feat(dbus): rewrite some dbus rules (5).

Alexandre Pujol 2023-12-04 21:54:45 +00:00
parent f5862c9862
commit da3b5103e4
40 changed files with 119 additions and 400 deletions


@ -4,7 +4,7 @@
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member={GetAll,Read}
member=Read
peer=(name="{:*,org.freedesktop.portal.Desktop}", label=xdg-desktop-portal),
dbus send bus=session path=/org/freedesktop/portal/desktop
@ -17,4 +17,14 @@
member=SettingChanged
peer=(name=:*, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.impl.portal.Settings
member=Read
peer=(name=:*, label=xdg-desktop-portal),
include if exists <abstractions/bus/desktop.d>
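Review bot: In the first hunk the send rule on `interface=org.freedesktop.DBus.Properties` appears to end up as `member=Read` (the +/- markers are lost, so this assumes the second printed member line is the new one), but `Read` is not a member of org.freedesktop.DBus.Properties and `GetAll` is no longer covered. firefox, evince and nautilus drop their own `GetAll` send rule to the portal in this commit and include this abstraction instead, so those calls would be denied unless another include allows them; keeping `member=GetAll` on this rule avoids that. Separately, the `receive` rules added in the second hunk were taken out of xdg-desktop-portal-gnome and now apply to every profile that includes the abstraction; confirm that clients need to receive `GetAll` and `Read` calls from xdg-desktop-portal, otherwise they belong in the portal backend profiles only.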


@ -17,6 +17,10 @@
member=GetAll
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
interface=org.gnome.SessionManager.ClientPrivate


@ -34,7 +34,7 @@ profile default-sudo @{exec_path} {
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.logi1.Manager
member=CreateSession
peer=(name=org.freedesktop.login1),
peer=(name=org.freedesktop.login1, label=systemd-logind),
dbus (send receive) bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd.Manager
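Review bot: The CreateSession rule touched here still reads `interface=org.freedesktop.logi1.Manager`, which looks like a typo for `org.freedesktop.login1.Manager` (the sshd rule in this commit spells it that way). As written the rule would not match logind's manager interface, so adding `label=systemd-logind` to its peer has no practical effect; suggest `interface=org.freedesktop.login1.Manager`. The following rule's `interface=org.freedesktop.systemd.Manager` may likewise be missing the `1` and is worth checking against `org.freedesktop.systemd1.Manager` used elsewhere in the commit. The profile body continues outside the hunk.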


@ -17,6 +17,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/bus/atspi>
include <abstractions/bus/desktop>
include <abstractions/bus/login>
include <abstractions/bus/rtkit>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
@ -60,21 +62,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.ScreenSaver
peer=(name=org.freedesktop.ScreenSaver),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
member=Read
peer=(name=:*),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
member=SettingChanged
peer=(name=:*),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member={GetAll,Read}
peer=(name=:*),
dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=EnumerateDevices
@ -95,11 +82,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
member=GetPlaylists
peer=(name=:*),
dbus receive bus=system path=/org/freedesktop/login1*
interface=org.freedesktop.login1*.Manager
member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareForShutdown}
peer=(name=:*),
dbus send bus=session path=/org/gtk/vfs/metadata
interface=org.gtk.vfs.Metadata
member=GetTreeFromDevice


@ -28,9 +28,10 @@ profile child-systemctl flags=(attach_disconnected) {
network inet stream,
network inet6 stream,
dbus send bus=system path=/org/freedesktop/systemd1{,/Unit}
interface=org.freedesktop.systemd[0-9].Manager
member=GetUnitFileState,
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=GetUnitFileState
peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
@{exec_path} mr,


@ -11,6 +11,7 @@ include <tunables/global>
profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus/atspi>
include <abstractions/bus/session-manager>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
include <abstractions/nameservice-strict>
@ -57,20 +58,6 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=at-spi-bus-launcher),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={ClientAdded,ClientRemoved,SessionRunning}
peer=(name=:*, label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect


@ -12,6 +12,7 @@ include <tunables/global>
profile pulseaudio @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/bus/hostname>
include <abstractions/bus/rtkit>
include <abstractions/consoles>
include <abstractions/dbus-session-strict>
@ -82,7 +83,7 @@ profile pulseaudio @{exec_path} {
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping
peer=(name=org.freedesktop.Avahi),
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
@ -94,21 +95,6 @@ profile pulseaudio @{exec_path} {
member=StateChanged
peer=(name=org.freedesktop.Avahi),
dbus send bus=system path=/
interface=org.freedesktop.hostname1
member=Get
peer=(name=/org/freedesktop/hostname1),
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=/org/freedesktop/hostname1),
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.hostname1),
dbus receive bus=system path=/org/bluez/hci*/**
interface=org.freedesktop.DBus.Properties
peer=(name=:*),
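Review bot: Only the `Ping` rule gains `label=avahi-daemon`; the `StateChanged` rule in the next hunk's context still ends in `peer=(name=org.freedesktop.Avahi),`, so the well-known name alone continues to satisfy it. For consistency with the tightened rule, the remaining Avahi rules should carry the same peer, `peer=(name=org.freedesktop.Avahi, label=avahi-daemon),`, provided avahi-daemon is confined under that label on the targeted systems. The profile body continues outside these hunks, so other Avahi rules may need the same treatment.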


@ -47,6 +47,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
interface=org.freedesktop.DBus.Properties
peer=(name=:*, label=xdg-permission-store),
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
interface=org.freedesktop.impl.portal.PermissionStore
peer=(name=:*, label=xdg-permission-store),
dbus send bus=session path=/org/freedesktop/portal/documents
interface=org.freedesktop.DBus.Properties
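Review bot: The added send rule on `interface=org.freedesktop.impl.portal.PermissionStore` has no `member=` clause, so it allows every method of the store, including any that change stored permissions, rather than only lookups. The xdg-permission-store profile in this commit lists only `member=Lookup` on the receiving side; if that is all the portal calls, mirror it here with `member=Lookup`. If all members are intended, say so in a trailing comment such as `# all members`, so the breadth reads as deliberate.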


@ -10,6 +10,7 @@ include <tunables/global>
profile xdg-desktop-portal-gnome @{exec_path} {
include <abstractions/base>
include <abstractions/bus/account-daemon>
include <abstractions/bus/desktop>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
@ -64,16 +65,6 @@ profile xdg-desktop-portal-gnome @{exec_path} {
member=SettingChanged
peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.impl.portal.Settings
member=Read
peer=(name=:*, label=xdg-desktop-portal),
dbus (send, receive) bus=session path=/org/gnome/Mutter/*
interface=org.gnome.Mutter.*
peer=(name=:*, label="{gnome-shell,gsd-xsettings}"),


@ -11,6 +11,9 @@ profile xdg-desktop-portal-gtk @{exec_path} {
include <abstractions/base>
include <abstractions/bus/account-daemon>
include <abstractions/bus/atspi>
include <abstractions/bus/desktop>
include <abstractions/bus/gnome-screensaver>
include <abstractions/bus/session-manager>
include <abstractions/bus/vfs/mount>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
@ -33,65 +36,24 @@ profile xdg-desktop-portal-gtk @{exec_path} {
dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gtk,
dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member=RegisterClient
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=CheckPermissions,
dbus receive bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={ClientAdded,ClientRemoved,SessionRunning}
peer=(name=:*, label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]*
interface=org.gnome.SessionManager.ClientPrivate
member=EndSessionResponse
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]*
interface=org.gnome.SessionManager.ClientPrivate
member={EndSession,QueryEndSession,CancelEndSession,Stop}
peer=(name=:*, label=gnome-session-binary),
member=PropertiesChanged,
dbus receive bus=session path=/org/gnome/Shell/Introspect
interface=org.gnome.Shell.Introspect
member={RunningApplicationsChanged,WindowsChanged}
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/gnome/ScreenSaver
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gjs-console),
dbus send bus=session path=/org/gnome/ScreenSaver
interface=org.gnome.ScreenSaver
member=GetActive
peer=(name=:*, label=gjs-console),
dbus send bus=session path=/org/gnome/Shell/Introspect
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/gnome/ScreenSaver
interface=org.gnome.ScreenSaver
member=ActiveChanged
peer=(name=:*, label=gjs-console),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.impl.portal.Settings
member=SettingChanged
peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=xdg-desktop-portal),
dbus send bus=session path=/org/gtk/Notifications
interface=org.freedesktop.DBus.Properties
member=GetAll
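Review bot: The NetworkManager receive rules in this section end right after the member (`member=CheckPermissions,` and `member=PropertiesChanged,`) with no `peer=` clause, so any sender on the system bus satisfies them, unlike the neighbouring rules that pin a label. Assuming these lines are on the new side (the rendering has lost the +/- markers), add `peer=(name=:*, label=NetworkManager),` to both. The profile body continues outside the hunk.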


@ -16,29 +16,19 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
signal (receive) set=(term hup kill) peer=dbus-daemon,
signal (receive) set=(term hup kill) peer=gdm*,
dbus bind bus=session name=org.freedesktop.impl.portal.PermissionStore,
dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label="{gnome-shell,xdg-document-portal}"),
peer=(name=:*),
dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore
interface=org.freedesktop.impl.portal.PermissionStore
member=Lookup
peer=(name=:*, label="{gnome-shell,xdg-desktop-portal,wireplumber}"),
peer=(name=:*),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=xdg-desktop-portal),
dbus bind bus=session
name=org.freedesktop.impl.portal.PermissionStore,
@{exec_path} mr,
@{HOME}/@{XDG_DATA_DIR}/flatpak/db/gnome rw,
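Review bot: The `GetAll` and `Lookup` receive rules appear to go from a labelled peer (for example `label="{gnome-shell,xdg-desktop-portal,wireplumber}"`) to plain `peer=(name=:*)`, which lets any session-bus client, confined or not, query the permission store as far as this profile is concerned. If the label list was merely incomplete, extending it keeps the least-privilege intent; if the open peer is deliberate, a trailing comment on those lines should say why. This reading assumes the unlabelled line of each pair is the new one, since the +/- markers are not shown.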


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,evolution-data-server/}evolution-addressbook-factory
profile evolution-addressbook-factory @{exec_path} {
include <abstractions/base>
include <abstractions/bus/locale>
include <abstractions/bus/network-manager>
include <abstractions/bus/vfs/mount>
include <abstractions/dbus-session-strict>
@ -48,10 +49,6 @@ profile evolution-addressbook-factory @{exec_path} {
member=PropertiesChanged
peer=(name=org.freedesktop.DBus, label=evolution-calendar-factory),
dbus send bus=system path=/org/freedesktop/locale1
interface=org.freedesktop.DBus.Properties
peer=(name=:*, label=systemd-localed),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect


@ -10,6 +10,7 @@ include <tunables/global>
profile gdm-wayland-session @{exec_path} {
include <abstractions/base>
include <abstractions/bash>
include <abstractions/bus/systemd-session>
include <abstractions/consoles>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
@ -25,12 +26,8 @@ profile gdm-wayland-session @{exec_path} {
dbus send bus=system path=/org/gnome/DisplayManager/Manager
interface=org.gnome.DisplayManager.Manager
member=RegisterDisplay,
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.systemd1, label=@{systemd}),
member=RegisterDisplay
peer=(name=:*, label=gdm),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable


@ -10,6 +10,8 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-keyring-daemon
profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus/desktop>
include <abstractions/bus/session-manager>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/openssl>
@ -36,6 +38,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member=Setenv
peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
dbus (send, receive) bus=session path=/org/gnome/keyring/daemon
@ -87,11 +90,6 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
member=GetAll
peer=(name=:*),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=xdg-desktop-portal),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect


@ -10,6 +10,9 @@ include <tunables/global>
profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus/atspi>
include <abstractions/bus/gnome-screensaver>
include <abstractions/bus/login>
include <abstractions/bus/systemd-session>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
@ -46,11 +49,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
member={CanPowerOff,GetSession,PowerOff,Inhibit,Reboot}
peer=(name=:*, label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={SessionNew,PrepareForShutdown,SessionRemoved,UserNew,UserRemoved,PrepareForSleep}
peer=(name=:*, label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session
member=SetIdleHint
@ -84,11 +82,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
member=GetAll
peer=(name=:*, label=gnome-shell),
dbus (send, receive) bus=system path=/org/freedesktop/login1*
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name=:*, label=systemd-logind),
dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/**}
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
@ -96,15 +89,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
peer=(name=org.freedesktop.systemd1, label=@{systemd}), # all members
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
peer=(name=:*, label=@{systemd}),
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties
peer=(name=:*, label=@{systemd}),
peer=(name=org.freedesktop.systemd1, label=@{systemd}),
dbus send bus=session path=/org/gnome/Mutter/IdleMonitor
interface=org.freedesktop.DBus.ObjectManager
@ -121,16 +106,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
member=WatchFired
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/gnome/ScreenSaver
interface=org.gnome.ScreenSaver
member=GetActive
peer=(name=:*),
dbus receive bus=session path=/org/gnome/ScreenSaver
interface=org.gnome.ScreenSaver
member={ActiveChanged,WakeUpScreen}
peer=(name=:*, label=gjs-console),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect


@ -10,6 +10,7 @@ include <tunables/global>
profile gnome-terminal-server @{exec_path} {
include <abstractions/base>
include <abstractions/bus/atspi>
include <abstractions/bus/desktop>
include <abstractions/bus/vfs/mount>
include <abstractions/consoles>
include <abstractions/dbus-accessibility-strict>
@ -30,10 +31,23 @@ profile gnome-terminal-server @{exec_path} {
peer=(name=:*),
dbus receive bus=session path=/org/gnome/Terminal{,/**}
interface=org.freedesktop.DBus.Properties
peer=(name=:*, label=unconfined),
peer=(name=:*),
dbus receive bus=session path=/org/gnome/Terminal{,/**}
interface=org.gtk.Actions
peer=(name=:*),
dbus send bus=session path=/org/gnome/Terminal{,/**}
interface=org.gtk.Actions
peer=(name=org.freedesktop.DBus),
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=StartTransientUnit
peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=gnome-shell),
@{exec_path} mr,
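Review bot: The Properties receive rule appears to drop `label=unconfined`, and the new `interface=org.gtk.Actions` receive rule is likewise `peer=(name=:*)` with no `member=` list, so any confined session-bus client may drive actions on `/org/gnome/Terminal{,/**}`. For a terminal server that is a wide surface; restricting the Actions rule to the members actually observed, or to the labels of the expected callers, would keep it closer to the previous scope. If the open peer is intended, note the reason in a comment on the rule.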


@ -9,44 +9,19 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-a11y-settings
profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus/session-manager>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
signal (receive) set=(term, hup) peer=gdm*,
dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member=RegisterClient
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded}
peer=(name=:*, label=gnome-session-binary),
dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name=:*, label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]*
interface=org.gnome.SessionManager.ClientPrivate
member=EndSessionResponse
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]*
interface=org.gnome.SessionManager.ClientPrivate
member={CancelEndSession,QueryEndSession,EndSession,Stop}
peer=(name=:*, label=gnome-session-binary),
dbus bind bus=session name=org.gnome.SettingsDaemon.A11ySettings,
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=gnome-shell),
dbus bind bus=session
name=org.gnome.SettingsDaemon.A11ySettings,
@{exec_path} mr,
/usr/share/dconf/profile/gdm r,


@ -10,6 +10,7 @@ include <tunables/global>
profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/bus/session-manager>
include <abstractions/bus/vfs/mount>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
@ -20,31 +21,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
dbus bind bus=session name=org.gnome.SettingsDaemon.Housekeeping,
dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member=RegisterClient
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded}
peer=(name=:*, label=gnome-session-binary),
dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name=:*, label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]*
interface=org.gnome.SessionManager.ClientPrivate
member=EndSessionResponse
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]*
interface=org.gnome.SessionManager.ClientPrivate
member={CancelEndSession,QueryEndSession,EndSession,Stop}
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect


@ -10,6 +10,7 @@ include <tunables/global>
profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus/atspi>
include <abstractions/bus/session-manager>
include <abstractions/bus/vfs/mount>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
@ -25,36 +26,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
dbus bind bus=session name=org.gnome.SettingsDaemon.Keyboard,
dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name=:*, label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]*
interface=org.gnome.SessionManager.ClientPrivate
member=EndSessionResponse
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]*
interface=org.gnome.SessionManager.ClientPrivate
member={CancelEndSession,QueryEndSession,EndSession,Stop}
peer=(name=:*, label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member=RegisterClient
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded}
peer=(name=:*, label=gnome-session-binary),
dbus send bus=system path=/org/freedesktop/locale1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=systemd-localed),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect


@ -11,6 +11,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/bus/atspi>
include <abstractions/bus/hostname>
include <abstractions/bus/login>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
@ -28,35 +30,11 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
dbus bind bus=session name=org.gnome.SettingsDaemon.MediaKeys,
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member=Inhibit
peer=(name=:*, label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member=PowerOff
peer=(name=:*, label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
peer=(name=:*, label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=systemd-logind),
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=systemd-hostnamed),
dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice}
interface=org.freedesktop.DBus.Properties
member=GetAll
@ -94,7 +72,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
dbus receive bus=session path=/org/gnome/Shell
interface=org.freedesktop.DBus.Properties
member=GetAll
member={GetAll,PropertiesChanged}
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/gnome/Shell


@ -11,6 +11,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/bus/atspi>
include <abstractions/bus/gnome-screensaver>
include <abstractions/bus/login>
include <abstractions/bus/upower>
include <abstractions/bus/vfs/mount>
@ -78,17 +79,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
member=GetAll
peer=(name=:*, label=power-profiles-daemon),
dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/ScreenSaver
interface=org.gnome.ScreenSaver
member=ActiveChanged
peer=(name=:*, label=gjs-console),
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties
peer=(name=org.freedesktop.systemd1, label="@{systemd}"),


@ -84,7 +84,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=StopUnit
peer=(name=org.freedesktop.systemd1), # all peer's labels
peer=(name=org.freedesktop.systemd1),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
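Review bot: The `StopUnit` rule keeps `peer=(name=org.freedesktop.systemd1),` without a label, and the change only removes the `# all peer's labels` comment that explained why. Other systemd1 rules in this commit pin the peer, e.g. gnome-terminal-server's StartTransientUnit uses `peer=(name=org.freedesktop.systemd1, label="@{systemd}"),`; the same peer here would make the rule consistent and tie it to the systemd label. If the label really must stay open, keep the comment.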


@ -11,6 +11,8 @@ profile gsd-xsettings @{exec_path} {
include <abstractions/base>
include <abstractions/bus/account-daemon>
include <abstractions/bus/atspi>
include <abstractions/bus/session-manager>
include <abstractions/bus/vfs/mount>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
@ -31,33 +33,11 @@ profile gsd-xsettings @{exec_path} {
network netlink raw,
dbus bind bus=session name=org.gtk.Settings,
dbus bind bus=session name=org.gnome.SettingsDaemon.XSettings,
dbus receive bus=session path=/org/gtk/Settings
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*), # many peer's labels
peer=(name=:*),
dbus receive bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={ClientAdded,ClientRemoved,SessionRunning}
peer=(name=:*, label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
interface=org.gnome.SessionManager.ClientPrivate
member=EndSessionResponse
peer=(name=:*, label=gnome-session-binary),
dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
interface=org.gnome.SessionManager.ClientPrivate
member={EndSession,QueryEndSession,CancelEndSession,Stop}
peer=(name=:*, label=gnome-session-binary),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-session-binary),
dbus bind bus=session name=org.gnome.SettingsDaemon.XSettings,
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.gnome.Mutter.DisplayConfig
@ -69,10 +49,10 @@ profile gsd-xsettings @{exec_path} {
member=Get
peer=(name=org.gnome.Shell.Introspect, label=gnome-shell),
dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=ListMountableInfo
peer=(name=:*, label=gvfsd),
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetId
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable


@ -10,6 +10,8 @@ include <tunables/global>
profile nautilus @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus/atspi>
include <abstractions/bus/desktop>
include <abstractions/bus/hostname>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
@ -55,16 +57,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
interface=org.gtk.Private.RemoteVolumeMonitor
peer=(name=:*, label=gvfs-*-monitor),
dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
member=Read
peer=(name=:*, label=xdg-desktop-portal),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=xdg-desktop-portal),
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus.Properties
member={GetAll,ListActivatableNames}
@ -90,11 +82,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
member=Print
peer=(name=:*, label=nautilus),
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=systemd-hostnamed),
dbus send bus=session path=/com/canonical/unity/launcherentry/@{int}
interface=com.canonical.Unity.LauncherEntry
member=Update


@ -38,6 +38,14 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
interface=org.gtk.Private.RemoteVolumeMonitor
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/org/freedesktop/UDisks2/**
interface=org.freedesktop.UDisks2.Filesystem
peer=(name=:*, label=udisksd),
dbus receive bus=system path=/org/freedesktop/UDisks2
interface=org.freedesktop.DBus.ObjectManager
member=InterfacesRemoved
peer=(name=:*, label=udisksd),
dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=ListMountableInfo


@ -32,7 +32,7 @@ profile gvfsd @{exec_path} {
member=Mount
peer=(name=:*, label=gvfsd-*),
dbus receive bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]*
dbus receive bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
interface=org.gtk.vfs.Spawner
member=Spawned
peer=(name=:*, label=gvfsd-*),


@ -10,6 +10,7 @@ include <tunables/global>
profile ModemManager @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus/polkit>
include <abstractions/bus/login>
include <abstractions/consoles>
include <abstractions/dbus-strict>
include <abstractions/devices-usb>
@ -23,10 +24,6 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.DBus.{ObjectManager,Properties}
peer=(name=:*),
dbus (send, receive) bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
peer=(name=:*, label=systemd-logind),
@{exec_path} mr,
@{run}/udev/data/+pci:* r,
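Review bot: `include <abstractions/bus/login>` is inserted after `include <abstractions/bus/polkit>`, which breaks the alphabetical include order the other profiles in this commit follow (the update-manager hunk even moves `consoles` to restore it); it should sit one line higher. The removed rule allowed `(send, receive)` on all of `org.freedesktop.login1.Manager` for the systemd-logind label, and the abstraction's contents are not visible here, so it is worth confirming the include grants no more than ModemManager used before.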


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/NetworkManager
profile NetworkManager @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus/hostname>
include <abstractions/bus/network-manager>
include <abstractions/bus/polkit>
include <abstractions/dbus-strict>
@ -65,11 +66,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
member={SetLink*,ResolveHostname}
peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=systemd-hostnamed),
dbus send bus=system path=/org/freedesktop/ModemManager1
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects,


@ -57,7 +57,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={CreateSession,ReleaseSession}
peer=(name=org.freedesktop.login1),
peer=(name=org.freedesktop.login1, label=systemd-logind),
@{exec_path} mrix,


@ -21,7 +21,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
dbus receive bus=system path=/org/freedesktop/locale1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=evolution-addressbook-factory),
peer=(name=:*),
@{exec_path} mr,
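Review bot: Of the two `peer=` lines on the `GetAll` receive rule, the one that appears to be the new side, `peer=(name=:*)`, drops the label entirely, so any sender on the system bus may read the locale1 properties instead of one named profile. That is probably intended, since the call is read-only and several clients query it, but a comment such as `# Any client may read locale properties` would make the widening deliberate. The +/- markers are lost in this rendering, so the direction is inferred from the old-then-new print order of the other sections.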


@ -10,8 +10,10 @@ include <tunables/global>
profile update-manager @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/consoles>
include <abstractions/bus/login>
include <abstractions/bus/network-manager>
include <abstractions/bus/upower>
include <abstractions/consoles>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
@ -43,14 +45,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.DBus.{Properties,Introspectable}
member={Introspect,Get},
dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.DBus.{Properties,Introspectable}
member={Get,Introspect},
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member=Inhibit,
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=StateChanged,


@ -10,6 +10,7 @@ include <tunables/global>
profile evince @{exec_path} {
include <abstractions/base>
include <abstractions/bus/atspi>
include <abstractions/bus/desktop>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
@ -30,16 +31,6 @@ profile evince @{exec_path} {
member={Set,GetTreeFromDevice}
peer=(name=:*),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
member=Read
peer=(name=:*),
dbus send bus=session path=/org/gnome/evince/Daemon
interface=org.gnome.evince.Daemon
member=RegisterDocument
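Review bot: The portal rules that leave this profile (sends of `Properties.GetAll` and `portal.Settings.Read` to `/org/freedesktop/portal/desktop`) stay allowed only if `abstractions/bus/desktop` grants the same members in the send direction, and this section does not show that. A missing send for `GetAll` would surface as DBus denials once the profile is enforced, so check the audit log after loading it. The same check applies to the spice-vdagent section (`member=Get`) and the thunderbird section (`member=GetAll`).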


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/packagekitd
profile packagekitd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus/login>
include <abstractions/bus/polkit>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
@ -64,11 +65,6 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged}
peer=(name=:*, label=NetworkManager),
dbus receive bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={SessionNew,PrepareForShutdown,SessionRemoved,UserNew,UserRemoved,PrepareForSleep}
peer=(name=:*, label=systemd-logind),
@{exec_path} mr,
@{bin}/gpg{,2} rCx -> gpg,


@ -25,17 +25,15 @@ profile snap @{exec_path} {
mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/,
dbus (send, receive) bus=session path=/org/freedesktop/
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member={StartTransientUnit,JobRemoved}
peer=(name=:*, label=unconfined),
member=StartTransientUnit
peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
dbus (send, receive) bus=system path=/org/freedesktop/
dbus receive bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member={StartTransientUnit,JobRemoved},
dbus (send, receive) bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager,
member=JobRemoved
peer=(name=:*, label="@{systemd}"),
dbus send bus=session path=/org/freedesktop/portal/documents
interface=org.freedesktop.portal.Documents
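Review bot: The rewritten rules cover only `bus=session`; the `bus=system` rules for `org.freedesktop.systemd1.Manager` seem to be removed with nothing replacing them. Dropping the unrestricted `(send, receive)` rule is a good tightening, but if snap also asks the system instance of systemd for a transient unit (which I cannot confirm from this page), that call would now be denied. In that case add the same labelled rule for the system bus, e.g. `dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=StartTransientUnit peer=(name=org.freedesktop.systemd1, label="@{systemd}"),`, rather than restoring the wildcard rule. Which lines are old and which are new is inferred from the hunk counts (17 old, 15 new).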


@ -11,6 +11,7 @@ profile spice-vdagent @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/bus/atspi>
include <abstractions/bus/desktop>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
@ -26,11 +27,6 @@ profile spice-vdagent @{exec_path} {
member=GetCurrentState
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Realtime
member=MakeThreadRealtimeWithPID


@ -13,9 +13,10 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
capability sys_nice,
dbus receive bus=system path=/org/freedesktop/login1/session/_[0-9]*
dbus receive bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.login1.Session
member=Unlock,
member=Unlock
peer=(name=:*, label=systemd-logind),
@{exec_path} mr,


@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += /usr/share/system-config-printer/system-config-printer.py
profile system-config-printer @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/bus/hostname>
include <abstractions/bus/polkit>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
@ -28,10 +29,6 @@ profile system-config-printer @{exec_path} flags=(complain) {
network inet6 stream,
network netlink raw,
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
member=GetAll,
@{exec_path} mrix,
@{bin}/{,ba,da}sh rix,


@ -18,6 +18,7 @@ profile thunderbird @{exec_path} {
include <abstractions/audio>
include <abstractions/bus/atspi>
include <abstractions/bus/rtkit>
include <abstractions/bus/desktop>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
@ -51,16 +52,6 @@ profile thunderbird @{exec_path} {
dbus bind bus=session name=org.mozilla.thunderbird.*,
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus send bus=session path=/org/freedesktop/portal/desktops
interface=org.freedesktop.portal.Settings
member=Read
peer=(name=:*),
dbus receive bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={UserAdded,UserRemoved}
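Review bot: The retained receive rule at the end of this hunk lists `member={UserAdded,UserRemoved}` on `org.freedesktop.login1.Manager`, while the packagekitd section names the logind signals `UserNew` and `UserRemoved`, so `UserAdded` looks like a name that never matches. If so, the line should read `member={UserNew,UserRemoved}`. Separately, `include <abstractions/bus/desktop>` is added after `bus/rtkit`, out of the alphabetical order the other sections keep. The rule continues past the end of the hunk.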


@ -65,7 +65,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
peer=(name="{:*,org.freedesktop.DBus}"),
dbus receive bus=system path=/org/freedesktop/UDisks2{,/**}
interface=org.freedesktop.DBus.{Properties,ObjectManager}
peer=(name=:*),
peer=(name="{:*,org.freedesktop.DBus}"),
dbus (send,receive) bus=system path=/
interface=org.freedesktop.DBus.Introspectable