From da3b5103e4cff3e29bfc604045707954edd6886f Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol
Date: Mon, 4 Dec 2023 21:54:45 +0000
Subject: [PATCH] feat(dbus): rewrite some dbus rules (5).
---
 apparmor.d/abstractions/bus/desktop | 12 ++++-
 apparmor.d/abstractions/bus/session-manager | 4 ++
 apparmor.d/groups/_full/default-sudo | 2 +-
 apparmor.d/groups/browsers/firefox | 22 +-------
 apparmor.d/groups/children/child-systemctl | 7 +--
 .../groups/freedesktop/at-spi2-registryd | 15 +-----
 apparmor.d/groups/freedesktop/pulseaudio | 18 +------
 .../groups/freedesktop/xdg-desktop-portal | 3 ++
 .../freedesktop/xdg-desktop-portal-gnome | 11 +---
 .../groups/freedesktop/xdg-desktop-portal-gtk | 54 +++----------------
 .../groups/freedesktop/xdg-permission-store | 16 ++----
 .../gnome/evolution-addressbook-factory | 5 +-
 apparmor.d/groups/gnome/gdm-wayland-session | 9 ++--
 apparmor.d/groups/gnome/gnome-keyring-daemon | 8 ++-
 apparmor.d/groups/gnome/gnome-session-binary | 33 ++----------
 apparmor.d/groups/gnome/gnome-terminal-server | 16 +++++-
 apparmor.d/groups/gnome/gsd-a11y-settings | 29 +---------
 apparmor.d/groups/gnome/gsd-housekeeping | 26 +--------
 apparmor.d/groups/gnome/gsd-keyboard | 31 +----------
 apparmor.d/groups/gnome/gsd-media-keys | 28 ++--------
 apparmor.d/groups/gnome/gsd-power | 12 +----
 apparmor.d/groups/gnome/gsd-sharing | 2 +-
 apparmor.d/groups/gnome/gsd-xsettings | 36 +++----------
 apparmor.d/groups/gnome/nautilus | 17 +-----
 .../groups/gvfs/gvfs-udisks2-volume-monitor | 8 +++
 apparmor.d/groups/gvfs/gvfsd | 2 +-
 apparmor.d/groups/network/ModemManager | 5 +-
 apparmor.d/groups/network/NetworkManager | 6 +--
 apparmor.d/groups/ssh/sshd | 2 +-
 apparmor.d/groups/systemd/systemd-localed | 2 +-
 apparmor.d/groups/systemd/systemd-logind | 2 +-
 apparmor.d/groups/ubuntu/update-manager | 12 ++---
 apparmor.d/profiles-a-f/evince | 11 +---
 apparmor.d/profiles-m-r/packagekitd | 6 +--
 apparmor.d/profiles-s-z/snap | 18 +++---
 apparmor.d/profiles-s-z/spice-vdagent | 6 +--
 apparmor.d/profiles-s-z/spice-vdagentd | 5 +-
apparmor.d/profiles-s-z/system-config-printer | 5 +- apparmor.d/profiles-s-z/thunderbird | 11 +--- apparmor.d/profiles-s-z/udisksd | 2 +- 40 files changed, 119 insertions(+), 400 deletions(-) diff --git a/apparmor.d/abstractions/bus/desktop b/apparmor.d/abstractions/bus/desktop index d67f93bc..9174601c 100644 --- a/apparmor.d/abstractions/bus/desktop +++ b/apparmor.d/abstractions/bus/desktop @@ -4,7 +4,7 @@ dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties - member={GetAll,Read} + member=Read peer=(name="{:*,org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), dbus send bus=session path=/org/freedesktop/portal/desktop @@ -17,4 +17,14 @@ member=SettingChanged peer=(name=:*, label=xdg-desktop-portal), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + member=Read + peer=(name=:*, label=xdg-desktop-portal), + include if exists diff --git a/apparmor.d/abstractions/bus/session-manager b/apparmor.d/abstractions/bus/session-manager index 8a4429b7..90bace48 100644 --- a/apparmor.d/abstractions/bus/session-manager +++ b/apparmor.d/abstractions/bus/session-manager @@ -17,6 +17,10 @@ member=GetAll peer=(name=:*, label=gnome-session-binary), + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=gnome-session-binary), dbus send bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo index 84213813..7f6a26c2 100644 --- a/apparmor.d/groups/_full/default-sudo +++ b/apparmor.d/groups/_full/default-sudo 
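Review bot: After the change the send rule on /org/freedesktop/portal/desktop pairs `member=Read` with `interface=org.freedesktop.DBus.Properties`, but Read is a method of the portal Settings interface while DBus.Properties only has Get, Set and GetAll, so the rule no longer matches any call. The firefox and nautilus profiles drop their own `member={GetAll,Read}` and `member=GetAll` Properties send rules on this path in the same patch, so unless a rule above the hunk grants it they lose GetAll here. Either restore `member=GetAll` on this line, or delete the rule if clients are not meant to call GetAll at all; a dead rule with a wrong member is worse than either.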
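Review bot: The two receive rules appended to the abstraction admit `interface=org.freedesktop.impl.portal.Settings` Read and DBus.Properties GetAll from `label=xdg-desktop-portal`, which are the backend-side rules this patch removes from xdg-desktop-portal-gnome and xdg-desktop-portal-gtk. Every profile that includes this abstraction then carries rules only a portal backend needs, whereas a client sends to the portal and receives SettingChanged, as the context lines above show. The include targets are stripped in this rendering, so I am inferring from the diffstat that client profiles such as firefox and nautilus now include it. Moving these two rules back to the backend profiles, or into a separate backend abstraction, keeps the client abstraction minimal.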
@@ -34,7 +34,7 @@ profile default-sudo @{exec_path} { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.logi1.Manager member=CreateSession - peer=(name=org.freedesktop.login1), + peer=(name=org.freedesktop.login1, label=systemd-logind), dbus (send receive) bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd.Manager diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index e6224d8a..5cd1397b 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -17,6 +17,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include @@ -60,21 +62,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.ScreenSaver peer=(name=org.freedesktop.ScreenSaver), - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.Settings - member=Read - peer=(name=:*), - - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.Settings - member=SettingChanged - peer=(name=:*), - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.DBus.Properties - member={GetAll,Read} - peer=(name=:*), - dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices @@ -95,11 +82,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) { member=GetPlaylists peer=(name=:*), - dbus receive bus=system path=/org/freedesktop/login1* - interface=org.freedesktop.login1*.Manager - member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareForShutdown} - peer=(name=:*), - dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member=GetTreeFromDevice diff --git a/apparmor.d/groups/children/child-systemctl b/apparmor.d/groups/children/child-systemctl index cb793cca..16e89c21 100644 
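Review bot: The CreateSession rule this hunk labels sits under `interface=org.freedesktop.logi1.Manager` (context line above the change), which is not the logind interface `org.freedesktop.login1.Manager`, so the rule never matches and the added `label=systemd-logind` cannot make it effective. The context line below, `interface=org.freedesktop.systemd.Manager`, has the same kind of typo; the child-systemctl hunk in this patch corrects its own copy to `org.freedesktop.systemd1.Manager`. Both are one-line fixes, and the profile default-sudo begins and ends outside the hunk.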
--- a/apparmor.d/groups/children/child-systemctl +++ b/apparmor.d/groups/children/child-systemctl @@ -28,9 +28,10 @@ profile child-systemctl flags=(attach_disconnected) { network inet stream, network inet6 stream, - dbus send bus=system path=/org/freedesktop/systemd1{,/Unit} - interface=org.freedesktop.systemd[0-9].Manager - member=GetUnitFileState, + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnitFileState + peer=(name=org.freedesktop.systemd1, label="@{systemd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd index 2338e95f..3e7d1827 100644 --- a/apparmor.d/groups/freedesktop/at-spi2-registryd +++ b/apparmor.d/groups/freedesktop/at-spi2-registryd @@ -11,6 +11,7 @@ include profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -57,20 +58,6 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label=at-spi-bus-launcher), - dbus send bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - peer=(name=:*, label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member={ClientAdded,ClientRemoved,SessionRunning} - peer=(name=:*, label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-session-binary), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 7159be1c..d99efdbf 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio 
@@ -12,6 +12,7 @@ include profile pulseaudio @{exec_path} { include include + include include include include @@ -82,7 +83,7 @@ profile pulseaudio @{exec_path} { dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Avahi), + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server @@ -94,21 +95,6 @@ profile pulseaudio @{exec_path} { member=StateChanged peer=(name=org.freedesktop.Avahi), - dbus send bus=system path=/ - interface=org.freedesktop.hostname1 - member=Get - peer=(name=/org/freedesktop/hostname1), - - dbus send bus=system path=/org/freedesktop/hostname1 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=/org/freedesktop/hostname1), - - dbus send bus=system path=/org/freedesktop/hostname1 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.hostname1), - dbus receive bus=system path=/org/bluez/hci*/** interface=org.freedesktop.DBus.Properties peer=(name=:*), diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index b7188753..abb8bf1d 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -47,6 +47,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.DBus.Properties peer=(name=:*, label=xdg-permission-store), + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.impl.portal.PermissionStore + peer=(name=:*, label=xdg-permission-store), dbus send bus=session path=/org/freedesktop/portal/documents interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 08400838..a6659d14 100644 
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -10,6 +10,7 @@ include profile xdg-desktop-portal-gnome @{exec_path} { include include + include include include include @@ -64,16 +65,6 @@ profile xdg-desktop-portal-gnome @{exec_path} { member=SettingChanged peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=xdg-desktop-portal), - - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings - member=Read - peer=(name=:*, label=xdg-desktop-portal), - dbus (send, receive) bus=session path=/org/gnome/Mutter/* interface=org.gnome.Mutter.* peer=(name=:*, label="{gnome-shell,gsd-xsettings}"), diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 71ef3b90..39470c19 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -11,6 +11,9 @@ profile xdg-desktop-portal-gtk @{exec_path} { include include include + include + include + include include include include 
@@ -33,65 +36,24 @@ profile xdg-desktop-portal-gtk @{exec_path} { dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gtk, - dbus send bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member=RegisterClient - peer=(name=:*, label=gnome-session-binary), + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=CheckPermissions, - dbus receive bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member={ClientAdded,ClientRemoved,SessionRunning} - peer=(name=:*, label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* - interface=org.gnome.SessionManager.ClientPrivate - member=EndSessionResponse - peer=(name=:*, label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* - interface=org.gnome.SessionManager.ClientPrivate - member={EndSession,QueryEndSession,CancelEndSession,Stop} - peer=(name=:*, label=gnome-session-binary), + member=PropertiesChanged, dbus receive bus=session path=/org/gnome/Shell/Introspect interface=org.gnome.Shell.Introspect member={RunningApplicationsChanged,WindowsChanged} peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gjs-console), - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member=GetActive - peer=(name=:*, label=gjs-console), - dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/gnome/ScreenSaver - 
interface=org.gnome.ScreenSaver - member=ActiveChanged - peer=(name=:*, label=gjs-console), - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings - member=SettingChanged - peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=xdg-desktop-portal), - dbus send bus=session path=/org/gtk/Notifications interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 370a5e83..afbddff4 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -16,29 +16,19 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup kill) peer=dbus-daemon, signal (receive) set=(term hup kill) peer=gdm*, + dbus bind bus=session name=org.freedesktop.impl.portal.PermissionStore, dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label="{gnome-shell,xdg-document-portal}"), - + peer=(name=:*), dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.impl.portal.PermissionStore - member=Lookup - peer=(name=:*, label="{gnome-shell,xdg-desktop-portal,wireplumber}"), + peer=(name=:*), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=xdg-desktop-portal), - - dbus bind bus=session - name=org.freedesktop.impl.portal.PermissionStore, - @{exec_path} mr, @{HOME}/@{XDG_DATA_DIR}/flatpak/db/gnome rw, 
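Review bot: The two new `dbus receive bus=system path=/org/freedesktop/NetworkManager` rules (CheckPermissions and PropertiesChanged) have no `peer=` at all, so any process on the system bus can deliver them, whereas every other rule in this hunk, and the labels this patch adds elsewhere, pin the sender. `peer=(name=:*, label=NetworkManager),` on both lines would match how the gnome-shell rules below are written. The hunk begins on the previous physical line and the profile continues past it.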
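Review bot: Both receive rules on /org/freedesktop/impl/portal/PermissionStore drop their `member=` and their label list, so the PermissionStore interface goes from `member=Lookup` for `label="{gnome-shell,xdg-desktop-portal,wireplumber}"` to any member from `peer=(name=:*)`. The xdg-desktop-portal hunk in this patch keeps `label=xdg-permission-store` on its send side, so the caller stays pinned while the daemon that owns the name stops checking who calls it. If widening past Lookup is intended, keeping the label list (for example `peer=(name=:*, label="{gnome-shell,xdg-desktop-portal,wireplumber}"),`) preserves the earlier confinement, and a short comment above the rule explaining why the restriction was relaxed would help the next reader either way.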
diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 6dfd61da..4141c281 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/{,evolution-data-server/}evolution-addressbook-factory profile evolution-addressbook-factory @{exec_path} { include + include include include include @@ -48,10 +49,6 @@ profile evolution-addressbook-factory @{exec_path} { member=PropertiesChanged peer=(name=org.freedesktop.DBus, label=evolution-calendar-factory), - dbus send bus=system path=/org/freedesktop/locale1 - interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=systemd-localed), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index e6a805e1..294aae65 100644 --- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session @@ -10,6 +10,7 @@ include profile gdm-wayland-session @{exec_path} { include include + include include include include @@ -25,12 +26,8 @@ profile gdm-wayland-session @{exec_path} { dbus send bus=system path=/org/gnome/DisplayManager/Manager interface=org.gnome.DisplayManager.Manager - member=RegisterDisplay, - - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.systemd1, label=@{systemd}), + member=RegisterDisplay + peer=(name=:*, label=gdm), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 4f8c8ded..28bde0c8 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon 
@@ -10,6 +10,8 @@ include @{exec_path} = @{bin}/gnome-keyring-daemon profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include + include + include include include include @@ -36,6 +38,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager + member=Setenv peer=(name=org.gnome.SessionManager, label=gnome-session-binary), dbus (send, receive) bus=session path=/org/gnome/keyring/daemon @@ -87,11 +90,6 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*), - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=xdg-desktop-portal), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 8a2bc371..18dde3e1 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -10,6 +10,9 @@ include profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include + include + include + include include include include @@ -46,11 +49,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { member={CanPowerOff,GetSession,PowerOff,Inhibit,Reboot} peer=(name=:*, label=systemd-logind), - dbus receive bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={SessionNew,PrepareForShutdown,SessionRemoved,UserNew,UserRemoved,PrepareForSleep} - peer=(name=:*, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member=SetIdleHint 
@@ -84,11 +82,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-shell), - dbus (send, receive) bus=system path=/org/freedesktop/login1* - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name=:*, label=systemd-logind), - dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/**} interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged} @@ -96,15 +89,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager - peer=(name=org.freedesktop.systemd1, label=@{systemd}), # all members - - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - peer=(name=:*, label=@{systemd}), - - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=@{systemd}), + peer=(name=org.freedesktop.systemd1, label=@{systemd}), dbus send bus=session path=/org/gnome/Mutter/IdleMonitor interface=org.freedesktop.DBus.ObjectManager @@ -121,16 +106,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { member=WatchFired peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member=GetActive - peer=(name=:*), - - dbus receive bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member={ActiveChanged,WakeUpScreen} - peer=(name=:*, label=gjs-console), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 7710abe2..a4dc52d9 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server 
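Review bot: The consolidated systemd1 send rule keeps `peer=(name=org.freedesktop.systemd1, label=@{systemd}),` with no `member=` but drops the `# all members` comment that explained the omission; gsd-sharing (`# all peer's labels`) and gsd-xsettings (`# many peer's labels`) lose the same kind of comment later in this patch. With labels and members being tightened elsewhere, a bare rule without its note reads like an oversight rather than a choice, so I would keep the trailing comment on all three. The Properties send to systemd1 removed here is presumably covered by one of the three includes added in the earlier hunk, whose targets are not visible in this rendering.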
@@ -10,6 +10,7 @@ include
 profile gnome-terminal-server @{exec_path} {
 include
 include
+ include
 include
 include
 include
@@ -30,10 +31,23 @@ profile gnome-terminal-server @{exec_path} {
 peer=(name=:*),
 dbus receive bus=session path=/org/gnome/Terminal{,/**}
 interface=org.freedesktop.DBus.Properties
- peer=(name=:*, label=unconfined),
+ peer=(name=:*),
 dbus receive bus=session path=/org/gnome/Terminal{,/**}
 interface=org.gtk.Actions
 peer=(name=:*),
+ dbus send bus=session path=/org/gnome/Terminal{,/**}
+ interface=org.gtk.Actions
+ peer=(name=org.freedesktop.DBus),
+
+ dbus send bus=session path=/org/freedesktop/systemd1
+ interface=org.freedesktop.systemd1.Manager
+ member=StartTransientUnit
+ peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings
index e18cc4d6..5e9d2a6b 100644
--- a/apparmor.d/groups/gnome/gsd-a11y-settings
+++ b/apparmor.d/groups/gnome/gsd-a11y-settings
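Review bot: The Properties receive rule on /org/gnome/Terminal{,/**} goes from `peer=(name=:*, label=unconfined)` to `peer=(name=:*)`, widening it to every label, and nothing in the hunk records which confined client needed it. Naming that client in the label, e.g. `peer=(name=:*, label="{unconfined,CLIENT_PROFILE}"),` with CLIENT_PROFILE filled in, keeps the restriction; if many labels really reach it, a trailing `# many peer's labels` comment as gsd-xsettings had before this patch would document that. The new StartTransientUnit rule also writes `label="@{systemd}"` quoted while gdm-wayland-session and gnome-session-binary in this same patch write `label=@{systemd}` unquoted; one form should be used throughout.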
@@ -9,44 +9,19 @@ include @{exec_path} = @{lib}/gsd-a11y-settings profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include + include include include signal (receive) set=(term, hup) peer=gdm*, - dbus send bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member=RegisterClient - peer=(name=:*, label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} - peer=(name=:*, label=gnome-session-binary), - - dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name=:*, label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* - interface=org.gnome.SessionManager.ClientPrivate - member=EndSessionResponse - peer=(name=:*, label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* - interface=org.gnome.SessionManager.ClientPrivate - member={CancelEndSession,QueryEndSession,EndSession,Stop} - peer=(name=:*, label=gnome-session-binary), + dbus bind bus=session name=org.gnome.SettingsDaemon.A11ySettings, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), - dbus bind bus=session - name=org.gnome.SettingsDaemon.A11ySettings, - @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index c3903382..cb9c9762 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -10,6 +10,7 @@ include profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include + include include include include 
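Review bot: The replaced receive rule on /org/gnome/SessionManager allowed `member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded}` from gnome-session-binary, and what replaces it is an include whose target is not visible in this rendering. The bus/session-manager abstraction hunk earlier in this patch shows only GetAll, PropertiesChanged and ClientPrivate rules, so whether InhibitorAdded and InhibitorRemoved remain permitted cannot be confirmed from the diff; gsd-housekeeping and gsd-keyboard drop the same five-member rule in their hunks. If the abstraction does not list those two signals, all three profiles will start logging receive denials for them, so the abstraction's member list is worth checking, or a profile-local `member={InhibitorAdded,InhibitorRemoved}` receive rule kept until it covers them.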
@@ -20,31 +21,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { dbus bind bus=session name=org.gnome.SettingsDaemon.Housekeeping, - dbus send bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member=RegisterClient - peer=(name=:*, label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} - peer=(name=:*, label=gnome-session-binary), - - dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name=:*, label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* - interface=org.gnome.SessionManager.ClientPrivate - member=EndSessionResponse - peer=(name=:*, label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* - interface=org.gnome.SessionManager.ClientPrivate - member={CancelEndSession,QueryEndSession,EndSession,Stop} - peer=(name=:*, label=gnome-session-binary), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 620b8638..43e9626d 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -10,6 +10,7 @@ include profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include + include include include include 
@@ -25,36 +26,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { dbus bind bus=session name=org.gnome.SettingsDaemon.Keyboard, - dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name=:*, label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* - interface=org.gnome.SessionManager.ClientPrivate - member=EndSessionResponse - peer=(name=:*, label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* - interface=org.gnome.SessionManager.ClientPrivate - member={CancelEndSession,QueryEndSession,EndSession,Stop} - peer=(name=:*, label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member=RegisterClient - peer=(name=:*, label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} - peer=(name=:*, label=gnome-session-binary), - - dbus send bus=system path=/org/freedesktop/locale1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=systemd-localed), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 0a31e1e9..b605d84d 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -11,6 +11,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include 
@@ -28,35 +30,11 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus bind bus=session name=org.gnome.SettingsDaemon.MediaKeys, - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=systemd-logind), - - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member=Inhibit - peer=(name=:*, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff peer=(name=:*, label=systemd-logind), - dbus receive bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - peer=(name=:*, label=systemd-logind), - - dbus receive bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=systemd-logind), - - dbus send bus=system path=/org/freedesktop/hostname1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=systemd-hostnamed), - dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} interface=org.freedesktop.DBus.Properties member=GetAll @@ -94,7 +72,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus receive bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties - member=GetAll + member={GetAll,PropertiesChanged} peer=(name=:*, label=gnome-shell), dbus send bus=session path=/org/gnome/Shell diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index f914d431..018ba4df 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -11,6 +11,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include include include 
@@ -78,17 +79,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=power-profiles-daemon), - dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name=:*, label=gnome-session-binary), - - - dbus receive bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member=ActiveChanged - peer=(name=:*, label=gjs-console), - dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties peer=(name=org.freedesktop.systemd1, label="@{systemd}"), diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index df7e6bbc..66ffb9b8 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -84,7 +84,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=StopUnit - peer=(name=org.freedesktop.systemd1), # all peer's labels + peer=(name=org.freedesktop.systemd1), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 3c189467..1e985f0e 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -11,6 +11,8 @@ profile gsd-xsettings @{exec_path} { include include include + include + include include include include 
@@ -31,33 +33,11 @@ profile gsd-xsettings @{exec_path} { network netlink raw, dbus bind bus=session name=org.gtk.Settings, - - dbus bind bus=session name=org.gnome.SettingsDaemon.XSettings, - dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*), # many peer's labels + peer=(name=:*), - dbus receive bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member={ClientAdded,ClientRemoved,SessionRunning} - peer=(name=:*, label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager/Client@{int} - interface=org.gnome.SessionManager.ClientPrivate - member=EndSessionResponse - peer=(name=:*, label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} - interface=org.gnome.SessionManager.ClientPrivate - member={EndSession,QueryEndSession,CancelEndSession,Stop} - peer=(name=:*, label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-session-binary), + dbus bind bus=session name=org.gnome.SettingsDaemon.XSettings, dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig @@ -69,10 +49,10 @@ profile gsd-xsettings @{exec_path} { member=Get peer=(name=org.gnome.Shell.Introspect, label=gnome-shell), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=ListMountableInfo - peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetId + peer=(name=org.freedesktop.DBus, label=dbus-daemon), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index ba776d89..d227f018 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus 
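Review bot: The receive rule on /org/gtk/Settings drops `member=GetAll` together with its comment, so any Properties member (Set and PropertiesChanged included) from any peer now matches where only GetAll did before. Nothing in the hunk shows a client needing more than GetAll, so keeping `member=GetAll` above the new `peer=(name=:*),` line retains the earlier scope. The new GetId send to dbus-daemon and the moved bind rule look fine; the removed mounttracker ListMountableInfo send is presumably covered by one of the two includes added in the earlier hunk, whose targets are not visible here.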
@@ -10,6 +10,8 @@ include
 profile nautilus @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
+ include
 include
 include
 include
@@ -55,16 +57,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 interface=org.gtk.Private.RemoteVolumeMonitor
 peer=(name=:*, label=gvfs-*-monitor),
- dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop
- interface=org.freedesktop.portal.Settings
- member=Read
- peer=(name=:*, label=xdg-desktop-portal),
-
- dbus send bus=session path=/org/freedesktop/portal/desktop
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=xdg-desktop-portal),
-
 dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus.Properties
 member={GetAll,ListActivatableNames}
@@ -90,11 +82,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 member=Print
 peer=(name=:*, label=nautilus),
- dbus send bus=system path=/org/freedesktop/hostname1
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=systemd-hostnamed),
-
 dbus send bus=session path=/com/canonical/unity/launcherentry/@{int}
 interface=com.canonical.Unity.LauncherEntry
 member=Update
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index 5af0db06..0b854f7e 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -38,6 +38,14 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
 interface=org.gtk.Private.RemoteVolumeMonitor
 peer=(name=org.freedesktop.DBus),
+ dbus send bus=system path=/org/freedesktop/UDisks2/**
+ interface=org.freedesktop.UDisks2.Filesystem
+ peer=(name=:*, label=udisksd),
+ dbus receive bus=system path=/org/freedesktop/UDisks2
+ interface=org.freedesktop.DBus.ObjectManager
+ member=InterfacesRemoved
+ peer=(name=:*, label=udisksd),
+
 dbus send bus=session path=/org/gtk/vfs/mounttracker
 interface=org.gtk.vfs.MountTracker
 member=ListMountableInfo
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd
index bd8b059d..5666d525 100644
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
@@ -32,7 +32,7 @@ profile gvfsd @{exec_path} {
 member=Mount
 peer=(name=:*, label=gvfsd-*),
- dbus receive bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]*
+ dbus receive bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
 interface=org.gtk.vfs.Spawner
 member=Spawned
 peer=(name=:*, label=gvfsd-*),
diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager
index 25c9be4f..806e3cc8 100644
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@@ -10,6 +10,7 @@ include
 profile ModemManager @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 include
 include
@@ -23,10 +24,6 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.{ObjectManager,Properties}
 peer=(name=:*),
- dbus (send, receive) bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- peer=(name=:*, label=systemd-logind),
-
 @{exec_path} mr,
 @{run}/udev/data/+pci:* r,
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 31d3d29a..758e43b4 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
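Review bot: In the gvfs-udisks2-volume-monitor hunk the new send rule on `path=/org/freedesktop/UDisks2/**` for `interface=org.freedesktop.UDisks2.Filesystem` has no `member=`, so it permits every method on that interface, including the mutating ones (Mount, Unmount, SetLabel, Resize), while the InterfacesRemoved receive rule directly below is pinned to one member. If the monitor only needs a specific call, add a line such as `member=MEMBER_FROM_AUDIT_LOG` (placeholder; use the member actually observed) before the peer line, or list the needed ones in a brace set. The `label=udisksd` pin is the right shape and should stay either way.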
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/NetworkManager
 profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -65,11 +66,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 member={SetLink*,ResolveHostname}
 peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
- dbus send bus=system path=/org/freedesktop/hostname1
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*, label=systemd-hostnamed),
-
 dbus send bus=system path=/org/freedesktop/ModemManager1
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 8d3db19a..79342929 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -57,7 +57,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 dbus send bus=system path=/org/freedesktop/login1
 interface=org.freedesktop.login1.Manager
 member={CreateSession,ReleaseSession}
- peer=(name=org.freedesktop.login1),
+ peer=(name=org.freedesktop.login1, label=systemd-logind),
 @{exec_path} mrix,
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index 4dbb7ead..ebb05e99 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -21,7 +21,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 dbus receive bus=system path=/org/freedesktop/locale1
 interface=org.freedesktop.DBus.Properties
 member=GetAll
- peer=(name=:*, label=evolution-addressbook-factory),
+ peer=(name=:*),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 7b44494a..0358ae3a 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
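Review bot: In the systemd-localed hunk the locale1 GetAll receive rule goes from one labelled peer to `peer=(name=:*)`, which admits any sender on the system bus, and nothing in the hunk says whether that widening is intended or a side effect of the evolution-addressbook-factory rework listed in the diffstat. GetAll on org.freedesktop.DBus.Properties is read-only, so the risk is small, but recording the decision inline, e.g. `peer=(name=:*), # locale1 properties are readable by any peer`, would stop a later reader from re-narrowing it to a single label. The profile carries only `attach_disconnected`, so this rule is enforced rather than logged.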
@@ -47,7 +47,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 dbus send bus=system path=/org/freedesktop/systemd1/{unit,job}/**
 interface=org.freedesktop.DBus.Properties
 peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
-
+
 dbus send bus=system path=/org/freedesktop/systemd1
 interface=org.freedesktop.systemd1.Manager
 peer=(name=org.freedesktop.systemd1),
diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager
index 9fac06e2..4bb84a70 100644
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@@ -10,8 +10,10 @@ include
 profile update-manager @{exec_path} flags=(attach_disconnected) {
 include
 include
- include
+ include
 include
+ include
+ include
 include
 include
 include
@@ -43,14 +45,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.{Properties,Introspectable}
 member={Introspect,Get},
- dbus send bus=system path=/org/freedesktop/UPower
- interface=org.freedesktop.DBus.{Properties,Introspectable}
- member={Get,Introspect},
-
- dbus send bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- member=Inhibit,
-
 dbus receive bus=system path=/org/freedesktop/NetworkManager
 interface=org.freedesktop.NetworkManager
 member=StateChanged,
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index e2c33c8e..e71e6fa6 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -10,6 +10,7 @@ include
 profile evince @{exec_path} {
 include
 include
+ include
 include
 include
 include
@@ -30,16 +31,6 @@ profile evince @{exec_path} {
 member={Set,GetTreeFromDevice}
 peer=(name=:*),
- dbus send bus=session path=/org/freedesktop/portal/desktop
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*),
-
- dbus send bus=session path=/org/freedesktop/portal/desktop
- interface=org.freedesktop.portal.Settings
- member=Read
- peer=(name=:*),
-
 dbus send bus=session path=/org/gnome/evince/Daemon
 interface=org.gnome.evince.Daemon
 member=RegisterDocument
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index 3ada1a8c..2ca977fb 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/packagekitd
 profile packagekitd @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -64,11 +65,6 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged}
 peer=(name=:*, label=NetworkManager),
- dbus receive bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- member={SessionNew,PrepareForShutdown,SessionRemoved,UserNew,UserRemoved,PrepareForSleep}
- peer=(name=:*, label=systemd-logind),
-
 @{exec_path} mr,
 @{bin}/gpg{,2} rCx -> gpg,
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index 099e9bb0..70686cca 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -25,17 +25,15 @@ profile snap @{exec_path} {
 mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/,
- dbus (send, receive) bus=session path=/org/freedesktop/
- interface=org.freedesktop.systemd1.Manager
- member={StartTransientUnit,JobRemoved}
- peer=(name=:*, label=unconfined),
+ dbus send bus=session path=/org/freedesktop/systemd1
+ interface=org.freedesktop.systemd1.Manager
+ member=StartTransientUnit
+ peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
- dbus (send, receive) bus=system path=/org/freedesktop/
- interface=org.freedesktop.systemd1.Manager
- member={StartTransientUnit,JobRemoved},
-
- dbus (send, receive) bus=system path=/org/freedesktop/systemd1
- interface=org.freedesktop.systemd1.Manager,
+ dbus receive bus=session path=/org/freedesktop/systemd1
+ interface=org.freedesktop.systemd1.Manager
+ member=JobRemoved
+ peer=(name=:*, label="@{systemd}"),
 dbus send bus=session path=/org/freedesktop/portal/documents
 interface=org.freedesktop.portal.Documents
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index 512b444d..a8547f52 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -11,6 +11,7 @@ profile spice-vdagent @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
@@ -26,11 +27,6 @@ profile spice-vdagent @{exec_path} {
 member=GetCurrentState
 peer=(name=:*, label=gnome-shell),
- dbus send bus=session path=/org/freedesktop/portal/desktop
- interface=org.freedesktop.DBus.Properties
- member=Get
- peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
-
 dbus send bus=session path=/org/freedesktop/portal/desktop
 interface=org.freedesktop.portal.Realtime
 member=MakeThreadRealtimeWithPID
diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd
index c4a11506..edb5dbda 100644
--- a/apparmor.d/profiles-s-z/spice-vdagentd
+++ b/apparmor.d/profiles-s-z/spice-vdagentd
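Review bot: The rewritten snap rules cover only `bus=session`; the three removed rules also granted StartTransientUnit/JobRemoved and the whole org.freedesktop.systemd1.Manager interface on `bus=system`, and that access disappears entirely in this hunk. If snap is ever invoked as root it would presumably talk to the system manager instead, so if that case still exists the profile now denies it; if dropping it was deliberate (the old rules were also oddly broad, with `path=/org/freedesktop/` and no peer), a one-line comment saying so would keep someone from re-adding the broad form later. The new pair is otherwise a clear tightening: the send is pinned to the manager name and the `@{systemd}` label, and the receive is limited to the JobRemoved signal.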
@@ -13,9 +13,10 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
 capability sys_nice,
- dbus receive bus=system path=/org/freedesktop/login1/session/_[0-9]*
+ dbus receive bus=system path=/org/freedesktop/login1/session/*
 interface=org.freedesktop.login1.Session
- member=Unlock,
+ member=Unlock
+ peer=(name=:*, label=systemd-logind),
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer
index 05873b98..88ae544e 100644
--- a/apparmor.d/profiles-s-z/system-config-printer
+++ b/apparmor.d/profiles-s-z/system-config-printer
@@ -11,6 +11,7 @@ include
 @{exec_path} += /usr/share/system-config-printer/system-config-printer.py
 profile system-config-printer @{exec_path} flags=(complain) {
 include
+ include
 include
 include
 include
@@ -28,10 +29,6 @@ profile system-config-printer @{exec_path} flags=(complain) {
 network inet6 stream,
 network netlink raw,
- dbus send bus=system path=/org/freedesktop/hostname1
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
-
 @{exec_path} mrix,
 @{bin}/{,ba,da}sh rix,
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index 85ede64b..c79a7648 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -18,6 +18,7 @@ profile thunderbird @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
@@ -51,16 +52,6 @@ profile thunderbird @{exec_path} {
 dbus bind bus=session name=org.mozilla.thunderbird.*,
- dbus send bus=session path=/org/freedesktop/portal/desktop
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=:*),
-
- dbus send bus=session path=/org/freedesktop/portal/desktops
- interface=org.freedesktop.portal.Settings
- member=Read
- peer=(name=:*),
-
 dbus receive bus=system path=/org/freedesktop/login1
 interface=org.freedesktop.login1.Manager
 member={UserAdded,UserRemoved}
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 59624d04..18f6f576 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -65,7 +65,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 peer=(name="{:*,org.freedesktop.DBus}"),
 dbus receive bus=system path=/org/freedesktop/UDisks2{,/**}
 interface=org.freedesktop.DBus.{Properties,ObjectManager}
- peer=(name=:*),
+ peer=(name="{:*,org.freedesktop.DBus}"),
 dbus (send,receive) bus=system path=/
 interface=org.freedesktop.DBus.Introspectable