From 156cce5362ab7914c8bddd0ead505e9281c9bcab Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 25 Sep 2024 00:48:42 +0100
Subject: [PATCH] feat(profile): restrict dbus in dbus

even dbus-* profiles do not need access to the full bus.
---
 apparmor.d/groups/bus/dbus-accessibility | 3 +--
 apparmor.d/groups/bus/dbus-session | 2 +-
 apparmor.d/groups/bus/dbus-system | 2 +-
 apparmor.d/tunables/multiarch.d/system | 2 +-
 4 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility
index 1c5f8cd30..0f43955e8 100644
--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@@ -25,8 +25,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
   signal (receive) set=(term hup kill) peer=dbus-session,
   signal (receive) set=(term hup kill) peer=gdm{,-session-worker},
-  dbus bus=accessibility,
-
+  #aa:dbus own bus=accessibility name=org.freedesktop.DBus
   #aa:dbus own bus=session name=org.a11y.{B,b}us
   dbus receive bus=session
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index fa6305055..99467d9f5 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@@ -29,7 +29,7 @@ profile dbus-session flags=(attach_disconnected) {
   signal (send) set=(term hup kill) peer=dconf-service,
   signal (send) set=(term hup kill) peer=xdg-*,
-  dbus bus=session,
+  #aa:dbus own bus=session name=org.freedesktop.DBus
   @{exec_path} mrix,
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index f532bb29b..d6c92bae1 100644
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@@ -32,7 +32,7 @@ profile dbus-system flags=(attach_disconnected) {
   ptrace (read) peer=@{p_systemd},
-  dbus bus=system,
+  #aa:dbus own bus=system name=org.freedesktop.DBus
   @{exec_path} mrix,
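Review bot: The new `#aa:dbus own bus=accessibility name=org.freedesktop.DBus` directive carries no explanation of why the bus daemon itself now needs nothing beyond the bus-driver name, so the next person who sees a dbus denial for this profile will be tempted to put `dbus bus=accessibility,` back; a comment above the directive along the lines of `# The daemon only owns the bus driver name; what clients may do on the bus is mediated by their own profiles.` would carry the rationale the commit message gives into the profile. The same applies to the dbus-session and dbus-system hunks, which make the identical replacement. Since `#aa:dbus own` is expanded by the project's build tooling rather than read by the AppArmor parser, the generated rules are presumably a bind plus send/receive set — worth confirming that they cover the daemon's actual traffic on an enforced system, where `apparmor="DENIED"` audit entries of class dbus for these three profiles after this change would be the signal that the narrowing went too far. The `dbus receive bus=session` rule on the last line is the start of a multi-line rule that continues outside the hunk, and the profile body begins and ends outside it as well.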
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index d51ede6ca..95e42888c 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -120,7 +120,7 @@
 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511
 
 # Dbus unique name
-@{busname}=:1.@{u16}
+@{busname}=:1.@{u16} :not.active.yet
 
 # Common architecture names
 @{arch}=x86_64 amd64 i386 i686
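Review bot: The new `:not.active.yet` alternative in `@{busname}` is unexplained, and because it is a tunable it silently widens every rule elsewhere that matches peers through `@{busname}`, so the reason belongs next to the value; the existing `# Dbus unique name` comment could become `# Dbus unique name; :not.active.yet is the placeholder the daemon reports for a connection that has not yet completed Hello (confirm against the dbus-daemon source)`. Any rule using `@{busname}` in a peer name will now also admit messages from connections that have no real `:1.N` name yet, which is probably the intent here, but neither the commit message nor the tunable says so and a reviewer reading `@{u16}` alone would not guess it. The commit message only mentions the dbus-* profiles; a sentence on why the tunable had to change would make the link between the two halves of this patch explicit.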