mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(dbus): dbus rules cleanup (2)

Browse source
This commit is contained in:
Alexandre Pujol 2023-11-30 22:42:49 +00:00
parent 8a49f2ebe1
commit cd391bae01
Failed to generate hash of commit
16 changed files with 49 additions and 74 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
View file

@ -12,15 +12,12 @@ profile gvfs-goa-volume-monitor @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
dbus send bus=session path=/org/freedesktop/DBus dbus bind bus=session name=org.gtk.vfs.GoaVolumeMonitor,
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor
member={List,IsSupported} member={List,IsSupported}
peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"), peer=(name=:*, label="{gnome-shell,nautilus,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"),
dbus receive bus=session dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
@ -32,9 +29,6 @@ profile gvfs-goa-volume-monitor @{exec_path} {
member=GetManagedObjects member=GetManagedObjects
peer=(name=:*, label=goa-daemon), peer=(name=:*, label=goa-daemon),
dbus bind bus=session
name=org.gtk.vfs.GoaVolumeMonitor,
@{exec_path} mr, @{exec_path} mr,
include if exists <local/gvfs-goa-volume-monitor> include if exists <local/gvfs-goa-volume-monitor>

5
apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
View file

@ -16,11 +16,6 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} {
network netlink raw, network netlink raw,
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor
member={List,IsSupported} member={List,IsSupported}

5
apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
View file

@ -32,11 +32,6 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.{DBus.*,UDisks2.*} interface=org.freedesktop.{DBus.*,UDisks2.*}
peer=(label=udisksd), peer=(label=udisksd),
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=session path=/org/gtk/vfs/mounttracker dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker interface=org.gtk.vfs.MountTracker
member=ListMountableInfo member=ListMountableInfo

5
apparmor.d/groups/gvfs/gvfsd-dnssd
View file

@ -13,11 +13,6 @@ profile gvfsd-dnssd @{exec_path} {
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=system path=/ dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server interface=org.freedesktop.Avahi.Server
member={Ping,GetAPIVersion,GetState,ServiceBrowserNew}, member={Ping,GetAPIVersion,GetState,ServiceBrowserNew},

2
apparmor.d/groups/gvfs/gvfsd-fuse
View file

@ -17,7 +17,7 @@ profile gvfsd-fuse @{exec_path} {
mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,
dbus send bus=session path=/org/gtk/vfs/mounttracker dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker interface=org.gtk.vfs.MountTracker
peer=(name=:*, label=gvfsd), # all members peer=(name=:*, label=gvfsd), # all members

2
apparmor.d/groups/gvfs/gvfsd-metadata
View file

@ -33,7 +33,7 @@ profile gvfsd-metadata @{exec_path} {
member=GetAll member=GetAll
peer=(name=:*, label=gnome-extension-ding), peer=(name=:*, label=gnome-extension-ding),
dbus send bus=session path=/org/gtk/vfs/metadata dbus send bus=session path=/org/gtk/vfs/metadata
interface=org.gtk.vfs.Metadata interface=org.gtk.vfs.Metadata
member=AttributeChanged member=AttributeChanged
peer=(name=org.freedesktop.DBus, label=gnome-extension-ding), peer=(name=org.freedesktop.DBus, label=gnome-extension-ding),

9
apparmor.d/groups/gvfs/gvfsd-network
View file

@ -13,11 +13,6 @@ profile gvfsd-network @{exec_path} {
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]* dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]*
interface=org.gtk.vfs.Spawner interface=org.gtk.vfs.Spawner
member=Spawned member=Spawned
@ -28,12 +23,12 @@ profile gvfsd-network @{exec_path} {
member=Mount member=Mount
peer=(name=:*, label=gvfsd), peer=(name=:*, label=gvfsd),
dbus send bus=session path=/org/gtk/vfs/mounttracker dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker interface=org.gtk.vfs.MountTracker
member={MountLocation,LookupMount,RegisterMount,ListMountableInfo} member={MountLocation,LookupMount,RegisterMount,ListMountableInfo}
peer=(name=:*, label=gvfsd), peer=(name=:*, label=gvfsd),
dbus send bus=session path=/org/gtk/vfs/Daemon dbus send bus=session path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon interface=org.gtk.vfs.Daemon
member=GetConnection member=GetConnection
peer=(name=:*, label=gvfsd-dnssd), peer=(name=:*, label=gvfsd-dnssd),

2
apparmor.d/groups/gvfs/gvfsd-smb-browse
View file

@ -25,7 +25,7 @@ profile gvfsd-smb-browse @{exec_path} {
member={RequestName,ReleaseName} member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon), peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=session path=/org/gtk/vfs/mounttracker dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker interface=org.gtk.vfs.MountTracker
member=ListMounts2 member=ListMounts2
peer=(name=:*, label=gvfsd), peer=(name=:*, label=gvfsd),

30
apparmor.d/groups/gvfs/gvfsd-trash
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2022 Mikhail Morfikov # Copyright (C) 2021-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -10,7 +10,6 @@ include <tunables/global>
@{exec_path} = @{lib}/{,gvfs/}gvfsd-trash @{exec_path} = @{lib}/{,gvfs/}gvfsd-trash
profile gvfsd-trash @{exec_path} { profile gvfsd-trash @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-gtk>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -20,29 +19,38 @@ profile gvfsd-trash @{exec_path} {
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
dbus send bus=session path=/org/freedesktop/DBus dbus bind bus=session name=org.gtk.vfs.mountpoint_@{int},
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus receive bus=session path=/org/gtk/vfs/Daemon dbus receive bus=session path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon interface=org.gtk.vfs.Daemon
member=GetConnection member=GetConnection
peer=(name=:*, label=gnome-control-center), peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]* dbus receive bus=session path=/org/gtk/vfs/mountable
interface=org.gtk.vfs.Mountable
member=Mount
peer=(name=:*, label=gvfsd),
dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
interface=org.gtk.vfs.Spawner interface=org.gtk.vfs.Spawner
member=Spawned member=Spawned
peer=(name=:*, label=gvfsd), peer=(name=:*, label=gvfsd),
dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=RegisterMount
peer=(name=:*, label=gvfsd),
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=RequestName
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus receive bus=session dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
member=Introspect member=Introspect
peer=(name=:*, label=gnome-shell), peer=(name=:*, label=gnome-shell),
dbus bind bus=session
name=org.gtk.vfs.mountpoint_[0-9]*,
@{exec_path} mr, @{exec_path} mr,
# Can restore all user files # Can restore all user files

9
apparmor.d/groups/systemd/systemd-machined
View file

@ -24,12 +24,7 @@ profile systemd-machined @{exec_path} {
capability sys_chroot, capability sys_chroot,
capability sys_ptrace, capability sys_ptrace,
dbus send bus=system path=/org/freedesktop/DBus dbus send bus=system path=/org/freedesktop/systemd1/{,{unit,job}/*}
interface=org.freedesktop.DBus
member=GetConnectionUnixUser
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=system path=/org/freedesktop/systemd1/{,{unit,job}/*}
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=Get member=Get
peer=(name=org.freedesktop.systemd1), peer=(name=org.freedesktop.systemd1),
@ -39,7 +34,7 @@ profile systemd-machined @{exec_path} {
member=PropertiesChanged member=PropertiesChanged
peer=(name=:*), peer=(name=:*),
dbus send bus=system path=/org/freedesktop/systemd1 dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager interface=org.freedesktop.systemd1.Manager
member={StopUnit,UnrefUnit,StartTransientUnit,Subscribe} member={StopUnit,UnrefUnit,StartTransientUnit,Subscribe}
peer=(name=org.freedesktop.systemd1), peer=(name=org.freedesktop.systemd1),

5
apparmor.d/groups/systemd/systemd-timesyncd
View file

@ -23,11 +23,6 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
dbus bind bus=system name=org.freedesktop.timesync1, dbus bind bus=system name=org.freedesktop.timesync1,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
@{exec_path} mr, @{exec_path} mr,
@{etc_rw}/adjtime r, @{etc_rw}/adjtime r,

18
apparmor.d/groups/ubuntu/update-notifier
View file

@ -14,6 +14,7 @@ profile update-notifier @{exec_path} {
include <abstractions/bus/atspi> include <abstractions/bus/atspi>
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
@ -27,9 +28,20 @@ profile update-notifier @{exec_path} {
interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties} interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties}
peer=(name=:*, label=gnome-shell), peer=(name=:*, label=gnome-shell),
dbus (send) bus=accessibility path=/org/a11y/atspi/registry{,/**} dbus send bus=session path=/org/gtk/Settings
interface=org.a11y.atspi.DeviceEventController interface=org.freedesktop.DBus.Properties
peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), member=GetAll
peer=(name=:*, label=gsd-xsettings),
dbus send bus=session path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(name=:*, label=gnome-shell),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=gnome-shell),
@{exec_path} mr, @{exec_path} mr,

4
apparmor.d/profiles-a-f/evince
View file

@ -25,12 +25,12 @@ profile evince @{exec_path} {
deny network inet, deny network inet,
deny network inet6, deny network inet6,
dbus send bus=session path=/org/freedesktop/DBus dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={RequestName,ReleaseName} member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
dbus send bus=session path=/org/gtk/vfs/metadata dbus send bus=session path=/org/gtk/vfs/metadata
interface=org.gtk.vfs.Metadata interface=org.gtk.vfs.Metadata
member={Set,GetTreeFromDevice} member={Set,GetTreeFromDevice}
peer=(name=:*), peer=(name=:*),

4
apparmor.d/profiles-s-z/spice-vdagentd
View file

@ -13,8 +13,8 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
capability sys_nice, capability sys_nice,
dbus receive bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]* dbus receive bus=system path=/org/freedesktop/login1/session/_[0-9]*
interface=org.freedesktop.login[0-9].Session interface=org.freedesktop.login1.Session
member=Unlock, member=Unlock,
@{exec_path} mr, @{exec_path} mr,

10
apparmor.d/profiles-s-z/thermald
View file

@ -17,16 +17,6 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
dbus (bind) bus=system name=org.freedesktop.thermald, dbus (bind) bus=system name=org.freedesktop.thermald,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=system path=/net/hadess/PowerProfiles dbus send bus=system path=/net/hadess/PowerProfiles
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=GetAll

3
apparmor.d/profiles-s-z/udisksd
View file

@ -70,7 +70,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority interface=org.freedesktop.PolicyKit1.Authority
member=Changed, member=Changed
peer=(name=:*, label=polkitd),
dbus send bus=system path=/org/freedesktop/DBus dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus