feat(dbus): rewrite some dbus rules (9).

2023-12-06 19:55:48 +00:00 · 2023-12-06 19:55:48 +00:00 · 1307250250
commit 1307250250
parent 3425419f0e
34 changed files with 63 additions and 380 deletions
--- a/apparmor.d/profiles-a-f/cups-browsed
+++ b/apparmor.d/profiles-a-f/cups-browsed
@ -25,36 +25,6 @@ profile cups-browsed @{exec_path} {
  network inet6 stream,
  network netlink raw,

-  dbus send bus=system path=/
-       interface=org.freedesktop.Avahi.Server
-       member={GetAPIVersion,GetState,ServiceBrowserNew},
-
-  dbus send bus=system path=/
-       interface=org.freedesktop.DBus.Peer
-       member=Ping
-       peer=(name=org.freedesktop.Avahi),
-
-  dbus send bus=system path=/org/freedesktop/NetworkManager
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll,
-
-  dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
-       interface=org.freedesktop.Avahi.ServiceBrowser
-       member=Free
-       peer=(name=org.freedesktop.Avahi),
-
-  dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
-       interface=org.freedesktop.Avahi.ServiceBrowser
-       member={AllForNow,CacheExhausted},
-
-  dbus receive bus=system path=/org/freedesktop/NetworkManager
-       interface=org.freedesktop.{DBus.Properties,NetworkManager}
-       member={CheckPermissions,PropertiesChanged,StateChanged,DeviceAdded},
-
-  dbus receive bus=system path=/
-       interface=org.freedesktop.Avahi.Server
-       member=StateChanged,
-
  @{exec_path} mr,

  /usr/share/cups/locale/{,**} r,
--- a/apparmor.d/profiles-a-f/cupsd
+++ b/apparmor.d/profiles-a-f/cupsd
@ -9,6 +9,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/bus/org.freedesktop.Avahi>
+  include <abstractions/bus/org.freedesktop.ColorManager>
  include <abstractions/bus/system>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
@ -40,11 +41,6 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
  network rose dgram,
  network x25 seqpacket,

-  dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/cups_*}
-    interface=org.freedesktop.ColorManager{,.*}
-    member={CreateProfile,CreateDevice,FindDeviceById,AddProfile}
-    peer=(name=org.freedesktop.ColorManager),
-
  @{exec_path} mr,

  @{bin}/{,ba,da}sh          rix,
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@ -26,20 +26,18 @@ profile evince @{exec_path} {
  deny network inet,
  deny network inet6,

+  dbus bind bus=session name=org.gnome.evince.Daemon,
+  dbus send bus=session path=/org/gnome/evince/Daemon
+       interface=org.gnome.evince.Daemon
+       peer=(name=org.gnome.evince.Daemon),
+  dbus receive bus=session path=/org/gnome/evince/
+       peer=(name="{org.gnome.evince.Daemon,org.freedesktop.DBus,:*}", 
+       label=@{profile_name}), # all interfaces and members
+
  dbus send bus=session path=/org/gtk/vfs/metadata
       interface=org.gtk.vfs.Metadata
       member={Set,GetTreeFromDevice}
-       peer=(name=:*),
-
-  dbus send bus=session path=/org/gnome/evince/Daemon
-       interface=org.gnome.evince.Daemon
-       member=RegisterDocument
-       peer=(name=org.gnome.evince.Daemon), # no peer's labels
-
-  dbus (send, receive) bus=session path=/org/gnome/evince/{,**}
-       peer=(name="{org.gnome.evince.Daemon,org.freedesktop.DBus,:*}", label=@{profile_name}), # all interfaces and members
-
-  dbus bind bus=session name=org.gnome.evince.Daemon,
+       peer=(name=:*, label=gvfsd-metadata),

  @{exec_path} rix,