felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profiles): add some core dbus rules.

Browse source
This commit is contained in:
Alexandre Pujol 2022-06-12 23:50:58 +01:00
parent 24056c8cd1
commit 50a18aac08
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
36 changed files with 343 additions and 108 deletions
Download patch file Download diff file Expand all files Collapse all files

7
apparmor.d/groups/freedesktop/accounts-daemon
View file

@ -33,12 +33,17 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]*
interface=org.freedesktop.Accounts.User
member={Changed,SetLanguage},
member={Changed,SetLanguage,SetInputSources},
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,GetConnectionUnixUser}
peer=(name=org.freedesktop.DBus),
dbus receive bus=system path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts
member={FindUserByName,ListCachedUsers},

7
apparmor.d/groups/freedesktop/colord-sane
View file

@ -17,11 +17,12 @@ profile colord-sane @{exec_path} flags=(attach_disconnected,complain) {
network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/ColorManager
interface=org.freedesktop.ColorManager,
interface=org.freedesktop.{DBus.Properties,ColorManager},
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,ServiceBrowserNew},
interface=org.freedesktop.{DBus.Peer,Avahi.Server}
member={GetAPIVersion,GetState,ServiceBrowserNew,Ping}
peer=(name=org.freedesktop.Avahi),
dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]
interface=org.freedesktop.Avahi.ServiceBrowser

44
apparmor.d/groups/freedesktop/geoclue
View file

@ -7,15 +7,57 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/geoclue
profile geoclue @{exec_path} {
profile geoclue @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
network netlink raw,
dbus (send,receive) bus=system path=/org/freedesktop/GeoClue2/{Agent,Manager}
interface=org.freedesktop.{DBus.Properties,GeoClue2*},
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser,ReleaseName,RequestName}
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,ServiceBrowserNew},
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping,
dbus send bus=system path=/fi/w[0-9]/wpa_supplicant[0-9]
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects,
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged},
dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]
interface=org.freedesktop.Avahi.ServiceBrowser
member={AllForNow,CacheExhausted},
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={CheckPermissions,StateChanged},
dbus bind bus=system
name=org.freedesktop.GeoClue2,
@{exec_path} mr,
/etc/geoclue/{,**} r,
@{run}/systemd/journal/socket rw,
@{PROC}/@{pids}/cgroup r,
include if exists <local/geoclue>

12
apparmor.d/groups/freedesktop/pipewire
View file

@ -17,8 +17,20 @@ profile pipewire @{exec_path} {
ptrace (read),
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
interface=org.freedesktop.RealtimeKit[0-9]
member=MakeThread*
peer=(name=org.freedesktop.RealtimeKit[0-9]),
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.RealtimeKit[0-9]),
@{exec_path} mr,
/{usr/,}bin/pipewire-media-session rPx,
/usr/share/pipewire/pipewire.conf r,
/etc/machine-id r,

8
apparmor.d/groups/freedesktop/polkit-agent-helper
View file

@ -29,6 +29,14 @@ profile polkit-agent-helper @{exec_path} {
signal (receive) set=(term, kill) peer=gnome-shell,
signal (receive) set=(term, kill) peer=pkexec,
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member=AuthenticationAgentResponse2,
@{exec_path} mr,
# file_inherit

31
apparmor.d/groups/freedesktop/polkitd
View file

@ -22,35 +22,18 @@ profile polkitd @{exec_path} {
ptrace (read),
dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/*
interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*},
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID,RequestName},
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member={Changed,BeginAuthentication},
dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member={GetAll,CheckAuthorization,RegisterAuthenticationAgent,AuthenticationAgentResponse2,EnumerateActions,CancelCheckAuthorization},
dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus bind bus=system
name=org.freedesktop.PolicyKit[0-9],
@{exec_path} mr,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
/etc/machine-id r,
# System rules
@ -74,6 +57,14 @@ profile polkitd @{exec_path} {
@{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
# Silencer
deny /.cache/ rw,

9
apparmor.d/groups/freedesktop/upowerd
View file

@ -27,6 +27,15 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.login[0-9].Manager
member=Inhibit,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=RequestName
peer=(name=org.freedesktop.DBus),
dbus receive bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member=SessionNew,
dbus bind bus=system
name=org.freedesktop.UPower,

2
apparmor.d/groups/freedesktop/xdg-desktop-portal
View file

@ -35,7 +35,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=StateChanged,
member={StateChanged,CheckPermissions},
@{exec_path} mr,

4
apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
View file

@ -23,6 +23,10 @@ profile xdg-desktop-portal-gnome @{exec_path} {
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged,
dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]*
interface=org.freedesktop.Accounts.User
member=Changed,