profile(abs): rewrite the way we manage accessibility

- Add some missing dbus access
- Split bus access in abstractions
- Use the new accessibility abs. throughout.
This commit is contained in:
Alexandre Pujol 2025-09-14 18:38:02 +02:00
parent 1fba94a197
commit 14ec69cd15
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
4 changed files with 109 additions and 63 deletions


@ -0,0 +1,15 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow communication with Assistive Technology Service Provider Interface (AT-SPI
abi <abi/4.0>,
include <abstractions/bus-accessibility>
include <abstractions/bus/accessibility/org.a11y>
include <abstractions/bus/session/org.a11y>
include if exists <abstractions/accessibility.d>
# vim:syntax=apparmor
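Review bot: The description comment on the fourth line of this new file is unbalanced — `(AT-SPI` never gets its closing parenthesis; it should read `# Allow communication with Assistive Technology Service Provider Interface (AT-SPI)`. The file path is not shown on the page; judging by `include if exists <abstractions/accessibility.d>` it is presumably the new top-level `abstractions/accessibility`. Since this one include now pulls in the whole `bus/accessibility/org.a11y` rule set, which that file itself says is not designed for application isolation, a short note after the includes would help profile authors weigh it, e.g. `# Note: the AT-SPI rules pulled in here are not an isolation boundary; see bus/accessibility/org.a11y`.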


@ -0,0 +1,65 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017 Canonical Ltd
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
# Allow the accessibility services in the user session to send us any events
dbus receive bus=accessibility
peer=(label="@{p_at_spi2_registryd}"),
# Allow querying for capabilities and registering
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=GetRegisteredEvents
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member={GetKeystrokeListeners,GetDeviceEventListeners}
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member=NotifyListenersSync
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
# org.a11y.atspi is not designed for application isolation and these rules
# can be used to send change events for other processes.
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Event.Object
member=ChildrenChanged
peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Accessible
member=Get*
peer=(label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
interface=org.a11y.atspi.Event.Object
member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}
peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/cache
interface=org.a11y.atspi.Cache
member={AddAccessible,RemoveAccessible}
peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
include if exists <abstractions/bus/accessibility/org.a11y.d>
# vim:syntax=apparmor
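Review bot: The comment above the first rule, `# Allow the accessibility services in the user session to send us any events`, understates what the rule grants: `dbus receive bus=accessibility peer=(label="@{p_at_spi2_registryd}")` carries no path, interface or member, so it admits every message type from that peer, including method calls and property writes (the deleted abstraction had an explicit receive for `org.freedesktop.DBus.Properties member=Set`, which this rule now subsumes). Suggest making the comment match the scope, e.g. `# Allow the AT-SPI registry to deliver any message (events, method calls, property sets) to us`. Separately, `member=Get*` on `org.a11y.atspi.Accessible` is the only wildcard member in a file that otherwise enumerates members in braces; if the needed getters are known, listing them keeps the abstraction's style consistent and makes later audits easier.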


@ -1,63 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
# Accessibility bus
dbus receive bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=EventListenerDeregistered
peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=GetRegisteredEvents
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member={GetKeystrokeListeners,GetDeviceEventListeners}
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry),
# Session bus
dbus send bus=session path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
dbus send bus=session path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
member=Get
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
member=GetAddress
peer=(name=org.a11y.Bus),
include if exists <abstractions/bus/org.a11y.d>
# vim:syntax=apparmor


@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
dbus send bus=session path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
dbus send bus=session path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
member=Get
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
member=GetAddress
peer=(name=org.a11y.Bus),
include if exists <abstractions/bus/session/org.a11y.d>
# vim:syntax=apparmor
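Review bot: The `GetAddress` rule at the end of this file is the only one whose peer has no `label=` (`peer=(name=org.a11y.Bus)`), while the three rules above it pin `label="@{p_dbus_accessibility}"`; the same unlabeled form existed in the deleted `bus/org.a11y`, so it may be deliberate (for instance if the owner of org.a11y.Bus can be unconfined when the address is first queried), but a comment stating the reason would stop the next reader from "fixing" it, e.g. `# No label: the org.a11y.Bus owner may run unconfined here — TODO confirm`. Also, the `GetAll` rule writes `peer=(name=@{busname}, ...)` unquoted whereas the same variable appears as `name="@{busname}"` elsewhere in this commit; pick one form. A one-line description at the top, like the other new abstraction carries, would help too: `# Allow querying the accessibility bus address via org.a11y.Bus on the session bus`.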