From 3f13aa77bfd668f3f36b615b39a2598f451b6024 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 26 Sep 2024 20:29:33 +0100
Subject: [PATCH] feat(profile): update some dbus rules.
---
 .../bus/org.freedesktop.NetworkManager | 14 ++------------
 .../abstractions/bus/org.freedesktop.UPower | 2 +-
 apparmor.d/groups/bus/dbus-session | 2 +-
 apparmor.d/groups/gnome/gnome-shell | 8 ++------
 apparmor.d/groups/gnome/nautilus | 5 -----
 apparmor.d/groups/gnome/yelp | 4 ++++
 apparmor.d/groups/gvfs/gvfsd-dnssd | 1 +
 apparmor.d/groups/ubuntu/update-manager | 1 +
 apparmor.d/groups/ubuntu/update-notifier | 19 +------------------
 apparmor.d/profiles-a-f/atril | 8 +-------
 10 files changed, 14 insertions(+), 50 deletions(-)
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
index 128f07fe5..61f27fca5 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
@@ -7,9 +7,9 @@
 member=GetManagedObjects
 peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
- dbus send bus=system path=/org/freedesktop/NetworkManager
+ dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}
 interface=org.freedesktop.DBus.Properties
- member=GetAll
+ member={Get,GetAll}
 peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
 dbus send bus=system path=/org/freedesktop/NetworkManager
@@ -27,16 +27,6 @@
 member=GetSettings
 peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
- dbus send bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
-
- dbus send bus=system path=/org/freedesktop/NetworkManager/Devices/@{int}
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
-
 dbus send bus=system path=/org/freedesktop/NetworkManager
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower
index 247e2ddda..148db02d7 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.UPower
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower
@@ -26,7 +26,7 @@
 member={Get,GetAll}
 peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
- dbus send bus=system path=/org/freedesktop/UPower/devices/*
+ dbus send bus=system path=/org/freedesktop/UPower{,/**}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index 99467d9f5..af961be6d 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@@ -29,7 +29,7 @@ profile dbus-session flags=(attach_disconnected) {
 signal (send) set=(term hup kill) peer=dconf-service,
 signal (send) set=(term hup kill) peer=xdg-*,
- #aa:dbus own bus=session name=org.freedesktop.DBus
+ #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/DBus}
 @{exec_path} mrix,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index db004062c..04f90e33a 100644
--- a/apparmor.d/groups/gnome/gnome-shell
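Review bot: The Introspect rule left as context at the end of this hunk still covers only `path=/org/freedesktop/NetworkManager`, while the first NetworkManager hunk folds the per-object Properties rules into `NetworkManager{,/**}` and the UPower hunk in the same commit widens its Introspect rule to `UPower{,/**}`. If consumers of this abstraction also introspect the Devices and ActiveConnection objects whose GetAll rules are removed here, the same form, `dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}` on the Introspectable rule, would keep the two abstractions consistent; if they do not, a one-line comment saying Introspect is intentionally root-only would stop the next reader from widening it. The peer stays pinned to `label=NetworkManager` either way, so the change is low risk in both directions.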
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -73,8 +73,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 #aa:dbus own bus=session name=org.gnome.Mutter
 #aa:dbus own bus=session name=org.gnome.Shell
- #aa:dbus own bus=session name=com.canonical.Unity path=/com/canonical/{U,u}nity
+ #aa:dbus own bus=session name=com.canonical.{U,u}nity
 #aa:dbus own bus=session name=com.rastersoft.dingextension
+ #aa:dbus own bus=session name=org.ayatana.NotificationItem
 #aa:dbus own bus=session name=org.gtk.Actions path=/**
 #aa:dbus own bus=session name=org.gtk.MountOperationHandler
 #aa:dbus own bus=session name=org.gtk.Notifications
@@ -133,11 +134,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 member=Embed
 peer=(name=org.a11y.atspi.Registry),
- dbus send bus=session path=/org/ayatana/NotificationItem/*
- interface=org.freedesktop.DBus.Properties
- member={Get,GetAll}
- peer=(name=:*, label=update-notifier),
-
 dbus receive bus=session path=/org/freedesktop/systemd1
 interface=org.freedesktop.systemd1.Manager
 member=JobRemoved
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index f9be02d9d..5704fa866 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -35,11 +35,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
 #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell
- dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus.Properties
- member={GetAll,ListActivatableNames}
- peer=(name=org.freedesktop.DBus, label=dbus-session),
-
 dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine
 interface=org.gtk.private.CommandLine
 member=Print
diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp
index 4da1fe736..fe9123e5b 100644
--- a/apparmor.d/groups/gnome/yelp
+++ b/apparmor.d/groups/gnome/yelp
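Review bot: The new `#aa:dbus own bus=session name=org.ayatana.NotificationItem` line in the first hunk declares gnome-shell the owner of a name it does not appear to bind: the rule removed in the second hunk shows gnome-shell as the client, sending `Properties.{Get,GetAll}` to `/org/ayatana/NotificationItem/*` at `peer=(name=:*, label=update-notifier)`, and the update-notifier hunk removes the matching `receive` rules for those objects. If `own` expands the way the surrounding `own` lines suggest, to a `dbus bind` on the name plus send/receive rules without a peer label, gnome-shell gains a bind it never requests and loses the `label=update-notifier` restriction the old rule carried, so the query would be allowed towards any session-bus peer serving that path. `#aa:dbus talk bus=session name=org.ayatana.NotificationItem label=update-notifier` looks like the closer replacement; if `own` is deliberate, a comment such as `# StatusNotifierItem objects live in the item process; gnome-shell only queries them` would record why.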
@@ -9,10 +9,14 @@ include
 @{exec_path} = @{bin}/yelp @{bin}/gnome-help
 profile yelp @{exec_path} {
 include
+ include
+ include
 include
 network netlink raw,
+ #aa:dbus own bus=session name=org.gnome.Yelp
+
 @{exec_path} mr,
 @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd
index b07cd070b..1bad8c349 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dnssd
+++ b/apparmor.d/groups/gvfs/gvfsd-dnssd
@@ -16,6 +16,7 @@ profile gvfsd-dnssd @{exec_path} {
 include
 #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd
+ #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker label=gvfsd
 dbus receive bus=session path=/org/gtk/vfs/Daemon
 interface=org.gtk.vfs.Daemon
diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager
index 2811b16e3..4a05ad8d7 100644
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@@ -19,6 +19,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index 0487399fa..cb33f6046 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -25,24 +25,7 @@ profile update-notifier @{exec_path} {
 unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user,
 #aa:dbus talk bus=system name=org.debian.apt label=apt
-
- dbus receive bus=session path=/org/ayatana/NotificationItem/software_update_available
- interface=org.freedesktop.DBus.Properties
- member={Get,GetAll}
- peer=(name=:*, label=gnome-shell),
-
- dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch{,/Menu}
- interface=org.freedesktop.DBus.Properties
- member=={Get,GetAll}
- peer=(name=:*, label=gnome-shell),
- dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch/Menu
- interface=com.canonical.dbusmenu
- member={AboutToShow,GetGroupProperties,GetLayout}
- peer=(name=:*, label=gnome-shell),
-
- dbus send bus=session path=/org/ayatana/NotificationItem/*
- interface=org.kde.StatusNotifierItem
- peer=(name=org.freedesktop.DBus, label=gnome-shell),
+ #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril
index 2163346cc..3b78d9c02 100644
--- a/apparmor.d/profiles-a-f/atril
+++ b/apparmor.d/profiles-a-f/atril
@@ -26,13 +26,7 @@ profile atril @{exec_path} {
 network netlink raw,
- dbus send bus=session path=/org/mate/atril/{,**}
- peer=(name=org.freedesktop.DBus, label=atrild), # all interfaces and members
-
- dbus send bus=session path=/org/mate/atril/Daemon
- interface=org.mate.atril.Daemon
- member={RegisterDocument,UnregisterDocument}
- peer=(name=org.mate.atril.Daemon), # no peer's labels
+ #aa:dbus talk bus=session name=org.mate.atril.Daemon label=atrild
 @{exec_path} mr,
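Review bot: The replacement `#aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell` drops the `com.canonical.dbusmenu` receive rule on `/org/ayatana/NotificationItem/livepatch/Menu` (`member={AboutToShow,GetGroupProperties,GetLayout}`) with no visible substitute; if the directive derives its interface from the name, that interface is no longer covered and the livepatch menu calls from gnome-shell would be denied rather than logged as a loose rule. Unless the expansion is known to include dbusmenu, keep that one explicit rule next to the directive, or add a comment stating where dbusmenu traffic is now allowed. The removed rules also show update-notifier as the server side of these objects (it receives from `label=gnome-shell`), so the derived path must match the object paths seen here, `/org/ayatana/NotificationItem/{software_update_available,livepatch{,/Menu}}`, which a short comment could confirm. The atril hunk makes the same kind of swap, collapsing `path=/org/mate/atril/{,**}` with all interfaces into a single `talk` on `org.mate.atril.Daemon`, and deserves the same interface and path check.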