refractor(abs): reorganize dbus abstraction (2)

- new upower-observe abstraction
2025-09-13 23:52:37 +02:00 · 2025-09-13 23:52:37 +02:00 · 3c49755d18
commit 3c49755d18
parent 34aa208ec9
22 changed files with 37 additions and 38 deletions
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@ -27,13 +27,11 @@
  include <abstractions/audio-client>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
-  include <abstractions/bus/org.bluez>
+  include <abstractions/bus/system/org.bluez>
  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.FileManager1>
-  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
  include <abstractions/bus/org.gnome.SessionManager>
-  include <abstractions/bus/org.kde.kwalletd>
  include <abstractions/camera>
  include <abstractions/common/chromium>
  include <abstractions/dconf-write>
@ -48,6 +46,7 @@
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/uim>
+  include <abstractions/upower-observe>
  include <abstractions/user-download-strict>
  include <abstractions/user-read-strict>

--- a/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1
+++ b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1
@ -11,6 +11,6 @@
       member=GetSupportedTypes
       peer=(name="@{busname}", label="@{p_file_roller}"),

-  include if exists <abstractions/bus/org.gnome.ArchiveManager1.d>
+  include if exists <abstractions/bus/session/org.gnome.ArchiveManager1.d>

 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2
+++ b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2
@ -6,6 +6,6 @@

  #aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus

-  include if exists <abstractions/bus/org.gnome.Nautilus.FileOperations2.d>
+  include if exists <abstractions/bus/session/org.gnome.Nautilus.FileOperations2.d>

 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager
+++ b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager
@ -15,7 +15,7 @@

  dbus send bus=system path=/org/freedesktop/ColorManager
       interface=org.freedesktop.ColorManager
-       member=CreateDevice
+       member={CreateProfile,CreateDevice,DeleteDevice}
       peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"),

  dbus receive bus=system path=/org/freedesktop/ColorManager
@ -28,6 +28,6 @@
       member={FindDeviceByProperty,FindDeviceById}
       peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"),

-  include if exists <abstractions/bus/org.freedesktop.ColorManager.d>
+  include if exists <abstractions/bus/system/org.freedesktop.ColorManager.d>

 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower
+++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower
@ -29,6 +29,6 @@
       member={DeviceAdded,DeviceRemoved}
       peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"),

-  include if exists <abstractions/bus/org.freedesktop.UPower.d>
+  include if exists <abstractions/bus/system/org.freedesktop.UPower.d>

 # vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cupsd
+++ b/apparmor.d/groups/cups/cupsd
@ -12,7 +12,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/authentication>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.Avahi>
-  include <abstractions/bus/org.freedesktop.ColorManager>
+  include <abstractions/bus/system/org.freedesktop.ColorManager>
  include <abstractions/nameservice-strict>
  include <abstractions/python>

@ -46,15 +46,6 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {

  signal (send) set=(term) peer=cups-notifier-dbus,

-  dbus send bus=system path=/org/freedesktop/ColorManager
-       interface=org.freedesktop.ColorManager
-       member=DeleteDevice
-       peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"),
-  dbus send bus=system path=/org/freedesktop/ColorManager
-       interface=org.freedesktop.ColorManager
-       member=FindDeviceById
-       peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"),
-
  @{exec_path} mr,

  @{sh_path}                 rix,
--- a/apparmor.d/groups/freedesktop/upower
+++ b/apparmor.d/groups/freedesktop/upower
@ -13,7 +13,7 @@ profile upower @{exec_path} {
  include <abstractions/bus-system>
  include <abstractions/consoles>

-  #aa:dbus own bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
+  #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}"

  @{exec_path} mr,

--- a/apparmor.d/groups/freedesktop/wireplumber
+++ b/apparmor.d/groups/freedesktop/wireplumber
@ -15,11 +15,12 @@ profile wireplumber @{exec_path} {
  include <abstractions/bus/org.bluez>
  include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
-  include <abstractions/bus/org.freedesktop.UPower>
+  include <abstractions/bus/system/org.bluez.ProfileManager1>
  include <abstractions/camera>
  include <abstractions/devices-usb>
  include <abstractions/media-control>
  include <abstractions/nameservice-strict>
+  include <abstractions/upower-observe>

  network bluetooth raw,
  network bluetooth seqpacket,
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -19,8 +19,8 @@ profile gnome-extension-ding @{exec_path} {
  include <abstractions/bus/net.hadess.SwitcherooControl>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.FileManager1>
-  include <abstractions/bus/org.gnome.ArchiveManager1>
-  include <abstractions/bus/org.gnome.Nautilus.FileOperations2>
+  include <abstractions/bus/session/org.gnome.ArchiveManager1>
+  include <abstractions/bus/session/org.gnome.Nautilus.FileOperations2>
  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
  include <abstractions/bus/org.gtk.vfs.Daemon>
  include <abstractions/bus/org.gtk.vfs.Metadata>
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -28,7 +28,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
  include <abstractions/bus/org.freedesktop.systemd1>
-  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/bus/org.gnome.keyring.internal.Prompter>
  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
  include <abstractions/camera>
@ -45,6 +44,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/secrets-service>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
+  include <abstractions/upower-observe>

  capability sys_nice,
  capability sys_ptrace,
@ -73,17 +73,25 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  #aa:dbus own bus=session name=com.canonical.{U,u}nity
  #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu}
+  #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting
  #aa:dbus own bus=session name=com.rastersoft.dingextension
  #aa:dbus own bus=session name=org.ayatana.NotificationItem
  #aa:dbus own bus=session name=org.freedesktop.a11y.Manager
+  #aa:dbus own bus=session name=org.gnome.Shell
  #aa:dbus own bus=session name=org.gtk.Actions path=/**
  #aa:dbus own bus=session name=org.gtk.MountOperationHandler
  #aa:dbus own bus=session name=org.gtk.Notifications
+  #aa:dbus own bus=session name=org.kde.StatusNotifierItem path=/
  #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher
-  #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting
+

  # Talk with gnome-shell

+  # The strategy with dbus rules in this profile is first to declare all communications
+  # needed on buses and to limit them only to their profiles in apparmor.d. As such,
+  # only dbus directive is used for this. Later, some communications could be
+  # restricted.
+
  #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
  #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd
  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
@ -95,6 +103,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
  #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs
+  #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy
  #aa:dbus talk bus=session name=org.gnome.* label=gnome-*
  #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=*
  #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus
@ -102,7 +111,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-*
  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"

-
  # Session bus

  dbus send bus=session path=/org/gnome/**
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@ -16,7 +16,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.hostname1>
  include <abstractions/bus/org.freedesktop.login1>
-  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
@ -26,6 +25,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  include <abstractions/fontconfig-cache-write>
  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
+  include <abstractions/upower-observe>

  signal (receive) set=(term, hup) peer=gdm*,

--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@ -20,7 +20,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.systemd1>
  include <abstractions/bus/org.freedesktop.UPower.PowerProfiles>
-  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
@ -31,6 +30,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
  include <abstractions/nameservice-strict>
  include <abstractions/notifications>
  include <abstractions/screensaver>
+  include <abstractions/upower-observe>

  network inet stream,
  network netlink raw,
--- a/apparmor.d/groups/gnome/localsearch
+++ b/apparmor.d/groups/gnome/localsearch
@ -11,7 +11,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
  include <abstractions/bus/org.gtk.vfs.Daemon>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
@ -24,6 +23,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) {
  include <abstractions/gstreamer>
  include <abstractions/nameservice-strict>
  include <abstractions/sqlite>
+  include <abstractions/upower-observe>

  network netlink raw,

--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -11,7 +11,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
  include <abstractions/bus/org.gtk.vfs.Daemon>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
@ -24,6 +23,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
  include <abstractions/media-control>
  include <abstractions/nameservice-strict>
  include <abstractions/sqlite>
+  include <abstractions/upower-observe>

  network netlink raw,

--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@ -17,11 +17,11 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.NetworkManager>
-  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/kde-strict>
  include <abstractions/nameservice-strict>
+  include <abstractions/upower-observe>

  capability wake_alarm,

--- a/apparmor.d/groups/kde/kscreenlocker_greet
+++ b/apparmor.d/groups/kde/kscreenlocker_greet
@ -13,15 +13,15 @@ profile kscreenlocker_greet @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.login1.Session>
-  include <abstractions/bus/org.freedesktop.UPower>
+  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/kde-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5-compose-cache-write>
  include <abstractions/qt5-shader-cache>
+  include <abstractions/upower-observe>

  network netlink raw,

--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@ -18,7 +18,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.UDisks2>
-  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/consoles>
  include <abstractions/cups-client>
  include <abstractions/devices-usb>
@ -31,6 +30,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  include <abstractions/recent-documents-write>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
+  include <abstractions/upower-observe>

  userns,

--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@ -14,12 +14,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.login1>
-  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/kde-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/shells>
+  include <abstractions/upower-observe>
  include <abstractions/wutmp>

  capability audit_write,
--- a/apparmor.d/groups/kde/sddm-greeter
+++ b/apparmor.d/groups/kde/sddm-greeter
@ -13,13 +13,13 @@ profile sddm-greeter @{exec_path} {
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.login1>
-  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/graphics>
  include <abstractions/kde-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5-compose-cache-write>
  include <abstractions/qt5-shader-cache>
+  include <abstractions/upower-observe>

  network netlink raw,

--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@ -17,7 +17,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
-  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/common/apt>
  include <abstractions/consoles>
@ -26,6 +25,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/nameservice-strict>
  include <abstractions/python>
  include <abstractions/ssl_certs>
+  include <abstractions/upower-observe>

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@ -12,8 +12,8 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
-  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/nameservice-strict>
+  include <abstractions/upower-observe>

  capability dac_read_search,
  capability net_admin,
--- a/apparmor.d/profiles-s-z/thermald
+++ b/apparmor.d/profiles-s-z/thermald
@ -13,7 +13,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/bus/net.hadess.PowerProfiles>
-  include <abstractions/bus/org.freedesktop.UPower>
+  include <abstractions/upower-observe>

  capability sys_boot,