felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): improve some dbus rules.

Browse source
This commit is contained in:
Alexandre Pujol 2025-07-06 22:04:18 +02:00
parent 4f2abda92f
commit 705eb11510
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
8 changed files with 28 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/bluetooth/bluetoothd
View file

@ -32,7 +32,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
dbus send bus=system path=/ dbus send bus=system path=/
interface=org.freedesktop.DBus.ObjectManager interface=org.freedesktop.DBus.ObjectManager
member=InterfacesRemoved member={InterfacesRemoved,InterfacesAdded}
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
@{exec_path} mr, @{exec_path} mr,

5
apparmor.d/groups/gvfs/gvfsd-dnssd
View file

@ -33,6 +33,11 @@ profile gvfsd-dnssd @{exec_path} {
member={MountLocation,LookupMount,RegisterMount} member={MountLocation,LookupMount,RegisterMount}
peer=(name="@{busname}", label=gvfsd), peer=(name="@{busname}", label=gvfsd),
dbus receive bus=session path=/
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=@{busname}, label=gnome-shell),
@{exec_path} mr, @{exec_path} mr,
owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/ rw,

4
apparmor.d/groups/gvfs/gvfsd-http
View file

@ -24,6 +24,10 @@ profile gvfsd-http @{exec_path} {
network netlink raw, network netlink raw,
#aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*, label=gnome-shell),
dbus receive bus=session path=/org/gtk/vfs/mountable dbus receive bus=session path=/org/gtk/vfs/mountable
interface=org.gtk.vfs.Mountable interface=org.gtk.vfs.Mountable

6
apparmor.d/groups/gvfs/gvfsd-trash
View file

@ -11,6 +11,7 @@ include <tunables/global>
profile gvfsd-trash @{exec_path} { profile gvfsd-trash @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus/org.gtk.vfs.Daemon>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/trash-strict> include <abstractions/trash-strict>
@ -21,11 +22,6 @@ profile gvfsd-trash @{exec_path} {
#aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int}
dbus receive bus=session path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon
member=GetConnection
peer=(name="@{busname}", label="{gnome-shell,nautilus}"),
dbus receive bus=session path=/org/gtk/vfs/mountable dbus receive bus=session path=/org/gtk/vfs/mountable
interface=org.gtk.vfs.Mountable interface=org.gtk.vfs.Mountable
member=Mount member=Mount

3
apparmor.d/groups/network/mullvad-gui
View file

@ -14,6 +14,9 @@ include <tunables/global>
@{exec_path} = @{lib_dirs}/mullvad-gui @{exec_path} = @{lib_dirs}/mullvad-gui
profile mullvad-gui @{exec_path} flags=(attach_disconnected) { profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus/org.a11y>
include <abstractions/common/electron> include <abstractions/common/electron>
network inet stream, network inet stream,

5
apparmor.d/groups/ssh/sshd
View file

@ -61,6 +61,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
dbus send bus=system path=/org/freedesktop/home1
interface=org.freedesktop.home1.Manager
member=GetUserRecordByName
peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"),
@{exec_path} mrix, @{exec_path} mrix,
@{bin}/@{shells} Ux, #aa:exclude RBAC @{bin}/@{shells} Ux, #aa:exclude RBAC

3
apparmor.d/groups/virt/cockpit-wsinstance-factory
View file

@ -9,6 +9,9 @@ include <tunables/global>
@{exec_path} = @{lib}/cockpit/cockpit-wsinstance-factory @{exec_path} = @{lib}/cockpit/cockpit-wsinstance-factory
profile cockpit-wsinstance-factory @{exec_path} { profile cockpit-wsinstance-factory @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system>
unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system,
capability net_admin, capability net_admin,

6
apparmor.d/profiles-s-z/virt-manager
View file

@ -12,6 +12,10 @@ include <tunables/global>
profile virt-manager @{exec_path} flags=(attach_disconnected) { profile virt-manager @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.a11y>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/desktop> include <abstractions/desktop>
include <abstractions/devices-usb> include <abstractions/devices-usb>
@ -28,6 +32,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
#aa:dbus own bus=session name=org.virt-manager.virt-manager
@{exec_path} rix, @{exec_path} rix,
@{sh_path} rix, @{sh_path} rix,