From 583d7a15f0af96cbe9596ab3c771dd75b3c1486e Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol
Date: Sun, 5 Jun 2022 23:06:14 +0100
Subject: [PATCH] feat(profiles): add dbus rules for some common profiles.
---
 apparmor.d/groups/freedesktop/accounts-daemon | 27 ++++++++++
 apparmor.d/groups/freedesktop/colord | 18 +++++--
 apparmor.d/groups/freedesktop/colord-sane | 11 +++++
 .../groups/freedesktop/pipewire-media-session | 10 ++++
 apparmor.d/groups/freedesktop/polkitd | 19 +++++++
 apparmor.d/groups/freedesktop/upowerd | 14 ++++++
 .../groups/freedesktop/xdg-desktop-portal | 16 ++++++
 .../freedesktop/xdg-desktop-portal-gnome | 8 +++
 .../groups/freedesktop/xdg-desktop-portal-gtk | 8 +++
 .../gnome/evolution-addressbook-factory | 16 ++++++
 .../groups/gnome/evolution-calendar-factory | 4 ++
 apparmor.d/groups/gnome/gdm | 24 +++++++++
 apparmor.d/groups/gnome/gdm-session-worker | 16 ++++++
 apparmor.d/groups/gnome/gdm-wayland-session | 4 ++
 apparmor.d/groups/gnome/gnome-extension-ding | 16 ++++++
 apparmor.d/groups/gnome/gnome-session-binary | 16 ++++++
 apparmor.d/groups/gnome/gnome-shell | 49 +++++++++++++++++++
 apparmor.d/groups/gnome/goa-daemon | 4 ++
 apparmor.d/groups/gnome/gsd-color | 12 +++++
 .../groups/gnome/gsd-disk-utility-notify | 8 +++
 apparmor.d/groups/gnome/gsd-media-keys | 16 ++++++
 apparmor.d/groups/gnome/gsd-power | 27 ++++++++++
 .../groups/gnome/gsd-print-notifications | 12 +++++
 apparmor.d/groups/gnome/gsd-printer | 10 ++++
 apparmor.d/groups/gnome/gsd-rfkill | 20 ++++++++
 apparmor.d/groups/gnome/gsd-sharing | 4 ++
 apparmor.d/groups/gnome/gsd-xsettings | 8 +++
 apparmor.d/groups/gnome/nautilus | 4 ++
 apparmor.d/groups/gnome/tracker-miner | 4 ++
 .../groups/gvfs/gvfs-udisks2-volume-monitor | 4 ++
 apparmor.d/groups/network/NetworkManager | 43 ++++++++++++++++
 apparmor.d/groups/systemd/systemd-hostnamed | 3 ++
 apparmor.d/groups/systemd/systemd-localed | 3 ++
 apparmor.d/groups/systemd/systemd-logind | 2 +-
 apparmor.d/groups/systemd/systemd-timedated | 3 ++
 .../groups/systemd/systemd-user-runtime-dir | 5 ++
 apparmor.d/groups/ubuntu/packagekitd | 30 ++++++++++++
 apparmor.d/profiles-m-r/power-profiles-daemon | 19 +++++++
 apparmor.d/profiles-m-r/rtkit-daemon | 19 +++++++
 apparmor.d/profiles-s-z/spice-vdagentd | 6 +++
 apparmor.d/profiles-s-z/switcheroo-control | 11 +++++
 apparmor.d/profiles-s-z/udisksd | 26 ++++++++++
 apparmor.d/profiles-s-z/wpa-supplicant | 11 ++++-
 43 files changed, 584 insertions(+), 6 deletions(-)

diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon
index 04fc326bb..04be8d6f9 100644
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
@@ -23,6 +23,33 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
 ptrace (read) peer=unconfined,
+ dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member={CheckAuthorization,Changed},
+
+ dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member={PropertiesChanged,GetAll},
+
+ dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.Accounts.User
+ member={Changed,SetLanguage},
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/Accounts
+ interface=org.freedesktop.Accounts
+ member={FindUserByName,ListCachedUsers},
+
+ dbus receive bus=system path=/org/freedesktop/Accounts
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus bind bus=system
+ name=org.freedesktop.Accounts,
+
 @{exec_path} mr,
 /usr/share/accountsservice/{,**} r,
diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord
index 1aaf33eaf..da7c5a33a 100644
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
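Review bot: The first added rule grants `dbus (send,receive)` for both `CheckAuthorization` and `Changed` on the polkit Authority object, but a polkit client only sends CheckAuthorization and only receives the Changed signal; the combined form also permits accounts-daemon to receive CheckAuthorization calls, which only polkitd should handle. Splitting it into `dbus send ... member=CheckAuthorization,` and `dbus receive ... member=Changed,` keeps the rule at least privilege, as the colord hunk already does. The same combined-direction polkit rule is added in the NetworkManager and gnome-shell hunks. Pinning the send rule to the owner with `peer=(name=org.freedesktop.PolicyKit1)`, as the pipewire-media-session hunk does for rtkit, would also stop a replacement of that well-known name from receiving the authorization query.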
@@ -17,12 +17,24 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- dbus send
- bus=system
- path=/org/freedesktop/ColorManager/devices/xrandr_*
+ dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**}
+ interface=org.freedesktop.{DBus.Properties,ColorManager},
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName},
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.DBus.Properties member=GetAll,
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member=CheckAuthorization,
+
+ dbus bind bus=system
+ name=org.freedesktop.ColorManager,
+
 @{exec_path} mr,
 /{usr/,}lib/colord/colord-sane rPx,
diff --git a/apparmor.d/groups/freedesktop/colord-sane b/apparmor.d/groups/freedesktop/colord-sane
index 1ce827e2e..9223002a7 100644
--- a/apparmor.d/groups/freedesktop/colord-sane
+++ b/apparmor.d/groups/freedesktop/colord-sane
@@ -16,6 +16,17 @@ profile colord-sane @{exec_path} flags=(attach_disconnected,complain) {
 network netlink raw,
+ dbus (send,receive) bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.ColorManager,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member={GetAPIVersion,GetState,ServiceBrowserNew},
+
+ dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]
+ interface=org.freedesktop.Avahi.ServiceBrowser
+ member={CacheExhausted,AllForNow},
+
 @{exec_path} mr,
 /usr/share/snmp/mibs/{,*} r,
diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session
index 180ee9690..eca96bdf1 100644
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
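Review bot: In the colord-sane hunk the Avahi receive rule uses `path=/Client[0-9]/ServiceBrowser[0-9]`, which only matches single-digit client and browser ids, while the gsd-print-notifications hunk allows `/Client[0-9]*/ServiceBrowser[0-9]*` for the same object type. Avahi appears to number these objects per connection, so once the counter passes 9 the rule silently stops matching and the signals are denied; change it to `path=/Client[0-9]*/ServiceBrowser[0-9]*` so both profiles agree. In the colord hunk, the polkit Properties rule is the only one written on a single line; reflowing it onto three lines like its neighbours keeps the file consistent.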
@@ -20,6 +20,16 @@ profile pipewire-media-session @{exec_path} {
 network bluetooth stream,
 network netlink raw,
+ dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.freedesktop.RealtimeKit1),
+
+ dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
+ interface=org.freedesktop.RealtimeKit1
+ member=MakeThreadRealtime
+ peer=(name=org.freedesktop.RealtimeKit1),
+
 @{exec_path} mr,
 /usr/share/alsa-card-profile/{,**} r,
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index 982f8f85f..323ac40f2 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@@ -22,6 +22,25 @@ profile polkitd @{exec_path} {
 ptrace (read),
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionUnixUser,GetConnectionUnixProcessID,RequestName},
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member={Changed,BeginAuthentication},
+
+ dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member={GetAll,CheckAuthorization,RegisterAuthenticationAgent,AuthenticationAgentResponse2,EnumerateActions,CancelCheckAuthorization},
+
+ dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus bind bus=system
+ name=org.freedesktop.PolicyKit[0-9],
+
 @{exec_path} mr,
 @{PROC}/@{pids}/stat r,
diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd
index f8f7cbfc2..d977b692f 100644
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
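Review bot: In the polkitd hunk, `GetAll` is listed in the member set of the `interface=org.freedesktop.PolicyKit[0-9].Authority` receive rule, but GetAll is a method of org.freedesktop.DBus.Properties, which the very next rule already allows; the entry never matches and should be dropped so the Authority member list only names real Authority methods. The send rule allowing `BeginAuthentication` on `path=/org/freedesktop/PolicyKit[0-9]/Authority` also looks suspicious: polkitd invokes that method on the authentication agent's own registered object, so the path is likely the agent's rather than the Authority's — worth checking against the audit log that produced it. The pipewire-media-session rules are a good model for the rest of the commit, since they pin the rtkit calls to `peer=(name=org.freedesktop.RealtimeKit1)`.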
@@ -16,6 +16,20 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**}
+ interface=org.freedesktop.{DBus.Properties,UPower*},
+
+ dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member={PropertiesChanged,GetAll},
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member=Inhibit,
+
+ dbus bind bus=system
+ name=org.freedesktop.UPower,
+
 @{exec_path} mr,
 /etc/UPower/ r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 9fd683360..cc260c502 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -21,6 +21,22 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 ptrace (read),
+ dbus send bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member={GetAll,Get},
+
+ dbus send bus=system path=/net/hadess/PowerProfiles
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=StateChanged,
+
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index 22f60b381..cb2c7337b 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -19,6 +19,14 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 include
 include
+ dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.Accounts.User
+ member=Changed,
+
 @{exec_path} mr,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index 2e94f0fff..1d95d895e 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@@ -20,6 +20,14 @@ profile xdg-desktop-portal-gtk @{exec_path} {
 include
 include
+ dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.Accounts.User
+ member=Changed,
+
 @{exec_path} mr,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory
index bc3133534..a4ccf1535 100644
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@@ -23,6 +23,22 @@ profile evolution-addressbook-factory @{exec_path} {
 network inet6 dgram,
 network netlink raw,
+ dbus send bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/locale[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member={CheckPermissions,StateChanged},
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 @{exec_path}-subprocess rix,
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory
index 132540ade..4172e5138 100644
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@@ -23,6 +23,10 @@ profile evolution-calendar-factory @{exec_path} {
 network inet6 dgram,
 network netlink raw,
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 @{exec_path}-subprocess rix,
diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm
index a3cade389..1358ba233 100644
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@@ -26,6 +26,30 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
 signal (send) set=(term),
+ dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User@{uid}
+ interface=org.freedesktop.Accounts.User
+ member={Changed,GetAll,PropertiesChanged},
+
+ dbus send bus=system path=/org/freedesktop/Accounts
+ interface=org.freedesktop.{DBus.Properties,Accounts}
+ member={GetAll,ListCachedUsers,FindUserByName},
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login1.Manager
+ member={ListSeats,ActivateSessionOnSeat,UnlockSession},
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionUnixProcessID,GetConnectionUnixUser},
+
+ dbus receive bus=system path=/org/freedesktop/login[0-9]/seat/seat[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
+ dbus receive bus=system path=/org/gnome/DisplayManager/Manager
+ interface={org.freedesktop.DBus.Properties,org.gnome.DisplayManager.Manager}
+ member={RegisterDisplay,Get,RegisterSession,GetAll,OpenReauthenticationChannel},
+
 @{exec_path} mr,
 /{usr/,}{s,}prime-switch rPx,
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index 24b8902b2..a3bf855e8 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
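Review bot: The first added rule lists `GetAll` and `PropertiesChanged` under `interface=org.freedesktop.Accounts.User`, but both belong to org.freedesktop.DBus.Properties, so those two entries never match and the corresponding property reads and change signals on the User object stay denied; add a second rule on the same path with `interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged},` as the xdg-desktop-portal-gnome hunk does. The logind send rule names the interface as the literal `org.freedesktop.login1.Manager` while its own path and every other rule in this commit use the `login[0-9]` pattern; it works, but `interface=org.freedesktop.login[0-9].Manager` keeps the set consistent. The `path=/org/freedesktop/Accounts/User@{uid}` pattern differs from the `User[0-9]*` used by the other profiles; if gdm is meant to reach only the logging-in user's object that is a deliberate tightening and deserves a one-line comment, otherwise it should match the others.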
@@ -41,6 +41,22 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus send bus=system path=/org/freedesktop/Accounts{,/User[0-9]*}
+ interface={org.freedesktop.DBus.Properties,org.freedesktop.Accounts}
+ member={GetAll,FindUserByName,SetLanguage,Changed,PropertiesChanged},
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member=CreateSession,
+
+ dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
+ dbus receive bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.Accounts.User
+ member=Changed,
+
 @{exec_path} mrix,
 /{usr/,}bin/gnome-keyring-daemon rPx,
diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session
index b07fe0e9a..be6fc046c 100644
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@@ -21,6 +21,10 @@ profile gdm-wayland-session @{exec_path} {
 signal (send) set=(term) peer=dbus-daemon,
 signal (send) set=(term) peer=gnome-session-binary,
+ dbus send bus=system path=/org/gnome/DisplayManager/Manager
+ interface=org.gnome.DisplayManager.Manager
+ member=RegisterDisplay,
+
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index 030e12140..a3ddf738c 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
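Review bot: The first rule in the gdm-session-worker hunk folds two paths, two interfaces and five members into one `dbus send` rule, so it also allows combinations that do not exist, such as sending `FindUserByName` to a User object, and it lists `SetLanguage` without the org.freedesktop.Accounts.User interface that method actually lives on, so that call still fails. Splitting it into one rule per object — `path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member=FindUserByName,`, a Properties rule for `GetAll` on both paths, and `path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.Accounts.User member=SetLanguage,` — keeps the profile readable and at least privilege. `Changed` and `PropertiesChanged` are signals this process receives, and the two receive rules below already cover them, so they can be dropped from the send rule.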
@@ -16,6 +16,22 @@ profile gnome-extension-ding @{exec_path} {
 include
 include
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={ListNames,ListActivatableNames},
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspec,
+
+ dbus send bus=system path=/net/hadess/SwitcherooControl
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
 @{exec_path} mr,
 /{usr/,}bin/env rix,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 917436843..f9d5260e6 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -27,6 +27,22 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 signal (send) set=(term) peer=gsd-*,
 signal (receive) set=(term, hup) peer=gdm*,
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member={CanPowerOff,GetSession},
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]*
+ interface=org.freedesktop.login[0-9].Session
+ member=SetIdleHint,
+
+ dbus receive bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 /{usr/,}bin/{,z,ba,da}sh rix,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 07657a3bd..2b77f2dcb 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
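Review bot: `member=Introspec,` on the org.freedesktop.DBus.Introspectable rule in the gnome-extension-ding hunk is a typo; the method is `Introspect`, so the rule as written matches nothing and the introspection call stays denied while the profile appears to allow it. Change it to `member=Introspect,`. The `ListNames`/`ListActivatableNames` rule lets the extension enumerate every name on the system bus; that is plausible for a desktop-icons extension probing for services, but a short comment saying which service it is looking for would make the grant reviewable later.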
@@ -43,6 +43,55 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
 unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
+ dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]*
+ interface=org.freedesktop.login[0-9].Session
+ member={ReleaseDevice,TakeControl,TakeDevice,PauseDevice},
+
+ dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member={CheckAuthorization,RegisterAuthenticationAgent,Changed},
+
+ dbus send bus=system path=/org/gnome/DisplayManager/Manager
+ interface=org.gnome.DisplayManager.Manager
+ member=RegisterSession
+ peer=(name=org.gnome.DisplayManager),
+
+ dbus send bus=system path=/org/freedesktop
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects,
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member={CanSuspend,CanRebootToBootLoaderMenu,GetSession,Inhibit},
+
+ dbus send bus=system path=/net/hadess/SwitcherooControl
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/net/hadess/PowerProfiles
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/UPower/{,devices/DisplayDevice}
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/net/reactivated/Fprint/Manager
+ interface=net.reactivated.Fprint.Manager
+ member=GetDefaultDevice,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=CheckPermissions,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
+ dbus receive bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 /{usr/,}bin/Xwayland rPx,
diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon
index 9a30738ff..d181eff25 100644
--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
@@ -25,6 +25,10 @@ profile goa-daemon @{exec_path} {
 network inet6 dgram,
 network netlink raw,
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index 3e3de47c5..f5fdbcee5 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -18,6 +18,18 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term, hup) peer=gdm*,
+ dbus send bus=system path=/org/freedesktop/ColorManager/devices/xrandr_*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.ColorManager
+ member={FindDeviceByProperty,GetDevices,CreateDevice},
+
+ dbus receive bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.ColorManager
+ member={DeviceAdded,ProfileAdded},
+
 @{exec_path} mr,
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify
index f1c5d57bb..b26382492 100644
--- a/apparmor.d/groups/gnome/gsd-disk-utility-notify
+++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify
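Review bot: The last rule of the gnome-shell hunk allows `member=PropertiesChanged` under `interface=org.freedesktop.login[0-9].Manager`, but PropertiesChanged is a signal of org.freedesktop.DBus.Properties, so this rule cannot match what logind emits and the denial will come back; the gnome-session-binary, gsd-media-keys and gsd-power hunks use `interface=org.freedesktop.DBus.Properties` for the same signal and this rule should too. The first rule combines `(send,receive)` over `{ReleaseDevice,TakeControl,TakeDevice,PauseDevice}`, although the shell sends the first three methods and only receives the PauseDevice signal; a `dbus send` rule for the methods and a `dbus receive` rule for `PauseDevice` would express the actual direction of each. The same applies to the polkit rule, where RegisterAuthenticationAgent and CheckAuthorization are sent and only Changed is received.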
@@ -12,6 +12,14 @@ profile gsd-disk-utility-notify @{exec_path} {
 include
 include
+ dbus send bus=system path=/org/freedesktop/UDisks2
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects,
+
+ dbus receive bus=system path=/org/freedesktop/UDisks2/**
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 include if exists
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index 96288a87f..654541e0e 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -21,6 +21,22 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member=Inhibit,
+
+ dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice}
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index 41f28908a..29bcd906f 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -21,6 +21,33 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term, hup) peer=gdm*,
+ dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**}
+ interface=org.freedesktop.{DBus.Properties,UPower*},
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]/session/auto
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]/session/auto
+ interface=org.freedesktop.login[0-9].Session
+ member=SetBrightness,
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member=Inhibit,
+
+ dbus send bus=system path=/net/hadess/PowerProfiles
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index aa62b6f55..98563afdf 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -19,6 +19,18 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term, hup) peer=gdm*,
 signal (send) set=(hup) peer=gsd-printer,
+ dbus (send,receive) bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
+ interface=org.freedesktop.Avahi.ServiceBrowser
+ member={CacheExhausted,AllForNow,CacheExhausted,AllForNow,Free},
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.DBus.Peer
+ member=Ping,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member={GetAPIVersion,GetState,ServiceBrowserNew},
+
 @{exec_path} mr,
 @{libexec}/gsd-printer rPx,
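Review bot: The first rule in the gsd-power hunk grants `dbus (send,receive)` on `path=/org/freedesktop/UPower{,/**}` with `interface=org.freedesktop.{DBus.Properties,UPower*}` and no `member=`, which is the same reach this commit gives the daemon itself in the upowerd hunk, even though gsd-power is only a client. If the audit log showed property reads and change notifications, `dbus send ... interface=org.freedesktop.DBus.Properties member=GetAll,` plus `dbus receive ... member=PropertiesChanged,` (the shape used in the gsd-media-keys hunk) would cover it without permitting arbitrary UPower method calls; if gsd-power does call UPower methods, naming them keeps the grant auditable. The two `session/auto` rules could be merged into one rule listing `interface=org.freedesktop.{DBus.Properties,login[0-9].Session}` only if the member sets were kept per interface, so the current split is the clearer form and should stay.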
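Review bot: The ServiceBrowser rule in the gsd-print-notifications hunk has the member set `{CacheExhausted,AllForNow,CacheExhausted,AllForNow,Free}`, which repeats CacheExhausted and AllForNow; it compiles, but the duplicates look like a copy-paste of two log lines and should read `member={CacheExhausted,AllForNow,Free},`. `Free` is a method this process sends while the other two are signals it receives, so `(send,receive)` is the union of both directions; a `dbus send` rule for Free and a `dbus receive` rule for the two signals would state exactly what is needed. The `path=/Client[0-9]*/ServiceBrowser[0-9]*` form here is the one the colord-sane hunk should also use.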
diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer
index 15590b730..6f8d0db37 100644
--- a/apparmor.d/groups/gnome/gsd-printer
+++ b/apparmor.d/groups/gnome/gsd-printer
@@ -15,6 +15,16 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term, hup) peer=gdm*,
 signal (receive) set=(hup) peer=gsd-print-notifications,
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=ReleaseName,
+
+ dbus bind bus=system
+ name=com.redhat.NewPrinterNotification,
+
+ dbus bind bus=system
+ name=com.redhat.PrinterDriversInstaller,
+
 @{exec_path} mr,
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill
index 3bb20459f..52d98363e 100644
--- a/apparmor.d/groups/gnome/gsd-rfkill
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@@ -16,6 +16,26 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus send bus=system path=/org/freedesktop/hostname[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=Get,
+
+ dbus send bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member={CheckPermissions,StateChanged},
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 /sys/devices/virtual/misc/rfkill/uevent r,
diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing
index 5b20cc4f6..dc5c2d99e 100644
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@@ -15,6 +15,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
 include
 signal (receive) set=(term, hup) peer=gdm*,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index d3f6ec900..0b9f3fa82 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@@ -26,6 +26,14 @@ profile gsd-xsettings @{exec_path} {
 network inet6 dgram,
 network netlink raw,
+ dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]*
+ interface=org.freedesktop.Accounts.User
+ member={SetInputSources,Changed,GetAll},
+
+ dbus send bus=system path=/org/freedesktop/Accounts
+ interface=org.freedesktop.Accounts
+ member=FindUserByName,
+
 @{exec_path} mr,
 /{usr/,}bin/cat rix,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 6c48c596f..045b12e59 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -17,6 +17,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 include
 include
+ dbus send bus=system path=/org/freedesktop/hostname[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index 7846a4640..57435eb61 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -18,6 +18,10 @@ profile tracker-miner @{exec_path} {
 include
 include
+ dbus send bus=system path=/org/freedesktop/UPower/{,devices/DisplayDevice}
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
 @{exec_path} mr,
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index 59db2bb35..dc3aff190 100644
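Review bot: In the gsd-xsettings hunk the first rule lists `GetAll` under `interface=org.freedesktop.Accounts.User`; GetAll is a method of org.freedesktop.DBus.Properties, so that entry never matches and the property read stays denied — add `dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.DBus.Properties member=GetAll,` as the xdg-desktop-portal-gtk hunk does. The same rule grants `(send,receive)` over `{SetInputSources,Changed,GetAll}`, where SetInputSources is sent and Changed is received; two direction-specific rules would be tighter. In the gsd-sharing hunk the added blank line sits before the rule instead of after it, unlike every other hunk in this commit; cosmetic, but worth aligning.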
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -27,6 +27,10 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
 ptrace (read),
+ dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**}
+ interface=org.freedesktop.{DBus.*,UDisks2.*}
+ peer=(label=udisksd),
+
 @{exec_path} mr,
 /{usr/,}bin/lsof rix,
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index e68a51fa0..6dd5d1958 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
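Review bot: The gvfs-udisks2-volume-monitor rule is the only one in this commit that scopes a broad interface wildcard with a `peer=(label=udisksd)` constraint, and that is the right pattern: with `interface=org.freedesktop.{DBus.*,UDisks2.*}` and no member list, the label is what keeps the grant from becoming "any UDisks2 call to any process". The hunks for NetworkManager, upowerd, gsd-power and packagekitd use similar `{DBus.*,X*}` wildcards without a peer or member restriction; where the peer is a single confined daemon, adding the same `peer=(label=...)` would bring them to the same standard. Note that `peer=(label=udisksd)` only matches when the udisksd profile is actually loaded, so the rule is a no-op on systems that ship this profile set partially.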
@@ -35,6 +35,49 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
 network packet dgram,
+ dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager{,/**}
+ interface=org.freedesktop.{DBus.Properties,NetworkManager*},
+
+ dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member={Changed,CheckAuthorization},
+
+ dbus send bus=system path=/org/freedesktop
+ interface=org.freedesktop.DBus.ObjectManager
+ member=InterfacesAdded,
+
+ dbus send bus=system path=/org/freedesktop/nm_dispatcher
+ interface=org.freedesktop.nm_dispatcher
+ member=Action
+ peer=(name=org.freedesktop.nm_dispatcher),
+
+ dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects,
+
+ dbus send bus=system path=/org/freedesktop/resolve[0-9]
+ interface=org.freedesktop.resolve[0-9].Manager
+ member=SetLink*,
+
+ dbus send bus=system path=/org/freedesktop/hostname[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects,
+
+ dbus receive bus=system path=/org/freedesktop
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects,
+
+ dbus receive bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member={SessionRemoved,UserNew,SessionNew,Inhibit},
+
+ dbus bind bus=system
+ name=org.freedesktop.NetworkManager,
+
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index 4a8304506..8cc0dc4f6 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
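Review bot: The rule `dbus send bus=system path=/org/freedesktop/ModemManager[0-9] interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects,` appears twice in this hunk; drop the second copy. In the logind receive rule, `Inhibit` is a method NetworkManager calls on logind (the gnome-shell and gsd-power hunks allow it as `dbus send`), so it likely belongs in a `dbus send ... interface=org.freedesktop.login[0-9].Manager member=Inhibit,` rule rather than among the received signals SessionRemoved/UserNew/SessionNew — worth confirming against the audit log that produced it. `member=SetLink*` on resolved covers every SetLink* method, which is reasonable for a DNS manager, but a comment listing the ones actually observed would make the wildcard reviewable later.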
@@ -23,6 +23,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member={Get,GetAll},
+ dbus bind bus=system
+ name=org.freedesktop.hostname[0-9],
+
 @{exec_path} mr,
 @{run}/systemd/notify rw,
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index efb53cf17..2ebf2685e 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -25,6 +25,9 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member=GetAll,
+ dbus bind bus=system
+ name=org.freedesktop.locale[0-9],
+
 @{exec_path} mr,
 /usr/share/systemd/language-fallback-map r,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 8cedc8406..3224e803b 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -44,7 +44,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 member=CheckAuthorization,
 dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/**
- interface=org.freedesktop.systemd[0-9]/.Scope
+ interface=org.freedesktop.systemd[0-9].Scope
 member=Abandon,
 dbus receive bus=system path=/org/freedesktop/systemd[0-9]
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated
index 4f28e4578..6e8985280 100644
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@@ -23,6 +23,9 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member=Get,
+ dbus bind bus=system
+ name=org.freedesktop.timedate[0-9],
+
 @{exec_path} mr,
 /dev/rtc[0-9] r,
diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir
index a4d0a7a05..c5c263a19 100644
--- a/apparmor.d/groups/systemd/systemd-user-runtime-dir
+++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir
@@ -22,6 +22,11 @@ profile systemd-user-runtime-dir @{exec_path} {
 mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
 umount @{run}/user/@{uid}/,
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.freedesktop.login[0-9]),
+
 @{exec_path} mr,
 /etc/machine-id r,
diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd
index c8e0be363..dfe1983b0 100644
--- a/apparmor.d/groups/ubuntu/packagekitd
+++ b/apparmor.d/groups/ubuntu/packagekitd
@@ -17,6 +17,36 @@ profile packagekitd @{exec_path} {
 network netlink raw,
+ dbus (send,receive) bus=system path=/org/freedesktop/PackageKit
+ interface=org.freedesktop.{DBus.*,PackageKit},
+
+ dbus send bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=RequestName,
+
+ dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member=Changed,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=CheckPermissions,
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
+ dbus bind bus=system
+ name=org.freedesktop.PackageKit,
+
 @{exec_path} mr,
 /{usr/,}bin/dpkg rPx,
diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon
index ee85a3b08..1cbe45a18 100644
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
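Review bot: The first packagekitd rule covers only `path=/org/freedesktop/PackageKit` with `interface=org.freedesktop.{DBus.*,PackageKit}`, whereas the udisksd rule in this same patch uses `UDisks2{,/**}` and `UDisks2*` to take in child objects; if PackageKit's transaction objects live on child paths with an `org.freedesktop.PackageKit.Transaction` interface, as the upstream API does, every transaction call will be denied once enforced. Worth running a real install/refresh under enforce mode and, if the audit log confirms it, widening to `path=/org/freedesktop/PackageKit{,/**}` and `interface=org.freedesktop.{DBus.*,PackageKit*}`. The `RequestName` send is not pinned to the bus daemon; adding `peer=(name=org.freedesktop.DBus)` keeps that rule from matching a method of the same name offered by any other peer.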
@@ -17,6 +17,25 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=RequestName,
+
+ dbus receive bus=system path=/net/hadess/PowerProfiles
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member=Changed,
+
+ dbus bind bus=system
+ name=net.hadess.PowerProfiles,
+
 @{exec_path} mr,
 /var/lib/power-profiles-daemon/{,**} rw,
diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon
index ef92160f8..f6ab963ee 100644
--- a/apparmor.d/profiles-m-r/rtkit-daemon
+++ b/apparmor.d/profiles-m-r/rtkit-daemon
@@ -21,6 +21,25 @@ profile rtkit-daemon @{exec_path} {
 capability sys_nice,
 capability sys_ptrace,
+ dbus receive bus=system path=/org/freedesktop/RealtimeKit[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll},
+
+ dbus receive bus=system path=/org/freedesktop/RealtimeKit[0-9]
+ interface=org.freedesktop.RealtimeKit[0-9]
+ member=MakeThreadRealtimeWithPID,
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=GetConnectionUnixUser,
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member=CheckAuthorization,
+
+ dbus bind bus=system
+ name=org.freedesktop.RealtimeKit[0-9],
+
 @{exec_path} mr,
 # When applying policies to processes
diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd
index ee7dac591..899c68c7f 100644
--- a/apparmor.d/profiles-s-z/spice-vdagentd
+++ b/apparmor.d/profiles-s-z/spice-vdagentd
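Review bot: The only receive rule for `/net/hadess/PowerProfiles` is `org.freedesktop.DBus.Properties` with `member=GetAll`; if clients switch profiles through `Properties.Set` on `ActiveProfile`, as the upstream power-profiles-daemon API does, that call will be denied and the daemon becomes read-only under enforce mode. If the audit log confirms it, `member={Get,GetAll,Set}` on that rule is the minimal fix; `PropertiesChanged` is a signal the daemon emits, so it does not need a receive rule. The `RequestName` send should be pinned with `peer=(name=org.freedesktop.DBus)` so it matches the bus daemon only.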
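Review bot: The `org.freedesktop.RealtimeKit[0-9]` receive rule allows only `MakeThreadRealtimeWithPID`; if I recall the upstream interface correctly it also exposes `MakeThreadRealtime`, `MakeThreadHighPriority`, `MakeThreadHighPriorityWithPID`, `ResetKnown`, `ResetAll` and `Exit`, so clients using the non-PID variants would be denied — confirm in the audit log and list the members actually needed explicitly rather than with a `MakeThread*` glob, since `Exit`/`ResetAll` should stay out unless required. rtkit-daemon bases its authorization decision on `GetConnectionUnixUser` and `CheckAuthorization`, so those two sends deserve a destination pin: `peer=(name=org.freedesktop.DBus)` on the first and `peer=(name=org.freedesktop.PolicyKit[0-9])` on the second ensure the answers it acts on come from the bus daemon and polkit, not from any peer that happens to offer a method of that name.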
@@ -13,6 +13,12 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
 capability sys_nice,
+ dbus receive
+ bus=system
+ path=/org/freedesktop/login[0-9]/session/_[0-9]*
+ interface=org.freedesktop.login[0-9].Session
+ member=Unlock,
+
 @{exec_path} mr,
 owner @{run}/spice-vdagentd/spice-vdagent-sock r,
diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control
index 2f142a088..8bd1539a4 100644
--- a/apparmor.d/profiles-s-z/switcheroo-control
+++ b/apparmor.d/profiles-s-z/switcheroo-control
@@ -15,6 +15,17 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus receive bus=system path=/net/hadess/SwitcherooControl
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=RequestName,
+
+ dbus bind bus=system
+ name=net.hadess.SwitcherooControl,
+
 @{exec_path} mr,
 @{run}/udev/data/+drm:* r,
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index b46cd19b2..d2019666c 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
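Review bot: The new `Unlock` receive rule has no `peer=`, so any bus client the dbus-daemon policy lets emit a message matching `org.freedesktop.login[0-9].Session` `Unlock` on a session path will be accepted by spice-vdagentd, which forwards unlock handling to the guest agent. This is a logind signal, and the logind profile in this same patch carries the label `systemd-logind`, so adding `peer=(label=systemd-logind)` to the rule keeps a spoofed unlock from an unrelated process out. On style, this is the only rule in the patch that puts `bus=system` on its own line; `dbus receive bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]*` as the first line matches the rest of the repo.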
@@ -26,6 +26,32 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**}
+ interface=org.freedesktop.{DBus*,UDisks2*},
+
+ dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member=Changed,
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={ReleaseName,GetConnectionUnixUser},
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member=Inhibit,
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member=CheckAuthorization,
+
+ dbus bind bus=system
+ name=org.freedesktop.UDisks2,
+
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant
index ab75f5d58..eb79c593e 100644
--- a/apparmor.d/profiles-s-z/wpa-supplicant
+++ b/apparmor.d/profiles-s-z/wpa-supplicant
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2018-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -25,6 +25,13 @@ profile wpa-supplicant @{exec_path} {
 network packet raw,
 network packet dgram,
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=RequestName,
+
+ dbus bind bus=system
+ name=fi.w1.wpa_supplicant[0-9],
+
 @{exec_path} mr,
 @{HOME}/.cat_installer/*.pem r,
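Review bot: `interface=org.freedesktop.{DBus*,UDisks2*}` uses bare `DBus*`/`UDisks2*` globs, whereas the gvfs-udisks2-volume-monitor rule in this same patch spells the same thing `{DBus.*,UDisks2.*}`; the bare form also matches any interface whose name merely starts with those strings, so `interface=org.freedesktop.{DBus.*,UDisks2.*}` is both tighter and consistent with the sibling profile. The `GetConnectionUnixUser` answer feeds udisksd's polkit check, so that send rule and the `CheckAuthorization` send should be pinned with `peer=(name=org.freedesktop.DBus)` and `peer=(name=org.freedesktop.PolicyKit[0-9])` respectively, as the patch already does for login1 in systemd-user-runtime-dir.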
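Review bot: This hunk adds the bind for `fi.w1.wpa_supplicant[0-9]` but no `dbus receive` rule for the `fi.w1.wpa_supplicant[0-9]` interfaces on `/fi/w1/wpa_supplicant[0-9]{,/**}`, and the NetworkManager hunk in this patch likewise has no matching send rule toward wpa_supplicant; unless both are covered by an abstraction included outside these hunks, NetworkManager's interface/network management calls will be denied under enforce mode, so it is worth checking the audit log after applying. A first cut would be `dbus receive bus=system path=/fi/w1/wpa_supplicant[0-9]{,/**} interface=fi.w1.wpa_supplicant[0-9]{,.*} peer=(label=NetworkManager)` plus the `org.freedesktop.DBus.Properties` members it serves, narrowed to what the log shows. The `RequestName` send should carry `peer=(name=org.freedesktop.DBus)` so it is limited to the bus daemon.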