From 705eb11510c0d692173368609b1a10f419337800 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 6 Jul 2025 22:04:18 +0200
Subject: [PATCH] feat(profile): improve some dbus rules.
---
 apparmor.d/groups/bluetooth/bluetoothd | 2 +-
 apparmor.d/groups/gvfs/gvfsd-dnssd | 5 +++++
 apparmor.d/groups/gvfs/gvfsd-http | 4 ++++
 apparmor.d/groups/gvfs/gvfsd-trash | 6 +-----
 apparmor.d/groups/network/mullvad-gui | 3 +++
 apparmor.d/groups/ssh/sshd | 5 +++++
 apparmor.d/groups/virt/cockpit-wsinstance-factory | 3 +++
 apparmor.d/profiles-s-z/virt-manager | 6 ++++++
 8 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd
index aa84eebd9..e5443f505 100644
--- a/apparmor.d/groups/bluetooth/bluetoothd
+++ b/apparmor.d/groups/bluetooth/bluetoothd
@@ -32,7 +32,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
 dbus send bus=system path=/
 interface=org.freedesktop.DBus.ObjectManager
- member=InterfacesRemoved
+ member={InterfacesRemoved,InterfacesAdded}
 peer=(name=org.freedesktop.DBus),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd
index 9af8be00a..6c61dbba4 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dnssd
+++ b/apparmor.d/groups/gvfs/gvfsd-dnssd
@@ -33,6 +33,11 @@ profile gvfsd-dnssd @{exec_path} {
 member={MountLocation,LookupMount,RegisterMount}
 peer=(name="@{busname}", label=gvfsd),
+ dbus receive bus=session path=/
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=@{busname}, label=gnome-shell),
+
 @{exec_path} mr,
 owner @{run}/user/@{uid}/gvfsd/ rw,
diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http
index 2fe0a1e2b..92d6fbf64 100644
--- a/apparmor.d/groups/gvfs/gvfsd-http
+++ b/apparmor.d/groups/gvfs/gvfsd-http
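Review bot: The Introspect rule added to gvfsd-dnssd writes its peer as `peer=(name=@{busname}, label=gnome-shell)`, while the rule directly above it in the same hunk quotes the variable, `peer=(name="@{busname}", label=gvfsd)`, and the equivalent rule added to gvfsd-http in the next hunk uses `peer=(name=:*, label=gnome-shell)` with no `path=` at all. Three spellings for what looks like the same peer make the two profiles harder to audit side by side; I would settle on one form in both, e.g. `path=/` plus `peer=(name="@{busname}", label=gnome-shell),`. The gvfsd-http variant without `path=` also accepts Introspect on every object path the daemon exports, which is presumably wider than needed given gvfsd-dnssd restricts it to `/`. Both profile bodies start and end outside their hunks.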
@@ -24,6 +24,10 @@ profile gvfsd-http @{exec_path} {
 network netlink raw,
 #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=gnome-shell),
 dbus receive bus=session path=/org/gtk/vfs/mountable
 interface=org.gtk.vfs.Mountable
diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash
index 9acfd6c86..e13f870c7 100644
--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@@ -11,6 +11,7 @@ include
 profile gvfsd-trash @{exec_path} {
 include
 include
+ include
 include
 include
 include
@@ -21,11 +22,6 @@ profile gvfsd-trash @{exec_path} {
 #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int}
- dbus receive bus=session path=/org/gtk/vfs/Daemon
- interface=org.gtk.vfs.Daemon
- member=GetConnection
- peer=(name="@{busname}", label="{gnome-shell,nautilus}"),
-
 dbus receive bus=session path=/org/gtk/vfs/mountable
 interface=org.gtk.vfs.Mountable
 member=Mount
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui
index 6075f14b2..c36d34e3f 100644
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@@ -14,6 +14,9 @@ include
 @{exec_path} = @{lib_dirs}/mullvad-gui
 profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
 include
+ include
+ include
+ include
 include
 network inet stream,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 75438c957..2494dc2c2 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
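Review bot: The second gvfsd-trash hunk drops the `dbus receive` rule for `GetConnection` on `/org/gtk/vfs/Daemon` that admitted peers labelled `{gnome-shell,nautilus}`, and the only thing the first hunk adds in exchange is a new `include` whose target is not visible in this rendering (the angle-bracket path was stripped), so I am assuming the rule moved into that abstraction. Please confirm the included abstraction covers that member for both peer labels; if it only lists gnome-shell, the same call from nautilus would be silently denied once this lands. A short comment beside the new include, such as `# covers GetConnection from gnome-shell and nautilus`, would make the substitution auditable from the profile alone. The gvfsd-trash profile body starts and ends outside both hunks.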
@@ -61,6 +61,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
 peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
+ dbus send bus=system path=/org/freedesktop/home1
+ interface=org.freedesktop.home1.Manager
+ member=GetUserRecordByName
+ peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"),
+
 @{exec_path} mrix,
 @{bin}/@{shells} Ux, #aa:exclude RBAC
diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory
index b14a1e36f..99db4d614 100644
--- a/apparmor.d/groups/virt/cockpit-wsinstance-factory
+++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory
@@ -9,6 +9,9 @@ include
 @{exec_path} = @{lib}/cockpit/cockpit-wsinstance-factory
 profile cockpit-wsinstance-factory @{exec_path} {
 include
+ include
+
+ unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system,
 capability net_admin,
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index 7c0443dae..fa17f5b1b 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@@ -12,6 +12,10 @@ include
 profile virt-manager @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
+ include
+ include
+ include
 include
 include
 include
@@ -28,6 +32,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 network inet6 stream,
 network netlink raw,
+ #aa:dbus own bus=session name=org.virt-manager.virt-manager
+
 @{exec_path} rix,
 @{sh_path} rix,
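Review bot: The new home1 `dbus send` rule in sshd carries no comment saying why an SSH daemon needs `GetUserRecordByName`; the login1 rule above it at least reads as a session-manager call, but this one is opaque to the next maintainer. I would add `# systemd-homed user lookup, presumably issued by a PAM module loaded in the sshd process` above `dbus send bus=system path=/org/freedesktop/home1`, since nothing in the profile shows which component makes the call. The scoping itself is tight (fixed path, interface, member and a labelled peer), and as far as I recall AppArmor does not mediate the method reply separately from the allowed send, so nothing further is needed for the call to complete. The sshd profile body starts and ends outside the hunk.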