feat(abs): rewrite the avahi abs, add avahi-observe

2025-09-14 13:06:06 +02:00 · 2025-09-14 13:06:06 +02:00 · 2ceaa16d9a
commit 2ceaa16d9a
parent 962b372390
30 changed files with 267 additions and 71 deletions
--- a/apparmor.d/groups/avahi/avahi-browse
+++ b/apparmor.d/groups/avahi/avahi-browse
@ -11,14 +11,10 @@ include <tunables/global>
 profile avahi-browse @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.Avahi>
+  include <abstractions/bus/system/org.freedesktop.Avahi.Server>
+  include <abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser>
  include <abstractions/consoles>

-  dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int}
-       interface=org.freedesktop.Avahi.ServiceTypeBrowser
-       member={ItemNew,AllForNow,CacheExhausted}
-       peer=(name=:*, label="@{p_avahi_daemon}"),
-
  @{exec_path} mr,

  @{lib}/@{multiarch}/avahi/service-types.db rwk,
--- a/apparmor.d/groups/avahi/avahi-resolve
+++ b/apparmor.d/groups/avahi/avahi-resolve
@ -11,19 +11,11 @@ include <tunables/global>
 profile avahi-resolve @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.Avahi>
+  include <abstractions/bus/system/org.freedesktop.Avahi.AddressResolver>
+  include <abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver>
+  include <abstractions/bus/system/org.freedesktop.Avahi.Server>
  include <abstractions/consoles>

-  dbus send bus=system path=/Client@{int}/AddressResolver@{int}
-       interface=org.freedesktop.Avahi.AddressResolver
-       member={Free,HostNameResolverNew}
-       peer=(name=:*, label="@{p_avahi_daemon}"),
-
-  dbus receive bus=system path=/Client@{int}/AddressResolver@{int}
-       interface=org.freedesktop.Avahi.AddressResolver
-       member={Failure,Found}
-       peer=(name=:*, label="@{p_avahi_daemon}"),
-
  @{exec_path} mr,

  include if exists <local/avahi-resolve>
--- a/apparmor.d/groups/avahi/avahi-set-host-name
+++ b/apparmor.d/groups/avahi/avahi-set-host-name
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/4.0>,
@ -9,6 +10,8 @@ include <tunables/global>
@{exec_path} = @{bin}/avahi-set-host-name
 profile avahi-set-host-name @{exec_path} {
  include <abstractions/base>
+  include <abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver>
+  include <abstractions/bus/system/org.freedesktop.Avahi.Server>
  include <abstractions/consoles>

  @{exec_path} mr,
--- a/apparmor.d/groups/cups/cups-backend-dnssd
+++ b/apparmor.d/groups/cups/cups-backend-dnssd
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/cups/backend/dnssd
 profile cups-backend-dnssd @{exec_path} {
  include <abstractions/base>
-  include <abstractions/bus/org.freedesktop.Avahi>
+  include <abstractions/bus/system/org.freedesktop.Avahi.Server>

  @{exec_path} mr,

--- a/apparmor.d/groups/cups/cups-browsed
+++ b/apparmor.d/groups/cups/cups-browsed
@ -10,8 +10,10 @@ include <tunables/global>
 profile cups-browsed @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.NetworkManager>
+  include <abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser>
+  include <abstractions/bus/system/org.freedesktop.Avahi.Server>
+  include <abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser>
  include <abstractions/cups-client>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
--- a/apparmor.d/groups/cups/cupsd
+++ b/apparmor.d/groups/cups/cupsd
@ -11,7 +11,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.Avahi>
+  include <abstractions/bus/system/org.freedesktop.Avahi.Server>
  include <abstractions/bus/system/org.freedesktop.ColorManager>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
--- a/apparmor.d/groups/cups/ippfind
+++ b/apparmor.d/groups/cups/ippfind
@ -10,7 +10,7 @@ include <tunables/global>
 profile ippfind @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.Avahi>
+  include <abstractions/bus/system/org.freedesktop.Avahi.Server>

  @{exec_path} mr,

--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@ -11,8 +11,9 @@ include <tunables/global>
 profile colord @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
+  include <abstractions/bus/system/org.freedesktop.Avahi.Server>
+  include <abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser>
  include <abstractions/devices-usb>
  include <abstractions/mime>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@ -11,9 +11,10 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/bus/fi.w1.wpa_supplicant1>
-  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.ModemManager1>
  include <abstractions/bus/org.freedesktop.NetworkManager>
+  include <abstractions/bus/system/org.freedesktop.Avahi.Server>
+  include <abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser>
  include <abstractions/consoles>
  include <abstractions/gschemas>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -14,10 +14,12 @@ profile pulseaudio @{exec_path} {
  include <abstractions/audio-server>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
-  include <abstractions/bus/org.bluez>
-  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.hostname1>
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
+  include <abstractions/bus/org.bluez>
+  include <abstractions/bus/system/org.freedesktop.Avahi.Server>
+  include <abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser>
+  include <abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver>
  include <abstractions/camera>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
@ -49,26 +51,11 @@ profile pulseaudio @{exec_path} {
       member=Introspect
       peer=(name=:*, label=gnome-shell),

-  dbus receive bus=system path=/Client@{int}/ServiceResolver@{int}
-       interface=org.freedesktop.Avahi.ServiceResolver
-       member=Found
-       peer=(name=:*, label="@{p_avahi_daemon}"),
-
-  dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
-       interface=org.freedesktop.Avahi.ServiceBrowser
-       member=ItemRemove
-       peer=(name=:*, label="@{p_avahi_daemon}"),
-
  dbus send bus=system path=/
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name=org.bluez),

-  dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
-       interface=org.freedesktop.Avahi.ServiceResolver
-       member={Found,Free}
-       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
-
  @{exec_path} mrix,

  @{lib}/pulse/gsettings-helper rix,
--- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy
+++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
@ -14,7 +14,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
-  include <abstractions/bus/org.freedesktop.Avahi>
+  include <abstractions/bus/system/org.freedesktop.Avahi.Server>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/user-download-strict>
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -10,11 +10,11 @@ include <tunables/global>
 profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio-client>
+  include <abstractions/avahi-observe>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
-  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/camera>
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper
+++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
@ -9,11 +9,11 @@ include <tunables/global>
@{exec_path} = @{lib}/gnome-control-center-goa-helper
 profile gnome-control-center-goa-helper @{exec_path} {
  include <abstractions/base>
+  include <abstractions/avahi-observe>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
-  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@ -9,11 +9,14 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-print-notifications
 profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.gnome.SessionManager>
+  include <abstractions/bus/session/org.gnome.SessionManager>
+  include <abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser>
+  include <abstractions/bus/system/org.freedesktop.Avahi.Server>
+  include <abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser>
+  include <abstractions/consoles>
  include <abstractions/cups-client>
  include <abstractions/nameservice-strict>

@ -38,24 +41,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
       member=Introspect
       peer=(name=@{busname}, label=gnome-shell),

-  dbus send bus=system path=/
-       interface=org.freedesktop.Avahi.Server
-       member=RecordBrowserNew
-       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
-  dbus send bus=system path=/Client@{int}/RecordBrowser@{int}
-       interface=org.freedesktop.Avahi.RecordBrowser
-       member=Free
-       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
-
-  dbus receive bus=system path=/Client@{int}/RecordBrowser@{int}
-       interface=org.freedesktop.Avahi.RecordBrowser
-       member={CacheExhausted,ItemNew}
-       peer=(name=@{busname}, label=avahi-daemon),
-  dbus receive bus=system path=/Client4/RecordBrowser3
-       interface=org.freedesktop.Avahi.RecordBrowser
-       member=ItemNew
-       peer=(name=@{busname}, label=avahi-daemon),
-
  @{exec_path} mr,
  @{lib}/gsd-printer rPx,

--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@ -9,11 +9,11 @@ include <tunables/global>
@{exec_path} = @{bin}/seahorse
 profile seahorse @{exec_path} {
  include <abstractions/base>
+  include <abstractions/avahi-observe>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
-  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
--- a/apparmor.d/groups/gvfs/gvfsd-dnssd
+++ b/apparmor.d/groups/gvfs/gvfsd-dnssd
@ -12,9 +12,10 @@ profile gvfsd-dnssd @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.gtk.vfs.Daemon>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/bus/system/org.freedesktop.Avahi.Server>
+  include <abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser>

  #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd