From fc43400c268cef7db07f01d97eb860343f17bd76 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 9 Oct 2024 22:19:01 +0100 Subject: [PATCH] feat(abs): add abi reference to all abstractions. --- apparmor.d/abstractions/X-strict | 3 +++ apparmor.d/abstractions/app-launcher-root | 2 ++ apparmor.d/abstractions/app-launcher-user | 2 ++ apparmor.d/abstractions/app-open | 2 ++ apparmor.d/abstractions/app/bus | 2 ++ apparmor.d/abstractions/app/chromium | 2 ++ apparmor.d/abstractions/app/editor | 2 ++ apparmor.d/abstractions/app/firefox | 2 ++ apparmor.d/abstractions/app/kmod | 2 ++ apparmor.d/abstractions/app/open | 2 ++ apparmor.d/abstractions/app/pgrep | 2 ++ apparmor.d/abstractions/app/pkexec | 2 ++ apparmor.d/abstractions/app/sudo | 2 ++ apparmor.d/abstractions/app/systemctl | 2 ++ apparmor.d/abstractions/app/udevadm | 2 ++ apparmor.d/abstractions/audio-client | 2 ++ apparmor.d/abstractions/audio-server | 2 ++ apparmor.d/abstractions/bash-strict | 2 ++ apparmor.d/abstractions/bus-accessibility | 2 ++ apparmor.d/abstractions/bus-session | 2 ++ apparmor.d/abstractions/bus-system | 2 ++ apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry | 2 ++ apparmor.d/abstractions/bus/com.canonical.dbusmenu | 2 ++ apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 | 2 ++ apparmor.d/abstractions/bus/net.hadess.PowerProfiles | 2 ++ apparmor.d/abstractions/bus/net.hadess.SwitcherooControl | 2 ++ apparmor.d/abstractions/bus/net.reactivated.Fprint | 2 ++ apparmor.d/abstractions/bus/org.a11y | 2 ++ apparmor.d/abstractions/bus/org.bluez | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.Accounts | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.Avahi | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.ColorManager | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.FileManager1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.NetworkManager | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.Notifications | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.PackageKit | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver | 2 ++ .../abstractions/bus/org.freedesktop.Tracker3.Miner.Files | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.UDisks2 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.UPower | 2 ++ .../abstractions/bus/org.freedesktop.background.Monitor | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.hostname1 | 2 ++ .../bus/org.freedesktop.impl.portal.PermissionStore | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.locale1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.login1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.login1.Session | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.network1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.resolve1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.secrets | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.systemd1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.systemd1-session | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.timedate1 | 2 ++ apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 | 2 ++ apparmor.d/abstractions/bus/org.gnome.DisplayManager | 2 ++ apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig | 2 ++ apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor | 2 ++ .../abstractions/bus/org.gnome.Nautilus.FileOperations2 | 2 ++ apparmor.d/abstractions/bus/org.gnome.ScreenSaver | 2 ++ apparmor.d/abstractions/bus/org.gnome.SessionManager | 2 ++ apparmor.d/abstractions/bus/org.gnome.Shell.Introspect | 2 ++ .../abstractions/bus/org.gtk.Private.RemoteVolumeMonitor | 2 ++ apparmor.d/abstractions/bus/org.gtk.vfs.Daemon | 2 ++ apparmor.d/abstractions/bus/org.gtk.vfs.Metadata | 2 ++ apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker | 2 ++ apparmor.d/abstractions/bus/org.kde.StatusNotifierItem | 1 + apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher | 2 ++ apparmor.d/abstractions/bus/org.kde.kwalletd | 2 ++ apparmor.d/abstractions/common/app | 2 ++ apparmor.d/abstractions/common/apt | 2 ++ apparmor.d/abstractions/common/bwrap | 2 ++ apparmor.d/abstractions/common/chromium | 2 ++ apparmor.d/abstractions/common/electron | 2 ++ apparmor.d/abstractions/common/game | 2 ++ apparmor.d/abstractions/common/gnome | 2 ++ apparmor.d/abstractions/common/steam-game | 2 ++ apparmor.d/abstractions/common/systemd | 2 ++ apparmor.d/abstractions/dconf-write | 2 ++ apparmor.d/abstractions/deny-sensitive-home | 2 ++ apparmor.d/abstractions/desktop | 2 ++ apparmor.d/abstractions/devices-usb | 2 ++ apparmor.d/abstractions/disks-read | 2 ++ apparmor.d/abstractions/disks-write | 2 ++ apparmor.d/abstractions/dri | 2 ++ apparmor.d/abstractions/fish | 2 ++ apparmor.d/abstractions/fontconfig-cache-read | 2 ++ apparmor.d/abstractions/fontconfig-cache-write | 2 ++ apparmor.d/abstractions/glfw | 2 ++ apparmor.d/abstractions/gnome-strict | 2 ++ apparmor.d/abstractions/graphics | 2 ++ apparmor.d/abstractions/graphics-full | 2 ++ apparmor.d/abstractions/gstreamer | 2 ++ apparmor.d/abstractions/kde-strict | 2 ++ apparmor.d/abstractions/nameservice-strict | 4 +++- apparmor.d/abstractions/nvidia-strict | 2 ++ apparmor.d/abstractions/qt5-shader-cache | 2 ++ apparmor.d/abstractions/shells | 2 ++ apparmor.d/abstractions/thumbnails-cache-read | 2 ++ apparmor.d/abstractions/thumbnails-cache-write | 2 ++ apparmor.d/abstractions/trash-strict | 2 ++ apparmor.d/abstractions/uim | 2 ++ apparmor.d/abstractions/user-download-strict | 2 ++ apparmor.d/abstractions/user-read | 2 ++ apparmor.d/abstractions/user-read-strict | 2 ++ apparmor.d/abstractions/user-write-strict | 2 ++ apparmor.d/abstractions/vulkan-strict | 2 ++ apparmor.d/abstractions/xfce | 2 ++ apparmor.d/abstractions/zsh | 2 ++ 112 files changed, 225 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 6a29d176..4c506da6 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -2,6 +2,9 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + # The unix socket to use to connect to the display unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 2aaecbd2..5d2f7436 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -3,6 +3,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + @{bin}/** PUx, /usr/local/{s,}bin/** PUx, diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 04b20e84..800de510 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -3,6 +3,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + @{bin}/** PUx, /opt/*/** PUx, /usr/share/** PUx, diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index f0fd3220..900fdc3c 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -8,6 +8,8 @@ # Ultimately, only sandbox manager such as like bwrap, snap, flatpak, firejail # should be present here. Until this day, this profile will be a controlled mess. + abi , + # Sandbox managers @{bin}/bwrap rPUx, @{bin}/firejail rPUx, diff --git a/apparmor.d/abstractions/app/bus b/apparmor.d/abstractions/app/bus index d1d0d8cb..d1bd606a 100644 --- a/apparmor.d/abstractions/app/bus +++ b/apparmor.d/abstractions/app/bus @@ -4,6 +4,8 @@ # Minimal set of rules for dbus-send/dbus-launch. + abi , + include @{bin}/dbus-launch mix, diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 81d37113..6bf3f26e 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -16,6 +16,8 @@ # or abstractions/common/electron instead. # + abi , + include include include diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index d6e346f3..9daec6ad 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -3,6 +3,8 @@ # Copyright (C) 2024 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only + abi , + include include diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index c94ef847..2f9c9393 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -12,6 +12,8 @@ # @{cache_dirs} = @{user_cache_dirs}/mozilla/ # + abi , + include include include diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index ae10dbbf..ad02acc5 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include @{bin}/depmod mr, diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index f21a2a7d..9ae49c4b 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -4,6 +4,8 @@ # Full set of rules for child-open-* profiles. + abi , + include @{open_path} mrix, diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index aaf14d85..13ebcd39 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -4,6 +4,8 @@ # Minimal set of rules for pgrep/pkill. + abi , + include capability sys_ptrace, diff --git a/apparmor.d/abstractions/app/pkexec b/apparmor.d/abstractions/app/pkexec index 2c3669bc..5b919795 100644 --- a/apparmor.d/abstractions/app/pkexec +++ b/apparmor.d/abstractions/app/pkexec @@ -4,6 +4,8 @@ # Minimal set of rules for pkexec. + abi , + include include include diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index b10c66c6..0149cc88 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -4,6 +4,8 @@ # Minimal set of rules for sudo. Interactive sudo need more rules. + abi , + include include include diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index 62b4aafd..9f0da659 100644 --- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm index 72fb4c61..cba83e1f 100644 --- a/apparmor.d/abstractions/app/udevadm +++ b/apparmor.d/abstractions/app/udevadm @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + ptrace read peer=@{p_systemd}, @{bin}/udevadm mr, diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 7ed4d6b8..45028f48 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -5,6 +5,8 @@ # Most programs do not need access to audio devices, audio-client only includes # configuration files to be used by client applications. + abi , + /usr/share/alsa/{,**} r, /usr/share/openal/hrtf/{,**} r, /usr/share/pipewire/client-rt.conf r, diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index ef69d2d5..97850305 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server @@ -5,6 +5,8 @@ # Provide access to audio devices. It should only be used by audio servers that # need direct access to them. + abi , + include @{run}/udev/data/+sound:card@{int} r, # for sound card diff --git a/apparmor.d/abstractions/bash-strict b/apparmor.d/abstractions/bash-strict index 832f2add..9ea35f8c 100644 --- a/apparmor.d/abstractions/bash-strict +++ b/apparmor.d/abstractions/bash-strict @@ -5,6 +5,8 @@ # This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. + abi , + /usr/share/bash-completion/{,**} r, /usr/share/terminfo/{,**} r, diff --git a/apparmor.d/abstractions/bus-accessibility b/apparmor.d/abstractions/bus-accessibility index f032f842..ee0a16b9 100644 --- a/apparmor.d/abstractions/bus-accessibility +++ b/apparmor.d/abstractions/bus-accessibility @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index d5ca957e..811787ba 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + unix (bind, listen) type=stream addr="@/tmp/dbus-*", unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*", unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"), diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index 0148d071..0bfe9681 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} diff --git a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry index 7aa5e7f7..9363bb75 100644 --- a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry +++ b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry @@ -4,6 +4,8 @@ # Access required for connecting to/communicating with the Unity Launcher + abi , + dbus send bus=session path=/com/canonical/unity/launcherentry/@{int} interface=com.canonical.Unity.LauncherEntry member=Update diff --git a/apparmor.d/abstractions/bus/com.canonical.dbusmenu b/apparmor.d/abstractions/bus/com.canonical.dbusmenu index 290a86de..c5f74a6d 100644 --- a/apparmor.d/abstractions/bus/com.canonical.dbusmenu +++ b/apparmor.d/abstractions/bus/com.canonical.dbusmenu @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include if exists diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 index 458d99ee..4b7d6c89 100644 --- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/fi/w1/wpa_supplicant1 interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged} diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles index 1bee9da4..4da87324 100644 --- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles +++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/net/hadess/PowerProfiles interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl index 84422b28..7f68d2d0 100644 --- a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl +++ b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/net/hadess/SwitcherooControl interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint index ad16d10a..41735f1b 100644 --- a/apparmor.d/abstractions/bus/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index deb517f1..357c0647 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + # Accessibility bus dbus receive bus=accessibility path=/org/a11y/atspi/registry diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index d6ed8922..7b709ab9 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index 946189fe..f2048c80 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member={FindUserByName,ListCachedUsers} diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index 73ddaf14..ccf5b30a 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 6f5c7acf..205557ad 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=GetDevices diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 index 36f5b405..101e493a 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/FileManager1 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 index af34b33f..ddbf4d1d 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 index 84ce80b6..5c514d54 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index 61f27fca..af2b6d2b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications index 27e1e713..eee09ffa 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications +++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit index 1a6839b1..b65bc1ef 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit +++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index 006dcee8..ab9e373a 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=Changed diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 index 527c1e91..ff290693 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver index 842057a1..43ed93af 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver +++ b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/ScreenSaver interface=org.freedesktop.ScreenSaver member={Inhibit,UnInhibit} diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files index 567740a3..48fa7e39 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files +++ b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.DBus.Peer member=Ping diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 index cd415f39..30abb219 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/UDisks2 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index 148db02d..36944807 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices diff --git a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor index ff7d5798..f6019eed 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor +++ b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/background/monitor interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index 51b0a5ce..8957c4cd 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member={Get,GetAll} diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore index 0fabcd31..c4e4a5fb 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore +++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1 index 74e51b1d..50218ced 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index 595b8133..77271fe2 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties member={Get,GetAll} diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session index d5b62f73..4affc3d2 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/org.freedesktop.network1 index 268a21de..56460a52 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.network1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.network1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/network1 interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 820b57ff..1561491c 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties member={Get,GetAll,Read} diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 index 7f5b6d1a..7714a871 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member={SetLink*,ResolveHostname} diff --git a/apparmor.d/abstractions/bus/org.freedesktop.secrets b/apparmor.d/abstractions/bus/org.freedesktop.secrets index bb8014fc..0b169a04 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.secrets +++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/secrets{,/**} interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 49e4b014..115aefd7 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member={Get,GetAll} diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session index 8edda758..97db8023 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member={Get,GetAll} diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 index 32cc2f45..443d35ee 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 index 078835c4..120330ac 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/ArchiveManager1 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/org.gnome.DisplayManager index 0d76f238..10786883 100644 --- a/apparmor.d/abstractions/bus/org.gnome.DisplayManager +++ b/apparmor.d/abstractions/bus/org.gnome.DisplayManager @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/gnome/DisplayManager/Manager interface=org.gnome.DisplayManager.Manager member=RegisterDisplay diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig index 1449ff4e..605e9031 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member={GetResources,GetCrtcGamma} diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index 2726a7c5..68769f2c 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/Mutter/IdleMonitor interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects diff --git a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 index da9f7229..185937e7 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 +++ b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/Nautilus/FileOperations2 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver index 15eec0c6..ba13aa7d 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver +++ b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager index 19242d56..c683edda 100644 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager @@ -4,6 +4,8 @@ # FIXME: Too large, restrict it. + abi , + dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={RegisterClient,IsSessionRunning} diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect index ed39a253..efe53af6 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor index 0ad921ed..9060c8c1 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor +++ b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={List,IsSupported,VolumeChanged,VolumeMount,MountAdded} diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon index 3e0d95f1..e813f5c4 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member={GetConnection,ListMonitorImplementations,ListMountableInfo} diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata index e755faa6..80daa492 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gtk/vfs/metadata interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker index 575401ee..1c80ca6e 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMountableInfo diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem index 4fca40e8..43947d52 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem @@ -2,6 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , include if exists diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher index 67ac1fb6..5217a50f 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.kde.kwalletd b/apparmor.d/abstractions/bus/org.kde.kwalletd index c0d2ecba..1ae5a1ac 100644 --- a/apparmor.d/abstractions/bus/org.kde.kwalletd +++ b/apparmor.d/abstractions/bus/org.kde.kwalletd @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 7b6a5fdd..392ea2c5 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -9,6 +9,8 @@ # applications (bwrap) that have no way to restrict access depending on the # application being confined. + abi , + include include include diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt index 77c5a0b7..5dd8b26b 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/common/apt @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index 711117f6..7f337aff 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -7,6 +7,8 @@ # - the flag: attach_disconnected # - bwrap execution: '@{bin}/bwrap rix,' + abi , + userns, capability net_admin, diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index cad07669..9fba7b8b 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -6,6 +6,8 @@ # This abstraction is for chromium based application. Chromium based browsers # need to use abstractions/chromium instead. + abi , + userns, capability setgid, # If kernel.unprivileged_userns_clone = 1 diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index da792131..7bfae1ff 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -12,6 +12,8 @@ # @{cache_dirs} = @{user_cache_dirs}/@{name} # + abi , + include include include diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 678327f0..3b4a982f 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -10,6 +10,8 @@ # (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") # - @{user_games_dirs} for user specific game directories (eg: steam storage dir) + abi , + include include include diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 653221e1..ccb5de8b 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -4,6 +4,8 @@ # Minimal set of rules for all gnome based UI application. + abi , + include include include diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index 4bd211f2..b3c66e03 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include @{lib_dirs}/ r, diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index 34e9be9d..df138bf6 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + ptrace read peer=@{p_systemd}, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write index 41145e51..b83a585e 100644 --- a/apparmor.d/abstractions/dconf-write +++ b/apparmor.d/abstractions/dconf-write @@ -5,6 +5,8 @@ # Permissions for querying dconf settings with write access; use the dconf # abstraction first, and dconf-write only for specific application's profile. + abi , + dbus send bus=session path=/ca/desrt/dconf/Writer/user interface=ca.desrt.dconf.Writer member=Change diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home index 1f1047ce..4291762a 100644 --- a/apparmor.d/abstractions/deny-sensitive-home +++ b/apparmor.d/abstractions/deny-sensitive-home @@ -11,6 +11,8 @@ # The only legitimate use in this project is for file browser and search engine. + abi , + # User defined private directories deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index ae585999..a9a3665d 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -7,6 +7,8 @@ # When supported in apparmor, condition will be used in this abstraction to filter # resources specific for supported DE. + abi , + include include include diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb index 5a2a8b74..1a85a010 100644 --- a/apparmor.d/abstractions/devices-usb +++ b/apparmor.d/abstractions/devices-usb @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + /dev/ r, /dev/bus/usb/ r, /dev/bus/usb/@{int}/ r, diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 10beb258..10cf0c90 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -5,6 +5,8 @@ # The /sys/ entries probably should be tightened + abi , + /dev/ r, /dev/block/ r, /dev/disk/{,*/} r, diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index 361b60d8..bd34a6f4 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -5,6 +5,8 @@ # The /sys/ entries probably should be tightened + abi , + /dev/ r, /dev/block/ r, /dev/disk/{,*/} r, diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index a1eb1cd4..af634ff9 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -6,6 +6,8 @@ # Linux graphics stack which allows unprivileged user-space programs to issue # commands to graphics hardware without conflicting with other programs. + abi , + @{lib}/dri/** mr, @{lib}/@{multiarch}/dri/** mr, @{lib}/fglrx/dri/** mr, diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish index fe3cab89..2ae6ab93 100644 --- a/apparmor.d/abstractions/fish +++ b/apparmor.d/abstractions/fish @@ -5,6 +5,8 @@ # This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. + abi , + /usr/share/fish/{,**} r, /etc/fish/{,**} r, diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read index 21607564..30678737 100644 --- a/apparmor.d/abstractions/fontconfig-cache-read +++ b/apparmor.d/abstractions/fontconfig-cache-read @@ -9,6 +9,8 @@ # fontconfig cache if some cache files are missing, so if this behavior is desirable, you can use # the "fontconfig-cache-write" abstraction. + abi , + owner @{user_cache_dirs}/fontconfig/ r, deny @{user_cache_dirs}/fontconfig/ w, deny @{user_cache_dirs}/fontconfig/** w, diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index 19fa7c53..922a15a6 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write @@ -3,6 +3,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/fontconfig/ rw, owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw, owner @{user_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk, diff --git a/apparmor.d/abstractions/glfw b/apparmor.d/abstractions/glfw index f52fb926..5dbda197 100644 --- a/apparmor.d/abstractions/glfw +++ b/apparmor.d/abstractions/glfw @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{run}/user/@{uid}/glfw-shared-@{rand6} rw, include if exists diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index ed3f2f4c..27d64824 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -2,6 +2,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include include diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 9b7954f0..101fe1b4 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include include diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index fe2d2001..1f2b0ffd 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 4a5deb7c..b9f1cbad 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + @{lib}/@{multiarch}/libproxy/*/modules/*.so mr, @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr, @{lib}/frei0r-@{int}/*.so mr, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 11e897ab..490cf48a 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include include diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict index 0cac5a1a..5f49a63d 100644 --- a/apparmor.d/abstractions/nameservice-strict +++ b/apparmor.d/abstractions/nameservice-strict @@ -6,6 +6,8 @@ # Many programs wish to perform nameservice-like operations, such as looking up # users by name or id, groups by name or id, hosts by name or IP, etc. + abi , + include @{etc_ro}/default/nss r, @@ -33,6 +35,6 @@ @{run}/systemd/resolve/resolv.conf r, @{run}/systemd/resolve/stub-resolv.conf r, - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index 6521c984..6069ddd9 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -2,6 +2,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, /usr/share/nvidia/nvidia-application-profiles-* r, diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache index e43ca64e..d40aa376 100644 --- a/apparmor.d/abstractions/qt5-shader-cache +++ b/apparmor.d/abstractions/qt5-shader-cache @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/ w, owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/#@{int} rw, diff --git a/apparmor.d/abstractions/shells b/apparmor.d/abstractions/shells index b269f233..35d3a580 100644 --- a/apparmor.d/abstractions/shells +++ b/apparmor.d/abstractions/shells @@ -5,6 +5,8 @@ # This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. + abi , + include include include diff --git a/apparmor.d/abstractions/thumbnails-cache-read b/apparmor.d/abstractions/thumbnails-cache-read index dc164c6b..adb80dd4 100644 --- a/apparmor.d/abstractions/thumbnails-cache-read +++ b/apparmor.d/abstractions/thumbnails-cache-read @@ -3,6 +3,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/thumbnails/ r, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ r, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ r, diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write index 01de0407..5a31de22 100644 --- a/apparmor.d/abstractions/thumbnails-cache-write +++ b/apparmor.d/abstractions/thumbnails-cache-write @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/thumbnails/ rw, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ rw, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ rw, diff --git a/apparmor.d/abstractions/trash-strict b/apparmor.d/abstractions/trash-strict index 1f420281..a2b024d3 100644 --- a/apparmor.d/abstractions/trash-strict +++ b/apparmor.d/abstractions/trash-strict @@ -9,6 +9,8 @@ # There is no 'owner' rule on expunged folders because some internally sandboxed # app (using bwrap) run on a different private user. + abi , + owner @{user_config_dirs}/#@{int} rwk, owner @{user_config_dirs}/trashrc rw, owner @{user_config_dirs}/trashrc.* rwl, diff --git a/apparmor.d/abstractions/uim b/apparmor.d/abstractions/uim index 03ae9e3e..88d75ec1 100644 --- a/apparmor.d/abstractions/uim +++ b/apparmor.d/abstractions/uim @@ -3,6 +3,8 @@ # Copyright (C) 2024 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only + abi , + /usr/share/uim/* r, /var/lib/uim/* r, diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict index 3feed5cd..ab0e05f0 100644 --- a/apparmor.d/abstractions/user-download-strict +++ b/apparmor.d/abstractions/user-download-strict @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{HOME}/@{XDG_DESKTOP_DIR}/ w, owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w, diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read index 4187ab9e..bd350186 100644 --- a/apparmor.d/abstractions/user-read +++ b/apparmor.d/abstractions/user-read @@ -4,6 +4,8 @@ # Warning: This abstraction gives unrestricted read access on all non hidden user directories. + abi , + owner @{HOME}/ r, owner @{MOUNTS}/ r, diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict index 5211b034..f7eb186b 100644 --- a/apparmor.d/abstractions/user-read-strict +++ b/apparmor.d/abstractions/user-read-strict @@ -5,6 +5,8 @@ # This abstraction gives read access on all defined user directories. It should # only be used if access to **ALL** folders is required. + abi , + owner @{HOME}/ r, owner @{MOUNTS}/ r, diff --git a/apparmor.d/abstractions/user-write-strict b/apparmor.d/abstractions/user-write-strict index 223fc660..026825b2 100644 --- a/apparmor.d/abstractions/user-write-strict +++ b/apparmor.d/abstractions/user-write-strict @@ -5,6 +5,8 @@ # This abstraction gives write only access on all defined user directories. It should # only be used if access to **ALL** folders is required. + abi , + owner @{HOME}/ r, owner @{MOUNTS}/ r, diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index 7dbb8f42..edb25828 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + /usr/share/egl/egl_external_platform.d/{,*.json} r, /usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/libdrm/*.ids r, diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 067de914..0d510a3f 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include include diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index 15711713..a22895c9 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -6,6 +6,8 @@ # This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. + abi , + @{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr, /usr/share/zsh/{,**} r,