apparmor/profiles/apparmor.d/abstractions/ubuntu-unity7-base

# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2013-2014 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#
# Rules common to applications running under Unity 7
#

#include <abstractions/gnome>

  # Allow connecting to session bus and where to connect to services
  dbus (send)
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=Hello
       peer=(name=org.freedesktop.DBus),
  dbus (send)
       bus=session
       path=/org/freedesktop/{db,DB}us
       interface=org.freedesktop.DBus
       member={Add,Remove}Match
       peer=(name=org.freedesktop.DBus),
  # NameHasOwner and GetNameOwner could leak running processes and apps
  # depending on how services are implemented
  dbus (send)
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetNameOwner
       peer=(name=org.freedesktop.DBus),
  dbus (send)
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=NameHasOwner
       peer=(name=org.freedesktop.DBus),

  # Allow starting services on the session bus (actual communications with
  # the service are mediated elsewhere)
  dbus (send)
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=StartServiceByName
       peer=(name=org.freedesktop.DBus),

  # Allow connecting to system bus and where to connect to services. Put these
  # here so we don't need to repeat these rules in multiple places (actual
  # communications with any system services is mediated elsewhere). This does
  # allow apps to brute-force enumerate system services, but our system
  # services aren't a secret.
  /{,var/}run/dbus/system_bus_socket rw,
  dbus (send)
       bus=system
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=Hello
       peer=(name=org.freedesktop.DBus),
  dbus (send)
       bus=system
       path=/org/freedesktop/{db,DB}us
       interface=org.freedesktop.DBus
       member={Add,Remove}Match
       peer=(name=org.freedesktop.DBus),
  # NameHasOwner and GetNameOwner could leak running processes and apps
  # depending on how services are implemented
  dbus (send)
       bus=system
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetNameOwner
       peer=(name=org.freedesktop.DBus),
  dbus (send)
       bus=system
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=NameHasOwner
       peer=(name=org.freedesktop.DBus),

  #
  # Access required for connecting to/communication with Unity HUD
  #
  dbus (send)
       bus=session
       path="/com/canonical/hud",
  dbus (send)
       bus=session
       interface="com.canonical.hud.*",
  dbus (send)
       bus=session
       path="/com/canonical/hud/applications/*",
  dbus (receive)
       bus=session
       path="/com/canonical/hud",
  dbus (receive)
       bus=session
       interface="com.canonical.hud.*",

  #
  # Allow access for connecting to/communication with the appmenu
  #
  # dbusmenu
  dbus (send)
       bus=session
       interface="com.canonical.AppMenu.*",
  dbus (receive, send)
        bus=session
        path=/com/canonical/menu/**,

  # gmenu
  dbus (receive, send)
       bus=session
       interface=org.gtk.Actions,
  dbus (receive, send)
       bus=session
       interface=org.gtk.Menus,

  #
  # Access required for using freedesktop notifications
  #
  dbus (send)
       bus=session
       path=/org/freedesktop/Notifications
       member=GetCapabilities,
  dbus (send)
       bus=session
       path=/org/freedesktop/Notifications
       member=GetServerInformation,
  dbus (send)
       bus=session
       path=/org/freedesktop/Notifications
       member=Notify,
  dbus (receive)
       bus=session
       member="Notify"
       peer=(name="org.freedesktop.DBus"),
  dbus (receive)
       bus=session
       path=/org/freedesktop/Notifications
       member=NotificationClosed,
  dbus (send)
       bus=session
       path=/org/freedesktop/Notifications
       member=CloseNotification,

  # accessibility
  dbus (send)
       bus=session
       peer=(name=org.a11y.Bus),
  dbus (receive)
       bus=session
       interface=org.a11y.atspi*,
  dbus (receive, send)
       bus=accessibility,

  #
  # Deny potentially dangerous access
  #
  deny dbus bus=session path=/com/canonical/[Uu]nity/[Dd]ebug**,