diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 04be8d6f9..774169647 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -33,12 +33,17 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.Accounts.User - member={Changed,SetLanguage}, + member={Changed,SetLanguage,SetInputSources}, dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.DBus.Properties member=GetAll, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,GetConnectionUnixUser} + peer=(name=org.freedesktop.DBus), + dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member={FindUserByName,ListCachedUsers}, diff --git a/apparmor.d/groups/freedesktop/colord-sane b/apparmor.d/groups/freedesktop/colord-sane index 9223002a7..465b88a1d 100644 --- a/apparmor.d/groups/freedesktop/colord-sane +++ b/apparmor.d/groups/freedesktop/colord-sane @@ -17,11 +17,12 @@ profile colord-sane @{exec_path} flags=(attach_disconnected,complain) { network netlink raw, dbus (send,receive) bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager, + interface=org.freedesktop.{DBus.Properties,ColorManager}, dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member={GetAPIVersion,GetState,ServiceBrowserNew}, + interface=org.freedesktop.{DBus.Peer,Avahi.Server} + member={GetAPIVersion,GetState,ServiceBrowserNew,Ping} + peer=(name=org.freedesktop.Avahi), dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9] interface=org.freedesktop.Avahi.ServiceBrowser diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index af5198d5b..dd4bc64f3 100644 
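Review bot: `SetInputSources` is added to a `(send,receive)` rule, so accounts-daemon is now allowed to send that method call as well as receive it, although as the implementor of the `org.freedesktop.Accounts.User` objects it only needs to receive the method and to send the `Changed` signal. Splitting by direction keeps the allow-list honest: `dbus send ... member=Changed,` and `dbus receive ... member={SetLanguage,SetInputSources},` on the same path and interface. The new `org.freedesktop.DBus` rule with `peer=(name=org.freedesktop.DBus)` is the tighter form used elsewhere in this commit; the User rule would benefit from the same discipline. The enclosing profile continues outside this hunk.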
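Review bot: The rewritten Avahi rule braces two interfaces against one merged member list, so it also admits combinations that do not exist (`Ping` on `Avahi.Server`, `ServiceBrowserNew` on `DBus.Peer`), and the ColorManager rule above it now pairs a brace of interfaces with no `member=` at all. A separate `dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping peer=(name=org.freedesktop.Avahi),` next to the unchanged `Avahi.Server` rule expresses exactly what is needed, which is how the geoclue hunk in this same commit spells its Ping rule. The profile is in `complain` mode, so denials from the looser form would not surface as breakage, which is all the more reason to keep the rule precise.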
--- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -7,15 +7,57 @@ abi , include @{exec_path} = @{libexec}/geoclue -profile geoclue @{exec_path} { +profile geoclue @{exec_path} flags=(attach_disconnected) { include + include network netlink raw, + dbus (send,receive) bus=system path=/org/freedesktop/GeoClue2/{Agent,Manager} + interface=org.freedesktop.{DBus.Properties,GeoClue2*}, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,ReleaseName,RequestName} + peer=(name=org.freedesktop.DBus), + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={GetAPIVersion,GetState,ServiceBrowserNew}, + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping, + + dbus send bus=system path=/fi/w[0-9]/wpa_supplicant[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/ModemManager[0-9] + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged}, + + dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9] + interface=org.freedesktop.Avahi.ServiceBrowser + member={AllForNow,CacheExhausted}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member={CheckPermissions,StateChanged}, + + dbus bind bus=system + name=org.freedesktop.GeoClue2, + @{exec_path} mr, /etc/geoclue/{,**} r, + @{run}/systemd/journal/socket rw, + @{PROC}/@{pids}/cgroup r, include if exists diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 76220f9f4..09d3cb55b 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire 
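Review bot: The `dbus send` rule for `/org/freedesktop/NetworkManager` on `org.freedesktop.DBus.Properties` lists `PropertiesChanged`, but that is a signal NetworkManager emits and geoclue receives, so a send rule does not match the real traffic and the receive direction is not granted anywhere in this hunk. Keep `member=GetAll` on the send rule and add `dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=PropertiesChanged,` beside the new `{CheckPermissions,StateChanged}` receive rule. The `(send,receive)` rule on `/org/freedesktop/GeoClue2/{Agent,Manager}` has no member list; if that breadth is intended for the service side, a one-line comment saying so would stop a later reviewer from tightening it blind. That path pattern covers only the Agent and Manager objects, so if geoclue exposes per-client objects under another subpath those would still be denied — worth confirming against the audit log.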
@@ -17,8 +17,20 @@ profile pipewire @{exec_path} { ptrace (read), + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] + interface=org.freedesktop.RealtimeKit[0-9] + member=MakeThread* + peer=(name=org.freedesktop.RealtimeKit[0-9]), + + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.RealtimeKit[0-9]), + @{exec_path} mr, + /{usr/,}bin/pipewire-media-session rPx, + /usr/share/pipewire/pipewire.conf r, /etc/machine-id r, diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index e04c0259e..16547bd46 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -29,6 +29,14 @@ profile polkit-agent-helper @{exec_path} { signal (receive) set=(term, kill) peer=gnome-shell, signal (receive) set=(term, kill) peer=pkexec, + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=AuthenticationAgentResponse2, + @{exec_path} mr, # file_inherit diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 323ac40f2..5847fcffd 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd 
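Review bot: The new `AuthenticationAgentResponse2` send rule has no `peer=` restriction, so any bus connection that presents the `/org/freedesktop/PolicyKit[0-9]/Authority` path satisfies it, not only polkitd. Other rules in this commit (accounts-daemon, sshd, gnome-keyring-daemon) pin their privileged calls with a peer name; do the same here with `peer=(name=org.freedesktop.PolicyKit[0-9]),` on both new rules. This helper is the component that completes an authentication on behalf of an agent, so it is the rule in this file most worth keeping narrow.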
@@ -22,35 +22,18 @@ profile polkitd @{exec_path} { ptrace (read), + dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/* + interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}, + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,RequestName}, - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.PolicyKit[0-9].Authority - member={Changed,BeginAuthentication}, - - dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.PolicyKit[0-9].Authority - member={GetAll,CheckAuthorization,RegisterAuthenticationAgent,AuthenticationAgentResponse2,EnumerateActions,CancelCheckAuthorization}, - - dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.DBus.Properties - member=GetAll, - dbus bind bus=system name=org.freedesktop.PolicyKit[0-9], @{exec_path} mr, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - /etc/machine-id r, # System rules @@ -74,6 +57,14 @@ profile polkitd @{exec_path} { @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + # Silencer deny /.cache/ rw, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index d977b692f..b2ac5d656 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd 
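Review bot: The new `(send,receive)` rule over `/org/freedesktop/PolicyKit[0-9]/*` with `PolicyKit[0-9].*` and no `member=` replaces three rules that separated what polkitd sends (`{Changed,BeginAuthentication}`) from what it receives (`CheckAuthorization`, `RegisterAuthenticationAgent`, `AuthenticationAgentResponse2`, ...), so the profile no longer documents the authority's method surface and also lets polkitd send any method on its own interfaces. Keeping the two directions as separate rules, even with the new `interface=` brace, preserves that allow-list at no cost; failing that, a comment on the merged rule stating that the breadth is deliberate for the service side would help the next reader. The move of the `@{PROC}` rules to the second hunk is purely cosmetic.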
@@ -27,6 +27,15 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.login[0-9].Manager member=Inhibit, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName + peer=(name=org.freedesktop.DBus), + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=SessionNew, + dbus bind bus=system name=org.freedesktop.UPower, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index f83f6ea0f..fd3deefa2 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -35,7 +35,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager - member=StateChanged, + member={StateChanged,CheckPermissions}, @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 3b1e4a555..611f2e2b2 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -23,6 +23,10 @@ profile xdg-desktop-portal-gnome @{exec_path} { interface=org.freedesktop.DBus.Properties member=GetAll, + dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.Accounts.User member=Changed, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 7576ba235..ef99ad71f 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory 
@@ -23,9 +23,13 @@ profile evolution-calendar-factory @{exec_path} { network inet6 dgram, network netlink raw, - dbus receive bus=system path=/org/freedesktop/NetworkManager + dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, + member={PropertiesChanged,GetAll}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member={CheckPermissions,StateChanged}, @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 1358ba233..776e10df0 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -27,7 +27,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { signal (send) set=(term), dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User@{uid} - interface=org.freedesktop.Accounts.User + interface=org.freedesktop.{DBus.Properties,Accounts.User} member={Changed,GetAll,PropertiesChanged}, dbus send bus=system path=/org/freedesktop/Accounts @@ -40,7 +40,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser}, + member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName}, dbus receive bus=system path=/org/freedesktop/login[0-9]/seat/seat[0-9] interface=org.freedesktop.DBus.Properties @@ -50,6 +50,9 @@ profile gdm @{exec_path} flags=(attach_disconnected) { interface={org.freedesktop.DBus.Properties,org.gnome.DisplayManager.Manager} member={RegisterDisplay,Get,RegisterSession,GetAll,OpenReauthenticationChannel}, + dbus bind bus=system + name=org.gnome.DisplayManager, + @{exec_path} mr, /{usr/,}{s,}prime-switch rPx, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index a3bf855e8..e4120665a 100644 
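Review bot: Changing the NetworkManager Properties rule to `(send,receive)` with `{PropertiesChanged,GetAll}` mixes a signal this client receives with a method it sends, so the profile now also permits sending `PropertiesChanged` and receiving `GetAll` calls. Two directional rules, `dbus send ... member=GetAll,` alongside the pre-existing `dbus receive ... member=PropertiesChanged,`, grant exactly what the factory does. The goa-daemon hunk later in this diff makes the identical change and the same remark applies there.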
--- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -41,22 +41,14 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { network netlink raw, - dbus send bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} - interface={org.freedesktop.DBus.Properties,org.freedesktop.Accounts} + dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} + interface=org.freedesktop.{DBus.Properties,Accounts*} member={GetAll,FindUserByName,SetLanguage,Changed,PropertiesChanged}, dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member=CreateSession, - dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, - - dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]* - interface=org.freedesktop.Accounts.User - member=Changed, - @{exec_path} mrix, /{usr/,}bin/gnome-keyring-daemon rPx, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 2b498d8bd..a97fdf76a 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -10,6 +10,9 @@ include profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include + include + include + include include include include 
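Review bot: `interface=org.freedesktop.{DBus.Properties,Accounts*}` uses a trailing glob where the removed rules named exact interfaces (`org.freedesktop.Accounts` and `org.freedesktop.Accounts.User`), so it also matches any future `org.freedesktop.Accounts…` interface. `Accounts{,.User}` covers both existing interfaces without the open end; the gnome-shell hunk in this diff uses the same `Accounts*` glob and would take the same change. As with the other merged rules in this commit, the `(send,receive)` form also lets the worker send the `Changed`/`PropertiesChanged` signals it previously only received, which it has no reason to do.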
@@ -32,6 +35,54 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { signal (send) set=(kill) peer=unconfined, signal (send) set=(kill) peer=passwd, + dbus send bus=system path=/org/freedesktop{,ModemManager[0-9],UDisks2} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus send bus=system path=/net/reactivated/Fprint/Manager + interface=net.reactivated.Fprint.Manager + member=GetDevices, + + dbus send bus=system path=/net/reactivated/Fprint/Manager + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=CheckAuthorization, + + dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member=ListCachedUsers, + + dbus send bus=system path=/net/hadess/SwitcherooControl + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=GetPermissions, + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings, + + dbus send bus=system path=/org/freedesktop/systemd[0-9] + interface=org.freedesktop.DBus.Properties + member={GetAll,Get}, + @{exec_path} mr, /{usr/,}bin/bash rUx, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 71431b3a3..fb129e7f9 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding 
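Review bot: The brace group in `path=/org/freedesktop{,ModemManager[0-9],UDisks2}` is missing the slash inside the alternatives, so it expands to `/org/freedesktop`, `/org/freedesktopModemManager[0-9]` and `/org/freedesktopUDisks2`; only the first of those is a real object path, and the ModemManager and UDisks2 `GetManagedObjects` calls this rule is meant to allow will still be denied. The intended form is `path=/org/freedesktop{,/ModemManager[0-9],/UDisks2}`, which is the same correction the tracker-miner hunk in this commit applies to its UPower path. The `CheckAuthorization` send to polkit would also benefit from the `peer=(name=...)` pinning used elsewhere in this diff.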
+++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -26,7 +26,7 @@ profile gnome-extension-ding @{exec_path} { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable - member=Introspec, + member=Introspect, dbus send bus=system path=/net/hadess/SwitcherooControl interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 3f499354e..14ba09f87 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -19,6 +19,15 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=gdm, signal (send) set=(term) peer=ssh-agent, + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=GetSession + peer=(name=org.freedesktop.login[0-9]), + + dbus receive bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged, + @{exec_path} mr, /{usr/,}bin/ssh-add rix, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 40a7fce96..50ae01f26 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -30,7 +30,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={CanPowerOff,GetSession}, + member={CanPowerOff,GetSession,PowerOff,Inhibit}, dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.DBus.Properties 
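Review bot: `PowerOff` is added to an unpinned `dbus send` rule on `/org/freedesktop/login[0-9]`; since it requests a privileged action from logind, pin it with `peer=(name=org.freedesktop.login[0-9]),` as the sshd and gnome-keyring-daemon hunks in this diff do for their login1 calls. The `SessionNew`/`PrepareForShutdown`/`SessionRemoved` receive rule in the file's second hunk covers signals logind broadcasts and needs no peer.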
@@ -44,6 +44,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=PropertiesChanged, + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionNew,PrepareForShutdown,SessionRemoved}, + @{exec_path} mr, /{usr/,}bin/{,z,ba,da}sh rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 70e85dbf8..b0808666a 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -11,6 +11,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -18,6 +19,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include include include include 
@@ -43,36 +45,39 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), - dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]* - interface=org.freedesktop.login[0-9].Session - member={ReleaseDevice,TakeControl,TakeDevice,PauseDevice}, + dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**} + interface=org.freedesktop.{DBus.Properties,login[0-9].*}, dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.PolicyKit[0-9].Authority - member={CheckAuthorization,RegisterAuthenticationAgent,Changed}, + interface=org.freedesktop.{DBus.Properties,PolicyKit[0-9].Authority} + member={CheckAuthorization,RegisterAuthenticationAgent,Changed,GetAll}, - dbus send bus=system path=/org/gnome/DisplayManager/Manager - interface=org.gnome.DisplayManager.Manager - member=RegisterSession - peer=(name=org.gnome.DisplayManager), + dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} + interface=org.freedesktop.{DBus.Properties,Accounts*} + member={GetAll,FindUserByName,Changed,PropertiesChanged}, + + dbus (send,receive) bus=system path=/org/freedesktop/UPower/{,devices/DisplayDevice} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged}, + + dbus (send,receive) bus=system path=/org/freedesktop/GeoClue2/{Agent,Manager} + interface=org.freedesktop.{DBus.Properties,GeoClue2.Manager} + member={PropertiesChanged,AddAgent,GetAll}, dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects, - dbus send bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager - member={CanSuspend,CanRebootToBootLoaderMenu,GetSession,Inhibit}, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetConnectionUnixUser, - dbus send bus=system 
path=/net/hadess/SwitcherooControl - interface=org.freedesktop.DBus.Properties - member=GetAll, + dbus send bus=system path=/org/gnome/DisplayManager/Manager + interface=org.gnome.{DBus.Properties,DisplayManager.Manager} + member={RegisterSession,Get,GetAll,OpenReauthenticationChannel} + peer=(name=org.gnome.DisplayManager), - dbus send bus=system path=/net/hadess/PowerProfiles - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus send bus=system path=/org/freedesktop/UPower/{,devices/DisplayDevice} + dbus send bus=system path=/net/hadess/{PackageKit,PowerProfiles,SwitcherooControl} interface=org.freedesktop.DBus.Properties member=GetAll, @@ -80,16 +85,20 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { interface=net.reactivated.Fprint.Manager member=GetDefaultDevice, + dbus send bus=system path=/org/freedesktop/NetworkManager{,/AgentManager} + interface=org.freedesktop.NetworkManager{,.AgentManager} + member={Unregister,RegisterWithCapabilities,GetPermissions}, + dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions, - dbus receive bus=system path=/org/freedesktop/NetworkManager + dbus receive bus=system path=/org/freedesktop/NetworkManager/{Devices,DHCP{4,6}Config,IP{4,6}Config}/[0-9]* interface=org.freedesktop.DBus.Properties member=PropertiesChanged, - dbus receive bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties member=PropertiesChanged, @{exec_path} mr, 
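Review bot: `interface=org.gnome.{DBus.Properties,DisplayManager.Manager}` expands to `org.gnome.DBus.Properties`, which is not the interface that carries `Get`/`GetAll`; the gdm profile shown as context earlier in this diff spells the same pair on the same path as `interface={org.freedesktop.DBus.Properties,org.gnome.DisplayManager.Manager}`, and this rule should read the same way or the property reads will still be denied. Separately, the new login1 rule `path=/org/freedesktop/login[0-9]{,/**} interface=org.freedesktop.{DBus.Properties,login[0-9].*}` carries no `member=` and replaces two explicit lists (`ReleaseDevice,TakeControl,TakeDevice,PauseDevice` and `CanSuspend,CanRebootToBootLoaderMenu,GetSession,Inhibit`), so gnome-shell — a process that hosts third-party extensions — is now allowed every login1 method, `PowerOff` and session-termination calls included. Keeping member lists on that rule, even if they are long, is the one place in this profile where the extra lines are worth it. The enclosing profile continues outside this hunk.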
@@ -150,9 +159,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_config_dirs}/.goutputstream{,*} rw, - owner @{user_config_dirs}/ibus/ rw, - owner @{user_config_dirs}/ibus/bus/ rw, - owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r, owner @{user_config_dirs}/monitors.xml{,~} rwl, owner @{user_share_dirs}/backgrounds/{,**} rw, diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 6236a78cc..2fb705b0a 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -25,9 +25,13 @@ profile goa-daemon @{exec_path} { network inet6 dgram, network netlink raw, - dbus receive bus=system path=/org/freedesktop/NetworkManager + dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, + member={PropertiesChanged,GetAll}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member={CheckPermissions,StateChanged}, @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 0bc910456..18f0eec62 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -18,7 +18,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, - dbus send bus=system path=/org/freedesktop/ColorManager/devices/xrandr_* + dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/xrandr_*} interface=org.freedesktop.DBus.Properties member=GetAll, diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index b26382492..28175182b 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify 
@@ -12,14 +12,13 @@ profile gsd-disk-utility-notify @{exec_path} { include include + dbus receive bus=system path=/org/freedesktop/UDisks2{,/**} + interface=org.freedesktop.DBus.{Properties,ObjectManager}, + dbus send bus=system path=/org/freedesktop/UDisks2 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects, - dbus receive bus=system path=/org/freedesktop/UDisks2/** - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 31280ae7b..a278f2b3f 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -18,6 +18,10 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=system path=/org/freedesktop/locale[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 6f2b77f23..23ae38987 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -37,6 +37,14 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=PropertiesChanged, + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.DBus.Properties + member=Get, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionNew,SessionRemoved,PrepareForShutdown}, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index bb4ec7d0d..6a09314b2 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power 
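Review bot: The new receive rule `path=/org/freedesktop/UDisks2{,/**} interface=org.freedesktop.DBus.{Properties,ObjectManager}` has no `member=`, whereas the rule it replaces was limited to `PropertiesChanged`; for a client this means incoming method calls on those interfaces now match as well. If the intent is to admit the ObjectManager signals, `member={PropertiesChanged,InterfacesAdded,InterfacesRemoved}` names them and keeps the allow-list readable.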
@@ -24,6 +24,10 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**} interface=org.freedesktop.{DBus.Properties,UPower*}, + dbus send bus=system path=/org/freedesktop/systemd[0-9] + interface=org.freedesktop.DBus.Properties + member=Get, + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.DBus.Properties member=GetAll, @@ -48,6 +52,10 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=PropertiesChanged, + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionNew,SessionRemoved,PrepareForShutdown}, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index 6f8d0db37..c4614b70d 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -17,7 +17,7 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=ReleaseName, + member={ReleaseName,RequestName}, dbus bind bus=system name=com.redhat.NewPrinterNotification, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 9ccb637ff..2268b138e 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing 
@@ -15,11 +15,27 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include signal (receive) set=(term, hup) peer=gdm*, - - dbus receive bus=system path=/org/freedesktop/NetworkManager + + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=GetPermissions, + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9] + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings, + + dbus receive bus=system path=/org/freedesktop/NetworkManager{,/{Devices,DHCP{4,6}Config,IP{4,6}Config}/[0-9]*} interface=org.freedesktop.DBus.Properties member=PropertiesChanged, + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=CheckPermissions, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 16aeb9ab4..2192ebaef 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -30,6 +30,10 @@ profile gsd-xsettings @{exec_path} { interface=org.freedesktop.Accounts.User member={SetInputSources,Changed,GetAll}, + dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged}, + dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member=FindUserByName, @@ -59,7 +63,6 @@ profile gsd-xsettings @{exec_path} { owner @{user_cache_dirs}/mesa_shader_cache/index rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, - owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/systemd/sessions/* r, 
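Review bot: `path=/org/freedesktop/NetworkManager/Settings/[0-9]` matches only single-digit connection ids, while the equivalent `GetSettings` rule added to gnome-control-center in this same commit uses `Settings/[0-9]*`; a host with ten or more saved connections would get denials from this profile. Use `[0-9]*` here as well. The hunk also removes and re-adds a blank line with no visible change (apparently whitespace only); dropping that churn keeps the diff to the rules.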
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index fe296d94d..397e03ead 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -18,7 +18,7 @@ profile tracker-miner @{exec_path} { include include - dbus send bus=system path=/org/freedesktop/UPower/{,devices/DisplayDevice} + dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} interface=org.freedesktop.DBus.Properties member=GetAll, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 7ff48ff57..795061b9a 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -14,6 +14,34 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=Inhibit, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus), + + dbus receive bus=system path=/org/freedesktop/ModemManager[0-9] + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=Changed, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={UserNew,SessionNew}, + + dbus bind bus=system + name=org.freedesktop.ModemManager[0-9], + @{exec_path} mr, @{run}/udev/data/+pci:* r, 
@@ -22,6 +50,8 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/n[0-9]* r, + @{run}/systemd/inhibit/*.ref rw, + @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/net/ r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 6dd5d1958..3d4cc7580 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -40,7 +40,15 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.PolicyKit[0-9].Authority - member={Changed,CheckAuthorization}, + member={Changed,CheckAuthorization,CancelCheckAuthorization}, + + dbus (send,receive) bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionRemoved,UserNew,SessionNew,Inhibit,PrepareForShutdown}, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,GetConnectionUnixUser,GetConnectionUnixProcessID}, dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager @@ -57,7 +65,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/resolve[0-9] interface=org.freedesktop.resolve[0-9].Manager - member=SetLink*, + member={SetLink*,ResolveHostname}, + # org.freedesktop.resolve1 dbus send bus=system path=/org/freedesktop/hostname[0-9] interface=org.freedesktop.DBus.Properties @@ -71,10 +80,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects, - dbus receive bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager - member={SessionRemoved,UserNew,SessionNew,Inhibit}, - dbus bind bus=system name=org.freedesktop.NetworkManager, 
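Review bot: The comment `# org.freedesktop.resolve1` is inserted after the closing `member=` line of the resolve1 rule and directly above the `hostname[0-9]` rule, so it reads as a heading for the wrong rule; move it above `dbus send bus=system path=/org/freedesktop/resolve[0-9]` or drop it, since the path already says this. The new login1 rule also merges directions — `Inhibit` is a call NetworkManager sends, the other four members are signals it receives — and the removed `dbus receive` rule had that split; `dbus send ... member=Inhibit,` plus `dbus receive ... member={SessionRemoved,UserNew,SessionNew,PrepareForShutdown},` avoids granting a send of lifecycle signals. The same reasoning applies to the systemd-logind hunk further down.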
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index a1937b016..fb036f2e1 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -50,6 +50,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={CreateSession,ReleaseSession} + peer=(name=org.freedesktop.login[0-9]), + @{exec_path} mrix, /{usr/,}{s,}bin/nologin rPx, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 378c89c1e..698fd2f3c 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -24,6 +24,11 @@ profile networkctl @{exec_path} flags=(complain) { network inet6 dgram, network netlink raw, + dbus send bus=system path=/org/freedesktop/network[0-9] + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.network[0-9]), + @{exec_path} mr, /{usr/,}bin/pager rPx -> child-pager, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 2ebf2685e..c2a6be9ec 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -19,7 +19,8 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=ReleaseName, + member={ReleaseName,RequestName} + peer=(name=org.freedesktop.DBus), dbus receive bus=system path=/org/freedesktop/locale[0-9] interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 3224e803b..cebfc7c38 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
@@ -27,14 +27,14 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
   dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**}
        interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,login[0-9].*},
 
-  dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]/job/**
+  dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]
+       interface=org.freedesktop.systemd[0-9].Manager
+       member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading,Subscribe},
+
+  dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]/{unit,job}/**
        interface=org.freedesktop.DBus.Properties
        member={Get,PropertiesChanged},
 
-  dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]/unit/**
-       interface=org.freedesktop.DBus.Properties
-       member={PropertiesChanged,Get},
-
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName},
@@ -47,10 +47,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
        interface=org.freedesktop.systemd[0-9].Scope
        member=Abandon,
 
-  dbus receive bus=system path=/org/freedesktop/systemd[0-9]
-       interface=org.freedesktop.systemd[0-9].Manager
-       member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading},
-
   dbus receive bus=system path=/org/freedesktop/systemd[0-9]
        interface=org.freedesktop.DBus.Properties
        member=PropertiesChanged,
@@ -68,8 +64,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
   /var/lib/systemd/linger/ r,
 
+  @{run}/.#nologin* rw,
   @{run}/host/container-manager r,
-
+  @{run}/nologin rw,
   @{run}/utmp rk,
   @{run}/udev/tags/master-of-seat/ r,
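Review bot: `Subscribe` is listed twice in the new member set of the `systemd[0-9].Manager` rule; the deduplicated line is `member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading},`. Beyond that, the rule turns what was a `receive`-only grant (the one removed in the next hunk) into `(send,receive)` over a set that mixes the methods logind calls (`StartUnit`, `StartTransientUnit`, `Subscribe`) with the signals it receives (`JobRemoved`, `UnitRemoved`, `Reloading`), so the profile now also allows logind to emit those signals and to receive calls it never serves. Splitting by direction, and pinning the `send` half to the systemd1 bus name as the other rules in this series do, keeps the grant to what each side needs; the profile block continues outside the hunk.
```apparmor
  dbus send bus=system path=/org/freedesktop/systemd[0-9]
       interface=org.freedesktop.systemd[0-9].Manager
       member={StartUnit,StartTransientUnit,Subscribe}
       peer=(name=org.freedesktop.systemd[0-9]),

  dbus receive bus=system path=/org/freedesktop/systemd[0-9]
       interface=org.freedesktop.systemd[0-9].Manager
       member={JobRemoved,UnitRemoved,Reloading},

  # … unchanged: DBus.Properties rule on /org/freedesktop/systemd[0-9]/{unit,job}/** …
```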
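Review bot: The two new nologin lines in the `-68,8` hunk deserve a comment, because `@{run}/nologin` is the file pam_nologin consults to refuse logins and logind creates it only ahead of a scheduled shutdown, which is also why `@{run}/.#nologin*` is needed — the `.#` prefix is systemd's temporary-file naming for an atomic write-then-rename, as with the other `.#*` entries in this profile. Suggest `# created before a scheduled shutdown (temp file + rename); pam_nologin reads @{run}/nologin` above `@{run}/.#nologin* rw,`. The hunk header counts suggest two context lines were lost in rendering, so check the final ordering against the file itself.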
@@ -96,18 +93,19 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
   @{run}/systemd/inhibit/ rw,
   @{run}/systemd/inhibit/.#* rw,
   @{run}/systemd/inhibit/[0-9]*{,.ref} rw,
+  @{run}/systemd/journal/socket rw,
+  @{run}/systemd/notify rw,
   @{run}/systemd/seats/ rw,
   @{run}/systemd/seats/.#seat* rw,
   @{run}/systemd/seats/seat[0-9]* rw,
   @{run}/systemd/sessions/{,*} rw,
   @{run}/systemd/sessions/*.ref rw,
+  @{run}/systemd/shutdown/.#scheduled* rw,
+  @{run}/systemd/shutdown/scheduled rw,
   @{run}/systemd/users/ rw,
   @{run}/systemd/users/.#* rw,
   @{run}/systemd/users/@{uid} rw,
 
-  @{run}/systemd/journal/socket rw,
-  @{run}/systemd/notify rw,
-
   @{sys}/class/drm/ r,
   @{sys}/devices/**/{uevent,enabled,status} r,
   @{sys}/devices/**/brightness rw,
diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd
index dfe1983b0..c0dc9ffc6 100644
--- a/apparmor.d/groups/ubuntu/packagekitd
+++ b/apparmor.d/groups/ubuntu/packagekitd
@@ -38,12 +38,16 @@ profile packagekitd @{exec_path} {
 
   dbus receive bus=system path=/org/freedesktop/NetworkManager
        interface=org.freedesktop.NetworkManager
-       member=CheckPermissions,
+       member={CheckPermissions,StateChanged},
 
   dbus receive bus=system path=/org/freedesktop/NetworkManager
        interface=org.freedesktop.DBus.Properties
        member=PropertiesChanged,
 
+  dbus receive bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.login[0-9].Manager
+       member=SessionNew,
+
   dbus bind bus=system
        name=org.freedesktop.PackageKit,
 
diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon
index f6ab963ee..82302316e 100644
--- a/apparmor.d/profiles-m-r/rtkit-daemon
+++ b/apparmor.d/profiles-m-r/rtkit-daemon
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2018-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi ,
@@ -21,17 +21,17 @@ profile rtkit-daemon @{exec_path} {
   capability sys_nice,
   capability sys_ptrace,
 
+  dbus (send,receive) bus=system path=/org/freedesktop/RealtimeKit[0-9]
+       interface=org.freedesktop.RealtimeKit[0-9],
+
   dbus receive bus=system path=/org/freedesktop/RealtimeKit[0-9]
        interface=org.freedesktop.DBus.Properties
        member={Get,GetAll},
 
-  dbus receive bus=system path=/org/freedesktop/RealtimeKit[0-9]
-       interface=org.freedesktop.RealtimeKit[0-9]
-       member=MakeThreadRealtimeWithPID,
-
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
-       member=GetConnectionUnixUser,
+       member={RequestName,GetConnectionUnixUser,GetConnectionUnixProcessID}
+       peer=(name=org.freedesktop.DBus),
 
   dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
        interface=org.freedesktop.PolicyKit[0-9].Authority
diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant
index eb79c593e..93e75bf29 100644
--- a/apparmor.d/profiles-s-z/wpa-supplicant
+++ b/apparmor.d/profiles-s-z/wpa-supplicant
@@ -29,6 +29,10 @@ profile wpa-supplicant @{exec_path} {
        interface=org.freedesktop.DBus
        member=RequestName,
 
+  dbus receive bus=system path=/fi/w[0-9]/wpa_supplicant[0-9]
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
   dbus bind bus=system
        name=fi.w1.wpa_supplicant[0-9],
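Review bot: The new `dbus (send,receive)` rule on `org.freedesktop.RealtimeKit[0-9]` drops the `member=` restriction the removed rule carried (`MakeThreadRealtimeWithPID`) and adds `send`, so the profile now covers every method on that interface in both directions; rtkit-daemon owns that interface (the surrounding `receive` rule for its properties shows it on the service side), so `receive` is what it needs and a `send` grant should be backed by a logged denial naming the member before it stays. If the widening was driven by the other request methods clients call, listing them keeps the grant reviewable, e.g. `member=MakeThread*` in the glob style this series already uses for `SetLink*` in NetworkManager, together with a comment `# thread priority requests from local clients; replies need no send rule`. The `peer=(name=org.freedesktop.DBus)` pin added to the bus-daemon rule below is good; the profile block continues past the hunk.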