felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): remove now automatically added internal dbus rules.

Browse source
This commit is contained in:
Alexandre Pujol 2025-03-23 13:40:45 +01:00
parent 85be9316e1
commit 41757ec4e4
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
20 changed files with 7 additions and 100 deletions
Download patch file Download diff file Expand all files Collapse all files

9
apparmor.d/groups/_full/systemd
View file

@ -145,10 +145,11 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
#aa:dbus own bus=system name=org.freedesktop.systemd1 #aa:dbus own bus=system name=org.freedesktop.systemd1
dbus send bus=system path=/org/freedesktop/DBus # For stacked profiles
interface=org.freedesktop.DBus #aa:dbus own bus=system name=org.freedesktop.network1
member=GetConnectionUnixUser #aa:dbus own bus=system name=org.freedesktop.oom1
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), #aa:dbus own bus=system name=org.freedesktop.resolve1
#aa:dbus own bus=system name=org.freedesktop.timesync1
@{bin}/** Px, @{bin}/** Px,
@{lib}/** Px, @{lib}/** Px,

5
apparmor.d/groups/apt/apt
View file

@ -52,11 +52,6 @@ profile apt @{exec_path} flags=(attach_disconnected) {
member=StateHasChanged member=StateHasChanged
peer=(name=org.freedesktop.PackageKit), peer=(name=org.freedesktop.PackageKit),
dbus send bus=system path=/org/freedesktop/DBus/Bus
interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
dbus send bus=system dbus send bus=system
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
member=Introspect member=Introspect

5
apparmor.d/groups/filesystem/udisksd
View file

@ -67,11 +67,6 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} rix,

5
apparmor.d/groups/freedesktop/accounts-daemon
View file

@ -25,11 +25,6 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=system name=org.freedesktop.Accounts #aa:dbus own bus=system name=org.freedesktop.Accounts
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
@{exec_path} mr, @{exec_path} mr,
@{bin}/adduser rPx, @{bin}/adduser rPx,

5
apparmor.d/groups/freedesktop/colord
View file

@ -22,11 +22,6 @@ profile colord @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=system name=org.freedesktop.ColorManager #aa:dbus own bus=system name=org.freedesktop.ColorManager
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
@{exec_path} mrix, @{exec_path} mrix,
/etc/machine-id r, /etc/machine-id r,

5
apparmor.d/groups/freedesktop/geoclue
View file

@ -27,11 +27,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=system name=org.freedesktop.GeoClue2 #aa:dbus own bus=system name=org.freedesktop.GeoClue2
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,

5
apparmor.d/groups/freedesktop/pipewire
View file

@ -25,11 +25,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=session name=org.pulseaudio.Server #aa:dbus own bus=session name=org.pulseaudio.Server
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
dbus receive bus=session dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
member=Introspect member=Introspect

5
apparmor.d/groups/freedesktop/pipewire-media-session
View file

@ -23,11 +23,6 @@ profile pipewire-media-session @{exec_path} {
network bluetooth stream, network bluetooth stream,
network netlink raw, network netlink raw,
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetConnectionUnixProcessID
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
dbus receive bus=session dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
member=Introspect member=Introspect

5
apparmor.d/groups/freedesktop/xdg-desktop-portal
View file

@ -44,11 +44,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
#aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
dbus receive bus=session dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
member=Introspect member=Introspect

5
apparmor.d/groups/gnome/gdm
View file

@ -37,11 +37,6 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
#aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} rix,

2
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -36,7 +36,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
dbus send bus=session path=/org/freedesktop/DBus dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment} member=UpdateActivationEnvironment
peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"), peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"),
dbus send bus=session path=/org/freedesktop/systemd1 dbus send bus=session path=/org/freedesktop/systemd1

11
apparmor.d/groups/gnome/gnome-shell
View file

@ -111,24 +111,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
member={RegisterWithCapabilities,Unregister} member={RegisterWithCapabilities,Unregister}
peer=(name=:*, label=NetworkManager), peer=(name=:*, label=NetworkManager),
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
# Session bus # Session bus
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
dbus send bus=session path=/org/freedesktop/DBus dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=GetAll
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
dbus send bus=session path=/ dbus send bus=session path=/
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetNameOwner,ListNames} member={GetNameOwner,ListNames}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root dbus send bus=accessibility path=/org/a11y/atspi/accessible/root

5
apparmor.d/groups/network/NetworkManager
View file

@ -72,11 +72,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
member=InterfacesAdded member=InterfacesAdded
peer=(name=org.freedesktop.DBus, label=nm-online), peer=(name=org.freedesktop.DBus, label=nm-online),
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} rix,

5
apparmor.d/groups/polkit/polkitd
View file

@ -23,11 +23,6 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=system name=org.freedesktop.PolicyKit1 #aa:dbus own bus=system name=org.freedesktop.PolicyKit1
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
@{exec_path} mr, @{exec_path} mr,
@{bin}/pkla-check-authorization rPUx, @{bin}/pkla-check-authorization rPUx,

5
apparmor.d/groups/systemd/systemd-hostnamed
View file

@ -22,11 +22,6 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=system name=org.freedesktop.hostname1 #aa:dbus own bus=system name=org.freedesktop.hostname1
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetConnectionUnixUser
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
@{exec_path} mr, @{exec_path} mr,
@{etc_rw}/.#hostname* rw, @{etc_rw}/.#hostname* rw,

5
apparmor.d/groups/systemd/systemd-logind
View file

@ -41,11 +41,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
member=Introspect member=Introspect
peer=(label=ksmserver-logout-greeter), peer=(label=ksmserver-logout-greeter),
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
@{exec_path} mr, @{exec_path} mr,
/etc/machine-id r, /etc/machine-id r,

5
apparmor.d/groups/systemd/systemd-resolved
View file

@ -31,11 +31,6 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=system name=org.freedesktop.resolve1 #aa:dbus own bus=system name=org.freedesktop.resolve1
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
@{exec_path} mr, @{exec_path} mr,
/etc/systemd/resolved.conf r, /etc/systemd/resolved.conf r,

5
apparmor.d/profiles-a-f/fwupd
View file

@ -40,11 +40,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
#aa:dbus own bus=system name=org.freedesktop.fwupd path=/ #aa:dbus own bus=system name=org.freedesktop.fwupd path=/
#aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
@{exec_path} mr, @{exec_path} mr,
@{lib}/fwupd/fwupd-detect-cet rix, @{lib}/fwupd/fwupd-detect-cet rix,

5
apparmor.d/profiles-m-r/packagekitd
View file

@ -40,11 +40,6 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=system name=org.freedesktop.PackageKit #aa:dbus own bus=system name=org.freedesktop.PackageKit
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
@{exec_path} mr, @{exec_path} mr,
@{bin}/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,

5
apparmor.d/profiles-m-r/rtkit-daemon
View file

@ -23,11 +23,6 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=system name=org.freedesktop.RealtimeKit1 #aa:dbus own bus=system name=org.freedesktop.RealtimeKit1
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
@{exec_path} mr, @{exec_path} mr,
# When applying policies to processes # When applying policies to processes