From d0a052b7aeb666c30a8b51da16e01efd827d89a9 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 6 Feb 2024 22:37:59 +0100 Subject: [PATCH] feat(profile): add signal from systemd-user. --- apparmor.d/groups/freedesktop/at-spi-bus-launcher | 1 + apparmor.d/groups/freedesktop/pipewire | 6 ++++-- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 ++ .../groups/freedesktop/xdg-desktop-portal-gnome | 1 + apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 2 ++ apparmor.d/groups/freedesktop/xdg-document-portal | 7 +++++-- apparmor.d/groups/freedesktop/xdg-permission-store | 1 + apparmor.d/groups/freedesktop/xwayland | 1 + .../groups/gnome/evolution-addressbook-factory | 2 ++ apparmor.d/groups/gnome/evolution-alarm-notify | 2 ++ apparmor.d/groups/gnome/evolution-calendar-factory | 2 ++ apparmor.d/groups/gnome/evolution-source-registry | 2 ++ apparmor.d/groups/gnome/gjs-console | 1 + apparmor.d/groups/gnome/gnome-keyring-daemon | 1 + apparmor.d/groups/gnome/gnome-session-binary | 1 + apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/gnome-shell-calendar-server | 2 ++ apparmor.d/groups/gnome/gnome-software | 2 ++ apparmor.d/groups/gnome/gnome-terminal-server | 1 + apparmor.d/groups/gnome/goa-daemon | 2 ++ apparmor.d/groups/gnome/goa-identity-service | 2 ++ apparmor.d/groups/gnome/gsd-a11y-settings | 1 + apparmor.d/groups/gnome/gsd-color | 1 + apparmor.d/groups/gnome/gsd-datetime | 1 + apparmor.d/groups/gnome/gsd-disk-utility-notify | 2 ++ apparmor.d/groups/gnome/gsd-housekeeping | 1 + apparmor.d/groups/gnome/gsd-keyboard | 1 + apparmor.d/groups/gnome/gsd-media-keys | 1 + apparmor.d/groups/gnome/gsd-power | 1 + apparmor.d/groups/gnome/gsd-print-notifications | 1 + apparmor.d/groups/gnome/gsd-printer | 1 + apparmor.d/groups/gnome/gsd-rfkill | 1 + apparmor.d/groups/gnome/gsd-screensaver-proxy | 1 + apparmor.d/groups/gnome/gsd-sharing | 1 + apparmor.d/groups/gnome/gsd-smartcard | 1 + apparmor.d/groups/gnome/gsd-sound | 1 + apparmor.d/groups/gnome/gsd-usb-protection | 2 ++ apparmor.d/groups/gnome/gsd-wacom | 1 + 
apparmor.d/groups/gnome/gsd-xsettings | 2 ++ apparmor.d/groups/gnome/mutter-x11-frames | 2 ++ apparmor.d/groups/gvfs/gvfs-afc-volume-monitor | 2 ++ apparmor.d/groups/gvfs/gvfs-goa-volume-monitor | 2 ++ apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor | 2 ++ apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor | 2 ++ apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor | 1 + apparmor.d/groups/gvfs/gvfsd | 2 ++ apparmor.d/groups/gvfs/gvfsd-fuse | 12 ++++++++---- apparmor.d/profiles-s-z/wireplumber | 2 ++ 48 files changed, 82 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher index ad144f32a..c3169a165 100644 --- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher +++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher @@ -22,6 +22,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term hup kill) peer=dbus-daemon, signal (receive) set=(term hup kill) peer=gdm*, signal (receive) set=(term hup kill) peer=gnome-session-binary, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index bd1598da8..a35160eab 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -19,10 +19,12 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, - ptrace (read), - network netlink raw, + signal (receive) set=(cont, term) peer=systemd-user, + + ptrace (read), + # dbus: own bus=session name=org.pulseaudio.Server dbus send bus=session path=/org/freedesktop/DBus diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 7bca30e2e..21dea9577 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal 
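Review bot: The added `signal (receive) set=(cont, term) peer=systemd-user,` in the at-spi-bus-launcher hunk only matches when the user manager actually runs under a profile labelled `systemd-user`; if `systemd --user` is unconfined on a given system the peer label is `unconfined` and the line is a no-op, so the signal is still denied and logged — presumably such a profile exists in the tree, but it is not in this patch and is worth confirming, as is its matching `signal (send)` side, since AppArmor mediates both ends. The same line is added in every other hunk of this patch (pipewire through wireplumber), so this applies to all of them. The set also omits `kill`: by default systemd escalates to SIGKILL when a unit does not stop within its timeout, so the final kill would still be blocked unless another rule covers it — either extend it, `signal (receive) set=(cont, term, kill) peer=systemd-user,`, or record why it is left out. A short comment above the rule, e.g. `# systemd --user stops session units with SIGTERM followed by SIGCONT`, would document why this peer appears in profiles that otherwise only list gdm/dbus/session peers.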
@@ -23,6 +23,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { network netlink raw, + signal (receive) set=(cont, term) peer=systemd-user, + ptrace (read), # dbus: own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}} diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index ca0dff4f3..eb4164d0d 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -29,6 +29,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { network unix stream, + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=term peer=gdm, dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gnome, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 1a9150e93..e43fc9309 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -29,6 +29,8 @@ profile xdg-desktop-portal-gtk @{exec_path} { include include + signal (receive) set=(cont, term) peer=systemd-user, + unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gtk, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index f19d6657c..c3aa1a5d4 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal 
@@ -18,10 +18,11 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { mount fstype=fuse.portal -> @{run}/user/@{uid}/doc/, - ptrace (read) peer=xdg-desktop-portal, - + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term) peer=gdm, + ptrace (read) peer=xdg-desktop-portal, + unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount), # dbus: own bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents @@ -63,6 +64,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { umount @{run}/user/@{uid}/doc/, + signal (receive) set=(cont, term) peer=systemd-user, + unix (send receive) type=stream peer=(label=xdg-document-portal), @{bin}/fusermount{,3} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 719c002ad..0c1c28942 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -13,6 +13,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { capability sys_nice, + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term hup kill) peer=dbus-daemon, signal (receive) set=(term hup kill) peer=gdm*, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 067c6ba94..88bd5fac2 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -13,6 +13,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { include include + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term hup) peer=gdm*, signal (receive) set=(term hup) peer=gnome-shell, signal (receive) set=(term hup) peer=kwin_wayland, diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 5c081d176..38dfb45a1 100644 
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -25,6 +25,8 @@ profile evolution-addressbook-factory @{exec_path} { network inet6 dgram, network netlink raw, + signal (receive) set=(cont, term) peer=systemd-user, + dbus bind bus=session name=org.gnome.evolution.dataserver.AddressBook@{int}, dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 10cadfeb6..25549ba05 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -21,6 +21,8 @@ profile evolution-alarm-notify @{exec_path} { network netlink raw, + signal (receive) set=(cont, term) peer=systemd-user, + # dbus: own bus=session name=org.gnome.Evolution-alarm-notify dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index df0d12bdb..cd14fa62d 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -24,6 +24,8 @@ profile evolution-calendar-factory @{exec_path} { network inet6 dgram, network netlink raw, + signal (receive) set=(cont, term) peer=systemd-user, + dbus bind bus=session name=org.gnome.evolution.dataserver.Calendar@{int}, dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index d93135807..9400d4914 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry 
@@ -22,6 +22,8 @@ profile evolution-source-registry @{exec_path} { network inet6 dgram, network netlink raw, + signal (receive) set=(cont, term) peer=systemd-user, + dbus bind bus=session name=org.gnome.evolution.dataserver.Sources@{int}, dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} interface={org.freedesktop.DBus.ObjectManager,org.freedesktop.DBus.Properties} diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 925a9efe7..e6e3fc215 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -27,6 +27,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { network netlink raw, + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term hup) peer=gdm*, # dbus: own bus=session name=org.freedesktop.Notifications diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index c349fa994..68411a632 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -20,6 +20,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { capability ipc_lock, + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term) peer=gdm, signal (send) set=(term) peer=ssh-agent, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 4588b658c..be303b034 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -29,6 +29,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, signal (send) set=(term) peer=at-spi-bus-launcher, signal (send) set=(term) peer=gsd-*, 
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index e7d38cd7b..bee3caf2e 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -64,6 +64,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { ptrace (read), + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, signal (send), diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index dfdb37720..449092401 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -13,6 +13,8 @@ profile gnome-shell-calendar-server @{exec_path} { include include + signal (receive) set=(cont, term) peer=systemd-user, + # dbus: own bus=session name=org.gnome.Shell.CalendarServer dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/{,**} diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 430ace3c9..77a4a2fc7 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -27,6 +27,8 @@ profile gnome-software @{exec_path} { mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, + signal (receive) set=(cont, term) peer=systemd-user, + @{exec_path} mr, @{bin}/baobab rPUx, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index cc8ae7441..7498b6ac0 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -18,6 +18,7 @@ profile gnome-terminal-server @{exec_path} { include include + signal (receive) set=(cont, term) peer=systemd-user, signal (send) set=(hup) peer=htop, signal (send) set=(term hup kill) peer=unconfined, 
diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index fa9afe49d..5f6591187 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -25,6 +25,8 @@ profile goa-daemon @{exec_path} { network inet6 dgram, network netlink raw, + signal (receive) set=(cont, term) peer=systemd-user, + # dbus: own bus=session name=org.gnome.OnlineAccounts dbus send bus=session path=/org/gnome/Identity diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index d8791cf07..332f95717 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -12,6 +12,8 @@ profile goa-identity-service @{exec_path} { include include + signal (receive) set=(cont, term) peer=systemd-user, + # dbus: own bus=session name=org.gnome.Identity dbus send bus=session path=/org/gnome/OnlineAccounts diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index ce7787283..577413712 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -13,6 +13,7 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include include + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, # dbus: own bus=session name=org.gnome.SettingsDaemon.A11ySettings diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 7834cee5a..c7d07996c 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -22,6 +22,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, # dbus: own bus=session name=org.gnome.SettingsDaemon.Color 
diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index a642b5fbe..c133aa44b 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -13,6 +13,7 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include include + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, # dbus: own bus=session name=org.gnome.SettingsDaemon.Datetime diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index 504a579aa..f3ea90f65 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify @@ -13,6 +13,8 @@ profile gsd-disk-utility-notify @{exec_path} { include include + signal (receive) set=(cont, term) peer=systemd-user, + # dbus: own bus=session name=org.gnome.Disks.NotificationMonitor dbus receive bus=session diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index bc292819d..58a3b00df 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -16,6 +16,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(term, hup) peer=gnome*, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 46e6225de..17ee9d660 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -21,6 +21,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, # dbus: own bus=session name=org.gnome.SettingsDaemon.Keyboard 
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 5fb5ff59b..46002755e 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -24,6 +24,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, network netlink raw, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 59d3b4762..12ea7fc0a 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -31,6 +31,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { network netlink raw, + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, # dbus: own bus=session name=org.gnome.SettingsDaemon.Power diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index a59d078ef..2dea5b53d 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -18,6 +18,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, signal (send) set=(hup) peer=gsd-printer, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index e2aeb8099..5fe040f95 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -14,6 +14,7 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { include include + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(hup) peer=gsd-print-notifications, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 2d3e1cf14..7d3fe86bc 100644 
--- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -16,6 +16,7 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include include + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, network netlink raw, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index 9d5485c86..f04cba050 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -12,6 +12,7 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include include + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, # dbus: own bus=session name=org.freedesktop.ScreenSaver diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 582f664e7..a358a9974 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -15,6 +15,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include include + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, # dbus: own bus=session name=org.gnome.SettingsDaemon.Sharing diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 1587a9c2e..6af3462d6 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -15,6 +15,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include include + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, # dbus: own bus=session name=org.gnome.SettingsDaemon.Smartcard diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 53d836379..ca65fda11 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound 
@@ -15,6 +15,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, # dbus: own bus=session name=org.gnome.SettingsDaemon.Sound diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 8ce6b47dc..e740452c2 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -11,6 +11,8 @@ profile gsd-usb-protection @{exec_path} { include include + signal (receive) set=(cont, term) peer=systemd-user, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 03b6111bd..74a4b54e0 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -19,6 +19,7 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, # dbus: own bus=session name=org.gnome.SettingsDaemon.Wacom diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 4079d00f4..2b5902cd4 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -30,6 +30,8 @@ profile gsd-xsettings @{exec_path} { network inet6 dgram, network netlink raw, + signal (receive) set=(cont, term) peer=systemd-user, + # dbus: own bus=session name=org.gnome.SettingsDaemon.XSettings # dbus: own bus=session name=org.gtk.Settings diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index ef4d2f8ef..320ac5380 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames 
@@ -17,6 +17,8 @@ profile mutter-x11-frames @{exec_path} { include include + signal (receive) set=(cont, term) peer=systemd-user, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index 29490ed2f..0471231d4 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor @@ -12,6 +12,8 @@ profile gvfs-afc-volume-monitor @{exec_path} { include include + signal (receive) set=(cont, term) peer=systemd-user, + # dbus: own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index adcc7c982..cb2e367e2 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -12,6 +12,8 @@ profile gvfs-goa-volume-monitor @{exec_path} { include include + signal (receive) set=(cont, term) peer=systemd-user, + dbus bind bus=session name=org.gtk.vfs.GoaVolumeMonitor, dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index d636d8c89..33a438eda 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -16,6 +16,8 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { network netlink raw, + signal (receive) set=(cont, term) peer=systemd-user, + dbus bind bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor, dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor 
diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index 4664b4b59..c92a0c44e 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -15,6 +15,8 @@ profile gvfs-mtp-volume-monitor @{exec_path} { network netlink raw, + signal (receive) set=(cont, term) peer=systemd-user, + dbus bind bus=session name=org.gtk.vfs.MTPVolumeMonitor, dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 46bacc069..65ee5b74e 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -26,6 +26,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + signal (receive) set=(cont, term) peer=systemd-user, signal (send) set=(term, kill) peer=mount, ptrace (read), diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index 0f93193dc..45518372d 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -12,6 +12,8 @@ profile gvfsd @{exec_path} { include include + signal (receive) set=(cont, term) peer=systemd-user, + dbus bind bus=session name=org.gtk.vfs.Daemon, dbus send bus=session path=/org/gtk/vfs/mounttracker diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 7ec099e4f..9a38b8b89 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse 
@@ -13,10 +13,12 @@ profile gvfsd-fuse @{exec_path} { include include - unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), - mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, + signal (receive) set=(cont, term) peer=systemd-user, + + unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), + dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=RegisterFuse @@ -42,11 +44,13 @@ profile gvfsd-fuse @{exec_path} { capability dac_read_search, capability sys_admin, # To mount anything - unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse), - mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, umount @{run}/user/@{uid}/**/, + signal (receive) set=(cont, term) peer=systemd-user, + + unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse), + @{bin}/fusermount{,3} mr, /etc/fuse{,3}.conf r, diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index a33053e10..113fc92c9 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -23,6 +23,8 @@ profile wireplumber @{exec_path} { network bluetooth stream, network netlink raw, + signal (receive) set=(cont, term) peer=systemd-user, + dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio0, dbus receive bus=session
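Review bot: In the first gvfsd-fuse hunk the `unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount),` rule is removed and re-added below the new signal line, but the collapsed rendering leaves it unclear whether `mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,` is a removed line or a kept context line preceded by a deleted blank; the hunk counts (-10/+12, and the diffstat's 8 insertions and 4 deletions across both hunks) fit a pure reorder, so it is presumably kept. It is worth confirming in the new file that the mount rule survives in both hunks, since dropping it would break the FUSE mount itself rather than only signal handling. The second hunk (`@@ -42,11 +44,13 @@`) has the same shape with the `peer=(label=gvfsd-fuse)` unix rule and the `umount @{run}/user/@{uid}/**/,` line. Both hunks end mid-profile; the rest of the profile body is outside the hunk.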