feat(tunable): add p_dbus_* variables.

This allow for better integration for system when dbus is not confined.
2024-11-13 12:23:36 +00:00 · 2024-11-13 12:23:36 +00:00 · 24ea5f0a3a
commit 24ea5f0a3a
parent 7c148fca95
33 changed files with 47 additions and 42 deletions
--- a/apparmor.d/abstractions/bus-accessibility
+++ b/apparmor.d/abstractions/bus-accessibility
@ -7,12 +7,12 @@
  dbus send bus=accessibility path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
  dbus send bus=accessibility path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
  owner @{run}/user/@{uid}/at-spi/ rw,
  owner @{run}/user/@{uid}/at-spi/bus rw,
--- a/apparmor.d/abstractions/bus-session
+++ b/apparmor.d/abstractions/bus-session
@ -11,12 +11,12 @@
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,
--- a/apparmor.d/abstractions/bus-system
+++ b/apparmor.d/abstractions/bus-system
@ -7,12 +7,12 @@
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{run}/dbus/system_bus_socket rw,
--- a/apparmor.d/abstractions/bus/org.a11y
+++ b/apparmor.d/abstractions/bus/org.a11y
@ -36,7 +36,7 @@
  dbus send bus=session path=/org/a11y/bus
       interface=org.a11y.Bus
       member=GetAddress
-       peer=(name=org.a11y.Bus, label=dbus-accessibility),
+       peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
  dbus send bus=session path=/org/a11y/bus
       interface=org.a11y.Bus
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -138,7 +138,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetConnectionUnixUser
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{bin}/**                         Px,
  @{lib}/**                         Px,
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -43,7 +43,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus/Bus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixProcessID,GetConnectionUnixUser}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  dbus send bus=system
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/bus/at-spi2-registryd
+++ b/apparmor.d/groups/bus/at-spi2-registryd
@ -20,7 +20,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
  signal receive set=hup  peer=gdm-session-worker,
  #aa:dbus own bus=accessibility name=org.a11y.atspi
-  #aa:dbus talk bus=session name=org.a11y.{B,b}us label=dbus-accessibility
+  #aa:dbus talk bus=session name=org.a11y.{B,b}us label="@{p_dbus_accessibility}"
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
@ -28,7 +28,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@ -25,7 +25,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mrix,
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@ -29,7 +29,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -28,7 +28,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@ -26,7 +26,7 @@ profile pipewire-media-session @{exec_path} {
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetConnectionUnixProcessID
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@ -26,7 +26,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -47,7 +47,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@ -40,7 +40,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixProcessID,GetConnectionUnixUser}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -38,14 +38,14 @@ profile gnome-extension-ding @{exec_path} {
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus*
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus*
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  dbus send bus=session path=/org/gtk/vfs/metadata
       interface=org.gtk.vfs.Metadata
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -37,7 +37,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment}
-       peer=(name=org.freedesktop.DBus label=dbus-session),
+       peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"),
  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -112,22 +112,22 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  # Session bus
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus.Properties
       member=GetAll
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/
       interface=org.freedesktop.DBus
       member={GetConnectionUnixProcessID,GetNameOwner,ListNames}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
       interface=org.a11y.atspi.Socket
@ -161,7 +161,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  dbus send bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/org/gnome/*/SearchProvider
      interface=org.gnome.Shell.SearchProvider2
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@ -43,7 +43,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  dbus send bus=session path=/
       interface=org.freedesktop.DBus
       member=ListNames
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/org/gnome/SettingsDaemon/Power
       interface=org.freedesktop.DBus.Properties
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@ -41,7 +41,7 @@ profile gsd-xsettings @{exec_path} {
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetId
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -43,12 +43,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=ListActivatableNames
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/org/freedesktop/dbus
       interface=org.freedesktop.DBus
       member=NameHasOwner
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -70,7 +70,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/ssh/ssh-agent-launch
+++ b/apparmor.d/groups/ssh/ssh-agent-launch
@ -27,7 +27,7 @@ profile ssh-agent-launch @{exec_path} {
    dbus send bus=session path=/org/freedesktop/DBus
         interface=org.freedesktop.DBus
         member=UpdateActivationEnvironment
-         peer=(name=org.freedesktop.DBus, label=dbus-session),
+         peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
    dbus send bus=session path=/org/freedesktop/systemd1
         interface=org.freedesktop.systemd1.Manager
--- a/apparmor.d/groups/systemd/busctl
+++ b/apparmor.d/groups/systemd/busctl
@ -33,7 +33,7 @@ profile busctl @{exec_path} {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus.Monitoring
       member=BecomeMonitor
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -25,7 +25,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetConnectionUnixUser
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -43,7 +43,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@ -34,7 +34,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -42,7 +42,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  dbus send bus=system path=/org/freedesktop/UDisks2/Manager
       interface=org.freedesktop.UDisks2.Manager
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@ -43,7 +43,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
--- a/apparmor.d/profiles-m-r/rtkit-daemon
+++ b/apparmor.d/profiles-m-r/rtkit-daemon
@ -26,7 +26,7 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@ -67,7 +67,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
--- a/apparmor.d/tunables/multiarch.d/profiles
+++ b/apparmor.d/tunables/multiarch.d/profiles
@ -11,4 +11,9 @@
@{p_systemd}=unconfined
@{p_systemd_user}=unconfined
 # Name of the dbus daemon profiles
@{p_dbus_system}=dbus-system
@{p_dbus_session}=dbus-session
@{p_dbus_accessibility}=dbus-accessibility
 # vim:syntax=apparmor
--- a/docs/development/guidelines.md
+++ b/docs/development/guidelines.md
@ -85,7 +85,7 @@ For DBus, try to determine peer's label when possible. E.g.:
 dbus send bus=session path=/org/freedesktop/DBus
     interface=org.freedesktop.DBus
     member={RequestName,ReleaseName}
-     peer=(name=org.freedesktop.DBus, label=dbus-session),
+     peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 ```
 If there is no predictable label it can be omitted.