From dc3f292d45446686509623a6f49557f05b15e221 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 16 Dec 2023 21:26:10 +0000
Subject: [PATCH] feat(dbus): add/update dbus abstraction.

---
 .../abstractions/bus/org.freedesktop.PackageKit | 10 ++++++++++
 .../abstractions/bus/org.freedesktop.login1.Session | 4 ++--
 apparmor.d/abstractions/bus/org.freedesktop.resolve1 | 10 ++++++++++
 .../bus/org.gtk.Private.RemoteVolumeMonitor | 11 ++++++++---
 apparmor.d/groups/freedesktop/at-spi-bus-launcher | 5 ++++-
 5 files changed, 34 insertions(+), 6 deletions(-)
 create mode 100644 apparmor.d/abstractions/bus/org.freedesktop.resolve1

diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
index 0912689e..4c0c06ba 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
+++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
@@ -7,4 +7,14 @@
 member=GetAll
 peer=(name=:*, label=packagekitd),
 
+ dbus send bus=system path=/org/freedesktop/PackageKit
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=org.freedesktop.PackageKit, label=packagekitd),
+
+ dbus send bus=system path=/org/freedesktop/PackageKit
+ interface=org.freedesktop.PackageKit
+ member=StateHasChanged
+ peer=(name=org.freedesktop.PackageKit, label=packagekitd),
+
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
index af7c1828..97ab3670 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
@@ -15,7 +15,7 @@
 dbus send bus=system path=/org/freedesktop/login1/session/*
 interface=org.freedesktop.login1.Session
 member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint}
- peer=(name=:*, label=systemd-logind),
+ peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
 
 dbus receive bus=system path=/org/freedesktop/login1/session/*
 interface=org.freedesktop.DBus.Properties
@@ -25,6 +25,6 @@
 dbus receive bus=system path=/org/freedesktop/login1/session/*
 interface=org.freedesktop.login1.Session
 member={PauseDevice,Unlock}
- peer=(name=:*, label=systemd-logind),
+ peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
 
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1
new file mode 100644
index 00000000..e6f095af
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1
@@ -0,0 +1,10 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ dbus send bus=system path=/org/freedesktop/resolve1
+ interface=org.freedesktop.resolve1.Manager
+ member={SetLink*,ResolveHostname}
+ peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
+
+ include if exists
diff --git a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor
index 49af23db..d6288e58 100644
--- a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor
+++ b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor
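Review bot: In the new org.freedesktop.resolve1 abstraction, `member={SetLink*,ResolveHostname}` grants every SetLink* method of org.freedesktop.resolve1.Manager (SetLinkDNS, SetLinkDomains, SetLinkDefaultRoute, SetLinkLLMNR, SetLinkMulticastDNS, SetLinkDNSOverTLS, SetLinkDNSSEC and the rest of that family) to every profile that includes the file, so a program that only needs name resolution also receives per-link DNS reconfiguration rights and the only remaining gate is resolved's own polkit check. Since an abstraction named after the service reads as the generic client grant, the write half is better kept out of it: leave `member=ResolveHostname` here and put an explicit list such as `member={SetLinkDNS,SetLinkDomains,SetLinkDefaultRoute}` in the profile of the network manager that actually configures links. Which profile motivated the wildcard is not stated in the commit, so the exact list is for the author to confirm.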
@@ -5,11 +5,16 @@
 dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
 interface=org.gtk.Private.RemoteVolumeMonitor
 member={List,IsSupported,VolumeChanged,VolumeMount,MountAdded}
- peer=(name=:*, label=gvfs-*-monitor),
+ peer=(name=:*, label=gvfs-udisks2-volume-monitor),
 
 dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
 interface=org.gtk.Private.RemoteVolumeMonitor
- member={MountAdded,VolumeChanged}
- peer=(name=:*, label=gvfs-*-volume-monitor),
+ member={MountAdded,MountChanged,VolumeChanged,VolumeRemoved}
+ peer=(name=:*, label=gvfs-udisks2-volume-monitor),
+
+ dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
+ interface=org.gtk.Private.RemoteVolumeMonitor
+ member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged}
+ peer=(name=:*, label=gvfs-udisks2-volume-monitor),
 
 include if exists
diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
index 64edd241..ad144f32 100644
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@@ -44,7 +44,10 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
 /var/lib/lightdm/.Xauthority r,
 /var/log/lightdm/seat[0-9]*-greeter.log w,
- @{run}/systemd/users/@{uid} r,
+ @{run}/systemd/users/@{uid} r,
+ owner @{run}/user/@{uid}/at-spi/ rw,
+ owner @{run}/user/@{uid}/at-spi/bus rw,
+ owner @{run}/user/@{uid}/at-spi/bus_@{int} rw,
 @{sys}/kernel/security/apparmor/.access rw,
 @{sys}/kernel/security/apparmor/features/dbus/mask r,
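Review bot: Narrowing the peer label from `gvfs-*-monitor` / `gvfs-*-volume-monitor` to `gvfs-udisks2-volume-monitor` in both the send rule and the receive rules of org.gtk.Private.RemoteVolumeMonitor means the same signals will be denied when they come from the other gvfs monitors (gvfs-mtp-volume-monitor, gvfs-goa-volume-monitor, gvfs-gphoto2-volume-monitor, gvfs-afc-volume-monitor), if those run under their own profiles, and nothing in the hunk or the commit message records that this is intended. If it is, a comment above the first rule such as `# Only the udisks2 monitor is expected on this interface; other gvfs monitors are denied on purpose` would stop the next contributor from restoring the glob on the first denial. As a point of style, the two `dbus receive` rules now differ only in their `member=` list and could be one rule with a single combined list.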