feat(abs): add bus/own-* abstactions

2025-03-20 20:13:44 +01:00 · 2025-03-20 20:13:44 +01:00 · d2c231653b
commit d2c231653b
parent ec04495c4a
3 changed files with 66 additions and 0 deletions
--- a/apparmor.d/abstractions/bus/own-accessibility
+++ b/apparmor.d/abstractions/bus/own-accessibility
@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+# Do not use it manually, it is automatically included in a profile when it is required.
+
+# Allow owning a name on DBus public bus
+
+  abi <abi/4.0>,
+
+  dbus send bus=accessibility path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={RequestName,ReleaseName}
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
+
+  dbus send bus=accessibility path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
+
+  include if exists <abstractions/bus/own-accessibility.d>
--- a/apparmor.d/abstractions/bus/own-session
+++ b/apparmor.d/abstractions/bus/own-session
@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+# Do not use it manually, it is automatically included in a profile when it is required.
+
+# Allow owning a name on DBus public bus
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={RequestName,ReleaseName}
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
+
+  dbus send bus=session path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
+
+  include if exists <abstractions/bus/own-session.d>
--- a/apparmor.d/abstractions/bus/own-system
+++ b/apparmor.d/abstractions/bus/own-system
@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+# Do not use it manually, it is automatically included in a profile when it is required.
+
+# Allow owning a name on DBus public bus
+
+  abi <abi/4.0>,
+
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={RequestName,ReleaseName}
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
+
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
+
+  include if exists <abstractions/bus/own-system.d>