felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): add some missing dbus own definition.

Browse source
This commit is contained in:
Alexandre Pujol 2024-03-15 15:03:42 +00:00
parent a6d263d304
commit bdeb62d17d
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
23 changed files with 49 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/groups/freedesktop/colord-session
View file

@ -10,6 +10,9 @@ include <tunables/global>
@{exec_path} = @{lib}/{,colord/}colord-session @{exec_path} = @{lib}/{,colord/}colord-session
profile colord-session @{exec_path} { profile colord-session @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session>
# dbus: own bus=session name=org.freedesktop.ColorHelper
@{exec_path} mr, @{exec_path} mr,

2
apparmor.d/groups/freedesktop/iio-sensor-proxy
View file

@ -14,6 +14,8 @@ profile iio-sensor-proxy @{exec_path} {
network netlink raw, network netlink raw,
# dbus: own bus=system name=net.hadess.SensorProxy
@{exec_path} mr, @{exec_path} mr,
@{run}/udev/data/+platform:* r, @{run}/udev/data/+platform:* r,

2
apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
View file

@ -28,7 +28,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
signal (receive) set=term peer=gdm, signal (receive) set=term peer=gdm,
dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gnome, # dbus: own bus=session name=org.freedesktop.impl.portal.desktop.gnome
dbus send bus=session path=/org/gnome/Shell/Screenshot dbus send bus=session path=/org/gnome/Shell/Screenshot
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties

3
apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
View file

@ -31,7 +31,8 @@ profile xdg-desktop-portal-gtk @{exec_path} {
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gtk, # dbus: own bus=session name=org.freedesktop.impl.portal.desktop.gtk
dbus receive bus=session path=/org/freedesktop/portal/desktop dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.impl.portal.Settings interface=org.freedesktop.impl.portal.Settings
peer=(name=:*), peer=(name=:*),

2
apparmor.d/groups/gnome/evolution-addressbook-factory
View file

@ -25,7 +25,7 @@ profile evolution-addressbook-factory @{exec_path} {
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
dbus bind bus=session name=org.gnome.evolution.dataserver.AddressBook@{int}, # dbus: own bus=session name=org.gnome.evolution.dataserver.AddressBook10
dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/**
interface=org.gnome.evolution.dataserver.* interface=org.gnome.evolution.dataserver.*

2
apparmor.d/groups/gnome/evolution-calendar-factory
View file

@ -24,7 +24,7 @@ profile evolution-calendar-factory @{exec_path} {
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
dbus bind bus=session name=org.gnome.evolution.dataserver.Calendar@{int}, # dbus: own bus=session name=org.gnome.evolution.dataserver.Calendar8
dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/**
interface=org.gnome.evolution.dataserver.* interface=org.gnome.evolution.dataserver.*

1
apparmor.d/groups/gnome/evolution-source-registry
View file

@ -22,6 +22,7 @@ profile evolution-source-registry @{exec_path} {
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
# dbus: own bus=session name=org.gnome.evolution.dataserver.Sources5
dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**}
interface={org.freedesktop.DBus.ObjectManager,org.freedesktop.DBus.Properties} interface={org.freedesktop.DBus.ObjectManager,org.freedesktop.DBus.Properties}

7
apparmor.d/groups/gnome/gnome-remote-desktop-daemon
View file

@ -11,16 +11,15 @@ profile gnome-remote-desktop-daemon @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome-strict>
include <abstractions/graphics> include <abstractions/graphics>
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
# dbus: own bus=session name=org.gnome.RemoteDesktop.User
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{run}/user/@{uid}/wayland-@{int} rw,
include if exists <local/gnome-remote-desktop-daemon> include if exists <local/gnome-remote-desktop-daemon>
} }

3
apparmor.d/groups/gnome/gsd-usb-protection
View file

@ -9,8 +9,11 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-usb-protection @{exec_path} = @{lib}/gsd-usb-protection
profile gsd-usb-protection @{exec_path} { profile gsd-usb-protection @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/dconf-write> include <abstractions/dconf-write>
# dbus: own bus=session name=org.gnome.SettingsDaemon.UsbProtection
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,

6
apparmor.d/groups/gnome/tracker-miner
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{lib}/tracker-miner-fs-{,control-}3 @{exec_path} = @{lib}/tracker-miner-fs-{,control-,rss-}3
profile tracker-miner @{exec_path} flags=(attach_disconnected) { profile tracker-miner @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>
@ -28,7 +28,9 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
signal (receive) set=(term, kill) peer=gdm, signal (receive) set=(term, kill) peer=gdm,
signal (receive) set=(hup) peer=gdm-session-worker, signal (receive) set=(hup) peer=gdm-session-worker,
# dbus: own bus=session name=org.freedesktop.Tracker3 interface=org.freedesktop.DBus.{Properties,Peer} # dbus: own bus=session name=org.freedesktop.Tracker3.Miner.Files interface=org.freedesktop.DBus.{Properties,Peer}
# dbus: own bus=session name=org.freedesktop.Tracker3.Miner.Files.Control
# dbus: own bus=session name=org.freedesktop.Tracker3.Miner.RSS
@{exec_path} mr, @{exec_path} mr,

5
apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
View file

@ -12,10 +12,7 @@ profile gvfs-goa-volume-monitor @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>
dbus bind bus=session name=org.gtk.vfs.GoaVolumeMonitor, # dbus: own bus=session name=org.gtk.vfs.GoaVolumeMonitor
dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
peer=(name="{:*,org.freedesktop.DBus}"),
dbus receive bus=session dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable

5
apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
View file

@ -16,10 +16,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} {
network netlink raw, network netlink raw,
dbus bind bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor, # dbus: own bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor
dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
peer=(name="{:*,org.freedesktop.DBus}"),
dbus receive bus=session dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable

5
apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
View file

@ -15,10 +15,7 @@ profile gvfs-mtp-volume-monitor @{exec_path} {
network netlink raw, network netlink raw,
dbus bind bus=session name=org.gtk.vfs.MTPVolumeMonitor, # dbus: own bus=session name=org.gtk.vfs.MTPVolumeMonitor
dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
peer=(name="{:*,org.freedesktop.DBus}"),
dbus receive bus=session dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable

17
apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
View file

@ -30,22 +30,9 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
ptrace (read), ptrace (read),
dbus bind bus=session name=org.gtk.vfs.UDisks2VolumeMonitor, # dbus: own bus=session name=org.gtk.vfs.UDisks2VolumeMonitor
dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
peer=(name="{:*,org.freedesktop.DBus}"),
dbus send bus=system path=/org/freedesktop/UDisks2/** # dbus: talk bus=system name=org.freedesktop.UDisks2 label=udisksd
interface=org.freedesktop.UDisks2.Filesystem
peer=(name=:*, label=udisksd),
dbus receive bus=system path=/org/freedesktop/UDisks2
interface=org.freedesktop.DBus.ObjectManager
member=InterfacesRemoved
peer=(name=:*, label=udisksd),
dbus receive bus=system path=/org/freedesktop/UDisks2/**
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=udisksd),
dbus receive bus=session dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable

7
apparmor.d/groups/gvfs/gvfsd
View file

@ -12,7 +12,7 @@ profile gvfsd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>
dbus bind bus=session name=org.gtk.vfs.Daemon, # dbus: own bus=session name=org.gtk.vfs.Daemon
dbus send bus=session path=/org/gtk/vfs/mounttracker dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker interface=org.gtk.vfs.MountTracker
@ -22,11 +22,6 @@ profile gvfsd @{exec_path} {
interface=org.gtk.vfs.MountTracker interface=org.gtk.vfs.MountTracker
peer=(name=:*), # all members peer=(name=:*), # all members
dbus receive bus=session path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon
member=ListMonitorImplementations
peer=(name=:*), # all peer's labels
dbus send bus=session path=/org/gtk/vfs/mountable dbus send bus=session path=/org/gtk/vfs/mountable
interface=org.gtk.vfs.Mountable interface=org.gtk.vfs.Mountable
member=Mount member=Mount

5
apparmor.d/groups/virt/libvirt-dbus
View file

@ -9,8 +9,13 @@ include <tunables/global>
@{exec_path} = @{bin}/libvirt-dbus @{exec_path} = @{bin}/libvirt-dbus
profile libvirt-dbus @{exec_path} { profile libvirt-dbus @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
# dbus: own bus=session name=org.libvirt
# dbus: own bus=system name=org.libvirt
@{exec_path} mr, @{exec_path} mr,
@{bin}/libvirtd rPx, @{bin}/libvirtd rPx,

2
apparmor.d/profiles-a-f/blueman-mechanism
View file

@ -21,6 +21,8 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
# dbus: own bus=system name=org.blueman.Mechanism
@{exec_path} mr, @{exec_path} mr,
@{lib}/ r, @{lib}/ r,

2
apparmor.d/profiles-a-f/firewalld
View file

@ -39,6 +39,8 @@ profile firewalld @{exec_path} {
member={changeZoneOfInterface,removeInterface} member={changeZoneOfInterface,removeInterface}
peer=(name=:*, label=libvirtd), peer=(name=:*, label=libvirtd),
# dbus: own bus=system name=org.fedoraproject.FirewallD1
@{exec_path} mr, @{exec_path} mr,
@{bin}/ r, @{bin}/ r,

3
apparmor.d/profiles-a-f/flatpak-oci-authenticator
View file

@ -9,6 +9,9 @@ include <tunables/global>
@{exec_path} = @{lib}/flatpak-oci-authenticator @{exec_path} = @{lib}/flatpak-oci-authenticator
profile flatpak-oci-authenticator @{exec_path} { profile flatpak-oci-authenticator @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session>
# dbus: own bus=session name=org.flatpak.Authenticator.Oci
@{exec_path} mr, @{exec_path} mr,

3
apparmor.d/profiles-a-f/flatpak-portal
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/flatpak-portal @{exec_path} = @{lib}/flatpak-portal
profile flatpak-portal @{exec_path} flags=(attach_disconnected) { profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability sys_ptrace, capability sys_ptrace,
@ -19,6 +20,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
signal send, signal send,
# dbus: own bus=session name=org.freedesktop.portal.Flatpak
@{exec_path} mr, @{exec_path} mr,
@{bin}/flatpak rPx, @{bin}/flatpak rPx,

3
apparmor.d/profiles-a-f/flatpak-session-helper
View file

@ -9,12 +9,15 @@ include <tunables/global>
@{exec_path} = @{lib}/flatpak-session-helper @{exec_path} = @{lib}/flatpak-session-helper
profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
signal (send) set=(int) peer=@{systemd}, signal (send) set=(int) peer=@{systemd},
# dbus: own bus=session name=org.freedesktop.Flatpak
@{exec_path} mr, @{exec_path} mr,
@{bin}/dbus-monitor rPUx, @{bin}/dbus-monitor rPUx,

2
apparmor.d/profiles-a-f/flatpak-system-helper
View file

@ -24,6 +24,8 @@ profile flatpak-system-helper @{exec_path} {
ptrace (read), ptrace (read),
# dbus: own bus=system name=org.freedesktop.Flatpak.SystemHelper
@{exec_path} mr, @{exec_path} mr,
@{bin}/bwrap rPUx, @{bin}/bwrap rPUx,

2
apparmor.d/profiles-g-l/glib-pacrunner
View file

@ -19,6 +19,8 @@ profile glib-pacrunner @{exec_path} {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
# dbus: own bus=session name=org.gtk.GLib.PACRunner
@{exec_path} mr, @{exec_path} mr,
@{PROC}/cmdline r, @{PROC}/cmdline r,