refractor(abs): reorganize dbus abstraction (2)

- new upower-observe abstraction

apparmor.d/abstractions/app/chromium

@@ -27,13 +27,11 @@
   include <abstractions/audio-client>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
-  include <abstractions/bus/org.bluez>
+  include <abstractions/bus/system/org.bluez>
   include <abstractions/bus/org.freedesktop.Avahi>
   include <abstractions/bus/org.freedesktop.FileManager1>
-  include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
   include <abstractions/bus/org.gnome.SessionManager>
-  include <abstractions/bus/org.kde.kwalletd>
   include <abstractions/camera>
   include <abstractions/common/chromium>
   include <abstractions/dconf-write>
@@ -48,6 +46,7 @@
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/uim>
+  include <abstractions/upower-observe>
   include <abstractions/user-download-strict>
   include <abstractions/user-read-strict>
 

apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1

@@ -11,6 +11,6 @@
        member=GetSupportedTypes
        peer=(name="@{busname}", label="@{p_file_roller}"),
 
-  include if exists <abstractions/bus/org.gnome.ArchiveManager1.d>
+  include if exists <abstractions/bus/session/org.gnome.ArchiveManager1.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2

@@ -6,6 +6,6 @@
 
   #aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus
 
-  include if exists <abstractions/bus/org.gnome.Nautilus.FileOperations2.d>
+  include if exists <abstractions/bus/session/org.gnome.Nautilus.FileOperations2.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager

@@ -15,7 +15,7 @@
 
   dbus send bus=system path=/org/freedesktop/ColorManager
        interface=org.freedesktop.ColorManager
-       member=CreateDevice
+       member={CreateProfile,CreateDevice,DeleteDevice}
        peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"),
 
   dbus receive bus=system path=/org/freedesktop/ColorManager
@@ -28,6 +28,6 @@
        member={FindDeviceByProperty,FindDeviceById}
        peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"),
 
-  include if exists <abstractions/bus/org.freedesktop.ColorManager.d>
+  include if exists <abstractions/bus/system/org.freedesktop.ColorManager.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/system/org.freedesktop.UPower

@@ -29,6 +29,6 @@
        member={DeviceAdded,DeviceRemoved}
        peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"),
 
-  include if exists <abstractions/bus/org.freedesktop.UPower.d>
+  include if exists <abstractions/bus/system/org.freedesktop.UPower.d>
 
 # vim:syntax=apparmor

apparmor.d/groups/cups/cupsd

@@ -12,7 +12,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/authentication>
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.Avahi>
-  include <abstractions/bus/org.freedesktop.ColorManager>
+  include <abstractions/bus/system/org.freedesktop.ColorManager>
   include <abstractions/nameservice-strict>
   include <abstractions/python>
 
@@ -46,15 +46,6 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
 
   signal (send) set=(term) peer=cups-notifier-dbus,
 
-  dbus send bus=system path=/org/freedesktop/ColorManager
-       interface=org.freedesktop.ColorManager
-       member=DeleteDevice
-       peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"),
-  dbus send bus=system path=/org/freedesktop/ColorManager
-       interface=org.freedesktop.ColorManager
-       member=FindDeviceById
-       peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"),
-
   @{exec_path} mr,
 
   @{sh_path}                 rix,

apparmor.d/groups/freedesktop/upower

@@ -13,7 +13,7 @@ profile upower @{exec_path} {
   include <abstractions/bus-system>
   include <abstractions/consoles>
 
-  #aa:dbus own bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
+  #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
 
   @{exec_path} mr,
 

apparmor.d/groups/freedesktop/wireplumber

@@ -15,11 +15,12 @@ profile wireplumber @{exec_path} {
   include <abstractions/bus/org.bluez>
   include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
   include <abstractions/bus/org.freedesktop.RealtimeKit1>
-  include <abstractions/bus/org.freedesktop.UPower>
+  include <abstractions/bus/system/org.bluez.ProfileManager1>
   include <abstractions/camera>
   include <abstractions/devices-usb>
   include <abstractions/media-control>
   include <abstractions/nameservice-strict>
+  include <abstractions/upower-observe>
 
   network bluetooth raw,
   network bluetooth seqpacket,

apparmor.d/groups/gnome/gnome-extension-ding

@@ -19,8 +19,8 @@ profile gnome-extension-ding @{exec_path} {
   include <abstractions/bus/net.hadess.SwitcherooControl>
   include <abstractions/bus/org.a11y>
   include <abstractions/bus/org.freedesktop.FileManager1>
-  include <abstractions/bus/org.gnome.ArchiveManager1>
+  include <abstractions/bus/session/org.gnome.ArchiveManager1>
-  include <abstractions/bus/org.gnome.Nautilus.FileOperations2>
+  include <abstractions/bus/session/org.gnome.Nautilus.FileOperations2>
   include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
   include <abstractions/bus/org.gtk.vfs.Daemon>
   include <abstractions/bus/org.gtk.vfs.Metadata>

apparmor.d/groups/gnome/gnome-shell

@@ -28,7 +28,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/bus/org.freedesktop.RealtimeKit1>
   include <abstractions/bus/org.freedesktop.systemd1>
-  include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/bus/org.gnome.keyring.internal.Prompter>
   include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
   include <abstractions/camera>
@@ -45,6 +44,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/secrets-service>
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
+  include <abstractions/upower-observe>
 
   capability sys_nice,
   capability sys_ptrace,
@@ -73,17 +73,25 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   #aa:dbus own bus=session name=com.canonical.{U,u}nity
   #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu}
+  #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting
   #aa:dbus own bus=session name=com.rastersoft.dingextension
   #aa:dbus own bus=session name=org.ayatana.NotificationItem
   #aa:dbus own bus=session name=org.freedesktop.a11y.Manager
+  #aa:dbus own bus=session name=org.gnome.Shell
   #aa:dbus own bus=session name=org.gtk.Actions path=/**
   #aa:dbus own bus=session name=org.gtk.MountOperationHandler
   #aa:dbus own bus=session name=org.gtk.Notifications
+  #aa:dbus own bus=session name=org.kde.StatusNotifierItem path=/
   #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher
-  #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting
+
 
   # Talk with gnome-shell
 
+  # The strategy with dbus rules in this profile is first to declare all communications
+  # needed on buses and to limit them only to their profiles in apparmor.d. As such,
+  # only dbus directive is used for this. Later, some communications could be
+  # restricted.
+
   #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
   #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd
   #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
@@ -95,6 +103,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
   #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs
+  #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy
   #aa:dbus talk bus=session name=org.gnome.* label=gnome-*
   #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=*
   #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus
@@ -102,7 +111,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-*
   #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
 
-
   # Session bus
 
   dbus send bus=session path=/org/gnome/**

apparmor.d/groups/gnome/gsd-media-keys

@@ -16,7 +16,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.a11y>
   include <abstractions/bus/org.freedesktop.hostname1>
   include <abstractions/bus/org.freedesktop.login1>
-  include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
   include <abstractions/bus/org.gnome.SessionManager>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
@@ -26,6 +25,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
   include <abstractions/fontconfig-cache-write>
   include <abstractions/gnome-strict>
   include <abstractions/nameservice-strict>
+  include <abstractions/upower-observe>
 
   signal (receive) set=(term, hup) peer=gdm*,
 

apparmor.d/groups/gnome/gsd-power

@@ -20,7 +20,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.freedesktop.login1>
   include <abstractions/bus/org.freedesktop.systemd1>
   include <abstractions/bus/org.freedesktop.UPower.PowerProfiles>
-  include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
   include <abstractions/bus/org.gnome.SessionManager>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
@@ -31,6 +30,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
   include <abstractions/nameservice-strict>
   include <abstractions/notifications>
   include <abstractions/screensaver>
+  include <abstractions/upower-observe>
 
   network inet stream,
   network netlink raw,

apparmor.d/groups/gnome/localsearch

@@ -11,7 +11,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
   include <abstractions/bus/org.gtk.vfs.Daemon>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
@@ -24,6 +23,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) {
   include <abstractions/gstreamer>
   include <abstractions/nameservice-strict>
   include <abstractions/sqlite>
+  include <abstractions/upower-observe>
 
   network netlink raw,
 

apparmor.d/groups/gnome/tracker-miner

@@ -11,7 +11,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
   include <abstractions/bus/org.gtk.vfs.Daemon>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
@@ -24,6 +23,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
   include <abstractions/media-control>
   include <abstractions/nameservice-strict>
   include <abstractions/sqlite>
+  include <abstractions/upower-observe>
 
   network netlink raw,
 

apparmor.d/groups/kde/kde-powerdevil

@@ -17,11 +17,11 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
   include <abstractions/bus/org.a11y>
   include <abstractions/bus/org.freedesktop.login1>
   include <abstractions/bus/org.freedesktop.NetworkManager>
-  include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/graphics>
   include <abstractions/kde-strict>
   include <abstractions/nameservice-strict>
+  include <abstractions/upower-observe>
 
   capability wake_alarm,
 

apparmor.d/groups/kde/kscreenlocker_greet

@@ -13,15 +13,15 @@ profile kscreenlocker_greet @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.login1>
   include <abstractions/bus/org.freedesktop.login1.Session>
-  include <abstractions/bus/org.freedesktop.UPower>
+  include <abstractions/bus/org.freedesktop.login1>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/graphics>
   include <abstractions/kde-strict>
   include <abstractions/nameservice-strict>
   include <abstractions/qt5-compose-cache-write>
   include <abstractions/qt5-shader-cache>
+  include <abstractions/upower-observe>
 
   network netlink raw,
 

apparmor.d/groups/kde/plasmashell

@@ -18,7 +18,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
   include <abstractions/bus/org.freedesktop.login1>
   include <abstractions/bus/org.freedesktop.NetworkManager>
   include <abstractions/bus/org.freedesktop.UDisks2>
-  include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/consoles>
   include <abstractions/cups-client>
   include <abstractions/devices-usb>
@@ -31,6 +30,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
   include <abstractions/recent-documents-write>
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
+  include <abstractions/upower-observe>
 
   userns,
 

apparmor.d/groups/kde/sddm

@@ -14,12 +14,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/bus-session>
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.login1>
-  include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/graphics>
   include <abstractions/kde-strict>
   include <abstractions/nameservice-strict>
   include <abstractions/shells>
+  include <abstractions/upower-observe>
   include <abstractions/wutmp>
 
   capability audit_write,

apparmor.d/groups/kde/sddm-greeter

@@ -13,13 +13,13 @@ profile sddm-greeter @{exec_path} {
   include <abstractions/bus-session>
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.login1>
-  include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/fontconfig-cache-write>
   include <abstractions/graphics>
   include <abstractions/kde-strict>
   include <abstractions/nameservice-strict>
   include <abstractions/qt5-compose-cache-write>
   include <abstractions/qt5-shader-cache>
+  include <abstractions/upower-observe>
 
   network netlink raw,
 

apparmor.d/groups/ubuntu/update-manager

@@ -17,7 +17,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.freedesktop.login1>
   include <abstractions/bus/org.freedesktop.NetworkManager>
   include <abstractions/bus/org.freedesktop.portal.Desktop>
-  include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/common/apt>
   include <abstractions/consoles>
@@ -26,6 +25,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/nameservice-strict>
   include <abstractions/python>
   include <abstractions/ssl_certs>
+  include <abstractions/upower-observe>
 
   network inet dgram,
   network inet6 dgram,

apparmor.d/profiles-m-r/power-profiles-daemon

@@ -12,8 +12,8 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.login1>
   include <abstractions/bus/org.freedesktop.PolicyKit1>
-  include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/nameservice-strict>
+  include <abstractions/upower-observe>
 
   capability dac_read_search,
   capability net_admin,

apparmor.d/profiles-s-z/thermald

@@ -13,7 +13,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
   include <abstractions/bus/net.hadess.PowerProfiles>
-  include <abstractions/bus/org.freedesktop.UPower>
+  include <abstractions/upower-observe>
 
   capability sys_boot,