profile(abs): rewrite the way we manage accessibility
- Add some missing dbus access - Split bus access into abstractions - Use them through the new accessibility abs.
parent
1fba94a197
commit
14ec69cd15
4 changed files with 109 additions and 63 deletions
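--- a/apparmor.d/abstractions/accessibility
+++ b/apparmor.d/abstractions/accessibility
@@ -0,0 +1,15 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow communication with Assistive Technology Service Provider Interface (AT-SPI
+
+abi <abi/4.0>,
+
+include <abstractions/bus-accessibility>
+include <abstractions/bus/accessibility/org.a11y>
+include <abstractions/bus/session/org.a11y>
+
+include if exists <abstractions/accessibility.d>
+
+# vim:syntax=apparmor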
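Review bot: The header comment of this new abstraction is cut off at `(AT-SPI` and does not tell a profile author what they inherit by including it. The file pulls in `abstractions/bus/accessibility/org.a11y`, whose own comment states that org.a11y.atspi is not designed for application isolation and that its rules can be used to send change events for other processes. I would close the parenthesis and carry that caveat to the include site, e.g. `# Allow communication with the Assistive Technology Service Provider Interface (AT-SPI).` followed by `# AT-SPI does not isolate applications from each other; include only where accessibility is required.`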
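--- a/apparmor.d/abstractions/bus/accessibility/org.a11y
+++ b/apparmor.d/abstractions/bus/accessibility/org.a11y
@@ -0,0 +1,65 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017 Canonical Ltd
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+# Allow the accessibility services in the user session to send us any events
+
+dbus receive bus=accessibility
+peer=(label="@{p_at_spi2_registryd}"),
+
+# Allow querying for capabilities and registering
+
+dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+interface=org.a11y.atspi.Socket
+member=Embed
+peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+dbus send bus=accessibility path=/org/a11y/atspi/registry
+interface=org.a11y.atspi.Registry
+member=GetRegisteredEvents
+peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+interface=org.a11y.atspi.DeviceEventController
+member={GetKeystrokeListeners,GetDeviceEventListeners}
+peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+interface=org.a11y.atspi.DeviceEventController
+member=NotifyListenersSync
+peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+# org.a11y.atspi is not designed for application isolation and these rules
+# can be used to send change events for other processes.
+
+dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+interface=org.a11y.atspi.Event.Object
+member=ChildrenChanged
+peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+interface=org.a11y.atspi.Accessible
+member=Get*
+peer=(label="@{p_at_spi2_registryd}"),
+
+dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
+interface=org.a11y.atspi.Event.Object
+member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}
+peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
+interface=org.freedesktop.DBus.Properties
+member={Get,GetAll}
+peer=(label="@{p_at_spi2_registryd}"),
+
+dbus send bus=accessibility path=/org/a11y/atspi/cache
+interface=org.a11y.atspi.Cache
+member={AddAccessible,RemoveAccessible}
+peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+include if exists <abstractions/bus/accessibility/org.a11y.d>
+
+# vim:syntax=apparmor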
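Review bot: The first rule, `dbus receive bus=accessibility peer=(label="@{p_at_spi2_registryd}")`, carries no path, interface or member, so it accepts every message the registry daemon sends on the accessibility bus. The abstraction this commit removes limited receive to `EventListenerDeregistered` on `/org/a11y/atspi/registry` and `Properties.Set` on `/org/a11y/atspi/accessible/root`. If the wider grant is intended, the comment above it should say why; otherwise a path bound along the lines of `dbus receive bus=accessibility path=/org/a11y/atspi/** peer=(label="@{p_at_spi2_registryd}"),` would keep it to AT-SPI objects. The same file also grants `member=Get*` on `org.a11y.atspi.Accessible`, which will match any getter added to that interface later; an explicit member list would be easier to audit.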
|
|
@ -1,63 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
# Accessibility bus
|
||||
|
||||
dbus receive bus=accessibility path=/org/a11y/atspi/registry
|
||||
interface=org.a11y.atspi.Registry
|
||||
member=EventListenerDeregistered
|
||||
peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/registry
|
||||
interface=org.a11y.atspi.Registry
|
||||
member=GetRegisteredEvents
|
||||
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
|
||||
interface=org.a11y.atspi.DeviceEventController
|
||||
member={GetKeystrokeListeners,GetDeviceEventListeners}
|
||||
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Set
|
||||
peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.a11y.atspi.Socket
|
||||
member=Embed
|
||||
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.a11y.atspi.Socket
|
||||
member=Embed
|
||||
peer=(name=org.a11y.atspi.Registry),
|
||||
|
||||
# Session bus
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.a11y.Bus
|
||||
member=Get
|
||||
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.a11y.Bus
|
||||
member=GetAddress
|
||||
peer=(name=org.a11y.Bus),
|
||||
|
||||
include if exists <abstractions/bus/org.a11y.d>
|
||||
|
||||
# vim:syntax=apparmor
|
||||
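--- a/apparmor.d/abstractions/bus/session/org.a11y
+++ b/apparmor.d/abstractions/bus/session/org.a11y
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+dbus send bus=session path=/org/a11y/bus
+interface=org.freedesktop.DBus.Properties
+member=GetAll
+peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
+
+dbus send bus=session path=/org/a11y/bus
+interface=org.freedesktop.DBus.Properties
+member=Get
+peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
+
+dbus send bus=session path=/org/a11y/bus
+interface=org.a11y.Bus
+member=Get
+peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
+
+dbus send bus=session path=/org/a11y/bus
+interface=org.a11y.Bus
+member=GetAddress
+peer=(name=org.a11y.Bus),
+
+include if exists <abstractions/bus/session/org.a11y.d>
+
+# vim:syntax=apparmor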
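Review bot: The `GetAddress` rule ends in `peer=(name=org.a11y.Bus)` with no label, while the three rules above it pin `label="@{p_dbus_accessibility}"`. The value returned by that call is presumably the address the client then uses to reach the accessibility bus, so it is the one reply that most needs to come from the expected launcher; without the label, any session-bus peer holding the `org.a11y.Bus` name satisfies the rule. The rule is carried over unchanged from the removed file, so it may be deliberate for hosts where the owner runs under a different label; if it is not, use `peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),`, and if it is, a one-line comment saying so would help.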