feat(profile): dbus: Dbus can receive any user files

apparmor.d/groups/bus/dbus-session

@@ -18,6 +18,7 @@ profile dbus-session flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-session>
   include <abstractions/consoles>
+  include <abstractions/deny-sensitive-home>
   include <abstractions/nameservice-strict>
 
   network unix stream,
@@ -29,7 +30,7 @@ profile dbus-session flags=(attach_disconnected) {
   signal (send)    set=(term hup kill) peer=dconf-service,
   signal (send)    set=(term hup kill) peer=xdg-*,
 
-  #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/DBus}
+  #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{d,D}Bus}
 
   @{exec_path} mrix,
 
@@ -49,6 +50,9 @@ profile dbus-session flags=(attach_disconnected) {
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,
 
+  # Dbus can receive any user files
+  owner @{HOME}/** r,
+
   owner @{HOME}/.var/app/*/**/.ref rw,
   owner @{HOME}/.var/app/*/**/logs/* rw,
 

apparmor.d/groups/bus/dbus-system

@@ -15,8 +15,9 @@ include <tunables/global>
 @{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1{,.0}/dbus-daemon-launch-helper
 profile dbus-system flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/consoles>
   include <abstractions/bus-system>
+  include <abstractions/consoles>
+  include <abstractions/deny-sensitive-home>
   include <abstractions/nameservice-strict>
 
   capability audit_write,
@@ -53,6 +54,9 @@ profile dbus-system flags=(attach_disconnected) {
   @{user_share_dirs}/icc/ r,
   @{user_share_dirs}/icc/edid-@{hex32}.icc r,
 
+  # Dbus can receive any user files
+  @{HOME}/** r,
+
   @{run}/systemd/inhibit/@{int}.ref rw,
   @{run}/systemd/notify w,
   @{run}/systemd/sessions/*.ref rw,