From ceb4c582e16672383bf6796c538c98512a6c1014 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 16 Dec 2023 21:30:47 +0000
Subject: [PATCH] feat(dbus): update dbus rules.

---
 apparmor.d/groups/bus/ibus-extension-gtk3 | 5 ++++
 .../groups/gnome/evolution-calendar-factory | 5 ++++
 apparmor.d/groups/gnome/gnome-calendar | 22 +++++-------------
 apparmor.d/groups/gnome/gnome-shell | 23 +++----------------
 apparmor.d/groups/gnome/gsd-media-keys | 5 ++++
 apparmor.d/groups/gnome/gsd-wacom | 5 ----
 apparmor.d/groups/gnome/tracker-miner | 2 +-
 .../groups/ubuntu/software-properties-dbus | 4 ++++
 .../groups/ubuntu/software-properties-gtk | 3 +++
 apparmor.d/groups/ubuntu/update-manager | 7 +++---
 apparmor.d/groups/ubuntu/update-notifier | 9 ++++++++
 apparmor.d/profiles-a-f/cups-notifier-dbus | 1 +
 apparmor.d/profiles-m-r/packagekitd | 5 +---
 13 files changed, 47 insertions(+), 49 deletions(-)

diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3
index fb7a5d806..e0e3d2251 100644
--- a/apparmor.d/groups/bus/ibus-extension-gtk3
+++ b/apparmor.d/groups/bus/ibus-extension-gtk3
@@ -30,6 +30,11 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
   dbus bind bus=session name=org.freedesktop.IBus.Panel.Extension.Gtk3,
 
+  dbus receive bus=session path=/org/gtk/Settings
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged
+       peer=(name=:*, label=gsd-xsettings),
+
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory
index 85b79b1dd..b2ccdf061 100644
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@@ -52,6 +52,11 @@ profile evolution-calendar-factory @{exec_path} {
        member=PropertiesChanged
        peer=(name=org.freedesktop.DBus, label=gnome-shell-calendar-server),
 
+  dbus send bus=session path=/org/gnome/evolution/dataserver/CalendarView/**
+       interface=org.gnome.evolution.dataserver.CalendarView
+       member=Complete
+       peer=(name=org.freedesktop.DBus, label=gnome-calendar),
+
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect
diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar
index 68c33a28f..62ccd0b3f 100644
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@@ -12,7 +12,6 @@ profile gnome-calendar @{exec_path} {
   include
   include
   include
-  include
   include
   include
   include
@@ -30,25 +29,16 @@ profile gnome-calendar @{exec_path} {
   network netlink raw,
 
-  dbus bind bus=session name=org.gnome.Calendar,
-  dbus (send, receive) bus=session path=/org/gnome/Calendar
-       interface=org.freedesktop.{Actions,Application}
-       peer=(name="{:*,org.freedesktop.DBus}"),
+  # dbus: own bus=session name=org.gnome.Calendar interface={org.freedesktop.Application,org.gtk.Actions}
 
-  dbus receive bus=session path=/org/gnome/Calendar/SearchProvider
-       interface=org.gnome.Shell.SearchProvider2
-       peer=(name=:*, label=gnome-shell),
+  # dbus: talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory
+  # dbus: talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry
+  # dbus: talk bus=system name=org.freedesktop.GeoClue2 label=geoclue
 
-  dbus send bus=session path=/org/gnome/evolution/dataserver/**
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=:*, label=evolution-*),
-  dbus send bus=session path=/org/gnome/evolution/dataserver/**
-       interface=org.gnome.evolution.dataserver.*
-       peer=(name=:*, label=evolution-*),
-  dbus send bus=session path=/org/gnome/evolution/dataserver/**
+  dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**}
        interface=org.freedesktop.DBus.ObjectManager
        member=GetManagedObjects
-       peer=(name=:*, label=evolution-*),
+       peer=(name=:*, label=evolution-source-registry),
 
   @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 1649d0183..7a0a6dc6a 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
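Review bot: The removed `dbus receive bus=session path=/org/gnome/Calendar/SearchProvider interface=org.gnome.Shell.SearchProvider2 peer=(name=:*, label=gnome-shell)` rule has no visible replacement: the new `# dbus: own` directive names only `{org.freedesktop.Application,org.gtk.Actions}` as interfaces, so unless the generator expands an own directive to every interface under the owned path, search-provider calls from gnome-shell will be denied after this change. The same question applies to the gnome-shell hunk, where the dropped receive rule for `path=/org/freedesktop/Notifications ... member=GetAll` is not obviously covered by the `org.gtk.Notifications` own directive that replaces it. The added `# dbus: talk bus=system name=org.freedesktop.GeoClue2 label=geoclue` grants a system-bus capability the old rules did not have; a one-line comment above it stating what the calendar needs location for (placeholder: `# GeoClue2: <reason> — TODO confirm`) would justify it for the next reader. Narrowing the remaining ObjectManager peer from `evolution-*` to `evolution-source-registry` is a good tightening.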
@@ -84,27 +84,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
        interface={org.gnome.*,org.freedesktop.{Application,DBus.Properties,DBus.ObjectManager},org.gtk.{Actions,Application}}
        peer=(name="{:*,org.gnome.*,org.freedesktop.DBus}"),
 
+  # dbus: own bus=session name=com.canonical.Unity path=/com/canonical/unity
   # dbus: own bus=session name=org.gtk.MountOperationHandler
-
-  dbus bind bus=session name=com.canonical.Unity,
-  dbus receive bus=session path=/com/canonical/unity/**
-       interface=com.canonical.Unity{,.*}
-       peer=(name=:*),
-
-  dbus bind bus=session name=org.kde.StatusNotifierWatcher,
-  dbus receive bus=session path=/StatusNotifierWatcher
-       interface=org.kde.StatusNotifierWatcher
-       peer=(name=:*),
-
-  dbus bind bus=session name=org.gtk.Notifications,
-  dbus receive bus=session path=/org/gtk/Notifications
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*),
-  dbus receive bus=session path=/org/freedesktop/Notifications
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*),
+  # dbus: own bus=session name=org.gtk.Notifications
+  # dbus: own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher
 
   dbus bind bus=session name=com.rastersoft.dingextension,
   dbus (send, receive) bus=session path=/com/rastersoft/ding
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index b3e206a1e..2086e1d28 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -81,6 +81,11 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
        member=PropertiesChanged
        peer=(name=:*, label=gsd-power),
 
+  dbus send bus=session path=/org/mpris/MediaPlayer2
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=:*),
+
   @{exec_path} mr,
   @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
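Review bot: The new `dbus send bus=session path=/org/mpris/MediaPlayer2 ... member=GetAll` rule in gsd-media-keys is the only rule in its hunk with an unconstrained `peer=(name=:*)`, while the neighbouring rule pins `label=gsd-power`. That is probably unavoidable, since any MPRIS-capable player may be the peer, but a comment stating the intent, e.g. `# Any MPRIS player may be queried, so the peer label is left open`, keeps it from being read as an oversight. If the generator's conventions allow it, `peer=(name=org.mpris.MediaPlayer2.*)` would still confine the destination to well-known MPRIS names without naming a profile — confirm against the logged denials before adopting it.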
diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom
index 6e326407e..3303d78f6 100644
--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@@ -26,11 +26,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.DBus.Properties
        peer=(name=:*),
 
-  dbus receive bus=session
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name=:*, label=gnome-shell),
-
   @{exec_path} mr,
 
   /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index aed01c712..832bede98 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -36,7 +36,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
   # Talk from tracker-extract
   dbus receive bus=session path=/org/freedesktop/Tracker3/{Files,Endpoint,Miner/Extract}
        interface={org.freedesktop.Tracker3.{Miner,Endpoint,Files},org.freedesktop.DBus.{Peer,Properties}}
-       peer=(name=:*, label=tracker-extract),
+       peer=(name="{:*,org.freedesktop.DBus}", label=tracker-extract),
 
   @{exec_path} mr,
diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus
index b877a3e46..89e98ba09 100644
--- a/apparmor.d/groups/ubuntu/software-properties-dbus
+++ b/apparmor.d/groups/ubuntu/software-properties-dbus
@@ -24,6 +24,10 @@ profile software-properties-dbus @{exec_path} {
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect
        peer=(name=:*, label=gnome-shell),
+  dbus receive bus=system
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=:*, label=software-properties-gtk),
 
   @{exec_path} mr,
diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk
index 8b1decab9..bbf2ef746 100644
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@@ -25,6 +25,9 @@ profile software-properties-gtk @{exec_path} {
   dbus (send, receive) bus=system path=/com/ubuntu/SoftwareProperties
        interface={com.ubuntu.SoftwareProperties,org.gtk.{Application,Actions}}
        peer=(name="{:*,com.ubuntu.SoftwareProperties}", label=software-properties-gtk),
+  dbus send bus=system path=/
+       interface=com.ubuntu.SoftwareProperties
+       peer=(name=:*, label=software-properties-dbus),
 
   dbus send bus=system path=/
        interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager
index fba77e55b..8331e350c 100644
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@@ -16,6 +16,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
+  include
   include
   include
   include
@@ -33,9 +34,9 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
   signal (send) peer=apt-methods-http,
 
-  dbus (send,receive) bus=system path=/org/debian/apt{,/transaction/*}
-       interface={org.debian{,.apt*},org.freedesktop.DBus.{Introspectable,Properties}}
-       member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll,UpdateCache},
+  # dbus: own bus=session name=org.freedesktop.UpdateManager
+
+  # dbus: talk bus=system name=org.debian.apt
 
   @{exec_path} mr,
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index 56e1c1534..50b1b77eb 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -30,6 +30,15 @@ profile update-notifier @{exec_path} {
        member=RegisterStatusNotifierItem
        peer=(name=:*, label=gnome-shell),
 
+  dbus send bus=system path=/org/debian/apt
+       interface=org.debian.apt
+       member=GetActiveTransactions
+       peer=(name=:*, label=apt),
+  dbus send bus=system path=/org/debian/apt
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=:*, label=apt),
+
   @{exec_path} mr,
   @{bin}/{,ba,da}sh rix,
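Review bot: The added `dbus send bus=system path=/ interface=com.ubuntu.SoftwareProperties peer=(name=:*, label=software-properties-dbus)` rule carries no `member=`, so it allows every method the privileged system-bus helper exposes on that interface, whereas the update-notifier rules in this same commit name the exact member they need. If the set of methods the GTK frontend calls is known from the denial logs, listing them in a `member={...}` clause keeps the rule minimal; if the whole interface is intentionally allowed, a short comment saying so would stop a later reviewer from re-raising it.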
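Review bot: `# dbus: talk bus=system name=org.debian.apt` in the update-manager hunk (`@@ -33,9 +34,9 @@`) has no `label=`, unlike the `# dbus: talk` directives added to gnome-calendar in this commit, which all pin the peer profile; unless the generator derives the label from the name, the expanded rules would allow talking through org.debian.apt to any peer. The update-notifier hunk uses `label=apt` for the same interface, so `# dbus: talk bus=system name=org.debian.apt label=apt` would keep the two profiles consistent. The removed rule also restricted the exchange to `member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll,UpdateCache}`; that whitelist is lost with the directive, and if that widening is intended it deserves a one-line comment.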
diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus
index b17771239..6acfa4e3e 100644
--- a/apparmor.d/profiles-a-f/cups-notifier-dbus
+++ b/apparmor.d/profiles-a-f/cups-notifier-dbus
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/cups/notifier/dbus
 profile cups-notifier-dbus @{exec_path} {
   include
+  include
 
   signal (receive) set=(term) peer=cupsd,
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index ac585befe..b1a3d2ae5 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@@ -38,10 +38,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
   signal send set=int peer=apt-methods-*,
 
-  dbus bind bus=system name=org.freedesktop.PackageKit,
-  dbus receive bus=system path=/org/freedesktop/PackageKit
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=:*, label=gnome-shell),
+  # dbus: own bus=system name=org.freedesktop.PackageKit
 
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus