From 643a84997ecf12f87f700b024e533f8ccd4cb60d Mon Sep 17 00:00:00 2001 
From: nobodysu Date: Fri, 14 Oct 2022 21:21:56 +0000 Subject: [PATCH] Unbreak Debian 11 and partially Ubuntu 22.04 (Wayland+GDM+Gnome) (#81) * Unbreaking Debian 11 and partially Ubuntu 22.04 * pre-cleanup * pre-cleanup2 * Update im-launch * Update gnome-extension-ding * polishing * not yet * Update ubuntu.flags Allow GDM to boot. `No new privs` fix. * Update debian.flags Allow GDM to boot. `No new privs` fix. * Update CONTRIBUTING.md * fixes * reverting w * move setpriv to main.flags --- CONTRIBUTING.md | 7 + apparmor.d/groups/apt/apt | 3 +- apparmor.d/groups/avahi/avahi-daemon | 13 + apparmor.d/groups/bus/dbus-daemon | 2 + .../groups/bus/dbus-daemon-launch-helper | 5 +- apparmor.d/groups/bus/dbus-run-session | 1 + apparmor.d/groups/bus/ibus-daemon | 30 +- apparmor.d/groups/bus/ibus-dconf | 14 +- apparmor.d/groups/bus/ibus-engine-simple | 2 + apparmor.d/groups/bus/ibus-extension-gtk3 | 45 +- apparmor.d/groups/bus/ibus-portal | 13 +- apparmor.d/groups/bus/ibus-x11 | 29 +- apparmor.d/groups/freedesktop/accounts-daemon | 29 +- .../groups/freedesktop/at-spi-bus-launcher | 3 + .../groups/freedesktop/at-spi2-registryd | 67 ++- apparmor.d/groups/freedesktop/colord | 28 +- apparmor.d/groups/freedesktop/dconf | 8 +- apparmor.d/groups/freedesktop/dconf-service | 23 + apparmor.d/groups/freedesktop/geoclue | 9 +- apparmor.d/groups/freedesktop/pipewire | 10 + .../groups/freedesktop/pipewire-media-session | 5 + apparmor.d/groups/freedesktop/pulseaudio | 6 +- apparmor.d/groups/freedesktop/upowerd | 13 +- .../groups/freedesktop/xdg-desktop-portal | 60 ++- .../freedesktop/xdg-desktop-portal-gnome | 80 +++- .../groups/freedesktop/xdg-desktop-portal-gtk | 109 ++++- .../groups/freedesktop/xdg-document-portal | 47 +- .../groups/freedesktop/xdg-permission-store | 33 +- apparmor.d/groups/freedesktop/xhost | 4 + apparmor.d/groups/freedesktop/xkbcomp | 1 + apparmor.d/groups/freedesktop/xorg | 11 +- apparmor.d/groups/freedesktop/xwayland | 3 + .../groups/gnome/evolution-calendar-factory | 3 
+- apparmor.d/groups/gnome/gdm | 17 +- apparmor.d/groups/gnome/gdm-session-worker | 8 + apparmor.d/groups/gnome/gdm-wayland-session | 12 + apparmor.d/groups/gnome/gdm-x-session | 16 + apparmor.d/groups/gnome/gdm-xsession | 35 +- apparmor.d/groups/gnome/gjs-console | 52 +++ apparmor.d/groups/gnome/gnome-control-center | 46 +- .../gnome/gnome-control-center-print-renderer | 6 + apparmor.d/groups/gnome/gnome-extension-ding | 119 ++++- apparmor.d/groups/gnome/gnome-keyring-daemon | 47 +- .../groups/gnome/gnome-remote-desktop-daemon | 5 +- apparmor.d/groups/gnome/gnome-session-binary | 126 ++++- apparmor.d/groups/gnome/gnome-session-ctl | 14 +- apparmor.d/groups/gnome/gnome-shell | 434 +++++++++++++++++- .../groups/gnome/gnome-shell-calendar-server | 3 + apparmor.d/groups/gnome/gnome-terminal-server | 5 +- apparmor.d/groups/gnome/goa-daemon | 30 ++ apparmor.d/groups/gnome/goa-identity-service | 28 ++ apparmor.d/groups/gnome/gsd-a11y-settings | 39 ++ apparmor.d/groups/gnome/gsd-color | 89 ++++ apparmor.d/groups/gnome/gsd-datetime | 38 ++ .../groups/gnome/gsd-disk-utility-notify | 8 + apparmor.d/groups/gnome/gsd-housekeeping | 44 ++ apparmor.d/groups/gnome/gsd-keyboard | 70 +++ apparmor.d/groups/gnome/gsd-media-keys | 128 +++++- apparmor.d/groups/gnome/gsd-power | 125 ++++- .../groups/gnome/gsd-print-notifications | 46 +- apparmor.d/groups/gnome/gsd-printer | 14 +- apparmor.d/groups/gnome/gsd-rfkill | 48 ++ apparmor.d/groups/gnome/gsd-screensaver-proxy | 41 ++ apparmor.d/groups/gnome/gsd-sharing | 84 +++- apparmor.d/groups/gnome/gsd-smartcard | 52 +++ apparmor.d/groups/gnome/gsd-sound | 43 ++ apparmor.d/groups/gnome/gsd-wacom | 76 +++ apparmor.d/groups/gnome/gsd-xsettings | 81 +++- apparmor.d/groups/gnome/nautilus | 3 +- apparmor.d/groups/gnome/tracker-extract | 47 ++ apparmor.d/groups/gnome/tracker-miner | 59 ++- apparmor.d/groups/gpg/gpg-agent | 5 +- .../groups/gvfs/gvfs-afc-volume-monitor | 18 + .../groups/gvfs/gvfs-goa-volume-monitor | 23 + 
.../groups/gvfs/gvfs-gphoto2-volume-monitor | 18 + .../groups/gvfs/gvfs-mtp-volume-monitor | 18 + .../groups/gvfs/gvfs-udisks2-volume-monitor | 25 + apparmor.d/groups/gvfs/gvfsd | 37 ++ apparmor.d/groups/gvfs/gvfsd-dnssd | 28 ++ apparmor.d/groups/gvfs/gvfsd-fuse | 14 + apparmor.d/groups/gvfs/gvfsd-metadata | 24 + apparmor.d/groups/gvfs/gvfsd-network | 33 ++ apparmor.d/groups/gvfs/gvfsd-smb-browse | 31 ++ apparmor.d/groups/gvfs/gvfsd-trash | 23 + apparmor.d/groups/network/ModemManager | 24 +- apparmor.d/groups/network/NetworkManager | 9 +- apparmor.d/groups/network/nm-dispatcher | 2 + apparmor.d/groups/systemd/systemd-hostnamed | 7 +- apparmor.d/groups/systemd/systemd-resolved | 5 + apparmor.d/groups/systemd/systemd-sleep | 5 +- apparmor.d/groups/systemd/systemd-timesyncd | 4 +- .../groups/ubuntu/check-new-release-gtk | 10 +- apparmor.d/groups/ubuntu/packagekitd | 5 +- apparmor.d/groups/ubuntu/release-upgrade-motd | 1 + apparmor.d/profiles-a-f/appstreamcli | 2 + .../profiles-a-f/cc-remote-login-helper | 17 + apparmor.d/profiles-a-f/fprintd | 3 +- apparmor.d/profiles-g-l/im-launch | 13 +- apparmor.d/profiles-g-l/logrotate | 0 apparmor.d/profiles-m-r/man | 10 +- apparmor.d/profiles-m-r/pass | 4 +- apparmor.d/profiles-m-r/passwd | 2 + apparmor.d/profiles-m-r/pkexec | 1 + apparmor.d/profiles-s-z/scrcpy | 4 +- apparmor.d/profiles-s-z/snap | 14 +- apparmor.d/profiles-s-z/spice-vdagent | 32 +- apparmor.d/profiles-s-z/switcheroo-control | 4 +- apparmor.d/profiles-s-z/udisksd | 5 + apparmor.d/profiles-s-z/useradd | 3 +- dists/flags/main.flags | 2 + 110 files changed, 3157 insertions(+), 182 deletions(-) create mode 100644 apparmor.d/profiles-a-f/cc-remote-login-helper mode change 100755 => 100644 apparmor.d/profiles-g-l/logrotate diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index e00b0fb8a..2767e9229 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -138,6 +138,13 @@ The rules in the profile should be sorted as follow: /etc/machine-id r, /var/lib/dbus/machine-id r, ``` +* For DBus, try to determine peer's label when possible. If there's no predictable label - it can be omited. E.g.: + ``` + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + ``` The included tool `aa-log` can be useful to explore the apparmor log diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 7fc6a53a7..a4b243205 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -32,7 +32,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-*, - unix (receive, send) type=stream peer=(label=apt-esm-json-hook), + unix (send, receive) type=stream peer=(label=apt-esm-json-hook), + unix (send, receive) type=stream peer=(label=snapd), dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/@{hex}} interface=org.{debian.apt*,freedesktop.DBus.{Properties,Introspectable}}, diff --git a/apparmor.d/groups/avahi/avahi-daemon b/apparmor.d/groups/avahi/avahi-daemon index e3db92e1a..89703b5ab 100644 --- a/apparmor.d/groups/avahi/avahi-daemon +++ b/apparmor.d/groups/avahi/avahi-daemon @@ -14,6 +14,19 @@ profile avahi-daemon @{exec_path} { network inet dgram, network inet6 dgram, + dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* + interface=org.freedesktop.Avahi.ServiceBrowser + peer=(name=:*, label="{colord-sane,gsd-print-notifications}"), # all members + + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=:*, label="{colord-sane,gsd-print-notifications}"), + + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + peer=(name=:*, label="{colord-sane,gsd-print-notifications}"), # all members + @{exec_path} mr, /etc/avahi/** r, 
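Review bot: The new `dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* ... peer=(name=:*, label="{colord-sane,gsd-print-notifications}")` rule omits `geoclue`, yet the geoclue hunk in this same commit adds the matching `dbus receive ... member={AllForNow,CacheExhausted} peer=(name=:*, label=avahi-daemon)`. AppArmor checks the sender's rule as well as the receiver's, so those browser signals will still be refused on the avahi-daemon side and geoclue's service browsing stays broken. Unless geoclue was observed working with both profiles in enforce mode, widen the first rule to `peer=(name=:*, label="{colord-sane,geoclue,gsd-print-notifications}")`.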
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index dd48a3f17..595dd7854 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -25,6 +25,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup kill) peer=dbus-run-session, signal (receive) set=(term hup kill) peer=gdm*, signal (send) set=(term hup kill) peer=at-spi-bus-launcher, + signal (send) set=(term hup kill) peer=at-spi2-registryd, signal (send) set=(term hup kill) peer=dconf-service, signal (send) set=(term hup kill) peer=xdg-permission-store, @@ -47,6 +48,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx, /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx, + /usr/share/gnome-documents/org.gnome.Documents rPx, /etc/dbus-1/{,**} r, diff --git a/apparmor.d/groups/bus/dbus-daemon-launch-helper b/apparmor.d/groups/bus/dbus-daemon-launch-helper index 504f9bea4..76979b7c4 100644 --- a/apparmor.d/groups/bus/dbus-daemon-launch-helper +++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper @@ -22,8 +22,11 @@ profile dbus-daemon-launch-helper @{exec_path} { /{usr/,}lib/cups-pk-helper-mechanism rPx, /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx, /{usr/,}lib/software-properties/software-properties-dbus rPx, + @{libexec}/language-selector/ls-dbus-backend rPx, /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx, + /usr/share/usb-creator/usb-creator-helper rPx, + /usr/share/hplip/pkservice.py rPx, /usr/share/dbus-1/{,**} r, @@ -32,4 +35,4 @@ profile dbus-daemon-launch-helper @{exec_path} { owner @{PROC}/@{pid}/oom_score_adj rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/bus/dbus-run-session b/apparmor.d/groups/bus/dbus-run-session index b344e912f..c353e9575 100644 --- a/apparmor.d/groups/bus/dbus-run-session 
+++ b/apparmor.d/groups/bus/dbus-run-session @@ -28,6 +28,7 @@ profile dbus-run-session @{exec_path} { /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.cache/dconf/ rw, + /var/lib/gdm{3,}/greeter-dconf-defaults r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index baa8420ce..e95977c8d 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -16,6 +16,33 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { signal (receive) set=(usr1) peer=gnome-shell, signal (send) set=(term) peer=ibus*, + unix (bind, listen) type=stream addr=@/var/lib/gdm{3,}/.cache/ibus/dbus-*, + unix (send, receive, accept) type=stream addr=@/var/lib/gdm{3,}/.cache/ibus/dbus-* peer=(label=ibus-*), + unix (send, receive, accept) type=stream addr=@/var/lib/gdm{3,}/.cache/ibus/dbus-* peer=(label=gnome-shell), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/IBus + interface=org.freedesktop.DBus.Peer + peer=(name=org.freedesktop.portal.IBus), # all members, all peer's labels + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session name=org.freedesktop.portal.IBus, + + dbus bind bus=session name=org.freedesktop.IBus, + @{exec_path} mr, /{usr/,}lib/ibus/ibus-* rPx, @@ -28,6 +55,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, owner @{user_cache_dirs}/ibus/{,**} rw, + /var/lib/gdm{3,}/.config/ibus/{,**} rw, /var/lib/gdm{3,}/.cache/ibus/{,**} rw, /var/lib/gdm{3,}/.config/ibus/bus/ r, 
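Review bot: `dbus bind bus=session name=org.freedesktop.portal.IBus,` is granted to ibus-daemon even though the same commit gives that name to ibus-portal (`dbus bind bus=session name=org.freedesktop.portal.IBus,` in its profile) and ibus-daemon starts it under its own profile via `/{usr/,}lib/ibus/ibus-* rPx`. Owning the portal name would let a compromised ibus-daemon stand in for the input-method portal that sandboxed clients talk to, so unless a bind denial was seen for ibus-daemon itself, drop that line and keep only `dbus bind bus=session name=org.freedesktop.IBus,`. For the same reason the send rule marked `# all members, all peer's labels` can be pinned to `peer=(name=org.freedesktop.portal.IBus, label=ibus-portal)`, following the peer-label guidance this commit adds to CONTRIBUTING.md.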
@@ -37,4 +65,4 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { owner /dev/tty[0-9]* rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 049df8485..f01866351 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -11,10 +11,20 @@ include profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include + include + include include signal (receive) set=term peer=ibus-daemon, + unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-*", label=ibus-daemon), + unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-*", label=ibus-daemon), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, /usr/share/gdm/greeter-dconf-defaults r, @@ -22,16 +32,16 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { /etc/dconf/profile/ibus r, /etc/dconf/db/ibus r, - /var/lib/dbus/machine-id r, owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r, owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9]* r, + /var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r, /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r, - /var/lib/gdm{3,}/.cache/dconf/ w, /var/lib/gdm{3,}/.cache/dconf/user rw, /var/lib/gdm{3,}/.config/dconf/user rw, + /var/lib/gdm{3,}/greeter-dconf-defaults r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index 160a02b0e..e34cce534 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple 
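Review bot: In ibus-dconf, `unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-*", label=ibus-daemon)` hard-codes `/home/*`, whereas the rest of this commit reaches the same directory through the tunables (`owner @{user_cache_dirs}/ibus/{,**} rw` in ibus-daemon). Users whose home lives outside /home, including root, would get the socket connect denied and keep the pre-patch breakage. Write it as `peer=(addr="@@{HOME}/.cache/ibus/dbus-*", label=ibus-daemon)` (or with `@{user_cache_dirs}` if that tunable expands inside `addr=` as the file rules expect) so the rule follows the same variables as the file access below it.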
@@ -14,6 +14,8 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { signal (receive) set=term peer=ibus-daemon, + unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-*", label=ibus-daemon), + @{exec_path} mr, /etc/machine-id r, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 6f57deef4..ffa33add8 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -8,9 +8,10 @@ include @{exec_path} = /{usr/,}lib/ibus/ibus-extension-gtk3 @{exec_path} += @{libexec}/ibus-extension-gtk3 -profile ibus-extension-gtk3 @{exec_path} { +profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include include + include include include include 
@@ -26,6 +27,43 @@ profile ibus-extension-gtk3 @{exec_path} { network inet6 stream, network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session name=org.freedesktop.IBus.Panel.Extension.Gtk3, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, @@ -38,7 +76,12 @@ profile ibus-extension-gtk3 @{exec_path} { owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, + /var/lib/gdm{3,}/.config/ibus/bus/*-unix{,-wayland}-[0-9]* r, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, + + # file inherit + /dev/tty[0-9]* rw, include if exists } diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 7c31da158..40c874914 100644 --- a/apparmor.d/groups/bus/ibus-portal 
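Review bot: The `# file inherit` rule `/dev/tty[0-9]* rw,` has no `owner` qualifier, unlike the equivalent `owner /dev/tty[0-9]* rw,` in the ibus-daemon, ibus-dconf and ibus-portal profiles touched by this commit. As written it lets the extension read and write any virtual console regardless of who owns it, which is wider than an inherited descriptor needs; change it to `owner /dev/tty[0-9]* rw,` to match the siblings. If the inherited descriptor is expected to belong to the gdm user rather than the session user, say so in the comment rather than dropping `owner` silently.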
+++ b/apparmor.d/groups/bus/ibus-portal @@ -15,6 +15,18 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session name=org.freedesktop.portal.IBus, + @{exec_path} mr, /{usr/,}lib/gio/modules/{,*} r, @@ -29,7 +41,6 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r, owner /dev/tty[0-9]* rw, - /dev/null rw, include if exists } diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 7cef8bf1f..f3f8064d4 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -11,6 +11,7 @@ include profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include + include include include include 
@@ -21,12 +22,34 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { unix (connect, receive, send) type=stream peer=(label=ibus-daemon), + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + @{exec_path} mr, - /var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, + /var/lib/gdm{3,}/.config/ibus/bus/ r, + /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix{,-wayland}-[0-9] r, + /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, - owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, - owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9] r, + owner @{user_config_dirs}/ibus/bus/ r, + owner @{user_config_dirs}/ibus/bus/@{hex}-unix{,-wayland}-[0-9] r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/gdm/Xauthority r, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 6c761146e..ec5d2cfca 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon 
@@ -44,15 +44,22 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/language-tools/language-validate rPx, + /{usr/,}bin/cat rix, + + /{usr/,}{s,}bin/adduser rPx, + /{usr/,}{s,}bin/usermod rPx, + /{usr/,}{s,}bin/userdel rPx, + /{usr/,}bin/passwd rPx, + /{usr/,}bin/chage rPx, + /usr/share/language-tools/language-validate rPx, /usr/share/accountsservice/{,**} r, /usr/share/dbus-1/interfaces/*.xml r, /etc/default/locale r, /etc/gdm{3,}/ r, - /etc/gdm{3,}/custom.conf rw, - /etc/gdm{3,}/custom.conf.* rw, + /etc/gdm{3,}/daemon.conf{,.??????} rw, + /etc/gdm{3,}/custom.conf{,.??????} rw, /etc/machine-id r, /etc/shadow r, /etc/shells r, @@ -62,10 +69,18 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { @{HOME}/ r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/loginuid rw, + @{PROC}/@{pids}/loginuid r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + # wtmp.d ? + /var/log/wtmp r, + + owner /tmp/gnome-control-center-user-icon-?????? rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher index 62e8f12e8..7c246a07f 100644 --- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher +++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher @@ -20,6 +20,8 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup kill) peer=gnome-session-binary, signal (send) set=(term hup kill) peer=dbus-daemon, + unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg), + network inet stream, network inet6 stream, 
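Review bot: `owner /tmp/gnome-control-center-user-icon-?????? rw,` grants write access to a user-supplied temporary file under a predictable /tmp prefix, while the icon only needs to be read before the `cat` child copies it into AccountsService's own store; unless a write denial was actually observed, narrow it to `r`. The `# wtmp.d ?` comment leaves an open question in a committed profile — replace it with what the access is for (presumably login history for the per-user login-frequency data; confirm against the daemon) or drop `/var/log/wtmp r,` if it was never hit. The new `adduser`/`usermod`/`userdel`/`passwd`/`chage` transitions run as root with `rPx`, which fails closed when no profile is attached at that path; only `passwd` and `useradd` appear in this commit's diffstat, so confirm the others already exist.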
@@ -39,6 +41,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { /var/lib/lightdm/.Xauthority r, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, /var/log/lightdm/seat[0-9]*-greeter.log w, diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd index 8fa2940bd..89700f1cd 100644 --- a/apparmor.d/groups/freedesktop/at-spi2-registryd +++ b/apparmor.d/groups/freedesktop/at-spi2-registryd 
@@ -12,9 +12,74 @@ include profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include include + include include - signal (receive) set=(term hup) peer=gdm*, + signal (receive) set=(term hup) peer=gdm*, + signal (receive) set=(term hup kill) peer=dbus-daemon, + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,ClientRemoved,SessionRunning} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*, label="{gnome-extension-ding,gnome-control-center}"), + + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=:*, label="{gnome-extension-ding,gnome-control-center,spice-vdagent}"), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=org.freedesktop.DBus), # all peer's labels + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=:*, label=gnome-control-center), + + dbus receive bus=accessibility 
path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=:*, label="{gnome-control-center,xdg-desktop-portal-*}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=accessibility + name=org.a11y.atspi.Registry, @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index f1cd38b75..c6177d794 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord 
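Review bot: The accessibility-bus receive rules are narrower than the send rules this commit adds elsewhere: `member=GetRegisteredEvents` accepts only `label=gnome-control-center`, the `deviceeventcontroller` members only `"{gnome-control-center,xdg-desktop-portal-*}"`, and `Embed` only `"{gnome-extension-ding,gnome-control-center,spice-vdagent}"`, while the ibus-extension-gtk3 and ibus-x11 hunks gain `dbus send` rules for exactly those members to `peer=(name=org.a11y.atspi.Registry)`. AppArmor mediates both ends of a D-Bus call, so those ibus calls will be rejected on the registry side even though the senders are allowed. Add `ibus-extension-gtk3` and `ibus-x11` to the three label sets, e.g. `peer=(name=:*, label="{gnome-control-center,ibus-extension-gtk3,ibus-x11}")` for `GetRegisteredEvents`, or note in a comment why those clients are expected to reach the registry some other way.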
@@ -17,20 +17,32 @@ profile colord @{exec_path} flags=(attach_disconnected) { network netlink raw, - dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**} - interface=org.freedesktop.{DBus.Properties,ColorManager*}, - dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName}, - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.DBus.Properties - member=GetAll, + dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**} + interface=org.freedesktop.ColorManager*, - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.PolicyKit[0-9].Authority - member=CheckAuthorization, + member=CheckAuthorization + peer=(name=:*, label=polkitd), + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=Changed + peer=(name=:*, label=polkitd), + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label="{gsd-color,polkitd}"), + + dbus receive bus=system path=/org/freedesktop/ColorManager{,/devices/*} + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label="{gsd-color,colord-sane,gnome-control-center}"), dbus bind bus=system name=org.freedesktop.ColorManager, diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf index 536080dfd..19c76c3b1 100644 --- a/apparmor.d/groups/freedesktop/dconf +++ b/apparmor.d/groups/freedesktop/dconf 
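Review bot: `dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label="{gsd-color,polkitd}")` names gsd-color as a peer for the polkit Authority object, which only polkitd serves; the label set appears to have been copied from the ColorManager `GetAll` receive rule just below it. Since colord should never issue that call to anything but polkitd, tighten it to `peer=(name=:*, label=polkitd),` so an unexpected call shows up in the log instead of being silently allowed.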
@@ -12,13 +12,19 @@ profile dconf @{exec_path} flags=(attach_disconnected) { include capability sys_nice, + capability dac_override, @{exec_path} mr, /etc/dconf/db/** rw, + /usr/share/gdm/dconf/{,**} r, + + /var/lib/gdm{3,}/ r, + /var/lib/gdm{3,}/greeter-dconf-defaults{,.??????} rw, + owner @{user_config_dirs}/dconf/ rw, owner @{user_config_dirs}/dconf/user{,.*} rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index ebcf010d4..d18de36ca 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service @@ -15,6 +15,29 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term kill hup) peer=dbus-daemon, signal (receive) set=(term hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member=Notify + peer=(name=org.freedesktop.DBus), # all peer's labels + + dbus receive bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member=Change + peer=(name=:*, label=gnome-control-center), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=ca.desrt.dconf, + @{exec_path} mr, owner @{user_config_dirs}/dconf/ rw, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 378710753..2d2c5956e 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -9,6 +9,8 @@ include @{exec_path} = @{libexec}/geoclue profile geoclue @{exec_path} flags=(attach_disconnected) { include + include + include include network netlink raw, 
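Review bot: `capability dac_override,` is the broadest grant in the dconf profile and arrives without a comment saying what needs it; the neighbouring additions (`/var/lib/gdm{3,}/ r,` and `/var/lib/gdm{3,}/greeter-dconf-defaults{,.??????} rw,`) suggest root compiling the greeter database into a directory owned by the gdm user, but the hunk does not say so. Add a why-comment above it such as `# root writes /var/lib/gdm{3,}/greeter-dconf-defaults into a directory owned by the gdm user`, adjusted to whatever `aa-log` actually showed, so a later reader can judge when it can be revoked. Because DAC override applies to every path the profile permits, including `/etc/dconf/db/** rw,`, this is the line most worth re-checking the next time the profile is tightened.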
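Review bot: In dconf-service, `dbus receive bus=session path=/ca/desrt/dconf/Writer/user interface=ca.desrt.dconf.Writer member=Change peer=(name=:*, label=gnome-control-center)` limits the writer's `Change` method to one sender label, but every GSettings write from any other confined process goes through the same method and the receiver-side check will refuse it. Unless gnome-control-center really is the only confined settings writer on the tested systems, this reproduces the kind of breakage the commit sets out to fix for gnome-shell and the gsd-* profiles expanded elsewhere in the diff. Either list the writers that were observed, or follow the CONTRIBUTING.md guidance added in this commit and drop the `label=` constraint where no single predictable label exists.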
@@ -45,9 +47,10 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.Avahi.Server member=StateChanged, - dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9] + dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* interface=org.freedesktop.Avahi.ServiceBrowser - member={AllForNow,CacheExhausted}, + member={AllForNow,CacheExhausted} + peer=(name=:*, label=avahi-daemon), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager @@ -69,4 +72,4 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 0e91917e9..5b41316a3 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -19,6 +19,11 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { ptrace (read), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetConnectionUnixProcessID + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] interface=org.freedesktop.RealtimeKit[0-9] member=MakeThread* @@ -29,6 +34,11 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { member=Get peer=(name=org.freedesktop.RealtimeKit[0-9]), + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, /{usr/,}bin/pactl rPx, diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index d70f8362e..8876c138c 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session 
@@ -31,6 +31,11 @@ profile pipewire-media-session @{exec_path} { member=MakeThreadRealtime peer=(name=org.freedesktop.RealtimeKit1), + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, /usr/share/alsa-card-profile/{,**} r, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index d84041113..bc10f4a13 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -109,7 +109,7 @@ profile pulseaudio @{exec_path} { @{exec_path} mrix, - /{usr/,}@{libexec}/pulse/gsettings-helper mrix, + @{libexec}/pulse/gsettings-helper mrix, /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix, /{usr/,}lib/pulse-*/modules/*.so mr, @@ -138,7 +138,9 @@ profile pulseaudio @{exec_path} { owner @{user_config_dirs}/pulse/{,**} rw, - owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r, + owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r, + /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw, + /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw, owner @{run}/user/@{uid}/ rw, owner @{run}/user/@{uid}/pulse/{,*} rw, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 72a183ee1..ff05a04ff 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -16,6 +16,11 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**} interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,UPower*}, 
@@ -27,14 +32,10 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.login[0-9].Manager member=Inhibit, - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=RequestName - peer=(name=org.freedesktop.DBus), - dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={SessionNew,SessionRemoved,PrepareForShutdown}, + member={UserNew,UserRemoved,SessionNew,SessionRemoved,PrepareForShutdown,PrepareForSleep} + peer=(name=:*, label=systemd-logind), dbus bind bus=system name=org.freedesktop.UPower, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 6a26e66c2..0b74d954c 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -22,6 +22,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { ptrace (read), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll, 
@@ -42,6 +47,59 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=PropertiesChanged, + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label="{gnome-shell,xdg-desktop-portal-*,gnome-keyring-daemon}"), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Background + member=GetAppState + peer=(name=:*, label=xdg-desktop-portal-*), + + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Background + member=RunningApplicationsChanged + peer=(name=:*, label=xdg-desktop-portal-*), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=SettingChanged + peer=(name=org.freedesktop.DBus), # all peer's labels + + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + member=SettingChanged + peer=(name=:*, label=xdg-desktop-portal-*), + + dbus send bus=session path=/org/freedesktop/portal/documents + interface=org.freedesktop.portal.Documents + member=GetMountPoint + peer=(name=:*, label=xdg-document-portal), + + dbus (send, receive) bus=session path=/org/freedesktop/portal/documents + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=xdg-document-portal), + + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-permission-store), + + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.impl.portal.PermissionStore + member=Lookup + peer=(name=:*, label=xdg-permission-store), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, 
label=gnome-shell), + + dbus bind bus=session + name=org.freedesktop.portal.Desktop, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, @@ -74,4 +132,4 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 96471bdb5..fb8071deb 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -20,6 +20,11 @@ profile xdg-desktop-portal-gnome @{exec_path} { include include + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.DBus.Properties member=GetAll, 
@@ -32,6 +37,79 @@ profile xdg-desktop-portal-gnome @{exec_path} { interface=org.freedesktop.Accounts.User member=Changed, + dbus send bus=session path=/org/gnome/Shell/Screenshot + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Shell/Introspect + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Shell/Introspect + interface=org.gnome.Shell.Introspect + member=GetRunningApplications + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Shell/Introspect + interface=org.gnome.Shell.Introspect + member={RunningApplicationsChanged,WindowsChanged} + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Background + member=RunningApplicationsChanged + peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Background + member=GetAppState + peer=(name=:*, label=xdg-desktop-portal), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + member=SettingChanged + peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-desktop-portal), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member=GetCurrentState + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member=GetCurrentState + peer=(name=:*, label=gsd-xsettings), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + 
interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Mutter/ScreenCast + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Mutter/RemoteDesktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.freedesktop.impl.portal.desktop.gnome, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -48,4 +126,4 @@ profile xdg-desktop-portal-gnome @{exec_path} { owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 173a6fe68..70afe9b0e 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,8 +9,10 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} { include + include include include + include include include include @@ -20,6 +22,13 @@ profile xdg-desktop-portal-gtk @{exec_path} { include include + unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.DBus.Properties member=GetAll, 
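Review bot: The `dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member=GetCurrentState peer=(name=:*, label=gsd-xsettings)` rule looks out of place: every other DisplayConfig rule in this hunk sends to gnome-shell, which presumably owns that path, and a portal backend would not be answering GetCurrentState calls from gsd-xsettings. It may have been lifted from a log line that was really the reply to the portal's own call; worth re-checking the denial before keeping a receive rule naming a peer the portal has no other relationship with. If it is genuine, a short comment naming the call that triggers it would help the next reader.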
@@ -40,6 +49,104 @@ profile xdg-desktop-portal-gtk @{exec_path} { interface=org.freedesktop.DBus.Properties member=PropertiesChanged, + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,ClientRemoved,SessionRunning} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={EndSession,QueryEndSession,CancelEndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/Shell/Introspect + interface=org.gnome.Shell.Introspect + member={RunningApplicationsChanged,WindowsChanged} + peer=(name=:*, label=gnome-shell), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + 
member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gjs-console), + + dbus send bus=session path=/org/gnome/Shell/Introspect + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member=ActiveChanged + peer=(name=:*, label=gjs-console), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + member=SettingChanged + peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-desktop-portal), + + dbus send bus=session path=/org/gtk/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.freedesktop.impl.portal.desktop.gtk, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -58,4 +165,4 @@ profile xdg-desktop-portal-gtk @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 3a0453645..15adce726 100644 
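Review bot: The three accessibility-bus send rules to `org.a11y.atspi.Registry` (`GetKeystrokeListeners,GetDeviceEventListeners`, `GetRegisteredEvents` and `Embed`) are left open with `# all peer's labels`, while the gnome-control-center hunk in this same patch writes the identical rules with `peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd)`. The `EventListenerDeregistered` receive rule sitting between them already names `label=at-spi2-registryd`, so the label is known; using it keeps the two profiles consistent and stops any other process that obtains the registry name from being an acceptable peer. Suggested on all three: `peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),`.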
--- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -7,14 +7,48 @@ abi , include @{exec_path} = @{libexec}/xdg-document-portal -profile xdg-document-portal @{exec_path} { +profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { include include + capability sys_nice, + capability sys_resource, +# capability sys_admin, + ptrace (read) peer=xdg-desktop-portal, + signal (receive) set=(term) peer=gdm, + unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-permission-store), + + dbus receive bus=session path=/org/freedesktop/portal/documents + interface=org.freedesktop.portal.Documents + member=GetMountPoint + peer=(name=:*, label="{snap,xdg-desktop-portal}"), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/freedesktop/portal/documents + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-desktop-portal), + + dbus bind bus=session + name=org.freedesktop.portal.Documents, + @{exec_path} mr, /{usr/,}bin/flatpak rCx -> flatpak, @@ -33,6 +67,9 @@ profile xdg-document-portal @{exec_path} { /dev/fuse rw, + # file inherit + owner /dev/tty[0-9]* rw, + profile flatpak { include @@ -50,6 +87,8 @@ profile xdg-document-portal @{exec_path} { @{PROC}/sys/kernel/random/boot_id r, /dev/tty rw, + + include if exists } profile fusermount { 
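Review bot: `# capability sys_admin,` is left as a column-0 commented-out rule with no explanation, which in a security profile reads as either a forgotten experiment or a grant waiting to be uncommented. Either drop the line or keep it indented with a one-line reason it was tried and not granted, e.g. `# capability sys_admin, # <why it is not needed>`. Separately, `label="{snap,xdg-desktop-portal}"` on the `GetMountPoint` receive rule: snap-confined processes run under profiles named `snap.<snap>.<app>`, so a literal `snap` label only matches a profile called exactly that — confirm which peer this was meant to admit.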
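Review bot: The comment introducing the new tty rule is spelled `# file inherit`, while the xhost and gdm-xsession hunks in this patch and the existing gdm-xsession lines use `# file_inherit`. Matching the existing token, `# file_inherit`, keeps the marker greppable across the profile set.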
@@ -76,8 +115,12 @@ profile xdg-document-portal @{exec_path} { @{PROC}/@{pids}/mounts r, + owner @{run}/user/@{uid}/doc/ rw, + /dev/fuse rw, + + include if exists } include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index a7113a766..f43e7e010 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -11,9 +11,39 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { include include + capability sys_nice, + signal (receive) set=(term hup kill) peer=dbus-daemon, signal (receive) set=(term hup kill) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label="{gnome-shell,xdg-document-portal}"), + + dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.impl.portal.PermissionStore + member=Lookup + peer=(name=:*, label="{gnome-shell,xdg-desktop-portal}"), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-desktop-portal), + + dbus bind bus=session + name=org.freedesktop.impl.portal.PermissionStore, + @{exec_path} mr, @{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw, 
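Review bot: Two `dbus receive … interface=org.freedesktop.DBus.Properties member=GetAll` rules on `/org/freedesktop/impl/portal/PermissionStore` are added with different labels (`"{gnome-shell,xdg-document-portal}"` and, after the Introspect rule, `xdg-desktop-portal`); they can be one rule, `peer=(name=:*, label="{gnome-shell,xdg-desktop-portal,xdg-document-portal}"),`, which also mirrors the matching `GetAll` send rules the xdg-desktop-portal and xdg-document-portal hunks add on their side. `capability sys_nice` is a new grant for a small store daemon that nothing else in the hunk explains; if it comes from a single denial, a comment naming the trigger would justify keeping it.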
@@ -21,8 +51,9 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw, owner @{user_share_dirs}/flatpak/db/background rw, + owner @{user_share_dirs}/flatpak/db/notifications rw, /dev/tty[0-9]* rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/freedesktop/xhost b/apparmor.d/groups/freedesktop/xhost index ca1862646..b2df7653e 100644 --- a/apparmor.d/groups/freedesktop/xhost +++ b/apparmor.d/groups/freedesktop/xhost @@ -11,11 +11,15 @@ profile xhost @{exec_path} { include include + unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg), + @{exec_path} mr, owner @{HOME}/.Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r, + /tmp/.X11-unix/* rw, + # file_inherit /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 35e3af296..fa8be9a5e 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -14,6 +14,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (send,receive) type=stream addr=none peer=(label=gnome-shell), unix (send,receive) type=stream addr=none peer=(label=xwayland), + unix (send,receive) type=stream addr=@/tmp/.X11-unix/X[0-9]* peer=(label=gsd-xsettings), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 2cd5cbcb6..c8aea29c0 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg 
@@ -39,12 +39,15 @@ profile xorg @{exec_path} flags=(attach_disconnected) { signal (receive) peer=xinit, signal (receive) set=term peer=gdm{,-x-session}, + unix (bind, listen) type=stream addr=@/tmp/.X11-unix/*, + unix (send, receive, accept) type=stream addr=@/tmp/.X11-unix/*, # all peers + network netlink raw, - dbus send bus=system path=/org/freedesktop/login[0-9]{,/session/*} - interface=org.freedesktop.{DBus.Properties,login1.Session} + dbus send bus=system path=/org/freedesktop/login[0-9]{,/session/*} + interface=org.freedesktop.{DBus.Properties,login[0-9].Session,login[0-9]*.Manager} member={ReleaseControl,TakeControl,TakeDevice,ReleaseDevice,GetSessionByPID} - peer=(name=org.freedesktop.login[0-9]), + peer=(name=org.freedesktop.login[0-9], label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login[0-9]/session/* interface=org.freedesktop.login1.Session @@ -79,8 +82,10 @@ profile xorg @{exec_path} flags=(attach_disconnected) { owner /var/log/Xorg.[0-9].log{,.old} rw, owner /var/log/Xorg.pid-@{pid}.log{,.old} rw, + /var/lib/gdm{3,}/.local/share/xorg/ rw, /var/lib/gdm{3,}/.local/share/xorg/Xorg.[0-9].log{,.old} rw, /var/lib/gdm{3,}/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw, + /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, @{run}/nvidia-xdriver-* rw, @{run}/sddm/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 701a0de2c..09c07d662 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -31,8 +31,11 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { /usr/share/fonts/X11/{,**} r, /usr/share/X11/xkb/rules/evdev r, + owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, + owner /tmp/server-[0-9]*.xkm rwk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw, + owner @{run}/user/@{uid}/xwayland-shared-?????? rw, @{sys}/bus/pci/devices/ r, @{sys}/devices/system/cpu/possible r, 
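Review bot: In the rewritten logind send rule the interface alternation mixes `login[0-9].Session` with `login[0-9]*.Manager`, and the receive rule immediately below it (unchanged context) still names `org.freedesktop.login1.Session`. One form, `interface=org.freedesktop.{DBus.Properties,login[0-9].Session,login[0-9].Manager}`, keeps the glob consistent with `path=/org/freedesktop/login[0-9]{,/session/*}` and `peer=(name=org.freedesktop.login[0-9], label=systemd-logind)` on the same rule.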
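Review bot: `/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,` is added without `owner`, whereas the xwayland hunk in this patch adds the same path as `owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,`. Both servers are launched by gdm, so presumably the file is gdm-owned in both cases and `owner` would hold here too; the new `/var/lib/gdm{3,}/.local/share/xorg/ rw,` directory rule is in the same position. If Xorg still runs as root on one of the targeted distributions and `owner` cannot be relied on, a comment saying so would explain the asymmetry.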
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 1d4ac9913..2de9c0370 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -34,8 +34,7 @@ profile evolution-calendar-factory @{exec_path} { dbus (send,receive) bus=session path=/org/gnome/evolution/dataserver{,/**} interface={org.freedesktop.DBus.{Introspectable,ObjectManager,Properties},org.gnome.evolution.dataserver.*}, - dbus bind bus=session - name=org.gnome.evolution.dataserver.Calendar[0-9], + dbus bind bus=session name=org.gnome.evolution.dataserver.Calendar[0-9]*, @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 776e10df0..721afb844 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -30,10 +30,20 @@ profile gdm @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.{DBus.Properties,Accounts.User} member={Changed,GetAll,PropertiesChanged}, - dbus send bus=system path=/org/freedesktop/Accounts + dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.{DBus.Properties,Accounts} member={GetAll,ListCachedUsers,FindUserByName}, + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=accounts-daemon), + + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member=UserAdded + peer=(name=:*, label=accounts-daemon), + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login1.Manager member={ListSeats,ActivateSessionOnSeat,UnlockSession}, 
@@ -48,14 +58,14 @@ profile gdm @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/gnome/DisplayManager/Manager interface={org.freedesktop.DBus.Properties,org.gnome.DisplayManager.Manager} - member={RegisterDisplay,Get,RegisterSession,GetAll,OpenReauthenticationChannel}, + member={RegisterDisplay,Get,RegisterSession,GetAll,OpenReauthenticationChannel,OpenSession}, dbus bind bus=system name=org.gnome.DisplayManager, @{exec_path} mr, - /{usr/,}{s,}prime-switch rPx, + /{usr/,}{s,}bin/prime-switch rPUx, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/plymouth rPx, /etc/gdm{3,}/PrimeOff/Default rix, @@ -67,6 +77,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /etc/default/locale r, /etc/gdm{3,}/custom.conf r, + /etc/gdm{3,}/daemon.conf r, /etc/locale.conf r, /var/{lib,log}/gdm{3,}/ rw, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 0da648cba..017ddc7da 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -37,6 +37,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { signal (send) set=hup peer=ibus-*, signal (send) set=hup peer=xorg, signal (send) set=hup peer=xwayland, + signal (send) set=hup peer=xdg-permission-store, + signal (send) set=hup peer=tracker-miner, signal (send) set=term peer=gdm-*-session, network netlink raw, @@ -45,6 +47,11 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.{DBus.Properties,Accounts*} member={GetAll,FindUserByName,SetLanguage,Changed,PropertiesChanged}, + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member=UserAdded + peer=(name=:*, label=accounts-daemon), + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member={CreateSession,ReleaseSession}, 
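Review bot: `/{usr/,}{s,}bin/prime-switch rPUx` changes two things at once: it fixes the path (the old `/{usr/,}{s,}prime-switch` lacked `bin/` and could never match) and it relaxes the transition from `rPx` to `rPUx`, which runs prime-switch unconfined whenever no profile for it is loaded. If the profile set ships a prime-switch profile, keep `rPx` so the path fix alone does the unbreaking: `/{usr/,}{s,}bin/prime-switch rPx,`. If the fallback is intentional because the profile is absent on Debian, a comment stating that would keep the next reader from tightening it again.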
@@ -63,6 +70,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /etc/default/locale r, /etc/environment r, /etc/gdm{3,}/custom.conf r, + /etc/gdm{3,}/daemon.conf r, /etc/locale.conf r, /etc/machine-id r, /etc/motd r, diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index 2bcfe250d..c989c4673 100644 --- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session @@ -26,6 +26,16 @@ profile gdm-wayland-session @{exec_path} { interface=org.gnome.DisplayManager.Manager member=RegisterDisplay, + dbus send bus=session path=/org/freedesktop/systemd[0-9]* + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.systemd[0-9]*, label=unconfined), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, @@ -42,6 +52,7 @@ profile gdm-wayland-session @{exec_path} { /{usr/,}bin/sort rix, /{usr/,}bin/tty rix, /{usr/,}bin/zsh rix, + /{usr/,}bin/id rix, /{usr/,}bin/dbus-daemon rPx, /{usr/,}bin/dbus-run-session rPx, @@ -54,6 +65,7 @@ profile gdm-wayland-session @{exec_path} { /etc/default/im-config r, /etc/gdm{3,}/custom.conf r, + /etc/gdm{3,}/daemon.conf r, /etc/shells r, /etc/X11/xinit/xinputrc r, /etc/X11/Xsession.d/*im-config_launch r, diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session index f8f3af9a4..b48e1d79a 100644 --- a/apparmor.d/groups/gnome/gdm-x-session +++ b/apparmor.d/groups/gnome/gdm-x-session 
@@ -18,6 +18,21 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) { signal (send) set=term peer=xorg, signal (send) set=term peer=gnome-session-binary, + dbus bus=session path=/org/freedesktop/systemd[0-9]* + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.systemd[0-9]*), + + dbus send bus=system path=/org/gnome/DisplayManager/Manager + interface=org.gnome.DisplayManager.Manager + member=RegisterDisplay + peer=(name=:*, label=gdm), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + @{exec_path} mr, /{usr/,}bin/Xorg rPx, @@ -26,6 +41,7 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) { /etc/gdm{3,}/Prime/Default rix, /etc/gdm{3,}/custom.conf r, + /etc/gdm{3,}/daemon.conf r, /usr/share/gdm/gdm.schemas r, /var/lib/gdm{3,}/.cache/gdm/Xauthority rw, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index f3829ea6f..1f7e336eb 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession 
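Review bot: The first new rule, `dbus bus=session path=/org/freedesktop/systemd[0-9]* … member=Get peer=(name=org.freedesktop.systemd[0-9]*)`, omits the access keyword, so it is not limited to `send`, and omits the peer label; the matching rule in the gdm-wayland-session hunk is written `dbus send … peer=(name=org.freedesktop.systemd[0-9]*, label=unconfined)`. Suggested: `dbus send bus=session path=/org/freedesktop/systemd[0-9]*` with `peer=(name=org.freedesktop.systemd[0-9]*, label=unconfined),`. The `SetEnvironment` send rule to the same name in the gdm-xsession dbus subprofile hunk has the same missing label.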
@@ -23,16 +23,35 @@ profile gdm-xsession @{exec_path} { /{usr/,}bin/id rix, /{usr/,}bin/tty rix, /{usr/,}bin/zsh rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/locale rix, + /{usr/,}bin/gettext rix, + /{usr/,}bin/gettext.sh r, + /{usr/,}bin/{m,g,}awk rix, + /{usr/,}bin/truncate rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/locale-check rix, /{usr/,}bin/dbus-update-activation-environment rCx -> dbus, /{usr/,}bin/flatpak rPUx, /{usr/,}bin/systemctl rPx -> child-systemctl, /{usr/,}bin/xbrlapi rPx, /{usr/,}bin/xhost rPx, + /{usr/,}bin/im-launch rPx, + /{usr/,}bin/gpgconf rPx, @{libexec}/gnome-session-binary rPx, + /{usr/,}bin/dpkg-query rpx, + + /etc/X11/{,**} r, + /etc/default/im-config r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/X11/{,**} r, + /usr/share/im-config/data/{,*} r, + /usr/share/im-config/xinputrc.common r, + + owner /tmp/gdm{3,}-config-err-?????? rw, # file_inherit /dev/tty[0-9]* rw, @@ -42,10 +61,24 @@ profile gdm-xsession @{exec_path} { /{usr/,}bin/dbus-update-activation-environment mr, + owner @{run}/user/@{uid}/bus rw, + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,UpdateActivationEnvironment} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/systemd[0-9]* + interface=org.freedesktop.systemd[0-9]*.Manager + member=SetEnvironment + peer=(name=org.freedesktop.systemd[0-9]*), + # file_inherit /dev/tty rw, /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, + + include if exists } include if exists diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index c11907e7d..53ce4cec3 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console 
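Review bot: `/{usr/,}bin/dpkg-query rpx,` uses lowercase `px`, which transitions to the dpkg-query profile without scrubbing the environment, while every other transition in this hunk and the surrounding lines is `rPx` or `rPUx`. Nothing here suggests dpkg-query needs the unscrubbed environment, so this reads as a typo: `/{usr/,}bin/dpkg-query rPx,`. The hunk also removes and re-adds `/etc/X11/{,**} r,` purely to move it; worth noting in the commit so the blame does not look like a rule change.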
@@ -26,11 +26,59 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-extension-ding), + + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-desktop-portal-*), + + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member=ActiveChanged + peer=(name=org.freedesktop.DBus, label="{gnome-session-binary,gsd-power,xdg-desktop-portal-gtk}"), + + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member={ActiveChanged,WakeUpScreen,GetActive} + peer=(name=:*, label="{gnome-shell,gnome-session-binary,xdg-desktop-portal-*}"), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session name=org.gnome.ScreenSaver, + + dbus bind bus=session name=org.freedesktop.Notifications, + + dbus bind bus=session name=org.gnome.Shell.Notifications, + @{exec_path} mr, /{usr/,}bin/ r, /{usr/,}bin/[a-z0-9]* rPUx, @{libexec}/** rPUx, + /etc/openni2/OpenNI.ini r, + /usr/share/dconf/profile/gdm r, /usr/share/egl/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, 
@@ -38,10 +86,14 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-shell/{,**} r, /usr/share/X11/xkb/** r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw, /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw, + /tmp/ r, + /var/tmp/ r, + owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index c6ea079e8..a0f57025b 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -11,6 +11,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include + include include include include 
@@ -34,6 +35,33 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { signal (send) set=(kill) peer=unconfined, signal (send) set=(kill) peer=passwd, + unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-*", label=ibus-daemon), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + @{exec_path} mr, /{usr/,}bin/{,b,d,rb}ash rUx, 
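Review bot: The new unix rule hard-codes the home prefix, `addr="@/home/*/.cache/ibus/dbus-*"`, while the rest of this profile reaches user directories through `@{HOME}` and `@{user_cache_dirs}` (e.g. `owner @{user_cache_dirs}/gnome-control-center/{,**} rw`), so a user whose home is outside /home gets a denial the tunable would have covered. If variable expansion is honoured inside the `addr=` pattern, `addr="@@{user_cache_dirs}/ibus/dbus-*"` keeps it consistent; if it is not, a comment saying the literal prefix is deliberate would save the next person from retrying it.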
@@ -46,16 +74,21 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{libexec}/gnome-control-center-goa-helper rPx, @{libexec}/gnome-control-center-print-renderer rPx, + /{usr/,}bin/gnome-software rPUx, + /{usr/,}bin/gkbd-keyboard-display rPUx, /{usr/,}bin/bwrap rPUx, /{usr/,}bin/openvpn rPx, /{usr/,}bin/passwd rPx, /{usr/,}bin/software-properties-gtk rPx, + /{usr/,}bin/pkexec rPx, + /{usr/,}{s,}bin/usermod rPx, /{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, /usr/share/language-tools/language2locale rix, /snap/*/[0-9]*/**.png r, /usr/share/backgrounds/{,**} r, + /usr/share/desktop-base/**.{xml,png,svg} r, /usr/share/cups/data/testprint r, /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -65,10 +98,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-control-center/{,**} r, /usr/share/gnome-shell/search-providers/{,**} r, /usr/share/gnome/gnome-version.xml r, + /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, /usr/share/mime/{,**} r, /usr/share/pipewire/client.conf r, /usr/share/thumbnailers/{,*} r, - /usr/share/ubuntu/applications/{,*} r, + /usr/share/*ubuntu/applications/{,*} r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, /usr/share/zoneinfo/{,**} r, 
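Review bot: `/{usr/,}bin/gnome-software rPUx` and `/{usr/,}bin/gkbd-keyboard-display rPUx` fall back to unconfined execution when no profile for the target is loaded, while the helpers around them (`openvpn`, `passwd`, `software-properties-gtk`, and the new `pkexec` and `usermod`) use `rPx`. If this profile set ships a profile for either program, `rPx` is the tighter and consistent choice; if the fallback is wanted because no profile exists, a short trailing comment on each line would make that explicit instead of leaving it to look like an oversight.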
@@ -76,21 +110,26 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /etc/pipewire/client.conf.d/ r, /etc/security/pwquality.conf r, /etc/security/pwquality.conf.d/{,**} r, + /etc/rygel.conf r, + /etc/fstab r, /etc/machine-id r, /var/lib/dbus/machine-id r, /var/lib/snapd/desktop/icons/ r, /var/cache/samba/ rw, + /var/lib/AccountsService/icons/* r, + /var/cache/cracklib/cracklib_dict.* r, owner @{HOME}/.cat_installer/ca.pem r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_cache_dirs}/gnome-control-center/{,**} rw, owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_config_dirs}/gnome-control-center/{,**} rw, - owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, - owner @{user_config_dirs}/mimeapps.list.* rw, + owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r, + owner @{user_config_dirs}/mimeapps.list* rw, + owner @{user_config_dirs}/rygel.conf{,.??????} rw, owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/icc/{,edid-*} r, owner @{user_share_dirs}/sounds/__custom/{,*} rw, @@ -103,6 +142,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid} rwk, owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid}.lock rwk, owner @{run}/user/@{uid}/webkitgtk/{,**} rw, + owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw, @{run}/cups/cups.sock rw, @{run}/samba/ rw, @{run}/systemd/sessions/ r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 9fef80ddd..2221d06f5 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -10,6 +10,7 @@ include profile gnome-control-center-print-renderer @{exec_path} { include include + include include include include 
@@ -20,6 +21,11 @@ profile gnome-control-center-print-renderer @{exec_path} {
 include
 include
+ dbus send bus=session path=/org/a11y/bus
+ interface=org.a11y.Bus
+ member=GetAddress
+ peer=(name=org.a11y.Bus, label=at-spi-bus-launcher),
+
 @{exec_path} mr,
 /usr/share/egl/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index 122ac39a2..cc9ce2756 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -9,9 +9,10 @@ include
 @{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js
 profile gnome-extension-ding @{exec_path} {
 include
- include
- include
+ include
 include
+ include
+ include
 include
 include
 include
@@ -19,15 +20,31 @@ profile gnome-extension-ding @{exec_path} {
 unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
- dbus send bus=system path=/org/freedesktop/DBus
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,ReleaseName}
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+
+ dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
 member={ListNames,ListActivatableNames},
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,ReleaseName,ListNames,ListActivatableNames}
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
- dbus send bus=system path=/org/freedesktop/DBus
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+
+ dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect,
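Review bot: The first added session-bus rule, `member={RequestName,ReleaseName}` on path=/org/freedesktop/DBus with `peer=(name=org.freedesktop.DBus, label=dbus-daemon)`, is entirely covered by the later added rule `member={RequestName,ReleaseName,ListNames,ListActivatableNames}` on the same bus, path, interface and peer, so one of the two is dead weight and should be dropped. Keeping only the wider rule makes the extension's session-bus surface easier to audit. The system-bus `member={ListNames,ListActivatableNames}` rule kept as context still has no peer clause while every new session-bus rule pins `label=dbus-daemon`; if that is intentional, the `# all peer's labels` marker this commit uses elsewhere would document it.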
@@ -35,6 +52,91 @@ profile gnome-extension-ding @{exec_path} { interface=org.freedesktop.DBus.Properties member=GetAll, + dbus send bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gjs-console), + + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gvfsd-metadata), + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=ListMonitorImplementations + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=ClientRemoved + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={IsSupported,List} + peer=(name=:*, label=gvfs-*-monitor), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={ListMounts2,ListMountableInfo} + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=Mounted + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's 
labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), + + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=session path=/com/rastersoft/dingextension/control + interface=org.gtk.Actions + member=DescribeAll + peer=(name=com.rastersoft.dingextension, label=gnome-shell), + + dbus receive bus=session path=/com/rastersoft/ding + interface=org.gtk.Actions + member=DescribeAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/com/rastersoft/ding + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + dbus bind bus=session name=com.rastersoft.ding, @@ -61,6 +163,7 @@ profile gnome-extension-ding @{exec_path} { owner @{user_share_dirs}/nautilus/scripts/ r, + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, @@ -68,4 +171,4 @@ profile gnome-extension-ding @{exec_path} { deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 85b6e24bd..1486f6162 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon 
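Review bot: The RemoteVolumeMonitor rule pins `peer=(name=:*, label=gvfs-*-monitor)`, while the matching rule added to gnome-shell in this same commit uses `label=gvfs-*-volume-monitor` for the same service; the two globs describe one peer in two ways, and `gvfs-*-monitor` is the wider of them. Using `peer=(name=:*, label=gvfs-*-volume-monitor),` here keeps the two profiles consistent and narrower. The accessibility-bus rules that end in `# all peer's labels` document their missing label explicitly, which is the pattern to keep for any further peer-less rule.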
@@ -19,25 +19,64 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term) peer=gdm,
 signal (send) set=(term) peer=ssh-agent,
- dbus send bus=system path=/org/freedesktop/login[0-9]/session/*
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,ReleaseName}
+ peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]/session/*
 interface=org.freedesktop.DBus.Properties
 member=Get
 peer=(name=org.freedesktop.login[0-9]),
- dbus send bus=system path=/org/freedesktop/login[0-9]
+ dbus receive bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name=:*, label=systemd-logind),
+
+ dbus send bus=system path=/org/freedesktop/login[0-9]
 interface=org.freedesktop.login[0-9].Manager
 member=GetSession
 peer=(name=org.freedesktop.login[0-9]),
- dbus receive bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]*
+ dbus (send, receive) bus=session path=/org/gnome/keyring/daemon
+ interface=org.gnome.keyring.Daemon
+ member=GetControlDirectory
+ peer=(name="{org.gnome.keyring,:*}", label=gnome-keyring-daemon), # itself
+
+ dbus receive bus=session path=/org/freedesktop/secrets
 interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged,
+ member=GetAll
+ peer=(name=:*, label=gnome-shell),
+
+ dbus receive bus=session path=/org/freedesktop/secrets
+ interface=org.freedesktop.Secret.Service
+ member=SearchItems
+ peer=(name=:*, label=gnome-shell),
+
+ dbus receive bus=session path=/org/freedesktop/portal/desktop
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=xdg-desktop-portal),
+
+ dbus receive bus=session path=/
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=gnome-shell),
+
+ dbus bind bus=session
+ name=org.gnome.keyring,
+
+ dbus bind bus=session
+ name=org.freedesktop.secrets,
 @{exec_path} mr,
 /{usr/,}bin/ssh-add rix,
 /{usr/,}bin/ssh-agent rPx,
+ /var/lib/gdm{3,}/.local/share/keyrings/ r,
+
 # Keyrings location
 owner @{user_share_dirs}/keyrings/ rw,
 owner @{user_share_dirs}/keyrings/* rwl,
diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
index fb3abe8db..353cbab4b 100644
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@@ -19,5 +19,8 @@ profile gnome-remote-desktop-daemon @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node[0-9]*/meminfo r,
+
 include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index ad23994fc..4175bfd51 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -11,11 +11,13 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
 include
 include
+ include
 include
 include
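Review bot: `/var/lib/gdm{3,}/.local/share/keyrings/ r,` is added without the `owner` qualifier that the user keyring lines right below it carry; when the daemon runs in the greeter session it runs as the gdm user, so `owner /var/lib/gdm{3,}/.local/share/keyrings/ r,` would grant the same access with the same ownership check the rest of the block applies. A trailing comment naming the case, e.g. `# greeter session (gdm user)`, would also explain why a second keyrings location exists at all. The new receive rules on /org/freedesktop/secrets admit only `label=gnome-shell`; other Secret Service clients presumably depend on rules outside this hunk, which is worth confirming before merge.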
@@ -29,43 +31,106 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=at-spi-bus-launcher, signal (send) set=(term) peer=gsd-*, - dbus send bus=system path=/org/freedesktop/login[0-9] + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName,UpdateActivationEnvironment,GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus label=dbus-daemon), + + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={CanPowerOff,GetSession,PowerOff,Inhibit}, + member={CanPowerOff,GetSession,PowerOff,Inhibit,Reboot} + peer=(name=:*, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.DBus.Properties - member=GetAll, + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionNew,PrepareForShutdown,SessionRemoved,UserNew,UserRemoved,PrepareForSleep} + peer=(name=:*, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]* + dbus send bus=system path=/org/freedesktop/login[0-9]/session/* interface=org.freedesktop.login[0-9].Session - member=SetIdleHint, - - dbus receive bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, - - dbus receive bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager - member={SessionNew,PrepareForShutdown,SessionRemoved}, + member=SetIdleHint + peer=(name=org.freedesktop.login[0-9], label=systemd-logind), dbus (send,receive) bus=session path=/org/gnome/SessionManager{,/**} - interface={org.freedesktop.DBus.{Properties,Introspectable},org.gnome.SessionManager}, + interface={org.freedesktop.DBus.Introspectable,org.gnome.SessionManager**}, - dbus send bus=session path=/org/freedesktop/systemd1 - 
interface=org.freedesktop.systemd1.Manager - peer=(name=:org.freedesktop.systemd1), + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=at-spi2-registryd), - dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=CancelEndSession + peer=(name=org.freedesktop.DBus, label=gsd-*), + + dbus send bus=session path=/org/gnome/SessionManager/Presence + interface=org.gnome.SessionManager.Presence + member=StatusChanged + peer=(name=org.freedesktop.DBus, label=gnome-shell), + + dbus send bus=session path=/org/gnome/SessionManager/EndSessionDialog + interface=org.gnome.SessionManager.EndSessionDialog + member=Open + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/SessionManager/EndSessionDialog + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus (send, receive) bus=system path=/org/freedesktop/login[0-9]* + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=systemd-logind), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/**} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name="{org.freedesktop.DBus,:*}", label="{gsd-*,gnome-*,xdg-desktop-portal-*}"), + + dbus send bus=session path=/org/freedesktop/systemd[0-9]* + interface=org.freedesktop.systemd[0-9]*.Manager + peer=(name=org.freedesktop.systemd[0-9]*, label=unconfined), # all members + + dbus send bus=session path=/org/gnome/Mutter/IdleMonitor + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor - member=AddIdleWatch - peer=(name=:*), + 
member={AddIdleWatch,AddUserActiveWatch,RemoveWatch} + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core + interface=org.gnome.Mutter.IdleMonitor + member=WatchFired + peer=(name=:*, label=gnome-shell), dbus send bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member=GetActive peer=(name=:*), + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member=ActiveChanged + peer=(name=:*, label=gjs-console), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SessionManager, + @{exec_path} mr, /{usr/,}bin/{,z,ba,da}sh rix, @@ -77,6 +142,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/gsettings-data-convert rix, /{usr/,}bin/session-migration rix, /{usr/,}bin/xdg-user-dirs-gtk-update rix, + /{usr/,}bin/gnome-session rix, @{libexec}/gnome-session-check-accelerated rix, @{libexec}/gnome-session-check-accelerated-gl-helper rix, @{libexec}/gnome-session-check-accelerated-gles-helper rix, 
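Review bot: The rule `dbus send bus=session path=/org/freedesktop/systemd[0-9]* interface=org.freedesktop.systemd[0-9]*.Manager peer=(name=org.freedesktop.systemd[0-9]*, label=unconfined), # all members` carries no member list, while gnome-session-ctl in this same commit restricts the same interface to `member={StartUnit,StopUnit}`; if the members gnome-session-binary actually calls are known, listing them puts the rule on the same footing as the rest of the hunk. The first added rule writes `peer=(name=org.freedesktop.DBus label=dbus-daemon)` without the comma every other peer clause in the hunk uses; `peer=(name=org.freedesktop.DBus, label=dbus-daemon),` would make it uniform. The replaced SessionManager rule now matches `interface={org.freedesktop.DBus.Introspectable,org.gnome.SessionManager**}` for both send and receive with no member list, which is the broadest rule left in the profile and deserves a one-line comment saying why the glob is needed.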
@@ -97,7 +163,15 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/update-notifier rPx, /{usr/,}bin/xbrlapi rPx, /{usr/,}bin/xdg-user-dirs-update rPx, + /{usr/,}bin/parcellite rPUx, + /{usr/,}bin/baloo_file rPUx, + /{usr/,}bin/gnome-software rPUx, + /{usr/,}share/libpam-kwallet-common/pam_kwallet_init rPUx, /{usr/,}lib/update-notifier/ubuntu-advantage-notification rPx, + /{usr/,}lib/@{multiarch}/libexec/kdeconnectd rPUx, + /{usr/,}lib/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx, + /{usr/,}lib/caribou/caribou rPUx, + @{libexec}/deja-dup/deja-dup-monitor rPUx, @{libexec}/at-spi-bus-launcher rPx, @{libexec}/evolution-data-server/evolution-alarm-notify rPx, @{libexec}/gsd-* rPx, @@ -114,8 +188,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/share/gnome/autostart/{,*.desktop} r, /usr/share/icons/{,**} r, /usr/share/mime/mime.cache r, - /usr/share/ubuntu/applications/{,*.desktop} r, + /usr/share/*ubuntu/applications/{,*.desktop} r, + /usr/share/*ubuntu/applications/mimeinfo.cache r, /usr/share/X11/xkb/{,**} r, + /usr/share/session-migration/scripts/{,*} r, /etc/gnome/defaults.list r, /etc/xdg/autostart/{,*.desktop} r, @@ -125,11 +201,14 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.config/gnome-session/ rw, /var/lib/gdm{3,}/.config/gnome-session/saved-session/ rw, /var/lib/gdm{3,}/.local/share/applications/{,**} r, + /var/lib/gdm{3,}/.local/share/session_migration-* r, /var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r, /var/lib/flatpak/exports/share/applications/{,**} r, + owner /tmp/dirs-?????? rw, + owner @{user_config_dirs}/autostart/{,*.desktop} r, owner @{user_config_dirs}/gnome-session/ rw, owner @{user_config_dirs}/gnome-session/saved-session/ rw, 
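Review bot: Eight new autostart helpers (`parcellite`, `baloo_file`, `gnome-software`, `pam_kwallet_init`, `kdeconnectd`, `xapp-sn-watcher`, `caribou`, `deja-dup-monitor`) are added with `rPUx`, which runs the child unconfined whenever no profile for it is loaded, so on a system without those profiles the session manager becomes a launcher for unconfined processes. Where a profile exists in the tree, `rPx` (as used for `at-spi-bus-launcher` just below) is the safer choice; where none exists, a comment such as `# no profile yet, falls back to unconfined` records that the fallback is deliberate. The `/{usr/,}share/libpam-kwallet-common/pam_kwallet_init` line also spells the prefix as `/{usr/,}share` where the rest of the profile writes `/usr/share`; `/usr/share/libpam-kwallet-common/pam_kwallet_init rPUx,` is the form used elsewhere.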
@@ -141,6 +220,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/applications/ r,
 owner @{user_share_dirs}/applications/mimeinfo.cache r,
 owner @{user_share_dirs}/session_migration-ubuntu r,
+ owner @{user_share_dirs}/gnome-shell/gnome-overrides-migrated rw,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 @{run}/systemd/sessions/* r,
diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl
index bf073f989..221ca00e0 100644
--- a/apparmor.d/groups/gnome/gnome-session-ctl
+++ b/apparmor.d/groups/gnome/gnome-session-ctl
@@ -9,10 +9,22 @@ include
 @{exec_path} = @{libexec}/gnome-session-ctl
 profile gnome-session-ctl @{exec_path} {
 include
+ include
+
+ dbus send bus=session path=/org/freedesktop/systemd[0-9]*
+ interface=org.freedesktop.systemd[0-9]*.Manager
+ member={StartUnit,StopUnit}
+ peer=(name=org.freedesktop.systemd[0-9]*),
+
+ dbus send bus=session path=/org/gnome/SessionManager
+ interface=org.gnome.SessionManager
+ member=Initialized
+ peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
+
+ unix (send, receive, connect) type=stream peer=(addr=@/tmp/dbus-*, label=dbus-daemon),
 @{exec_path} mr,
- owner @{run}/user/@{uid}/bus rw,
 owner @{run}/user/@{uid}/gnome-session-leader-fifo r,
 @{run}/user/@{uid}/systemd/notify rw,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index ef77d18bb..baf833e10 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -14,6 +14,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
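Review bot: In gnome-session-ctl the new `StartUnit,StopUnit` rule pins only `peer=(name=org.freedesktop.systemd[0-9]*)`, whereas the Initialized rule right after it pins `label=gnome-session-binary`; other rules in this commit mark a deliberately omitted label with `# all peer's labels`, so either add `label=unconfined` as gnome-session-binary's own systemd rule does or add that marker. The removed `owner @{run}/user/@{uid}/bus rw,` is presumably now supplied by the added include, whose name is not visible in this rendering; that is worth confirming, since without it the session bus socket would be denied and the two dbus rules above would never be reached.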
@@ -44,13 +45,429 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, signal (send), - + unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), unix (send,receive) type=stream addr=none peer=(label=xkbcomp), unix (send,receive) type=stream addr=none peer=(label=xwayland), + unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-*", label=ibus-daemon), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName,ListNames} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/ interface=org.freedesktop.DBus + member=ListNames + peer=(name=org.freedesktop.DBus label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetConnectionUnixUser, + + dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.{DBus.Properties,PolicyKit[0-9].Authority} + member={CheckAuthorization,RegisterAuthenticationAgent,Changed,GetAll}, + + dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} + interface=org.freedesktop.{DBus.Properties,Accounts*} + member={GetAll,FindUserByName,Changed,PropertiesChanged,FindUserById,ListCachedUsers,UserAdded}, + + dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged}, + + dbus (send,receive) bus=system path=/org/freedesktop/GeoClue2/{Agent,Manager} + interface=org.freedesktop.{DBus.Properties,GeoClue2.Manager} + member={PropertiesChanged,AddAgent,GetAll}, + + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + 
member=GetManagedObjects + peer=(name=:*, label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name=:*, label=NetworkManager), + + dbus send bus=system path=/org/gnome/DisplayManager/Manager + interface=org.{freedesktop.DBus.Properties,gnome.DisplayManager.Manager} + member={RegisterSession,Get,GetAll,OpenReauthenticationChannel,OpenSession}, + + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gjs-console), + + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-keyring-daemon), + + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.Secret.Service + member=SearchItems + peer=(name=:*, label=gnome-keyring-daemon), + + dbus send bus=system path=/net/hadess/{PackageKit,PowerProfiles,SwitcherooControl} + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/locale[0-9]* + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.locale[0-9]*), # all peer's labels + + dbus send bus=session path=/org/gnome/SettingsDaemon/Power + interface=org.freedesktop.DBus.Properties + member={GetAll,Set} + peer=(name=:*, label=gsd-power), + + dbus receive bus=session path=/org/gnome/SettingsDaemon/Power + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=gsd-power), + + dbus send bus=system path=/net/reactivated/Fprint/Manager + interface=net.reactivated.Fprint.Manager + member=GetDefaultDevice, + + dbus send bus=system path=/org/freedesktop/NetworkManager/Devices/[0-9]* + 
interface=org.freedesktop.NetworkManager.Device + member=Disconnect + peer=(name=:*, label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]* + interface=org.freedesktop.NetworkManager.Connection.Active + member=StateChanged + peer=(name=:*, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings + peer=(name=:*, label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* + interface=org.freedesktop.NetworkManager.Settings.Connection + member=Updated + peer=(name=:*, label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/NetworkManager/SecretAgent + interface=org.freedesktop.NetworkManager.SecretAgent + member={SaveSecrets,DeleteSecrets} + peer=(name=:*, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager{,/AgentManager} + interface=org.freedesktop.NetworkManager{,.AgentManager} + member={Unregister,RegisterWithCapabilities,GetPermissions}, + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=ActivateConnection + peer=(name=:*, label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=CheckPermissions, + + dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent + interface=org.freedesktop.PolicyKit[0-9].AuthenticationAgent + member=BeginAuthentication, + + dbus send bus=session path=/org/freedesktop/systemd[0-9]* + interface=org.freedesktop.systemd[0-9]*.Manager + member={GetUnit,StartUnit,StartTransientUnit} + 
peer=(name=org.freedesktop.systemd[0-9]*), # all peer's labels + + dbus receive bus=session path=/org/freedesktop/systemd[0-9]* + interface=org.freedesktop.systemd[0-9]*.Manager + member=JobRemoved + peer=(name=:*), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member={GetResources,GetCrtcGamma} + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member={GetResources,GetCrtcGamma} + peer=(name=:*, label="{gsd-power,gsd-color}"), + + dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member=GetCurrentState + peer=(name=:*, label=xdg-desktop-portal-*), + + dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member=GetCurrentState + peer=(name=:*, label="{spice-vdagent,gsd-xsettings}"), + + dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.freedesktop.DBus.Properties + member={GetAll,GetResources,Set} + peer=(name=:*, label="{gsd-power,gsd-color,xdg-desktop-portal-*}"), + + dbus receive bus=session path={/org/gnome/Shell/Screenshot,/org/gnome/Shell/Introspect,/org/gtk/Notifications,/org/gnome/Mutter/RemoteDesktop,/org/gnome/Mutter/ScreenCast} + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:* label=xdg-desktop-portal-*), + + dbus receive bus=session path=/org/gnome/Shell/Introspect + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=:*, label=gsd-xsettings), + + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gjs-console), + + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member={ActiveChanged,WakeUpScreen} + peer=(name=org.freedesktop.DBus, label=gjs-console), + + dbus receive bus=session 
path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-media-keys), + + dbus send bus=session path=/org/gnome/Shell + interface=org.gnome.Shell + member=AcceleratorActivated + peer=(name=:*, label=gsd-media-keys), + + dbus receive bus=session path=/org/gnome/Shell + interface=org.gnome.Shell + member={GrabAccelerators,UngrabAccelerators} + peer=(name=:*, label=gsd-media-keys), + + dbus send bus=session path=/org/gnome/Shell/Introspect + interface=org.gnome.Shell.Introspect + member={RunningApplicationsChanged,WindowsChanged} + peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal-*), + + dbus receive bus=session path=/org/gnome/Shell/Introspect + interface=org.gnome.Shell.Introspect + member=GetRunningApplications + peer=(name=:*, label=xdg-desktop-portal-*), + + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-desktop-portal), + + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-permission-store), + + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.impl.portal.PermissionStore + member=Lookup + peer=(name=:*, label=xdg-permission-store), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/**} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Presence + interface=org.gnome.SessionManager.Presence + member=StatusChanged + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/EndSessionDialog + interface=org.gnome.SessionManager.EndSessionDialog + member={Canceled,Closed,ConfirmedLogout,ConfirmedReboot,ConfirmedShutdown} + peer=(name=org.freedesktop.DBus, 
label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/EndSessionDialog + interface=org.gnome.SessionManager.EndSessionDialog + member={Open,Close} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=Setenv + peer=(name=org.gnome.SessionManager, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={CanShutdown,Shutdown,Reboot,Logout} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Inhibitor[0-9]* + interface=org.gnome.SessionManager.Inhibitor + member=GetAppId + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*), # all paths and peer's labels + + dbus receive bus=session path={/,/org,/StatusNotifierWatcher} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), # itself + + dbus (send, receive) bus=session path=/org/gnome/SettingsDaemon/Rfkill + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gsd-rfkill), + + dbus send bus=session path=/org/gnome/SettingsDaemon/Color + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-color), + + dbus send bus=session path=/org/gnome/SettingsDaemon/Wacom + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-wacom), + + dbus send bus=session path=/org/gnome/SettingsDaemon/Smartcard + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-smartcard), + 
+ dbus send bus=session path=/org/gnome/SettingsDaemon/Smartcard + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=gsd-smartcard), + + dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label="{gnome-session-binary,gsd-power}"), + + dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core + interface=org.gnome.Mutter.IdleMonitor + member=WatchFired + peer=(name=:*, label="{gnome-session-binary,gsd-power}"), + + dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core + interface=org.gnome.Mutter.IdleMonitor + member={AddIdleWatch,AddUserActiveWatch,RemoveWatch} + peer=(name=:*, label="{gnome-session-binary,gsd-power}"), + + dbus receive bus=session path=/com/rastersoft/dingextension/control + interface=org.gtk.Actions + member=DescribeAll + peer=(name=:*, label=gnome-extension-ding), + + dbus send bus=session path=/com/rastersoft/ding + interface=org.gtk.Actions + member=DescribeAll + peer=(name=:*, label=gnome-extension-ding), + + dbus send bus=session path=/com/rastersoft/ding + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-extension-ding), + + dbus send bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member=Change + peer=(name=ca.desrt.dconf), # no peer's labels + + dbus receive bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member=Notify + peer=(name=:*, label=dconf-service), + + dbus send bus=session path=/org/gnome/ControlCenter + interface=org.gtk.Actions + member=DescribeAll + peer=(name=:*, label=gnome-control-center), + + dbus send bus=session path=/org/gnome/ControlCenter + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-control-center), + + dbus receive bus=session path=/org/gnome/ControlCenter + interface=org.gtk.Actions + member=Changed + 
peer=(name=:*, label=gnome-control-center), + + dbus send bus=session path=/org/gnome/ControlCenter/window/[0-9]* + interface=org.gtk.Actions + member=DescribeAll + peer=(name=:*, label=gnome-control-center), + + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member={Remove,GetTreeFromDevice} + peer=(name=:*, label=gvfsd-metadata), + + dbus receive bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=Mounted + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={List,IsSupported} + peer=(name=:*, label=gvfs-*-volume-monitor), + + dbus bind bus=session name=com.rastersoft.dingextension, + + dbus bind bus=session name=com.canonical.Unity, + + dbus bind bus=session name=org.kde.StatusNotifierWatcher, + + dbus bind bus=session name=org.gtk.MountOperationHandler, + + dbus bind bus=session name=org.gtk.Notifications, - dbus (send,receive) bus=system, - dbus (send,receive) bus=session, 
dbus bind bus=session name=org.gnome.*, @{exec_path} mr, @@ -69,8 +486,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/desktop-directories/{,*.directory} r, /usr/share/egl/{,**} r, /usr/share/evolution-data-server/icons/{,**} r, + /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, + /usr/share/gdm/BuiltInSessions/{,*.desktop} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/{,**} r, /usr/share/libgweather/Locations.xml r, @@ -78,9 +497,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/libinput/[0-9][0-9]-*.quirks r, /usr/share/libwacom/{,*.stylus,*.tablet} r, /usr/share/plymouth/*.png r, - /usr/share/ubuntu/applications/{,*.desktop} r, + /usr/share/*ubuntu/applications/{,*.desktop} r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, + /usr/share/desktop-base/** r, /.flatpak-info r, /etc/fstab r, @@ -92,6 +512,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw, /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk, /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, + /var/lib/gdm{3,}/.cache/libgweather/ r, + /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.config/ibus/ rw, /var/lib/gdm{3,}/.config/ibus/bus/ rw, @@ -103,6 +525,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.local/share/gnome-shell/ rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, + /var/lib/AccountsService/icons/* r, + /var/lib/flatpak/app/**/gnome-shell/{,**} r, /var/lib/flatpak/appstream/**/icons/** r, /var/lib/flatpak/exports/share/gnome-shell/{,**} r, 
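Review bot: Replacing the blanket `dbus (send,receive) bus=system,` and `bus=session,` rules with enumerated ones is the right direction, but several of the new system-bus rules still carry no `peer=` at all (the PolicyKit Authority, Accounts, UPower, GeoClue2, DisplayManager, PackageKit, net.hadess and Fprint rules, plus `GetConnectionUnixUser`, `CheckPermissions` and `BeginAuthentication`), and unlike the a11y rules they lack the `# all peer's labels` marker this commit uses for intentional omissions. The combined `dbus (send,receive)` PolicyKit rule also lets gnome-shell receive `CheckAuthorization` and `RegisterAuthenticationAgent`, methods it never services; splitting it into a `dbus send` rule for those two members and a `dbus receive` rule for `Changed`, with `GetAll` on the Properties interface, matches how the rest of the hunk is written. Two peer clauses, `peer=(name=org.freedesktop.DBus label=dbus-daemon)` and `peer=(name=:* label=xdg-desktop-portal-*)`, omit the comma every other clause uses. The profile's file rules continue outside this hunk.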
@@ -124,11 +548,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, + owner @{user_share_dirs}/sounds/__custom/index.theme r, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, owner @{user_cache_dirs}/gnome-screenshot/{,**} rw, + owner @{user_cache_dirs}/libgweather/ w, owner @{user_cache_dirs}/libgweather/{,**} r, owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 560fbeb9e..fa814152c 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -13,6 +13,9 @@ profile gnome-shell-calendar-server @{exec_path} { include include + dbus bind bus=session + name=org.gnome.Shell.CalendarServer, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 10efb895c..806d0e33e 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -19,6 +19,9 @@ profile gnome-terminal-server @{exec_path} { signal (send) set=(term hup kill) peer=unconfined, ptrace (read) peer=unconfined, + dbus bind bus=session + name=org.gnome.Terminal, + @{exec_path} mr, # The shell is not confined on purpose. @@ -47,4 +50,4 @@ profile gnome-terminal-server @{exec_path} { /dev/ptmx rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 602cee7ad..e7eed0bd5 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon 
@@ -25,6 +25,11 @@ profile goa-daemon @{exec_path} { network inet6 dgram, network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member={PropertiesChanged,GetAll}, @@ -33,10 +38,35 @@ profile goa-daemon @{exec_path} { interface=org.freedesktop.NetworkManager member={CheckPermissions,StateChanged}, + dbus send bus=session path=/org/gnome/Identity + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=goa-identity-service), + + dbus receive bus=session path=/org/gnome/OnlineAccounts + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label="{gvfs-goa-volume-monitor,goa-daemon,goa-identity-service,unconfined}"), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Identity/Manager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=goa-identity-service), + + dbus bind bus=session + name=org.gnome.OnlineAccounts, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, + /var/lib/gdm{3,}/.config/dconf/user r, + owner @{user_config_dirs}/goa-1.0/ rw, owner @{user_config_dirs}/goa-1.0/accounts.conf* rw, diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index c7b98a84a..a92b86859 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service 
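Review bot: The `dbus receive bus=session path=/org/gnome/OnlineAccounts ... member=GetManagedObjects` rule accepts the call from `label=unconfined`, which lets any unconfined session process enumerate whatever account objects goa-daemon exposes there, while every other peer in this patch is pinned to a named profile. If a specific unconfined caller needs this, a comment naming it (`# unconfined: <caller> — TODO confirm`) would document the exception; otherwise dropping `unconfined` from the label set keeps the rule as tight as its siblings.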
@@ -12,6 +12,34 @@ profile goa-identity-service @{exec_path} { include include + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path=/org/gnome/Identity + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=goa-daemon), + + dbus send bus=session path=/org/gnome/OnlineAccounts + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=goa-daemon), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Identity/Manager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=goa-daemon), + + dbus bind bus=session + name=org.gnome.Identity, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 2c7c85504..196177821 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings 
@@ -14,6 +14,44 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.A11ySettings, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, @@ -21,6 +59,7 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { /usr/share/glib-2.0/schemas/gschemas.compiled r, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 3f14d3eaf..db2fbd336 100644 --- a/apparmor.d/groups/gnome/gsd-color 
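Review bot: The block of gnome-session client rules added here (RequestName/ReleaseName, RegisterClient, the ClientAdded… signal set, the Properties and ClientPrivate rules and the Introspect receive) is pasted verbatim into gsd-color, gsd-datetime, gsd-housekeeping, gsd-keyboard, gsd-media-keys, gsd-power and gsd-print-notifications in this same patch, and the copies have already started to drift: the signal set is ordered differently in each file, gsd-housekeeping and goa-daemon take `path={/,/org}` for Introspect while the others take `path=/`, and gsd-printer keeps a send-only Properties rule. The profiles are already composed from `include` lines, so a shared abstraction for the gnome-session client handshake would let one edit fix all of them at once. If the intent is to keep them inline, a one-line comment above the block such as `# gnome-session client registration (keep in sync with the other gsd-* profiles)` would at least flag the coupling.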
+++ b/apparmor.d/groups/gnome/gsd-color @@ -11,6 +11,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -18,6 +19,11 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus (send, receive) bus=system path=/org/freedesktop/ColorManager{,/devices/*} interface=org.freedesktop.ColorManager*, 
@@ -25,6 +31,89 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=GetAll, + dbus receive bus=session path=/org/gnome/SettingsDaemon/Color + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member={GetResources,GetCrtcGamma} + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus send bus=session 
path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Color, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 119998b77..f92f53554 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime 
@@ -14,6 +14,44 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Datetime, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index 28175182b..9943fdfd0 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify 
@@ -12,6 +12,11 @@ profile gsd-disk-utility-notify @{exec_path} { include include + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus receive bus=system path=/org/freedesktop/UDisks2{,/**} interface=org.freedesktop.DBus.{Properties,ObjectManager}, @@ -19,6 +24,9 @@ profile gsd-disk-utility-notify @{exec_path} { interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects, + dbus bind bus=session + name=org.gnome.Disks.NotificationMonitor, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 9e0146319..ba966ed9c 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping 
@@ -17,6 +17,49 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(term, hup) peer=gnome*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Housekeeping, + @{exec_path} mr, /etc/fstab r, 
@@ -29,6 +72,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/applications/ rw, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, owner @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index a278f2b3f..21dbae623 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -11,6 +11,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include + include include include include 
@@ -18,10 +19,78 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/locale[0-9] interface=org.freedesktop.DBus.Properties member=GetAll, + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + 
interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Keyboard, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, @@ -31,6 +100,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { /usr/share/X11/xkb/** r, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/gdm{3,}/.config/.gsd-keyboard.settings-ported* rw, owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 051d2653f..81b73a7ea 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -10,8 +10,9 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include - include include + include + include include include include 
@@ -21,17 +22,27 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.DBus.Properties member=GetAll, - dbus send bus=system path=/org/freedesktop/login[0-9] + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member=Inhibit, - dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} - interface=org.freedesktop.DBus.Properties - member=GetAll, + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=PowerOff, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionNew,SessionRemoved,PrepareForShutdown,UserNew,UserRemoved,PrepareForSleep} + peer=(name=:*, label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.DBus.Properties 
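Review bot: The `member=PowerOff` send to `org.freedesktop.login[0-9].Manager` is moved here without a `peer=` clause, while the receive rule added right below it pins `label=systemd-logind`; PowerOff is the one call in this hunk with a real side effect, so it is the one most worth pinning, e.g. `peer=(name=org.freedesktop.login[0-9], label=systemd-logind),`. That new `label=systemd-logind` match also assumes logind is confined under that profile on the target systems; if it runs unconfined there, the SessionNew/PrepareForSleep signals will be denied again, which is worth confirming on the Debian 11 install this patch is meant to unbreak. The `- dbus send bus=system path=/org/freedesktop/login[0-9]` / `+ dbus send ...` pair appears identical in the diff and is presumably a trailing-whitespace change that only adds noise.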
@@ -41,13 +52,107 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=Get, - dbus send bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager - member=PowerOff, + dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} + interface=org.freedesktop.DBus.Properties + member=GetAll, - dbus receive bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager - member={SessionNew,SessionRemoved,PrepareForShutdown}, + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Shell + interface=org.gnome.Shell + 
member={GrabAccelerators,UngrabAccelerators} + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Shell + interface=org.gnome.Shell + member=AcceleratorActivated + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-rfkill), + + dbus send bus=session path=/ + interface=org.freedesktop.DBus + member=ListNames + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gnome/SettingsDaemon/Power + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-power), + + dbus receive bus=session path=/org/gnome/SettingsDaemon/Power + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=gsd-power), + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + + dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core + interface=org.gnome.Mutter.IdleMonitor + member=WatchFired + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.MediaKeys, @{exec_path} mr, 
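Review bot: The `dbus receive bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=gnome-shell)` rule has gsd-media-keys receiving a GetAll method call on an object path that gnome-shell, not gsd-media-keys, exports; the send rule directly above it is the one that matches the real call, and as far as I recall method replies are not mediated separately, so this receive looks like a rule transcribed from an audit log rather than a needed permission. If it was added for a concrete denial, a comment citing it would help; otherwise it can be dropped to keep the profile minimal.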
@@ -66,6 +171,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/recently-used.xbel{,.*} rw, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/gdm{3,}/.config/pulse/client.conf r, /var/lib/gdm{3,}/.config/pulse/cookie rk, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 1cf7670f9..f0b796caf 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -12,6 +12,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -21,6 +22,11 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**} interface=org.freedesktop.{DBus.Properties,UPower*}, 
@@ -44,17 +50,121 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.login[0-9].Manager member=Inhibit, - dbus send bus=system path=/net/hadess/PowerProfiles - interface=org.freedesktop.DBus.Properties - member=GetAll, + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionNew,SessionRemoved,PrepareForShutdown,UserNew,UserRemoved,PrepareForSleep} + peer=(name=:*, label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.DBus.Properties member=PropertiesChanged, - dbus receive bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager - member={SessionNew,SessionRemoved,PrepareForShutdown}, + dbus send bus=system path=/net/hadess/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorAdded,InhibitorRemoved} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + 
interface=org.freedesktop.DBus.Properties + member={GetAll,GetResources,Set} + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*, label=gsd-power), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member=GetResources + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus (send, receive) bus=session path=/org/gnome/SettingsDaemon/Power + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged,Set} + peer=(name="{org.freedesktop.DBus,:*}", label="{gsd-media-keys,gnome-shell}"), + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + + dbus send bus=session path=/org/gnome/Mutter/IdleMonitor + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core + interface=org.gnome.Mutter.IdleMonitor + member={AddIdleWatch,AddUserActiveWatch,RemoveWatch} + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session 
path=/org/gnome/Mutter/IdleMonitor/Core + interface=org.gnome.Mutter.IdleMonitor + member=WatchFired + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member=ActiveChanged + peer=(name=:*, label=gjs-console), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Power, @{exec_path} mr, @@ -64,9 +174,12 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { /usr/share/icons/{,**} r, /usr/share/X11/xkb/** r, + /var/lib/gdm{3,}/.config/pulse/ rw, + /var/lib/gdm{3,}/.config/pulse/cookie rwk, /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.* rwk, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.config/pulse/client.conf r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 152ef7a07..4445412e1 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications 
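Review bot: In the DisplayConfig rules, `interface=org.freedesktop.DBus.Properties member={GetAll,GetResources,Set}` lists `GetResources`, which the rule two entries later correctly attributes to `org.gnome.Mutter.DisplayConfig` and which is not a member of the Properties interface, so that entry never matches and should be removed from the set. The next rule, `dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.freedesktop.DBus.Properties member=Set peer=(name=:*, label=gsd-power)`, names the profile's own label as the peer for an object the neighbouring rules attribute to gnome-shell; unless gsd-power really sends that Set to itself, this is probably a copy of the `label=gnome-shell` rule with the wrong label and is dead. Keeping `member=Set` pinned to `label=gnome-shell` only, as the first rule already does, avoids granting a send that no real peer will ever match.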
@@ -19,27 +19,59 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, signal (send) set=(hup) peer=gsd-printer, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus (send,receive) bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* interface=org.freedesktop.Avahi.ServiceBrowser member={CacheExhausted,AllForNow,CacheExhausted,AllForNow,Free}, - dbus send bus=system path=/ + dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping, - dbus send bus=system path=/ + dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,ServiceBrowserNew}, - dbus receive bus=system path=/org/cups/cupsd/Notifier - interface=org.cups.cupsd.Notifier, - dbus receive bus=system path=/ interface=org.freedesktop.Avahi.Server member=StateChanged, - dbus (send,receive) bus=session path=/org/gnome/SessionManager{,/*} - interface={org.freedesktop.DBus.Properties,org.gnome.SessionManager}, + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier, + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + 
member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), dbus bind bus=session name=org.gnome.SettingsDaemon.PrintNotifications, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index 9167de2fc..6411d0100 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -30,10 +30,20 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { interface=org.gnome.SessionManager peer=(name=:*), - dbus send bus=session path=/org/gnome/SessionManager + dbus send bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*), + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={EndSession,QueryEndSession,CancelEndSession,Stop} + peer=(name=:*, label=gnome-session-binary), dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 52d98363e..11085fccd 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill 
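Review bot: The re-indented Avahi rules `dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,ServiceBrowserNew},` and the ServiceBrowser send/receive rule above them still carry no `peer=` clause, whereas every rule this hunk adds pins both name and label. Since those lines were touched anyway they could be tightened to match, e.g. `peer=(name=:*, label=avahi-daemon),` (assuming that is the avahi profile's name; the system-bus `Ping` rule would want the same). The CUPS notifier receive rule is likewise reintroduced without a member list or peer, so any system-bus client may deliver `org.cups.cupsd.Notifier` signals to this process; if that is deliberate, a short comment like `# signals from any cupsd instance` would document it.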
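Review bot: The added `GetAll` rule is pinned to `label=gnome-session-binary`, but the `org.gnome.SessionManager` rule that ends in the two context lines at the top of the hunk keeps `peer=(name=:*),` with no label, so the one rule left untightened is the one that allows calls to the session manager itself. Consider `peer=(name=:*, label=gnome-session-binary),` there for consistency with the rest of the hunk. That rule's first lines are outside the hunk, so its member list is not visible here.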
@@ -16,6 +16,11 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/hostname[0-9] interface=org.freedesktop.DBus.Properties member=Get, 
@@ -36,6 +41,49 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=PropertiesChanged, + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label="{gsd-media-keys,gnome-shell}"), + + dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=org.freedesktop.DBus, label=gnome-shell), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Rfkill, + @{exec_path} mr, /sys/devices/virtual/misc/rfkill/uevent r, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index b0d8a5526..e92ec8f6f 100644 
--- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -13,6 +13,47 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.freedesktop.ScreenSaver, + + dbus bind bus=session + name=org.gnome.SettingsDaemon.ScreensaverProxy, + @{exec_path} mr, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 16c4c3e50..b1a529b1a 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing 
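Review bot: The six gnome-session client rules (RegisterClient, the ClientAdded/SessionRunning/ClientRemoved/Inhibitor signals, Properties GetAll/PropertiesChanged, EndSessionResponse and the ClientPrivate receive) are pasted verbatim into this profile and, as far as this patch shows, into every other gsd-* profile it touches, with small variations in path globs and member lists between copies. That is the kind of drift an AppArmor abstraction exists to prevent; a shared file pulled in next to the existing includes, e.g. `include <abstractions/gnome-session-client>` (name illustrative), would let each profile keep only its own `dbus bind` and service-specific rules. In this hunk only the `RequestName,ReleaseName` rule and the two bind names are actually specific to gsd-screensaver-proxy.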
@@ -16,25 +16,88 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, - dbus send bus=system path=/org/freedesktop + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects, + member=GetManagedObjects + peer=(name=:*, label=NetworkManager), - dbus send bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.NetworkManager - member=GetPermissions, + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name=:*, label=NetworkManager), - dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9] + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]* + interface=org.freedesktop.NetworkManager.Connection.Active + member=StateChanged + peer=(name=:*, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* interface=org.freedesktop.NetworkManager.Settings.Connection - member=GetSettings, + member=GetSettings + peer=(name=:*, label=NetworkManager), - dbus receive bus=system path=/org/freedesktop/NetworkManager{,/{Devices,DHCP{4,6}Config,IP{4,6}Config}/[0-9]*} + dbus receive bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* + interface=org.freedesktop.NetworkManager.Settings.Connection + member=Updated + peer=(name=:*, label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, + member=PropertiesChanged + peer=(name=:*, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=GetPermissions + 
peer=(name=:*, label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager - member=CheckPermissions, + member=CheckPermissions + peer=(name=:*, label=NetworkManager), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/**} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/freedesktop/systemd[0-9]* + interface=org.freedesktop.systemd[0-9]*.Manager + member=StopUnit + peer=(name=org.freedesktop.systemd[0-9]*), # all peer's labels + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Sharing, dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]* interface=org.freedesktop.NetworkManager.Connection.Active 
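Review bot: The new `dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]* interface=org.freedesktop.NetworkManager.Connection.Active member=StateChanged peer=(name=:*, label=NetworkManager),` appears to duplicate the pre-existing ActiveConnection/Connection.Active receive rule that begins in the hunk's trailing context lines; that rule's member and peer continuation lie outside the hunk, so if it already covers StateChanged one of the two should go. Separately, `member=StopUnit` on the user systemd Manager is allowed with `# all peer's labels` but there is no matching `StartUnit`; if gsd-sharing also starts the sharing units it manages, that call will be denied in enforce mode, and if it does not, a comment saying why stop-only suffices would help. The label-less `peer=(name=org.freedesktop.systemd[0-9]*)` is acceptable only because the session systemd is unconfined, which is worth stating in that comment.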
@@ -47,6 +110,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { /usr/share/glib-2.0/schemas/gschemas.compiled r, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 09a91c681..857f2cdcb 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard 
@@ -9,12 +9,61 @@ include @{exec_path} = @{libexec}/gsd-smartcard profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include + include include include include signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SettingsDaemon/Smartcard + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/SettingsDaemon/Smartcard + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Smartcard, + @{exec_path} mr, 
/usr/share/dconf/profile/gdm r, @@ -24,6 +73,9 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, + /var/tmp/ r, + /tmp/ r, + owner /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 9d6045458..c84b8338e 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound 
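Review bot: `/var/tmp/ r,` and `/tmp/ r,` let gsd-smartcard enumerate the world-writable temp directories, exposing other sessions' file names to a greeter component, and nothing in the profile shows it using a file there. If these rules only silence a probe (for example a library scanning for sockets), the silencer style used elsewhere in this series, `deny /{var/,}tmp/ r,`, keeps the log quiet without granting the listing. If the access is genuinely required, a one-line comment naming the consumer would justify keeping it.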
@@ -15,6 +15,49 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Sound, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 43c58791e..ee545b608 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom 
@@ -9,7 +9,9 @@ include @{exec_path} = @{libexec}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include + include include + include include include include 
@@ -17,6 +19,79 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket 
+ member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus receive bus=session path=/org/gnome/SettingsDaemon/Wacom + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Wacom, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, @@ -33,6 +108,7 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/wayland-[0-9] rw, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 56a5614ed..c196b33cd 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,8 +9,9 @@ include @{exec_path} = @{libexec}/gsd-xsettings profile gsd-xsettings @{exec_path} { include - include include + include + include include include include @@ -26,6 +27,11 @@ profile gsd-xsettings @{exec_path} { network inet6 dgram, network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName,GetId} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.Accounts.User member={SetInputSources,Changed,GetAll}, 
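Review bot: The new `RequestName,ReleaseName,GetId` rule is pinned to `label=dbus-daemon`, but the `org.freedesktop.Accounts.User` send/receive rule in the hunk's trailing context has no `peer=` at all and includes `SetInputSources`, a write to accountsservice; through the same rule any system-bus process can also deliver `Changed` to this profile. Splitting it into a send rule and a receive rule, both with `peer=(name=:*, label=accounts-daemon),`, would match the pinning the rest of this patch applies to accountsservice traffic. The rule itself is untouched by this commit, so this is a follow-up rather than a regression.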
@@ -34,10 +40,81 @@ profile gsd-xsettings @{exec_path} { interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged}, - dbus send bus=system path=/org/freedesktop/Accounts + dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member=FindUserByName, + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member={UserAdded,UserRemoved} + peer=(name=:*, label=accounts-daemon), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,ClientRemoved,SessionRunning} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={EndSession,QueryEndSession,CancelEndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*), # many peer's labels + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + 
interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member=GetCurrentState + peer=(name=org.gnome.Mutter.DisplayConfig, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Shell/Introspect + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.gnome.Shell.Introspect, label=gnome-shell), + + dbus bind bus=session + name=org.gtk.Settings, + + dbus bind bus=session + name=org.gnome.SettingsDaemon.XSettings, + @{exec_path} mr, /{usr/,}bin/cat rix, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index dead8dab8..5fdefc648 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -44,7 +44,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { /usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/thumbnailers/{,**} r, /usr/share/tracker3/{,**} r, - /usr/share/ubuntu/applications/{,**} r, + /usr/share/*ubuntu/applications/{,**} r, + /usr/share/tracker/domain-ontologies/*.rule r, /var/lib/snapd/desktop/icons/{,**} r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index a8ce89742..8881030d6 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract 
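Review bot: `dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member=FindUserByName,` is rewritten (whitespace only) without a peer, while the `UserAdded,UserRemoved` receive rule added directly below it is pinned to `label=accounts-daemon`; appending `peer=(name=:*, label=accounts-daemon),` to the send rule would make the two consistent and ensure the call is only permitted when the name is owned by the confined accounts-daemon. The `receive … /org/gtk/Settings … GetAll peer=(name=:*), # many peer's labels` rule is deliberately open, which is reasonable for a settings provider, but the comment could name the expected callers so the rule is not later mistaken for an oversight.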
@@ -21,6 +21,46 @@ profile tracker-extract @{exec_path} { network netlink raw, + signal (receive) set=(term) peer=gdm, + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Tracker3.Miner.Files), + + dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.Tracker3.Endpoint + member=Query + peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), + + dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.Tracker3.Endpoint + member=GraphUpdated + peer=(name=:*, label=tracker-miner), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={List,IsSupported} + peer=(name=:*, label=gvfs-*-volume-monitor), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.freedesktop.Tracker3.Miner.Extract, + @{exec_path} mr, /usr/share/applications/*.desktop r, @@ -34,11 +74,15 @@ profile tracker-extract @{exec_path} { /usr/share/poppler/{,**} r, /usr/share/tracker3-miners/{,**} r, /usr/share/tracker3/{,**} r, + /usr/share/gvfs/remote-volume-monitors/{,*} r, + /etc/fstab r, /etc/libva.conf r, /var/lib/gdm{3,}/.cache/ rw, /var/lib/gdm{3,}/.cache/tracker3/{,**} rw, + /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw, + /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/flatpak/exports/share/applications/mimeinfo.cache r, 
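Review bot: The `org.freedesktop.DBus.Peer` `Ping` rule targets `peer=(name=org.freedesktop.Tracker3.Miner.Files)` without a label, while the `Query` rule to the same name two rules later is pinned with `label=tracker-miner`; both talk to the same endpoint, so the Ping rule should carry the same label, `peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),`. Without it the rule accepts whichever process currently holds the well-known name, which is exactly the case label pinning is meant to exclude.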
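Review bot: `/var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,` in the second hunk makes the GStreamer plugin registry writable by the process that parses untrusted media, and that registry is read by every other GStreamer user in the gdm session, so this is a write into shared state from the most exposed component of the set. The write is presumably needed because GStreamer regenerates the registry itself when it is missing or stale; if so, a comment such as `# GStreamer rebuilds the registry cache on startup` would record that this was weighed rather than copied from a denial log. The `/etc/fstab` and `remote-volume-monitors` reads look fine.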
@@ -72,6 +116,9 @@ profile tracker-extract @{exec_path} { /dev/video[0-9]* rw, deny owner @{user_share_dirs}/gvfs-metadata/** r, + + # file_inherit + owner /dev/tty[0-9]* rw, include if exists } diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 53c8e1085..0c90c4da6 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/tracker-miner-fs-{,control-}3 -profile tracker-miner @{exec_path} { +profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include 
@@ -19,10 +19,61 @@ profile tracker-miner @{exec_path} { include include + signal (receive) set=(term, kill) peer=gdm, + signal (receive) set=(hup) peer=gdm-session-worker, + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} interface=org.freedesktop.DBus.Properties member=GetAll, + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member={ListMonitorImplementations,ListMountableInfo} + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=Mounted + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={List,IsSupported} + peer=(name=:*, label=gvfs-*-volume-monitor), + + dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=:*, label=tracker-extract), + + dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.Tracker3.Endpoint + member=GraphUpdated + peer=(name=org.freedesktop.DBus, label=tracker-extract), + + dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.Tracker3.Endpoint + member=Query + peer=(name=:*, label=tracker-extract), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.freedesktop.Tracker3.Miner.*, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, 
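Review bot: `dbus bind bus=session name=org.freedesktop.Tracker3.Miner.*,` lets this profile claim any name under that prefix, including `org.freedesktop.Tracker3.Miner.Extract`, the name tracker-extract binds in this same patch, so a compromised miner could squat the extractor's name and receive its traffic. The exec path `tracker-miner-fs-{,control-}3` suggests only two names are needed; `name=org.freedesktop.Tracker3.Miner.Files{,.Control},` (the `.Control` suffix is my inference from the control binary — verify) would be the tighter form. The `Query`/`GraphUpdated` rules in this hunk already reference `Miner.Files` explicitly, so narrowing the bind is consistent with the rest of the profile.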
@@ -39,7 +90,8 @@ profile tracker-miner @{exec_path} { /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r, /var/lib/gdm{3,}/ r, - /var/lib/gdm{3,}/.cache/tracker3/tracker3/files/{,**} rwk, + /var/lib/gdm{3,}/.cache/tracker3/{,tracker3/}files/{,**} rwk, + /var/lib/gdm{3,}/.local/share/applications/ r, /var/lib/gdm{3,}/greeter-dconf-defaults r, owner /var/tmp/etilqs_@{hex} rw, @@ -60,5 +112,8 @@ profile tracker-miner @{exec_path} { @{run}/mount/utab r, + # file_inherit + owner /dev/tty[0-9]* rw, + include if exists } diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 31a90ffc9..81b0ab217 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent @@ -75,10 +75,13 @@ profile gpg-agent @{exec_path} { owner /tmp/tmp.*/gnupg/{,d.*/}S.gpg-agent rw, owner /tmp/tmp.*/gnupg/sshcontrol r, - owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fd/ r, # Silencer deny /{usr/,}bin/.gnupg/ w, + # file inherit + owner /dev/tty[0-9]* rw, + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index 1baa4eda1..2ec862700 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor 
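Review bot: Dropping `owner` from `@{PROC}/@{pid}/fd/ r,` in the gpg-agent hunk widens the rule with no comment explaining why the process's own fd directory fails the owner match; presumably gpg-agent marks itself non-dumpable, which makes its `/proc/<pid>` entries root-owned, but a reader seeing only this line will be tempted to put `owner` back. A note such as `# not owner-matched: gpg-agent is non-dumpable, so /proc/@{pid}/ is root-owned` (verify against the binary's prctl/rlimit behaviour) would prevent that. The `# file inherit` rule grants `rw` on the tty; if the inherited descriptor is never used, the project's silencer form, `deny owner /dev/tty[0-9]* rw,`, would be tighter.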
@@ -12,6 +12,24 @@ profile gvfs-afc-volume-monitor @{exec_path} { include include + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={List,IsSupported} + peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"), + + dbus receive bus=session path={/,/org/gtk/Private/RemoteVolumeMonitor} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gtk.vfs.AfcVolumeMonitor, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index d55fa7de2..67c24489f 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -12,6 +12,29 @@ profile gvfs-goa-volume-monitor @{exec_path} { include include + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={List,IsSupported} + peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"), + + dbus receive bus=session path={/,/org/gtk/Private/RemoteVolumeMonitor} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/OnlineAccounts + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=goa-daemon), + + dbus bind bus=session + name=org.gtk.vfs.GoaVolumeMonitor, + @{exec_path} mr, include if exists 
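Review bot: The peer clause `label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"` on the RemoteVolumeMonitor receive rule admits every unconfined session-bus client, so the named labels only constrain confined peers. That is likely fine for a read-only List/IsSupported query, but the rule should state it, e.g. `# unconfined: read-only enumeration, also called by clients that have no profile`. The identical literal is pasted into gvfs-goa on this line and into gvfs-gphoto2, gvfs-mtp and gvfs-udisks2 below; if the tree's variable mechanism can be used in peer labels, one definition would keep the five copies from drifting when a label is added. Each profile continues outside its hunk.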
diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index b5844365d..044464378 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -16,6 +16,24 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={List,IsSupported} + peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"), + + dbus receive bus=session path={/,/org,/org/gtk/Private/RemoteVolumeMonitor} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gtk.vfs.GPhoto2VolumeMonitor, + @{exec_path} mr, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index 1163dd549..cc6ba3de4 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor 
@@ -15,6 +15,24 @@ profile gvfs-mtp-volume-monitor @{exec_path} { network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={List,IsSupported} + peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"), + + dbus receive bus=session path={/,/org,/org/gtk/Private/RemoteVolumeMonitor} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gtk.vfs.MTPVolumeMonitor, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 19f28dcb1..08d959c0c 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor 
@@ -31,6 +31,29 @@ profile gvfs-udisks2-volume-monitor @{exec_path} { interface=org.freedesktop.{DBus.*,UDisks2.*} peer=(label=udisksd), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={List,IsSupported} + peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gtk.vfs.UDisks2VolumeMonitor, + @{exec_path} mr, /{usr/,}bin/lsof rix, @@ -40,6 +63,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, + /var/lib/gdm{3,}/.config/dconf/user r, + / r, /etc/fstab r, /etc/machine-id r, diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index 01da7aa17..55f5cb9a5 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd 
@@ -14,6 +14,43 @@ profile gvfsd @{exec_path} { include include + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=Mounted + peer=(name=org.freedesktop.DBus, label="{gvfsd-*,gnome-*,tracker-miner}"), + + dbus receive bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + peer=(name=:*), # all members + + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=ListMonitorImplementations + peer=(name=:*), # all peer's labels + + dbus send bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd-*), + + dbus receive bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]* + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd-*), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gtk.vfs.Daemon, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 0c83581b4..b1b98d214 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -14,6 +14,11 @@ profile gvfsd-dnssd @{exec_path} { include include + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member={Ping,GetAPIVersion,GetState,ServiceBrowserNew}, 
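Review bot: The rule `dbus receive bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker peer=(name=:*), # all members` is the only one in this hunk with neither a member nor a peer label, so every MountTracker method, including the apparently state-changing ones the sibling profiles send (RegisterMount, MountLocation), is accepted from any label. The client side of this patch is scoped tightly, with gvfsd-dnssd, gvfsd-network and gvfsd-smb-browse all naming `label=gvfsd` on their sends, so at least those members could be restricted to the `gvfsd-*` labels while the query members stay open. If the open rule is deliberate because unconfined GIO clients also call it, replace the comment with one that says so, e.g. `# all members, all labels: any GIO client may query the mount tracker`. The profile continues outside the hunk.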
@@ -27,6 +32,29 @@ profile gvfsd-dnssd @{exec_path} { interface=org.freedesktop.Avahi.ServiceBrowser member={CacheExhausted,AllForNow}, + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*, label=gvfsd-network), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]* + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + + dbus bind bus=session + name=org.gtk.vfs.mountpoint_dnssd, + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 9ea20cfa9..f55f42a48 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -18,6 +18,20 @@ profile gvfsd-fuse @{exec_path} { mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + peer=(name=:*, label=gvfsd), # all members + + dbus receive bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=Mounted + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, /{usr/,}bin/fusermount{,3} rCx -> fusermount, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index 3d0c16962..e864b3835 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata 
@@ -17,8 +17,32 @@ profile gvfsd-metadata @{exec_path} { network netlink raw, + dbus bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path=/org/gtk/vfs/metadata + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-extension-ding), + + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member=AttributeChanged + peer=(name=org.freedesktop.DBus, label=gnome-extension-ding), + + dbus receive bus=session path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member={GetTreeFromDevice,Remove} + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session name=org.gtk.vfs.Metadata, + @{exec_path} mr, + /var/lib/gdm{3,}/.local/share/gvfs-metadata/{,*} rw, + owner @{user_share_dirs}/gvfs-metadata/{,*} rw, owner @{HOME}/.var/app/*/data/gvfs-metadata/{,*} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 5b6c9ab77..9a29d0197 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network 
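Review bot: The first added rule, `dbus bus=session path=/org/freedesktop/DBus`, omits the access keyword that every other RequestName/ReleaseName rule in this patch carries, so it allows more than the send the other profiles grant (receive as well, for the same path, interface and members). Change it to `dbus send bus=session path=/org/freedesktop/DBus` to match gvfsd, gvfsd-network and the rest. The omission is easy to miss because the parser accepts the rule without complaint. The profile continues outside the hunk.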
@@ -14,6 +14,39 @@ profile gvfsd-network @{exec_path} { include include + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]* + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={MountLocation,LookupMount,RegisterMount,ListMountableInfo} + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*, label=gvfsd-dnssd), + + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*, label=gnome-control-center), + + dbus bind bus=session + name=org.gtk.vfs.mountpoint_[0-9]*, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index d9488b3dd..a3f586013 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse 
@@ -21,6 +21,34 @@ profile gvfsd-smb-browse @{exec_path} { network inet dgram, network inet6 dgram, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMounts2 + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=Mounted + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]* + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + + dbus bind bus=session + name=org.gtk.vfs.mountpoint_smb_browse, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -28,7 +56,10 @@ profile gvfsd-smb-browse @{exec_path} { /etc/samba/smb.conf r, owner @{run}/samba/ rw, + owner @{run}/samba/gencache.tdb rwk, owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, + owner @{user_cache_dirs}/samba/gencache.tdb rwk, + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 7cc4cab82..2085eca05 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash 
@@ -21,6 +21,29 @@ profile gvfsd-trash @{exec_path} { network inet stream, network inet6 stream, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*, label=gnome-control-center), + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]* + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gtk.vfs.mountpoint_[0-9]*, + @{exec_path} mr, # Can restore all user files diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 6e56b5372..faf588a2a 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager 
@@ -14,18 +14,23 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.DBus.Properties member=GetAll, - dbus send bus=system path=/org/freedesktop/login[0-9] + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member=Inhibit, - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus), + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={UserNew,SessionNew,PrepareForShutdown,SeatNew,UserRemoved,SessionRemoved,PrepareForSleep} + peer=(name=:*, label=systemd-logind), dbus receive bus=system path=/org/freedesktop/ModemManager[0-9] interface=org.freedesktop.DBus.ObjectManager @@ -39,10 +44,6 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.PolicyKit[0-9].Authority member=Changed, - dbus receive bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager - member={UserNew,SessionNew,PrepareForShutdown,SeatNew,UserRemoved,SessionRemoved}, - dbus bind bus=system name=org.freedesktop.ModemManager[0-9], @@ -50,6 +51,8 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+pci:* r, @{run}/udev/data/+platform* r, + @{run}/udev/data/+usb:* r, + @{run}/udev/data/c189:[0-9]* r, @{run}/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]* @{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/n[0-9]* r, 
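Review bot: In the third ModemManager hunk, `@{run}/udev/data/c189:[0-9]* r,` is added without the `# for /dev/...` annotation that the neighbouring `c4:` and `c5:` lines carry; major 189 is the USB device-node range, so `@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/*/*` keeps the convention. The `@{run}/udev/data/+usb:* r,` line directly above it would benefit from the same kind of note. The profile continues outside the hunk.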
@@ -57,6 +60,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/*.ref rw, @{sys}/bus/ r, + @{sys}/bus/usb/devices/ r, @{sys}/class/ r, @{sys}/class/net/ r, @{sys}/class/tty/ r, @@ -68,4 +72,4 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/tty/*/ r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 9f6ea6df3..1f881e3e7 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -44,7 +44,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus (send,receive) bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={SessionRemoved,UserNew,SessionNew,Inhibit,PrepareForShutdown,UserRemoved}, + member={SessionRemoved,UserNew,SessionNew,Inhibit,PrepareForShutdown,UserRemoved,PrepareForSleep} + peer=(name=:*, label=systemd-logind), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus @@ -52,7 +53,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded, + member={InterfacesAdded,InterfacesRemoved} + peer=(name=org.freedesktop.DBus), # label="{gnome-shell,...}" dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher @@ -105,6 +107,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /etc/resolv.conf rw, /etc/resolv.conf.[0-9A-Z]* rw, + /etc/network/interfaces r, + /etc/network/interfaces.d/{,*} r, /etc/NetworkManager/{,**} r, /etc/NetworkManager/system-connections/{,**} w, 
@@ -118,6 +122,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/net/ r, @{sys}/class/net/rfkill/ r, + @{run}/network/ifstate r, @{run}/NetworkManager/{,**} rw, @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 15f077331..3ce1aa004 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -34,5 +34,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{run}/systemd/notify rw, + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index d282b0a80..8e2625c42 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}lib/systemd/systemd-hostnamed -profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { +profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { include include include @@ -30,7 +30,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { member={Get,GetAll,SetHostname} peer=(name=:*), - dbus bind bus=system + dbus bind bus=system name=org.freedesktop.hostname[0-9], @{exec_path} mr, @@ -50,8 +50,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/dmi/entries/*/raw r, /etc/.#hostname* rw, + /etc/.#machine-info?????? rw, /etc/hostname rw, - /etc/machine-info r, + /etc/machine-info rw, @{run}/udev/data/+dmi:id r, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index c410568f5..6a56b59ea 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved 
@@ -37,6 +37,11 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/resolve[0-9] interface=org.freedesktop.resolve[0-9].Manager, + dbus receive bus=system path=/org/freedesktop/login[0-9]* + interface=org.freedesktop.login[0-9]*.Manager + member={PrepareForSleep,PrepareForShutdown} + peer=(name=:*, label=systemd-logind), + dbus bind bus=system name=org.freedesktop.resolve[0-9], diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index f23379653..f32b0a908 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -10,6 +10,7 @@ include profile systemd-sleep @{exec_path} { include include + include include capability net_admin, @@ -21,6 +22,8 @@ profile systemd-sleep @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/nvidia-sleep.sh rix, /{usr/,}lib/systemd/system-sleep/nvidia rix, + /{usr/,}lib/systemd/system-sleep/hdparm rix, + /{usr/,}lib/systemd/system-sleep/unattended-upgrades rix, /etc/systemd/sleep.conf r, /etc/systemd/sleep.conf.d/{,*} r, @@ -32,4 +35,4 @@ profile systemd-sleep @{exec_path} { /dev/tty rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index df4dd41ce..2f60b0ab2 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -23,8 +23,8 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=RequestName - peer=(name=org.freedesktop.DBus), + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), dbus bind bus=system name=org.freedesktop.timesync1, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index fb5607311..62d30d46a 100644 
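Review bot: The new logind receive rule in systemd-resolved uses `path=/org/freedesktop/login[0-9]*` and `interface=org.freedesktop.login[0-9]*.Manager`, whereas the same PrepareForSleep/PrepareForShutdown subscription is written with `login[0-9]` in ModemManager, NetworkManager and packagekitd elsewhere in this patch; the trailing `*` matches anything after the digit and adds nothing. Use `path=/org/freedesktop/login[0-9]` and `interface=org.freedesktop.login[0-9].Manager` here and in the identical rule added to udisksd. The profile continues outside the hunk.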
--- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -25,6 +25,11 @@ profile check-new-release-gtk @{exec_path} { network inet6 stream, network netlink raw, + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + @{exec_path} mr, /{usr/,}bin/dpkg rPx, @@ -38,10 +43,13 @@ profile check-new-release-gtk @{exec_path} { /usr/share/ubuntu-release-upgrader/{,**} r, /usr/share/update-manager/{,**} r, /usr/share/X11/xkb/{,**} r, + /usr/share/dconf/profile/gdm r, /etc/update-manager/{,**} r, /var/lib/update-manager/{,**} rw, + /var/lib/gdm{3,}/greeter-dconf-defaults r, + /var/lib/gdm{3,}/.cache/update-manager-core/meta-release-lts rw, owner @{user_cache_dirs}/update-manager-core/{,**} rw, @@ -52,4 +60,4 @@ profile check-new-release-gtk @{exec_path} { @{PROC}/@{pids}/mounts r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd index ef3d6a6ea..1ee639fb4 100644 --- a/apparmor.d/groups/ubuntu/packagekitd +++ b/apparmor.d/groups/ubuntu/packagekitd @@ -67,7 +67,8 @@ profile packagekitd @{exec_path} { dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={SessionNew,PrepareForShutdown,SessionRemoved,UserNew,UserRemoved}, + member={SessionNew,PrepareForShutdown,SessionRemoved,UserNew,UserRemoved,PrepareForSleep} + peer=(name=:*, label=systemd-logind), dbus bind bus=system name=org.freedesktop.PackageKit, @@ -112,4 +113,4 @@ profile packagekitd @{exec_path} { @{PROC}/@{pids}/mountinfo r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd index ef5eb9bc0..6a113965a 100644 --- a/apparmor.d/groups/ubuntu/release-upgrade-motd +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd 
@@ -17,6 +17,7 @@ profile release-upgrade-motd @{exec_path} { /{usr/,}bin/expr rix, /{usr/,}bin/id rPx, /{usr/,}bin/stat rix, + /{usr/,}bin/cat rix, /{usr/,}bin/do-release-upgrade rPx, /var/lib/ubuntu-release-upgrader/release-upgrade-available rw, diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index 74f634449..ccd571e3b 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -40,6 +40,7 @@ profile appstreamcli @{exec_path} flags=(complain) { /var/lib/app-info/ w, /var/lib/app-info/yaml/ r, /var/lib/app-info/yaml/*.yml.gz w, + /var/lib/app-info/icons/ r, /var/lib/apt/lists/ r, /var/lib/apt/lists/*.gz r, /var/lib/flatpak/appstream/{,**} r, @@ -67,6 +68,7 @@ profile appstreamcli @{exec_path} flags=(complain) { /{usr/,}bin/curl mr, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/cc-remote-login-helper b/apparmor.d/profiles-a-f/cc-remote-login-helper new file mode 100644 index 000000000..1c70969f9 --- /dev/null +++ b/apparmor.d/profiles-a-f/cc-remote-login-helper @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{libexec}/cc-remote-login-helper +profile cc-remote-login-helper @{exec_path} { + include + + capability sys_nice, + + @{exec_path} mr, + + include if exists +} diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index c2c9a6ffa..5c2975c74 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -41,8 +41,9 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/journal/socket rw, @{run}/systemd/inhibit/*.ref w, + @{run}/udev/data/c239:[0-9]* r, @{sys}/class/hidraw/ r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch index 98d10349f..adb5713a5 100644 --- a/apparmor.d/profiles-g-l/im-launch 
+++ b/apparmor.d/profiles-g-l/im-launch @@ -13,13 +13,13 @@ profile im-launch @{exec_path} { @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gnome-session rix, /{usr/,}bin/env rix, /{usr/,}bin/locale rix, - /{usr/,}bin/gettext rix, + /{usr/,}bin/gettext{,.sh} rix, /{usr/,}bin/true rix, - /{usr/,}bin/dpkg-query rpx, /{usr/,}bin/sed rix, - /{usr/,}bin/gettext.sh r, + /{usr/,}bin/dpkg-query rpx, /usr/share/im-config/{,**} r, @@ -27,5 +27,10 @@ profile im-launch @{exec_path} { /etc/X11/xinit/xinputrc r, /etc/X11/Xsession.d/70im-config_launch r, + owner @{HOME}/.xinputrc r, + + # file inherit + owner /dev/tty[0-9]* rw, + include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate old mode 100755 new mode 100644 diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man index 392735390..6318a569b 100644 --- a/apparmor.d/profiles-m-r/man +++ b/apparmor.d/profiles-m-r/man @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/man profile man @{exec_path} { include + include signal peer=man//man_groff, signal peer=man//man_filter, @@ -41,11 +42,12 @@ profile man @{exec_path} { /{usr/,}bin/less rPx -> child-pager, /{usr/,}bin/more rPx -> child-pager, - /usr/**/man/** r, - /var/**/man/** r, + /usr/**/man/{,**} r, + /var/**/man/{,**} r, /var/cache/man/index.db rk, /etc/man_db.conf r, + /etc/manpath.config r, /dev/tty r, @@ -75,6 +77,8 @@ profile man_groff { /tmp/groff* rw, owner /tmp/* rw, + + include if exists } profile man_filter { @@ -102,4 +106,6 @@ profile man_filter { owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r, /var/cache/man/** w, + + include if exists } diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index c85eac182..2226bb04e 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass 
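Review bot: `/{usr/,}bin/gnome-session rix,` in the first im-launch hunk keeps the session manager, and therefore everything it goes on to start, under im-launch's narrow profile (a shell, env, locale, gettext, sed and dpkg-query), which is unlikely to be the intended confinement for the rest of the desktop. If the tree ships a gnome-session profile, `/{usr/,}bin/gnome-session rPx,` transitions into it; if it does not, a comment explaining why inheriting im-launch's rules is acceptable belongs on the line. If im-launch ends by exec'ing whatever it was handed, as its sh/env/sed rule set suggests, the list of exec targets here will also need to grow beyond gnome-session. The profile continues outside the hunk.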
@@ -106,8 +106,8 @@ profile pass @{exec_path} { network inet6 stream, network netlink raw, - /{usr/,}bin/git* mrix, - /{usr/,}@{libexec}/git-core/git* mrix, + /{usr/,}bin/git* mrix, + @{libexec}/git-core/git* mrix, /{usr/,}bin/gpg{2,} rUx, diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/profiles-m-r/passwd index 9b9663e3e..ddf0118ee 100644 --- a/apparmor.d/profiles-m-r/passwd +++ b/apparmor.d/profiles-m-r/passwd @@ -20,6 +20,8 @@ profile passwd @{exec_path} { capability fsetid, capability setuid, + signal (receive) set=(term, kill) peer=gnome-control-center, + network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index 9136dc223..e64ccd297 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec @@ -58,6 +58,7 @@ profile pkexec @{exec_path} flags=(complain) { /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, /{usr/,}lib/update-notifier/package-system-locked rPx, /usr/share/apport/apport-gtk rPx, + @{libexec}/cc-remote-login-helper rPx, /etc/shells r, /etc/environment r, diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index 6b055f718..8d065f4f1 100644 --- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -29,7 +29,7 @@ profile scrcpy @{exec_path} { /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, + owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 1d5637212..151332d99 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap 
@@ -14,6 +14,13 @@ profile snap @{exec_path} { include include + unix (send, receive) type=stream peer=(label=apt), + + dbus send bus=session path=/org/freedesktop/portal/documents + interface=org.freedesktop.portal.Documents + member=GetMountPoint + peer=(name=org.freedesktop.portal.Documents), + @{exec_path} mrix, /snap/{,**} rw, @@ -23,11 +30,14 @@ profile snap @{exec_path} { /etc/fstab r, - /var/lib/snapd/{,**} rwk,# + /var/lib/snapd/{,**} rwk, + /var/cache/snapd/commands.db rwk, owner @{HOME}/snap/{,**} rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, + owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/systemd/notify rw, @{run}/snapd.socket rw, @@ -46,4 +56,4 @@ profile snap @{exec_path} { deny @{user_share_dirs}/gvfs-metadata/* r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index b3e3d27bf..0402b79c3 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent 
@@ -11,18 +11,40 @@ profile spice-vdagent @{exec_path} { include include include + include include include include + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member=GetCurrentState + peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus member=GetAddress - peer=(name=org.a11y.Bus), + peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), - dbus send bus=session path=/org/gnome/Mutter/DisplayConfig - interface=org.gnome.Mutter.DisplayConfig - member=GetCurrentState, + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels @{exec_path} mr, @@ -37,4 +59,4 @@ profile spice-vdagent @{exec_path} { /dev/dri/card[0-9]* rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index bb1cfc9e0..e736fd7d4 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control 
@@ -37,7 +37,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/devices/pci[0-9]*/**/boot_vga r, - @{sys}/devices/pci[0-9]*/**/uevent r, + @{sys}/devices/{pci[0-9]*,virtual}/**/uevent r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index c89a78e60..207a6fb21 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -64,6 +64,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.login[0-9].Manager member=Inhibit, + dbus receive bus=system path=/org/freedesktop/login[0-9]* + interface=org.freedesktop.login[0-9]*.Manager + member={PrepareForSleep,PrepareForShutdown} + peer=(name=:*, label=systemd-logind), + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.DBus.Properties member=GetAll, diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index 38db74ade..6c464b77e 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -36,7 +36,7 @@ profile useradd @{exec_path} { @{exec_path} mr, - /{usr/,}bin/usermod rPx, + /{usr/,}{s,}bin/usermod rPx, /{usr/,}{s,}bin/pam_tally2 rCx -> pam_tally2, @@ -81,6 +81,7 @@ profile useradd @{exec_path} { /var/log/tallylog rw, + include if exists } include if exists diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 352c12a5b..d2d583aae 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -15,6 +15,7 @@ avahi-publish complain avahi-resolve complain avahi-set-host-name complain busctl complain +cc-remote-login-helper complain cfdisk complain cgdisk complain child-open complain @@ -136,6 +137,7 @@ repo complain resolvconf complain run-parts complain runuser complain +setpriv complain s3fs complain sbctl complain scrcpy complain
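Review bot: In the second main.flags hunk, `setpriv complain` is inserted between `runuser` and `s3fs`, which breaks the alphabetical order the file otherwise keeps (`s3fs`, `sbctl` and `scrcpy` all sort before `setpriv`). Move the line to after `scrcpy complain`, or wherever the next name sorting after it sits in the part of the file not shown here. The `cc-remote-login-helper complain` entry in the first hunk is placed correctly.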