feat(dbus): improve dbus introspectable rules.

2024-11-14 23:43:56 +01:00 · 2023-09-15 18:14:39 +01:00 · 2023-09-15 18:14:39 +01:00 · f7d1931bdf
commit f7d1931bdf
parent 2d2693bd99
37 changed files with 51 additions and 69 deletions
--- a/apparmor.d/groups/bus/ibus-daemon
+++ b/apparmor.d/groups/bus/ibus-daemon
@ -34,7 +34,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
       member=ListMountableInfo
       peer=(name=:*, label=gvfsd),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/bus/ibus-dconf
+++ b/apparmor.d/groups/bus/ibus-dconf
@ -19,7 +19,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
  unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????",          label=ibus-daemon),
  unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/bus/ibus-extension-gtk3
+++ b/apparmor.d/groups/bus/ibus-extension-gtk3
@ -57,7 +57,7 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
       member=Embed
       peer=(name=org.a11y.atspi.Registry), # all peer's labels

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@ -19,7 +19,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
       member={RequestName,ReleaseName}
       peer=(name=org.freedesktop.DBus, label=dbus-daemon),

-  dbus receive bus=session path=/{,org}
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@ -73,7 +73,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
       member=GetAddress
       peer=(name=org.a11y.Bus, label=at-spi-bus-launcher),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/freedesktop/dconf-service
+++ b/apparmor.d/groups/freedesktop/dconf-service
@ -29,7 +29,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
       member=Change
       peer=(name=:*), # all peer's labels

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -38,7 +38,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
       member=Get
       peer=(name=org.freedesktop.RealtimeKit[0-9]),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@ -31,7 +31,7 @@ profile pipewire-media-session @{exec_path} {
       member=MakeThreadRealtime
       peer=(name=org.freedesktop.RealtimeKit1),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -75,7 +75,8 @@ profile pulseaudio @{exec_path} {

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect,
+       member=Introspect
+       peer=(name=:*, label=gnome-shell),

  dbus bind bus=session
       name=org.freedesktop.ReserveDevice[0-9].Audio[0-9],
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -97,7 +97,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
       member=Lookup
       peer=(name=:*, label=xdg-permission-store),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -117,7 +117,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
       member=Read
       peer=(name=:*, label=xdg-desktop-portal),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gnome/evolution-source-registry
+++ b/apparmor.d/groups/gnome/evolution-source-registry
@ -21,12 +21,9 @@ profile evolution-source-registry @{exec_path} {
  network inet6 dgram,
  network netlink raw,

-  dbus (receive) bus=session path=/org/gnome/evolution/dataserver{,/**}
-         interface=org.freedesktop.DBus.Introspectable
-         peer=(name=:*, label=gnome-shell),
-
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
       peer=(name=:*, label=gnome-shell),

  dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@ -31,7 +31,7 @@ profile gdm-wayland-session @{exec_path} {
       member=Get
       peer=(name=org.freedesktop.systemd[0-9]*, label=unconfined),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -41,14 +41,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
       member=GetAll
       peer=(name=:*, label=gnome-shell),

-  dbus receive bus=session path=/org/freedesktop/Notifications
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect 
-       peer=(name=:*, label=gnome-shell),
-
-  dbus receive bus=session path=/org/freedesktop
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect 
+       member=Introspect
       peer=(name=:*, label=gnome-shell),

  dbus receive bus=session path=/org/freedesktop/Notifications
@ -68,11 +63,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.DBus.Properties
       peer=(name=:*, label=gnome-shell),

-  dbus receive bus=session path=/{,org}
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name=:*, label=gnome-shell),
-
  dbus bind bus=session name=org.gnome.ScreenSaver,

  dbus bind bus=session name=org.freedesktop.Notifications,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -324,10 +324,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
       member=Introspect
       peer=(name=:*), # all paths and peer's labels

-  dbus receive bus=session path=/{,org,StatusNotifierWatcher}
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
-       peer=(name=:*, label=gnome-shell), # itself
+       peer=(name=:*, label=gnome-shell),

  dbus (send, receive) bus=session path=/org/gnome/SettingsDaemon/Rfkill
       interface=org.freedesktop.DBus.Properties
--- a/apparmor.d/groups/gnome/gsd-a11y-settings
+++ b/apparmor.d/groups/gnome/gsd-a11y-settings
@ -44,7 +44,7 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
       member={CancelEndSession,QueryEndSession,EndSession,Stop}
       peer=(name=:*, label=gnome-session-binary),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@ -108,7 +108,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
       member=Embed
       peer=(name=org.a11y.atspi.Registry), # all peer's labels

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gnome/gsd-datetime
+++ b/apparmor.d/groups/gnome/gsd-datetime
@ -44,7 +44,7 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
       member={CancelEndSession,QueryEndSession,EndSession,Stop}
       peer=(name=:*, label=gnome-session-binary),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@ -85,7 +85,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
       member=ListMountableInfo
       peer=(name=:*, label=gvfsd),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@ -149,7 +149,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
       member=EventListenerDeregistered
       peer=(name=:*, label=at-spi2-registryd),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@ -160,7 +160,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
       member=ActiveChanged
       peer=(name=:*, label=gjs-console),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@ -68,7 +68,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
       member=RegisterClient
       peer=(name=:*, label=gnome-session-binary),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gnome/gsd-printer
+++ b/apparmor.d/groups/gnome/gsd-printer
@ -45,10 +45,10 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
       member={EndSession,QueryEndSession,CancelEndSession,Stop}
       peer=(name=:*, label=gnome-session-binary),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect 
-       peer=(name=:*),
+       member=Introspect
+       peer=(name=:*, label=gnome-shell),

  @{exec_path} mr,

--- a/apparmor.d/groups/gnome/gsd-rfkill
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@ -76,7 +76,7 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
       member=PropertiesChanged
       peer=(name=org.freedesktop.DBus, label=gnome-shell),

-  dbus receive bus=session path=/{,org}
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gnome/gsd-screensaver-proxy
+++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy
@ -43,7 +43,7 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) {
       member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded}
       peer=(name=:*, label=gnome-session-binary),

-  dbus receive bus=session path=/{,org}
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@ -91,7 +91,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
       member=StopUnit
       peer=(name=org.freedesktop.systemd[0-9]*), # all peer's labels

-  dbus receive bus=session path=/{,org}
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@ -56,7 +56,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
       member=GetAll
       peer=(name=:*, label=gnome-shell),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gnome/gsd-sound
+++ b/apparmor.d/groups/gnome/gsd-sound
@ -45,7 +45,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
       member={CancelEndSession,QueryEndSession,EndSession,Stop}
       peer=(name=:*, label=gnome-session-binary),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@ -75,7 +75,7 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
       member=GetAll
       peer=(name=:*, label=gnome-shell),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -60,7 +60,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect 
+       member=Introspect
       peer=(name=:*, label=gnome-shell),

  dbus receive bus=session path=/org/gtk/vfs/mounttracker
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@ -52,7 +52,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
       member={List,IsSupported}
       peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"),

-  dbus receive bus=session path=/{,org,org/gtk,org/gtk/Private,org/gtk/Private/RemoteVolumeMonitor}
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@ -35,7 +35,7 @@ profile gvfsd-trash @{exec_path} {
       member=Spawned
       peer=(name=:*, label=gvfsd),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/ubuntu/software-properties-dbus
+++ b/apparmor.d/groups/ubuntu/software-properties-dbus
@ -20,16 +20,16 @@ profile software-properties-dbus @{exec_path} {
       member=RequestName
       peer=(name=org.freedesktop.DBus),
 
-  dbus receive bus=system path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect,
+       member=Introspect
+       peer=(name=:*, label=gnome-shell),

  dbus receive bus=system path=/
       interface=com.ubuntu.SoftwareProperties
       member=Reload,

-  dbus bind bus=system 
-       name=com.ubuntu.SoftwareProperties,
+  dbus bind bus=system name=com.ubuntu.SoftwareProperties,

  @{exec_path} mr,

--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@ -20,13 +20,10 @@ profile software-properties-gtk @{exec_path} {
  include <abstractions/python>
  include <abstractions/wayland>

-  dbus (send,receive) bus=system path=/com/canonical/UbuntuAdvantage/{,**}
-      interface=org.freedesktop.DBus.Introspectable
-      member=Introspect,
-
-  dbus send bus=system path=/
-      interface=org.freedesktop.DBus.Introspectable
-      member=Introspect,
+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=:*, label=gnome-shell),

  dbus send bus=system path=/
      interface=com.ubuntu.SoftwareProperties
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon
@ -19,13 +19,10 @@ profile ubuntu-advantage-desktop-daemon @{exec_path} flags=(attach_disconnected)
       member=RequestName
       peer=(name=org.freedesktop.DBus),

-  dbus receive bus=system path=/com/canonical/UbuntuAdvantage/{Manager,Services/*}
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect,
-
-  dbus receive bus=system path=/
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect,
+       member=Introspect
+       peer=(name=:*, label=gnome-shell),

  dbus receive bus=system path=/
       interface=org.freedesktop.DBus.ObjectManager
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@ -75,8 +75,8 @@ profile thunderbird @{exec_path} {
       member={UserAdded,UserRemoved}
       peer=(name=:*, label=systemd-logind),

-  dbus receive bus=system path=/{,org{,/mozilla{,/thunderbird{,/Remote}}}}
-       interface==org.freedesktop.DBus.Introspectable
+  dbus receive bus=system
+       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),

--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@ -25,7 +25,7 @@ profile wireplumber @{exec_path} {

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect 
+       member=Introspect
       peer=(name=:*, label=gnome-shell),

  @{exec_path} mr,