feat(profile): improve dbus rule in chromium based profiles.

2025-01-29 22:35:15 +01:00 · 2024-05-15 23:07:05 +01:00 · 2024-05-15 23:07:05 +01:00 · f5ac8cd4a1
commit f5ac8cd4a1
parent ad960d477b
7 changed files with 40 additions and 23 deletions
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@ -19,7 +19,15 @@
  include <abstractions/audio-client>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.bluez>
+  include <abstractions/bus/org.freedesktop.Avahi>
+  include <abstractions/bus/org.freedesktop.FileManager1>
+  include <abstractions/bus/org.freedesktop.Notifications>
+  include <abstractions/bus/org.freedesktop.ScreenSaver>
+  include <abstractions/bus/org.freedesktop.secrets>
  include <abstractions/bus/org.freedesktop.UPower>
+  include <abstractions/bus/org.gnome.SessionManager>
+  include <abstractions/bus/org.kde.kwalletd>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/devices-usb>
@ -41,6 +49,16 @@
  capability sys_chroot,
  capability sys_ptrace,

+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  signal (receive) peer=@{profile_name}-crashpad-handler,
+  signal (send) set=(term, kill) peer=@{profile_name}-sandbox,
+  signal (send) set=(term, kill) peer=keepassxc-proxy,
+
  ptrace (read) peer=browserpass,
  ptrace (read) peer=chrome-gnome-shell,
  ptrace (read) peer=gnome-browser-connector-host,
@ -50,21 +68,6 @@
  ptrace (read) peer=xdg-settings,
  ptrace (trace) peer=@{profile_name},

-  signal (receive) peer=@{profile_name}-crashpad-handler,
-  signal (send) set=(term, kill) peer=@{profile_name}-sandbox,
-  signal (send) set=(term, kill) peer=keepassxc-proxy,
-
-  network inet dgram,
-  network inet6 dgram,
-  network inet stream,
-  network inet6 stream,
-  network netlink raw,
-
-  dbus send bus=system path=/
-       interface=org.freedesktop.DBus.ObjectManager
-       member=GetManagedObjects
-       peer=(name=org.bluez, label=bluetoothd),
-
  @{lib_dirs}/{,**} r,
  @{lib_dirs}/*.so* mr,
  @{lib_dirs}/chrome_crashpad_handler  rPx,
@ -103,7 +106,6 @@

  /usr/share/@{name}/{,**} r,
  /usr/share/chromium/extensions/{,**} r,
-  /usr/share/hwdata/pnp.ids r,
  /usr/share/mozilla/extensions/{,**} r,
  /usr/share/webext/{,**} r,

@ -132,11 +134,6 @@
  owner @{config_dirs}/ rw,
  owner @{config_dirs}/** rwk,
  owner @{config_dirs}/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw,
-  owner @{user_config_dirs}/kdedefaults/ r,
-  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
-  owner @{user_config_dirs}/kdedefaults/kwinrc r,
-  owner @{user_config_dirs}/kdeglobals r,
-  owner @{user_config_dirs}/kwinrc r,

  owner @{cache_dirs}/{,**} rw,

--- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
@ -7,9 +7,19 @@
       member=GetAll
       peer=(name=:*, label=gjs-console),

-  dbus receive bus=session path=/org/freedesktop/Notifications
+  dbus send bus=session path=/org/freedesktop/Notifications
       interface=org.freedesktop.DBus.Properties
-       member=GetAll
+       member={GetCapabilities,GetServerInformation,Notify}
       peer=(name=:*, label=gjs-console),

+  dbus receive bus=session path=/org/freedesktop/Notifications
+       interface=org.freedesktop.DBus.Properties
+       member={GetAll,NotificationClosed,CloseNotification}
+       peer=(name=:*, label=gjs-console),
+
+  dbus receive bus=session path=/org/freedesktop/Notifications
+       interface=org.freedesktop.DBus.Properties
+       member=Notify
+       peer=(name=org.freedesktop.DBus, label=gjs-console),
+
  include if exists <abstractions/bus/org.freedesktop.Notifications.d>
--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@ -20,6 +20,8 @@ profile brave @{exec_path} {

  unix (send, receive) type=stream peer=(label=brave-crashpad-handler),

+  #aa:dbus own bus=session name=org.mpris.MediaPlayer2.brave path=/org/mpris/MediaPlayer2
+
  @{exec_path} mrix,

  @{bin}/man  rPUx, #  For "brave --help"
--- a/apparmor.d/groups/browsers/chrome
+++ b/apparmor.d/groups/browsers/chrome
@ -18,6 +18,8 @@ profile chrome @{exec_path} {
  include <abstractions/base>
  include <abstractions/app/chromium>

+  #aa:dbus own bus=session name=org.mpris.MediaPlayer2.chrome path=/org/mpris/MediaPlayer2
+
  @{exec_path} mrix,

  @{bin}/man  rPUx, #  For "chrome --help"
--- a/apparmor.d/groups/browsers/chromium
+++ b/apparmor.d/groups/browsers/chromium
@ -18,6 +18,8 @@ profile chromium @{exec_path} {
  include <abstractions/base>
  include <abstractions/app/chromium>

+  #aa:dbus own bus=session name=org.mpris.MediaPlayer2.chromium path=/org/mpris/MediaPlayer2
+
  @{exec_path} mrix,

  include if exists <local/chromium>
--- a/apparmor.d/groups/browsers/msedge
+++ b/apparmor.d/groups/browsers/msedge
@ -18,6 +18,8 @@ profile msedge @{exec_path} {
  include <abstractions/base>
  include <abstractions/app/chromium>

+  #aa:dbus own bus=session name=org.mpris.MediaPlayer2.msedge path=/org/mpris/MediaPlayer2
+
  @{exec_path} mrix,

  @{bin}/man  rPUx, #  For "chrome --help"
--- a/apparmor.d/groups/browsers/opera
+++ b/apparmor.d/groups/browsers/opera
@ -18,6 +18,8 @@ profile opera @{exec_path} {
  include <abstractions/base>
  include <abstractions/app/chromium>

+  #aa:dbus own bus=session name=org.mpris.MediaPlayer2.opera path=/org/mpris/MediaPlayer2
+
  @{exec_path} mrix,

  @{lib_dirs}/opera_autoupdate    krix,