felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(dbus): rewrite some dbus rules (9).

Browse source
This commit is contained in:
Alexandre Pujol 2023-12-06 19:55:48 +00:00
parent 3425419f0e
commit 1307250250
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
34 changed files with 63 additions and 380 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/gnome/evolution-calendar-factory
View file

@ -57,10 +57,6 @@ profile evolution-calendar-factory @{exec_path} {
member=Introspect
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
peer=(name=:*, label=gvfsd),
@{exec_path} mr,
@{exec_path}-subprocess rix,

13
apparmor.d/groups/gnome/gdm
View file

@ -35,15 +35,18 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.DBus.Properties
peer=(name=:*, label=gnome-shell),
dbus send bus=system path=/org/freedesktop/login1/seat/seat@{int}
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=:*, label=systemd-logind),
dbus receive bus=system path=/org/freedesktop/login1/seat/seat@{int}
interface=org.freedesktop.DBus.Properties
member={Get,PropertiesChanged}
peer=(name=:*, label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1/seat/seat@{int}
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=:*, label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={UnlockSession,ActivateSessionOnSeat}
peer=(name=org.freedesktop.login1, label=systemd-logind),
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus

6
apparmor.d/groups/gnome/gdm-x-session
View file

@ -11,6 +11,7 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/bus/org.freedesktop.systemd1-session>
signal (receive) set=term peer=gdm{,-session-worker},
# signal (send) set=term peer=unconfined,
@ -18,11 +19,6 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
signal (send) set=term peer=xorg,
signal (send) set=term peer=gnome-session-binary,
dbus bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.systemd1),
dbus send bus=system path=/org/gnome/DisplayManager/Manager
interface=org.gnome.DisplayManager.Manager
member=RegisterDisplay

12
apparmor.d/groups/gnome/gnome-extension-ding
View file

@ -28,11 +28,9 @@ profile gnome-extension-ding @{exec_path} {
unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
dbus bind bus=session name=com.rastersoft.ding,
dbus receive bus=session path=/com/rastersoft/ding
interface={org.gtk.Actions,org.freedesktop.DBus.Properties}
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/com/rastersoft/ding{,**}
interface=org.gtk.Actions
peer=(label=gnome-shell),
@ -42,16 +40,6 @@ profile gnome-extension-ding @{exec_path} {
member={IsSupported,List}
peer=(name=:*, label=gvfs-*-monitor),
dbus (send, receive) bus=session path=/org/freedesktop/FileManager1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=nautilus),
dbus send bus=system path=/net/hadess/SwitcherooControl
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=switcheroo-control),
dbus send bus=session path=/org/gnome/Nautilus/FileOperations*
interface=org.freedesktop.DBus.Properties
member=GetAll

81
apparmor.d/groups/gnome/gnome-keyring-daemon
View file

@ -22,91 +22,30 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
signal (receive) set=(term) peer=gdm,
signal (send) set=(term) peer=ssh-agent,
dbus send bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.login1),
dbus receive bus=system path=/org/freedesktop/login1/session/*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=systemd-logind),
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member=GetSession
peer=(name=org.freedesktop.login1),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member=Setenv
peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
dbus bind bus=session name=org.gnome.keyring,
dbus (send, receive) bus=session path=/org/gnome/keyring/daemon
interface=org.gnome.keyring.Daemon
peer=(name="{org.gnome.keyring,:*}", label=@{profile_name}), # all members
peer=(name="{org.gnome.keyring,:*}", label=@{profile_name}),
dbus receive bus=session path=/org/freedesktop/secrets
dbus bind bus=session name=org.freedesktop.secrets,
dbus receive bus=session path=/org/freedesktop/secrets{,/**}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/freedesktop/secrets
interface=org.freedesktop.Secret.Service
member=SearchItems
peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/freedesktop/secrets/aliases/default
peer=(name=:*),
dbus receive bus=session path=/org/freedesktop/secrets{,/**}
interface=org.freedesktop.Secret.*
peer=(name=:*),
dbus send bus=session path=/org/freedesktop/secrets{,/**}
interface=org.freedesktop.Secret.Collection
member=CreateItem
peer=(name=:*),
dbus receive bus=session path=/org/freedesktop/secrets/aliases/default
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus send bus=session path=/org/freedesktop/secrets/collection/login
interface=org.freedesktop.Secret.Collection
member=ItemCreated
peer=(name=org.freedesktop.DBus),
dbus send bus=session path=/org/freedesktop/secrets/collection/login
dbus send bus=session path=/org/freedesktop/secrets{,/**}
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=org.freedesktop.DBus),
dbus receive bus=session path=/org/freedesktop/secrets
interface=org.freedesktop.Secret.Service
member={ReadAlias,OpenSession}
peer=(name=:*),
dbus receive bus=session path=/org/freedesktop/secrets/collection/login/[0-9]*
interface=org.freedesktop.Secret.Item
member=GetSecret
peer=(name=:*),
dbus receive bus=session path=/org/freedesktop/secrets{,/collection/**}
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/freedesktop/secrets
interface=org.freedesktop.Secret.Service
member={GetSecrets,SearchItems}
peer=(name=:*), # label="{unconfined,remmina}"),
dbus bind bus=session
name=org.gnome.keyring,
dbus bind bus=session
name=org.freedesktop.secrets,
@{exec_path} mr,
@{bin}/ssh-add rix,

1
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -62,7 +62,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
member=WatchFired
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment}

17
apparmor.d/groups/gnome/gsd-color
View file

@ -32,23 +32,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
member=GetAll
peer=(name=:*, label=gnome-shell),
dbus (send, receive) bus=system path=/org/freedesktop/ColorManager{,/devices/*}
interface=org.freedesktop.ColorManager*,
dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/*,/profiles/*}
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.gnome.Mutter.DisplayConfig
member={GetResources,GetCrtcGamma}
peer=(name=:*, label=gnome-shell),
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-shell),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect

10
apparmor.d/groups/gnome/gsd-print-notifications
View file

@ -23,16 +23,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
dbus bind bus=session name=org.gnome.SettingsDaemon.PrintNotifications,
dbus send bus=system path=/Client@{int}/ServiceBrowser@{int}
interface=org.freedesktop.Avahi.ServiceBrowser
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
interface=org.freedesktop.Avahi.ServiceBrowser
peer=(name=:*, label=avahi-daemon),
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
dbus receive bus=system path=/org/cups/cupsd/Notifier
interface=org.cups.cupsd.Notifier,

8
apparmor.d/groups/gnome/gsd-xsettings
View file

@ -37,14 +37,12 @@ profile gsd-xsettings @{exec_path} {
dbus receive bus=session path=/org/gtk/Settings
interface=org.freedesktop.DBus.Properties
peer=(name=:*),
dbus send bus=session path=/org/gtk/Settings
interface=org.freedesktop.DBus.Properties
peer=(name=org.freedesktop.DBus),
dbus bind bus=session name=org.gnome.SettingsDaemon.XSettings,
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.gnome.Mutter.DisplayConfig
member=GetCurrentState
peer=(name=org.gnome.Mutter.DisplayConfig, label=gnome-shell),
dbus send bus=session path=/org/gnome/Shell/Introspect
interface=org.freedesktop.DBus.Properties
member=Get

5
apparmor.d/groups/gnome/nautilus
View file

@ -27,11 +27,14 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
include <abstractions/vulkan>
dbus bind bus=session name=org.gnome.Nautilus,
dbus (send, receive) bus=session path=/org/gnome/Nautilus
dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/**}
interface=org.gtk.{Actions,Application},
dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/**}
interface=org.freedesktop.DBus.Properties
peer=(name=:*),
dbus receive bus=session path=/org/gnome/Nautilus
interface=org.freedesktop.Application
peer=(name=:*),
dbus bind bus=session name=org.freedesktop.FileManager1,
dbus receive bus=session path=/org/freedesktop/FileManager1

5
apparmor.d/groups/gnome/seahorse
View file

@ -26,11 +26,6 @@ profile seahorse @{exec_path} {
interface=org.gnome.Shell.SearchProvider2
peer=(name=:*),
dbus send bus=session path=/org/freedesktop/secrets
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*, label=gnome-keyring-daemon),
@{exec_path} mr,
@{bin}/gpgconf rPx,

6
apparmor.d/groups/gnome/tracker-miner
View file

@ -9,9 +9,9 @@ include <tunables/global>
@{exec_path} = @{lib}/tracker-miner-fs-{,control-}3
profile tracker-miner @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus/upower>
include <abstractions/bus/vfs/daemon>
include <abstractions/bus/vfs/mount>
include <abstractions/bus/org.freedesktop.UPower>
include <abstractions/bus/org.gtk.vfs.Daemon>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>