feat(dbus): rewrite some dbus rules (1).

2023-12-01 20:58:21 +00:00 · 2023-12-01 20:58:21 +00:00 · 6d1ff256af
commit 6d1ff256af
parent d6888a65c4
32 changed files with 248 additions and 383 deletions
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@ -11,44 +11,22 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus/polkit>
  include <abstractions/consoles>
-  include <abstractions/dri-enumerate>
  include <abstractions/dbus-strict>
  include <abstractions/devices-usb>
+  include <abstractions/dri-enumerate>

  network qipcrtr dgram,
  network netlink raw,

-  dbus send bus=system path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-daemon),
-
-  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll,
-
-  dbus send bus=system path=/org/freedesktop/login1
-       interface=org.freedesktop.login1.Manager
-       member=Inhibit,
-
-  dbus receive bus=system path=/org/freedesktop/login1
-       interface=org.freedesktop.login1.Manager
-       member={UserNew,SessionNew,PrepareForShutdown,SeatNew,UserRemoved,SessionRemoved,PrepareForSleep}
-       peer=(name=:*, label=systemd-logind),
-
-  dbus receive bus=system path=/org/freedesktop/ModemManager1
-       interface=org.freedesktop.DBus.ObjectManager
-       member=GetManagedObjects,
-
-  dbus receive bus=system path=/org/freedesktop/ModemManager1
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll,
-
-  dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
-       interface=org.freedesktop.PolicyKit1.Authority
-       member=Changed,
-
  dbus bind bus=system name=org.freedesktop.ModemManager1,
+  dbus receive bus=system path=/org/freedesktop/ModemManager1
+       interface=org.freedesktop.DBus.Properties
+       member=GetManagedObjects,
+       peer=(name=:*),
+
+  dbus (send, receive) bus=system path=/org/freedesktop/login1
+       interface=org.freedesktop.login1.Manager
+       peer=(name=:*, label=systemd-logind),

  @{exec_path} mr,

--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/NetworkManager
 profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/dbus-network-manager-strict>
+  include <abstractions/bus/network-manager>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
@ -43,10 +43,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,NetworkManager*}
       peer=(name=:*),

-  dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit1/Authority
-       interface=org.freedesktop.PolicyKit1.Authority
-       member={Changed,CheckAuthorization,CancelCheckAuthorization},
-
  dbus (send,receive) bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member={SessionRemoved,UserNew,SessionNew,Inhibit,PrepareForShutdown,UserRemoved,PrepareForSleep}
@ -54,7 +50,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {

  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
-       member={RequestName,GetConnectionUnixUser,GetConnectionUnixProcessID},
+       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
+       peer=(name=org.freedesktop.DBus, label=dbus-daemon),

  dbus send bus=system path=/org/freedesktop
       interface=org.freedesktop.DBus.ObjectManager