 interface=org.gtk.vfs.Metadata
 member={Set,GetTreeFromDevice}
 peer=(name=:*),
diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd
index 91ab1b08..c4a11506 100644
--- a/apparmor.d/profiles-s-z/spice-vdagentd
+++ b/apparmor.d/profiles-s-z/spice-vdagentd
@@ -13,8 +13,8 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
 capability sys_nice,
- dbus receive bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]*
- interface=org.freedesktop.login[0-9].Session
+ dbus receive bus=system path=/org/freedesktop/login1/session/_[0-9]*
+ interface=org.freedesktop.login1.Session
 member=Unlock,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald
index 6d27c377..23d6fd1d 100644
--- a/apparmor.d/profiles-s-z/thermald
+++ b/apparmor.d/profiles-s-z/thermald
@@ -17,16 +17,6 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
 dbus (bind) bus=system name=org.freedesktop.thermald,
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={RequestName,ReleaseName}
- peer=(name=org.freedesktop.DBus, label=dbus-daemon),
-
- dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={RequestName,ReleaseName}
- peer=(name=org.freedesktop.DBus, label=dbus-daemon),
-
 dbus send bus=system path=/net/hadess/PowerProfiles
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index cd8f1ec7..ff83101f 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -70,7 +70,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
 interface=org.freedesktop.PolicyKit1.Authority
- member=Changed,
+ member=Changed
+ peer=(name=:*, label=polkitd),
 dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
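Review bot: The rewritten `Unlock` receive rule still carries no `peer=` constraint, so while the path and interface are now correctly pinned to `login1`, the rule accepts an `Unlock` on a session object from any system-bus sender whose own profile permits it. The udisksd hunk in this same commit adds `peer=(name=:*, label=polkitd)` to a comparable receive rule; the equivalent here would be `member=Unlock` followed by `peer=(label=systemd-logind),`, since the `/org/freedesktop/login1/session/` objects are exported by logind. The `_[0-9]*` session suffix could also use the repository's `@{int}` variable, as the gvfsd-trash hunk does for its paths. The enclosing profile continues outside the hunk.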