diff --git a/apparmor.d/groups/apps/thunderbird b/apparmor.d/groups/apps/thunderbird index 55756ea30..f138db31d 100644 --- a/apparmor.d/groups/apps/thunderbird +++ b/apparmor.d/groups/apps/thunderbird @@ -8,6 +8,9 @@ abi , include +@{FIREFOX_BIN} = /{usr/,}lib/firefox{,-esr}/firefox +@{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox + @{MOZ_LIBDIR} = /{usr/,}lib/thunderbird @{MOZ_HOMEDIR} = @{HOME}/.thunderbird @{MOZ_CACHEDIR} = @{user_cache_dirs}/thunderbird @@ -17,12 +20,13 @@ include profile thunderbird @{exec_path} { include include - include + include + include include + include + include include include - include - include include include include @@ -30,10 +34,9 @@ profile thunderbird @{exec_path} { include include include - include include - include include + include include include include @@ -54,28 +57,30 @@ profile thunderbird @{exec_path} { owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/uid_map w, - dbus (send) bus=session path=/org/freedesktop/DBus + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=RequestName peer=(name=org.freedesktop.DBus), - dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]* + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]* member={Get,MakeThreadHighPriority,MakeThreadRealtime} peer=(name=org.freedesktop.RealtimeKit[0-9]*), - dbus (send) bus=system path=/org/freedesktop/UPower + dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices peer=(name=org.freedesktop.UPower), - dbus (send) bus=session path=/ca/desrt/dconf/Writer/user + dbus send bus=session path=/ca/desrt/dconf/Writer/user interface=ca.desrt.dconf.Writer member={Change,Notify} peer=(name=ca.desrt.dconf), - dbus (bind) bus=session + dbus bind bus=session name=org.mozilla.thunderbird.*, + deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*, + owner /tmp/dbus-[0-9a-zA-Z]* rw, @{exec_path} mrix, 
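Review bot: The new `@{FIREFOX_BIN}` value `/opt/firefox{,-esr}/firefox` becomes an `rPx` target later in this file, and a `Px` transition to a path that no loaded profile attaches to is denied outright rather than falling back, so on a host running a tarball Firefox from /opt every link click would fail unless the firefox profile's `@{exec_path}` (not part of this diff) also lists `/opt/firefox{,-esr}/firefox`. If that attachment path is not covered, either add it to the firefox profile in the same change or mark the /opt entry `rPUx` so it degrades to unconfined instead of a hard denial. A comment such as `# must match @{exec_path} in groups/browsers/firefox` above the variable would make the coupling visible to whoever edits either file next.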
@@ -121,6 +126,7 @@ profile thunderbird @{exec_path} { owner @{HOME}/ r, owner @{HOME}/Mail/ rw, owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**, + owner @{user_share_dirs}/ r, # Fix error in libglib while saving files as /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -143,7 +149,6 @@ profile thunderbird @{exec_path} { /usr/share/qt5ct/** r, # gnome-tiny - /etc/gnome/defaults.list r, /usr/share/gvfs/remote-volume-monitors/{,*} r, @{run}/mount/utab r, @@ -195,13 +200,12 @@ profile thunderbird @{exec_path} { /etc/timezone r, /usr/share/sounds/freedesktop/stereo/*.oga r, - /usr/share/ubuntu/applications/{,*} r, # Silencer deny /{usr/,}lib/thunderbird/** w, /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/xdg-{open,mime} rCx -> open, /{usr/,}bin/exo-open rCx -> open, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, @@ -213,11 +217,11 @@ profile thunderbird @{exec_path} { /{usr/,}bin/gpgsm rCx -> gpg, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPx, /{usr/,}bin/qpdfview rPx, /{usr/,}bin/viewnior rPUx, /{usr/,}bin/engrampa rPx, /{usr/,}bin/geany rPx, + @{FIREFOX_BIN} rPx, # file_inherit owner /dev/tty[0-9]* rw, @@ -284,21 +288,22 @@ profile thunderbird @{exec_path} { /{usr/,}bin/exo-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,m,g}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,m,g}awk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/xfce4-mime-helper rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPx, /{usr/,}bin/qpdfview rPx, /{usr/,}bin/viewnior rPUx, /{usr/,}bin/engrampa rPx, /{usr/,}bin/geany rPx, + @{FIREFOX_BIN} rPx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index eb065a9bd..4696a095b 100644 
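Review bot: `/{usr/,}bin/xfce4-mime-helper rix` in the `open` child profile needs a why-comment, because that helper exists to exec whatever handler the user's MIME configuration points at, and with `ix` the handler runs inside `open`, where anything not in the `# Allowed apps to open` list is refused. That is the right failure mode for content arriving from mail, but a future contributor chasing a denial may be tempted to switch it to `Px` or `Ux`; a line like `# execs the configured MIME handler; kept in this profile so only the apps listed below are reachable` would head that off. The `profile open {` header is above this hunk, so the child's full rule set is not visible here.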
--- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc @@ -52,24 +52,27 @@ include @{exec_path} = /{usr/,}bin/{c,}vlc profile vlc @{exec_path} { include - include - include + include include include include include + include include - include + include include + include include include - include - include - include include include include + include + include + include + include include + include signal (receive) set=(term, kill) peer=anyremote//*, 
@@ -79,6 +82,115 @@ profile vlc @{exec_path} { network inet6 stream, network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus), + + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.a11y.Bus), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.kde.StatusNotifierWatcher), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member={Get,RegisterStatusNotifierItem} + peer=(name=org.kde.StatusNotifierWatcher), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.kde.StatusNotifierWatcher + member=RegisterStatusNotifierItem + peer=(name=org.kde.StatusNotifierWatcher), + + dbus send bus=session path=/StatusNotifierItem + interface=org.kde.StatusNotifierItem + member={NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon} + peer=(name=org.freedesktop.DBus), + + dbus receive bus=session path=/StatusNotifierItem + interface=org.kde.StatusNotifierItem + member=Activate + peer=(name=:*), + + dbus receive bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=:*), + + dbus send bus=session path=/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={Inhibit,UnInhibit} + peer=(name=org.freedesktop.ScreenSaver), + + dbus receive bus=session path=/MenuBar + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*), + + dbus send bus=session path=/MenuBar + interface=com.canonical.dbusmenu + member={LayoutUpdated,ItemsPropertiesUpdated} + peer=(name=org.freedesktop.DBus), + + dbus receive bus=session path=/MenuBar + interface=com.canonical.dbusmenu + member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event} 
+ peer=(name=:*), + + dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + peer=(name="{org.freedesktop.DBus,:*}"), # all members + + dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2 + interface=org.mpris.MediaPlayer2.* + peer=(name="{org.mpris.MediaPlayer2.vlc,org.freedesktop.DBus,:*}"), # all members + +# dbus send bus=system path=/ +# interface=org.freedesktop.DBus.Peer +# member=Ping, +# peer=(name="org.freedesktop.Avahi"), + + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch} + peer=(name=org.freedesktop.DBus), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), + + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), + + dbus bind bus=session + name=org.kde.StatusNotifierItem-*, + + dbus bind bus=session + name=org.mpris.MediaPlayer2.vlc{,.instance*}, + @{exec_path} mrix, # Which media files VLC should be able to open @@ -94,9 +206,6 @@ profile vlc @{exec_path} { owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**.@{vlc_ext} r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - # VLC files /usr/share/vlc/{,**} r, 
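Review bot: The two MPRIS rules near the end of the added block grant `receive` on `org.mpris.MediaPlayer2.*` and on `org.freedesktop.DBus.Properties` for all members from any connection (`:*`) with no `label=`, so every process on the session bus may call `Player.OpenUri` or `Properties.Set` against the confined VLC. That is how MPRIS is meant to work, but it is a deliberate remote-control surface and the rules should say so, e.g. `# MPRIS: any session peer may drive playback, including OpenUri`, or be tightened with `label=` if only known controllers (the desktop shell, a media-key daemon) are expected. Two smaller nits in the same block: `NewStatus` is listed twice in the `org.kde.StatusNotifierItem` member set, and the commented-out Avahi rule carries a trailing comma after `member=Ping,` that would make it invalid if it is ever uncommented.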
@@ -104,7 +213,7 @@ profile vlc @{exec_path} { owner @{HOME}/ r, owner @{user_config_dirs}/vlc/ rw, owner @{user_config_dirs}/vlc/* rwkl -> @{user_config_dirs}/vlc/#[0-9]*[0-9], - owner @{user_share_dirs}/vlc/{,*} rw, + owner @{user_share_dirs}/vlc/{,**} rw, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/vlc/{,**} rw, @@ -114,12 +223,15 @@ profile vlc @{exec_path} { owner @{user_config_dirs}/qt5ct/{,**} r, /usr/share/qt5ct/** r, + /dev/snd/ r, /dev/shm/#[0-9]*[0-9] rw, deny owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - @{PROC}/@{pid}/net/if_inet6 r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/@{pids}/net/if_inet6 r, deny @{PROC}/sys/kernel/random/boot_id r, # Udev enumeration @@ -136,6 +248,7 @@ profile vlc @{exec_path} { /etc/fstab r, /usr/share/hwdata/pnp.ids r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, # Be able to turn off the screensaver while playing movies /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, @@ -147,7 +260,6 @@ profile vlc @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.anyRemote/anyremote.stdout w, - profile xdg-screensaver { include include @@ -169,6 +281,8 @@ profile vlc @{exec_path} { /dev/dri/card[0-9]* rw, network inet stream, network inet6 stream, + + include if exists } include if exists diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 9faf2ba4e..0af31a95f 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -8,6 +8,7 @@ include @{exec_path} = /usr/share/command-not-found/command-not-found @{exec_path} += /{usr/,}bin/command-not-found +@{exec_path} += /{usr/,}lib/command-not-found profile command-not-found @{exec_path} { include include @@ -23,5 +24,8 @@ profile command-not-found @{exec_path} { /usr/share/command-not-found/{,**} r, + # Silencer + deny /usr/lib/ r, + include if exists } 
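Review bot: The change from `@{PROC}/@{pid}/net/if_inet6` to `@{PROC}/@{pids}/net/if_inet6 r` lets VLC read the IPv6 interface table through any process's /proc entry, and nothing in the hunk says why the process's own entry stopped being sufficient. The file only exposes the reader's own network namespace, so the information gain is small, but the widening deserves a comment (for instance if the read now happens from a child process), and if a narrower form such as `owner @{PROC}/@{pid}/task/@{tid}/net/if_inet6 r` satisfies the observed denial it should be preferred. `owner` cannot be leaned on for the `@{pids}` form since /proc/*/net entries appear to be root-owned, which is one more reason to keep the pid match tight.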
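Review bot: `deny /usr/lib/ r,` in the new `# Silencer` block hard-codes `/usr/lib/` while the rest of the file, including the `@{exec_path} += /{usr/,}lib/command-not-found` line added just above, uses the `/{usr/,}lib/` form; on a non-merged-/usr layout the directory read that produces the noise would be `/lib/` and the silencer would not match. `deny /{usr/,}lib/ r,` keeps the two consistent. A short note on what lists the directory (the Python import path scan, presumably) would help the next reader decide whether the deny is still warranted.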
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 167265c0d..06f5f87d6 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -18,8 +18,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { include include include - include include + include include include include @@ -41,6 +41,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { ptrace peer=@{profile_name}, + unix (send, receive) type=stream addr=none peer=(label=xorg), + signal (send) set=(term, kill) peer=keepassxc-proxy, signal (send) set=(term, kill) peer=firefox-*, 
@@ -50,42 +52,42 @@ profile firefox @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - dbus (send) bus=session path=/org/freedesktop/DBus + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus), - dbus (send) bus=session path=/ScreenSaver + dbus send bus=session path=/ScreenSaver interface=org.freedesktop.ScreenSaver member={Inhibit,UnInhibit} peer=(name=org.freedesktop.ScreenSaver), - dbus (send) bus=session path=/org/freedesktop/portal/desktop + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member=Read peer=(name=:*), - dbus (receive) bus=session path=/org/freedesktop/portal/desktop + dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member=SettingChanged peer=(name=:*), - dbus (send) bus=session path=/org/freedesktop/portal/desktop + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties member={GetAll,Read} peer=(name=:*), - dbus (send) bus=system path=/org/freedesktop/UPower + dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices peer=(name=org.freedesktop.UPower), - dbus (send) bus=session path=/org/freedesktop/PowerManagement/Inhibit + dbus send bus=session path=/org/freedesktop/PowerManagement/Inhibit interface=org.freedesktop.PowerManagement.Inhibit member=Inhibit peer=(name=org.freedesktop.PowerManagement), - dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]* + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]* member={Get,MakeThreadHighPriority,MakeThreadRealtime,MakeThreadRealtimeWithPID} peer=(name=org.freedesktop.RealtimeKit[0-9]*), 
@@ -94,32 +96,39 @@ profile firefox @{exec_path} flags=(attach_disconnected) { member={GetAll,PropertiesChanged} peer=(name="{org.freedesktop.DBus,:*}"), - dbus (receive) bus=session path=/org/mpris/MediaPlayer2 + dbus receive bus=session path=/org/mpris/MediaPlayer2 interface=org.mpris.MediaPlayer2.Playlists member=GetPlaylists peer=(name=:*), - dbus (receive) bus=system path=/org/freedesktop/login[0-9]* + dbus receive bus=system path=/org/freedesktop/login[0-9]* interface=org.freedesktop.login[0-9]*.Manager member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareForShutdown} peer=(name=:*), - dbus (send) bus=session path=/org/gtk/vfs/metadata + dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member=GetTreeFromDevice peer=(name=:*), - dbus (send) bus=session path=/org/gtk/Private/RemoteVolumeMonitor - interface=org.gtk.Private.RemoteVolumeMonitor - member={IsSupported,VolumeAdded,VolumeRemoved,VolumeChanged} - peer=(name=:*), + dbus send bus=session path=/org/mozilla/firefox/Remote + interface=org.mozilla.firefox + member=OpenURL + peer=(name=org.mozilla.firefox.* label=firefox), - dbus (bind) bus=session + dbus receive bus=session path=/org/mozilla/firefox/Remote + interface=org.mozilla.firefox + member=OpenURL + peer=(name=:* label=firefox), + + dbus bind bus=session name=org.mpris.MediaPlayer2.firefox.*, - dbus (bind) bus=session + dbus bind bus=session name=org.mozilla.firefox.*, + deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*, + @{exec_path} mrix, /{usr/,}bin/{,ba,da}sh rix, @@ -178,11 +187,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /etc/opensc.conf r, /etc/xul-ext/kwallet5.js r, - # Ubuntu - /etc/gnome/*.list r, - /etc/xfce4/*.list r, - /usr/share/xfce4/applications/{,*.list} r, - /usr/share/*ubuntu/applications/{,*.list} r, + # gnome-tiny + @{run}/mount/utab r, owner @{HOME}/ r, 
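Review bot: `deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*,` is written with no `interface=` or `member=`, and because an AppArmor `deny` always beats an allow in the same profile, any later rule that legitimately needs hostname1 (for example a property read via `org.freedesktop.DBus.Properties`) would be silently swallowed by this silencer. Scoping it to the call that actually shows up in the log, or at least adding `# silencer: probed at startup, nothing in the profile needs hostname1`, keeps the intent recoverable. The identical unscoped deny is added to the thunderbird profile in this commit and would benefit from the same treatment. The `label=firefox` constraint on the new `OpenURL` send/receive pair is a good choice, since it limits who can hand this instance a URL to another firefox-labelled process.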
@@ -196,7 +202,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r, owner @{user_config_dirs}/ r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r, + owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix{,-wayland}-[0-9]*} r, owner @{user_config_dirs}/mimeapps.list{,.*} rw, owner @{user_cache_dirs}/ rw, @@ -233,6 +239,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r, @{sys}/devices/pci[0-9]*/**/irq r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, + @{sys}/devices/system/cpu/possible r, deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r, deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, deny @{sys}/devices/system/cpu/present r, diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 500b0cf12..7f35caeb5 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa 
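Review bot: Allowing `@{sys}/devices/system/cpu/possible r` a line above `deny @{sys}/devices/system/cpu/present r` leaves an inconsistent fingerprinting posture, because both files disclose the machine's CPU count range and `possible` is a superset of `present`. If `possible` is required for Firefox to start (the hunk does not say), the `present` deny no longer hides anything meaningful and should either be dropped or gain a comment stating what it still protects; if the goal is to keep topology hidden, `deny @{sys}/devices/system/cpu/possible r,` is the consistent choice. Either way, a one-line comment recording which it is would stop the next contributor from flipping it back.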
@@ -23,43 +23,56 @@ profile engrampa @{exec_path} { include include - unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetId + peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus (send) bus=session path=/ca/desrt/dconf/Writer/user + dbus send bus=session path=/ca/desrt/dconf/Writer/user interface=ca.desrt.dconf.Writer member={Change,Notify} peer=(name=ca.desrt.dconf), - dbus (send) bus=session path=/org/gtk/Private/RemoteVolumeMonitor + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={IsSupported,List} peer=(name=:*), - dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket member=Embed peer=(name=org.a11y.atspi.Registry), - dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.freedesktop.DBus.Properties member=Set peer=(name=:*), - dbus (send) bus=session path=/org/gtk/vfs/mounttracker + dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member={ListMounts2,LookupMount} peer=(name=:*), - dbus (receive) bus=session path=/org/gtk/vfs/mounttracker + dbus receive bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=Mounted peer=(name=:*), - dbus (send) bus=session path=/org/gtk/vfs/Daemon + dbus send bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member=GetConnection peer=(name=:*), + dbus receive bus=session path=/org/gtk/Application/anonymous + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*), + + dbus receive bus=session path=/org/gtk/Application/anonymous{,/window/[0-9]*} + interface=org.gtk.Actions + member=DescribeAll + peer=(name=:*), + @{exec_path} mr, 
/{usr/,}bin/{,ba,da}sh rix, @@ -118,12 +131,6 @@ profile engrampa @{exec_path} { # gnome-tiny @{run}/mount/utab r, - # Ubuntu - /etc/gnome/*.list r, - /etc/xfce4/*.list r, - /usr/share/xfce4/applications/{,*.list} r, - /usr/share/xubuntu/applications/{,*.list} r, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, @@ -132,10 +139,10 @@ profile engrampa @{exec_path} { /etc/fstab r, # Allowed apps to open - /{usr/,}bin/engrampa rPx, - /{usr/,}bin/geany rPx, + /{usr/,}bin/engrampa rPx, + /{usr/,}bin/geany rPx, /{usr/,}bin/viewnior rPUx, - /{usr/,}bin/spacefm rPx, + /{usr/,}bin/spacefm rPx, /{usr/,}bin/ristretto rPUx, # file_inherit @@ -160,7 +167,7 @@ profile engrampa @{exec_path} { # Allowed apps to open /{usr/,}bin/engrampa rPx, /{usr/,}bin/geany rPx, - /{usr/,}bin/viewnior rPUx, + /{usr/,}bin/viewnior rPUx, /{usr/,}bin/spacefm rPx, # file_inherit diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 8c51e9c96..2a37067c9 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -6,11 +6,15 @@ abi , include +@{FIREFOX_BIN} = /{usr/,}lib/firefox{,-esr}/firefox +@{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox + @{exec_path} = /{usr/,}bin/qbittorrent profile qbittorrent @{exec_path} { include include - include + include + include include include include @@ -20,21 +24,20 @@ profile qbittorrent @{exec_path} { include include include - include include + include include include include include include - include include + include include - include include include - signal (send) set=(term, kill) peer=qbittorrent//python3, + signal send set=(term, kill) peer=qbittorrent//python3, network inet dgram, network inet6 dgram, 
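Review bot: The new `GetId` rule spells its peer as `peer=(name=org.freedesktop.DBus, label=dbus-daemon)` with a comma between the two conditions, whereas every other multi-condition peer in this commit (the firefox `OpenURL` rules, `peer=(name=org.mozilla.firefox.* label=firefox)`) is space-separated. Unless the parser is known to accept the comma form, this should read `peer=(name=org.freedesktop.DBus label=dbus-daemon)`, and the profile should be pushed through `apparmor_parser -p` to confirm it still loads. Separately, the removed `unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*)` rule has no visible replacement in this hunk; if it moved into one of the changed includes that is fine, otherwise engrampa loses its X11 socket access. The `profile engrampa` header and most of its include list sit above this hunk, so that cannot be confirmed from what is shown.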
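Review bot: `@{FIREFOX_BIN}` is defined here word-for-word as in the thunderbird profile of this same commit, so the two copies will drift the first time another Firefox install path is added. Move the definition into a shared tunable that both profiles (and ideally the firefox profile's own `@{exec_path}`) consume, so the `rPx` targets and the attachment path stay in step. Until then, a comment `# keep in sync with groups/apps/thunderbird` on both definitions is the minimum.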
@@ -43,67 +46,67 @@ profile qbittorrent @{exec_path} { network netlink dgram, network netlink raw, - dbus (send) bus=session path=/StatusNotifierWatcher + dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=org.kde.StatusNotifierWatcher), - dbus (send) bus=session path=/StatusNotifierWatcher + dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.kde.StatusNotifierWatcher), - dbus (send) bus=session path=/StatusNotifierWatcher + dbus send bus=session path=/StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher member=RegisterStatusNotifierItem peer=(name=org.kde.StatusNotifierWatcher), - dbus (send) bus=session path=/StatusNotifierItem + dbus send bus=session path=/StatusNotifierItem interface=org.kde.StatusNotifierItem member={NewToolTip,NewIcon} peer=(name=org.freedesktop.DBus), - dbus (receive) bus=session path=/StatusNotifierItem + dbus receive bus=session path=/StatusNotifierItem interface=org.kde.StatusNotifierItem member=Activate peer=(name=:*), - dbus (receive) bus=session path=/StatusNotifierItem + dbus receive bus=session path=/StatusNotifierItem interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*), - dbus (receive) bus=session path=/MenuBar + dbus receive bus=session path=/MenuBar interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*), - dbus (send) bus=session path=/MenuBar + dbus send bus=session path=/MenuBar interface=com.canonical.dbusmenu member=ItemsPropertiesUpdated peer=(name=org.freedesktop.DBus), - dbus (receive) bus=session path=/MenuBar + dbus receive bus=session path=/MenuBar interface=com.canonical.dbusmenu member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event} peer=(name=:*), - dbus (send) bus=session path=/org/freedesktop/DBus + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus 
member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus), - dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket member=Embed peer=(name=org.a11y.atspi.Registry), - dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.freedesktop.DBus.Properties member=Set peer=(name=:*), - dbus (bind) bus=session + dbus bind bus=session name=org.kde.StatusNotifierItem-*, owner /tmp/dbus-[0-9a-zA-Z]* rw, @@ -167,9 +170,6 @@ profile qbittorrent @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - # X-tiny - owner @{run}/user/@{uid}/ICEauthority r, - # gnome-tiny /usr/share/gvfs/remote-volume-monitors/{,*} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -186,18 +186,28 @@ profile qbittorrent @{exec_path} { /{usr/,}bin/viewnior rPUx, /{usr/,}bin/qpdfview rPx, /{usr/,}bin/ebook-viewer rPx, - /{usr/,}lib/firefox/firefox rPx, /{usr/,}bin/nautilus rPx, + @{FIREFOX_BIN} rPx, profile open { include include include - dbus (send) bus=session path=/org/gnome/{Nautilus,Totem,gedit} - interface=org.freedesktop.Application - member=Open - peer=(name="org.gnome.{Nautilus,Totem,gedit}"), + dbus send bus=session path=/org/gnome/{Nautilus,Totem,gedit} + interface=org.freedesktop.Application + member=Open + peer=(name="org.gnome.{Nautilus,Totem,gedit}"), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), + + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*), /{usr/,}bin/xdg-open mr, 
@@ -210,8 +220,8 @@ profile qbittorrent @{exec_path} { /{usr/,}bin/viewnior rPUx, /{usr/,}bin/qpdfview rPx, /{usr/,}bin/ebook-viewer rPx, - /{usr/,}lib/firefox/firefox rPx, /{usr/,}bin/engrampa rPx, + @{FIREFOX_BIN} rPx, /{usr/,}bin/{ba,da,}sh rix, /{usr/,}bin/{g,m,}awk rix, @@ -240,7 +250,7 @@ profile qbittorrent @{exec_path} { include include - signal (receive) set=(term, kill) peer=qbittorrent, + signal receive set=(term, kill) peer=qbittorrent, network inet dgram, network inet6 dgram,