refractor(profile): add notification abs, move bus notifications.

2025-08-31 18:14:32 +02:00 · 2025-08-31 18:14:32 +02:00 · 458126e7d7
commit 458126e7d7
parent 5cc5a019d4
16 changed files with 47 additions and 39 deletions
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@ -25,7 +25,6 @@
  include <abstractions/bus/org.bluez>
  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.FileManager1>
-  include <abstractions/bus/org.freedesktop.Notifications>
  include <abstractions/bus/org.freedesktop.secrets>
  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
@ -38,6 +37,7 @@
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
+  include <abstractions/notifications>
  include <abstractions/screensaver>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
--- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
@ -1,26 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  #aa:dbus common bus=session name=org.freedesktop.Notifications label=gjs-console
-
-  dbus send bus=session path=/org/freedesktop/Notifications
-       interface=org.freedesktop.DBus.Properties
-       member={GetCapabilities,GetServerInformation,Notify}
-       peer=(name="@{busname}", label=gjs-console),
-
-  dbus receive bus=session path=/org/freedesktop/Notifications
-       interface=org.freedesktop.DBus.Properties
-       member={NotificationClosed,CloseNotification}
-       peer=(name="@{busname}", label=gjs-console),
-
-  dbus receive bus=session path=/org/freedesktop/Notifications
-       interface=org.freedesktop.DBus.Properties
-       member=Notify
-       peer=(name=org.freedesktop.DBus, label=gjs-console),
-
-  include if exists <abstractions/bus/org.freedesktop.Notifications.d>
-
-# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications
+++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications
@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  #aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}"
+
+  dbus send bus=session path=/org/freedesktop/Notifications
+       interface=org.freedesktop.Notifications
+       member={GetCapabilities,GetServerInformation,Notify,CloseNotification}
+       peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
+
+  dbus receive bus=session path=/org/freedesktop/Notifications
+       interface=org.freedesktop.Notifications
+       member={ActionInvoked,NotificationClosed,NotificationReplied}
+       peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
+
+  include if exists <abstractions/bus/org.freedesktop.Notifications.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/session/org.gtk.Notifications
+++ b/apparmor.d/abstractions/bus/session/org.gtk.Notifications
--- a/apparmor.d/abstractions/notifications
+++ b/apparmor.d/abstractions/notifications
@ -0,0 +1,12 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  include <abstractions/bus/org.freedesktop.Notifications>
+  include <abstractions/bus/org.gtk.Notifications>
+
+  include if exists <abstractions/notifications.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -19,7 +19,6 @@ profile gnome-extension-ding @{exec_path} {
  include <abstractions/bus/net.hadess.SwitcherooControl>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.FileManager1>
-  include <abstractions/bus/org.freedesktop.Notifications>
  include <abstractions/bus/org.gnome.ArchiveManager1>
  include <abstractions/bus/org.gnome.Nautilus.FileOperations2>
  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
@ -29,6 +28,7 @@ profile gnome-extension-ding @{exec_path} {
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
+  include <abstractions/notifications>

  unix (send,receive) type=stream addr=none peer=(label=gnome-shell),

--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -25,9 +25,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
  include <abstractions/bus/org.freedesktop.locale1>
  include <abstractions/bus/org.freedesktop.login1.Session>
-  include <abstractions/bus/org.freedesktop.Notifications>
  include <abstractions/bus/org.freedesktop.PackageKit>
-  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
  include <abstractions/bus/org.freedesktop.secrets>
@ -41,6 +39,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/gstreamer>
  include <abstractions/ibus>
  include <abstractions/nameservice-strict>
+  include <abstractions/notifications>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -13,11 +13,11 @@ profile gnome-software @{exec_path} {
  include <abstractions/bus/org.freedesktop.Accounts>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.gnome.Shell.SearchProvider2>
-  include <abstractions/bus/org.gtk.Notifications>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/common/gnome>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/nameservice-strict>
+  include <abstractions/notifications>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>

--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@ -18,7 +18,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.hostname1>
  include <abstractions/bus/org.freedesktop.login1.Session>
  include <abstractions/bus/org.freedesktop.login1>
-  include <abstractions/bus/org.freedesktop.Notifications>
  include <abstractions/bus/org.freedesktop.systemd1>
  include <abstractions/bus/org.freedesktop.UPower.PowerProfiles>
  include <abstractions/bus/org.freedesktop.UPower>
@ -30,6 +29,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
  include <abstractions/fontconfig-cache-write>
  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
+  include <abstractions/notifications>
  include <abstractions/screensaver>

  network inet stream,
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -14,13 +14,13 @@ profile update-notifier @{exec_path} {
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
-  include <abstractions/bus/org.freedesktop.Notifications>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/bus/org.kde.StatusNotifierWatcher>
  include <abstractions/common/apt>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
+  include <abstractions/notifications>
  include <abstractions/python>

  unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user,
--- a/apparmor.d/profiles-a-f/dropbox
+++ b/apparmor.d/profiles-a-f/dropbox
@ -16,11 +16,11 @@ include <tunables/global>
 profile dropbox @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
-  include <abstractions/bus/org.freedesktop.Notifications>
  include <abstractions/bus/org.kde.StatusNotifierWatcher>
  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/nameservice-strict>
+  include <abstractions/notifications>
  include <abstractions/python>
  include <abstractions/qt5-settings-write>
  include <abstractions/sqlite>
--- a/apparmor.d/profiles-a-f/filezilla
+++ b/apparmor.d/profiles-a-f/filezilla
@ -11,12 +11,12 @@ include <tunables/global>
 profile filezilla @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
-  include <abstractions/bus/org.freedesktop.Notifications>
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/nameservice-strict>
+  include <abstractions/notifications>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
--- a/apparmor.d/profiles-m-r/remmina
+++ b/apparmor.d/profiles-m-r/remmina
@ -16,7 +16,6 @@ profile remmina @{exec_path} {
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.hostname1>
-  include <abstractions/bus/org.freedesktop.Notifications>
  include <abstractions/bus/org.freedesktop.secrets>
  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
  include <abstractions/bus/org.kde.StatusNotifierWatcher>
@ -25,6 +24,7 @@ profile remmina @{exec_path} {
  include <abstractions/fontconfig-cache-read>
  include <abstractions/ibus>
  include <abstractions/nameservice-strict>
+  include <abstractions/notifications>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/user-download-strict>
--- a/apparmor.d/profiles-s-z/session-desktop
+++ b/apparmor.d/profiles-s-z/session-desktop
@ -17,9 +17,9 @@ profile session-desktop @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/bus-session>
-  include <abstractions/bus/org.freedesktop.Notifications>
  include <abstractions/bus/org.kde.StatusNotifierWatcher>
  include <abstractions/common/electron>
+  include <abstractions/notifications>
  include <abstractions/user-download-strict>

  network inet dgram,
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@ -19,8 +19,9 @@ profile spotify @{exec_path} flags=(attach_disconnected) {
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
+  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
-  include <abstractions/bus/org.freedesktop.Notifications>
+  include <abstractions/bus/org.bluez>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.freedesktop.secrets>
  include <abstractions/bus/org.gnome.SettingsDaemon.MediaKeys>
@ -30,6 +31,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/session/org.freedesktop.systemd1>
  include <abstractions/common/electron>
  include <abstractions/devices-usb-read>
+  include <abstractions/notifications>
  include <abstractions/screensaver>

  network inet dgram,
--- a/apparmor.d/profiles-s-z/transmission
+++ b/apparmor.d/profiles-s-z/transmission
@ -12,12 +12,12 @@ profile transmission @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
-  include <abstractions/bus/org.freedesktop.Notifications>
  include <abstractions/bus/org.kde.StatusNotifierWatcher>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
+  include <abstractions/notifications>
  include <abstractions/ssl_certs>
  include <abstractions/trash-strict>
  include <abstractions/user-download-strict>