profile(abs): rewrite the way we manage accessibility

- Add some missing dbus access
- Split bus access in abstractions
- Use trough the new accessibility abs.

apparmor.d/abstractions/accessibility

@@ -0,0 +1,15 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow communication with Assistive Technology Service Provider Interface (AT-SPI
+
+  abi <abi/4.0>,
+
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus/accessibility/org.a11y>
+  include <abstractions/bus/session/org.a11y>
+
+  include if exists <abstractions/accessibility.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/accessibility/org.a11y

@@ -0,0 +1,65 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017 Canonical Ltd
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  # Allow the accessibility services in the user session to send us any events
+
+  dbus receive bus=accessibility
+       peer=(label="@{p_at_spi2_registryd}"),
+
+  # Allow querying for capabilities and registering
+
+  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.a11y.atspi.Socket
+       member=Embed
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/registry
+       interface=org.a11y.atspi.Registry
+       member=GetRegisteredEvents
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+       interface=org.a11y.atspi.DeviceEventController
+       member={GetKeystrokeListeners,GetDeviceEventListeners}
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+       interface=org.a11y.atspi.DeviceEventController
+       member=NotifyListenersSync
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+  # org.a11y.atspi is not designed for application isolation and these rules
+  # can be used to send change events for other processes.
+
+  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.a11y.atspi.Event.Object
+       member=ChildrenChanged
+       peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.a11y.atspi.Accessible
+       member=Get*
+       peer=(label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
+       interface=org.a11y.atspi.Event.Object
+       member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}
+       peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
+       interface=org.freedesktop.DBus.Properties
+       member={Get,GetAll}
+       peer=(label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/cache
+       interface=org.a11y.atspi.Cache
+       member={AddAccessible,RemoveAccessible}
+       peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+  include if exists <abstractions/bus/accessibility/org.a11y.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.a11y

@@ -1,63 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  # Accessibility bus
-
-  dbus receive bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=EventListenerDeregistered
-       peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
-
-  dbus send bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=GetRegisteredEvents
-       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
-
-  dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
-       interface=org.a11y.atspi.DeviceEventController
-       member={GetKeystrokeListeners,GetDeviceEventListeners}
-       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
-
-  dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.freedesktop.DBus.Properties
-       member=Set
-       peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
-
-  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.a11y.atspi.Socket
-       member=Embed
-       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
-
-  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.a11y.atspi.Socket
-       member=Embed
-       peer=(name=org.a11y.atspi.Registry),
-
-  # Session bus
-
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
-
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.freedesktop.DBus.Properties
-       member=Get
-       peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
-
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=Get
-       peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
-
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=GetAddress
-       peer=(name=org.a11y.Bus),
-
-  include if exists <abstractions/bus/org.a11y.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.a11y

@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/org/a11y/bus
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
+
+  dbus send bus=session path=/org/a11y/bus
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
+
+  dbus send bus=session path=/org/a11y/bus
+       interface=org.a11y.Bus
+       member=Get
+       peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
+
+  dbus send bus=session path=/org/a11y/bus
+       interface=org.a11y.Bus
+       member=GetAddress
+       peer=(name=org.a11y.Bus),
+
+  include if exists <abstractions/bus/session/org.a11y.d>
+
+# vim:syntax=apparmor