fear(abs): update dbus core abs.

2025-08-24 21:32:51 +02:00 · 2025-08-24 21:32:51 +02:00 · d6885803cb
commit d6885803cb
parent e9f0b77f2d
12 changed files with 135 additions and 20 deletions
--- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+# Allow for color managed applications to communicate with colord
+
  abi <abi/4.0>,

  #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
@ -21,6 +23,11 @@
       member={DeviceAdded,DeviceRemoved}
       peer=(name="@{busname}", label="@{p_colord}"),

+  dbus (receive, send) bus=system path=/org/freedesktop/ColorManager
+       interface=org.freedesktop.ColorManager
+       member=FindDeviceByProperty
+       peer=(name="@{busname}", label="@{p_colord}"),
+
  include if exists <abstractions/bus/org.freedesktop.ColorManager.d>

 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1
@ -6,6 +6,11 @@

  #aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus

+  dbus send bus=session path=/org/freedesktop/FileManager1
+       interface=org.freedesktop.FileManager1
+       member=ShowItems
+       peer=(name=org.freedesktop.FileManager1, label=nautilus),
+
  include if exists <abstractions/bus/org.freedesktop.FileManager1.d>

 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.UPower
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower
@ -2,10 +2,13 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+# Can query UPower for power devices, history and statistics.
+
  abi <abi/4.0>,

  #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}"

+  # Find all devices monitored by UPower
  dbus send bus=system path=/org/freedesktop/UPower
       interface=org.freedesktop.UPower
       member=EnumerateDevices
@ -13,7 +16,12 @@

  dbus send bus=system path=/org/freedesktop/UPower
       interface=org.freedesktop.DBus.Properties
-       member=GetDisplayDevice
+       member={GetDisplayDevice,GetCriticalAction}
+       peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"),
+
+  dbus send bus=system path=/org/freedesktop/UPower/devices/**
+       interface=org.freedesktop.UPower.Device
+       member={GetHistory,Refresh}
       peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"),

  dbus receive bus=system path=/org/freedesktop/UPower
--- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1
@ -5,6 +5,7 @@
  abi <abi/4.0>,

  #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
+
  dbus send bus=system path=/org/freedesktop/hostname1
       interface=org.freedesktop.DBus.Properties
       member=Get
--- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
+++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
@ -11,6 +11,11 @@
       member=Read
       peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal),

+  dbus send bus=session path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=@{busname}, label=xdg-desktop-portal),
+
  dbus send bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.portal.Settings
       member={Read,ReadAll}
@ -41,6 +46,16 @@
       member=Response
       peer=(name=@{busname}, label=xdg-desktop-portal),

+  dbus receive bus=session path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.portal.Inhibit
+       member={StateChanged,CreateMonitor}
+       peer=(name=@{busname}, label=xdg-desktop-portal),
+
+  dbus receive bus=session path=/org/freedesktop/portal/desktop/session/**
+       interface=org.freedesktop.impl.portal.Session
+       member=Close
+       peer=(name=@{busname}, label=xdg-desktop-portal),
+
  include if exists <abstractions/bus/org.freedesktop.portal.Desktop.d>

 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1
@ -4,12 +4,12 @@

  abi <abi/4.0>,

-  #aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
+  #aa-dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"

  dbus send bus=system path=/org/freedesktop/resolve1
       interface=org.freedesktop.resolve1.Manager
-       member={SetLink*,ResolveHostname}
-       peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"),
+       member={ResolveAddress,ResolveHostname,ResolveRecord,ResolveService}
+       peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"),

  include if exists <abstractions/bus/org.freedesktop.resolve1.d>

--- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
+++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
@ -14,7 +14,7 @@
  dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core
       interface=org.gnome.Mutter.IdleMonitor
       member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime}
-       peer=(name="@{busname},org.gnome.Mutter.IdleMonitor", label=gnome-shell),
+       peer=(name="{@{busname},org.gnome.Mutter.IdleMonitor}", label=gnome-shell),

  dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
       interface=org.gnome.Mutter.IdleMonitor
--- a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2
+++ b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2
@ -6,6 +6,16 @@

  #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell

+  dbus receive bus=session path=/org/gnome/Characters/SearchProvider
+       interface=org.gnome.Shell.SearchProvider2
+       member={GetInitialResultSet,GetSubsearchResultSet,GetResultMetas}
+       peer=(name=@{busname}, label=gnome-shell),
+
+    dbus receive bus=session path=/org/gnome/Characters/SearchProvider
+       interface=org.gnome.Shell.SearchProvider2
+       member=*Cancel
+       peer=(name=@{busname}, label=gnome-shell),
+
  include if exists <abstractions/bus/org.gnome.Shell.SearchProvider2.d>

 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon
+++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon
@ -7,7 +7,7 @@
  dbus send bus=session path=/org/gtk/vfs/Daemon
       interface=org.gtk.vfs.Daemon
       member={GetConnection,ListMonitorImplementations,ListMountableInfo}
-       peer=(name="@{busname}", label=gvfsd),
+       peer=(name=@{busname}, label=gvfsd),

  dbus receive bus=session path=/org/gtk/vfs/Daemon
       interface=org.gtk.vfs.Daemon
--- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
@ -4,6 +4,30 @@

  abi <abi/4.0>,

+  include <abstractions/bus/session/own>
+
+  dbus bind bus=session name=org.kde.StatusNotifierItem-@{int},
+
+  dbus send bus=session path=/StatusNotifierWatcher
+       interface=org.kde.StatusNotifierWatcher
+       member=RegisterStatusNotifierItem
+       peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
+
+  dbus send bus=session path=/StatusNotifierItem
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged
+       peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
+
+  dbus send bus=session path=/{StatusNotifierItem,org/ayatana/NotificationItem/*}
+       interface=org.kde.StatusNotifierItem
+       member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip}
+       peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
+
+  dbus send bus=session path=/StatusNotifierWatcher
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
+
  include if exists <abstractions/bus/org.kde.StatusNotifierItem.d>

 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
@ -2,14 +2,52 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+# Allow to display Status Notifier Items in the KDE Plasma systray
+
  abi <abi/4.0>,

-  #aa:dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell
+  #aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell
+
+  dbus send bus=session path=/StatusNotifierWatcher
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
+
+  dbus send bus=session path=/StatusNotifierWatcher
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
+
+  dbus receive bus=session path=/StatusNotifierItem
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(label="@{pp_app_indicator}"),
+
+
+  dbus send bus=session path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu}
+       interface=com.canonical.dbusmenu
+       member={LayoutUpdated,ItemsPropertiesUpdated}
+       peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
+
+  dbus receive bus=session path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**}
+       interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu}
+       member={Get*,AboutTo*,Event*}
+       peer=(label="@{pp_app_indicator}"),

  dbus send bus=session path=/StatusNotifierWatcher
       interface=org.kde.StatusNotifierWatcher
       member=RegisterStatusNotifierItem
-       peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell),
+       peer=(label="@{pp_app_indicator}"),
+
+  dbus receive bus=session path=/StatusNotifierItem
+       interface=org.kde.StatusNotifierItem
+       member={ProvideXdgActivationToken,Activate}
+       peer=(label="@{pp_app_indicator}"),
+
+  dbus receive bus=session  path=/MenuBar
+       interface=com.canonical.dbusmenu
+       member={AboutToShow,GetLayout,Event}
+       peer=(label="@{pp_app_indicator}"),

  include if exists <abstractions/bus/org.kde.StatusNotifierWatcher.d>

--- a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player
+++ b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player
@ -4,27 +4,34 @@

  abi <abi/4.0>,

-  #aa-dbus common bus=session name=org.mpris.MediaPlayer2.Player label=unconfined
+  # DBus.Properties: read all properties from the interface
+  dbus send bus=system path=/org/mpris/MediaPlayer2
+       interface=org.freedesktop.DBus.Properties
+       member={Get,GetAll}
+       peer=(name=@{busname}),

+  # DBus.Properties: receive property changed events
  dbus receive bus=session path=/org/mpris/MediaPlayer2
       interface=org.freedesktop.DBus.Properties
       member=PropertiesChanged
       peer=(name=@{busname}),

+  # DBus.Introspectable: allow clients to introspect the service
+  dbus send bus=system path=/org/mpris/MediaPlayer2
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}),
+
  dbus receive bus=session path=/org/mpris/MediaPlayer2
+       interface=org.mpris.MediaPlayer2.Player
+       member={Seeked,Next,PlayPause}
+       peer=(name=@{busname}),
+
+  # https://specifications.freedesktop.org/mpris-spec/latest/Player_Interface.html#Signal:Seeked
+  dbus send bus=session path=/org/mpris/MediaPlayer2
       interface=org.mpris.MediaPlayer2.Player
       member=Seeked
-       peer=(name=@{busname}),
-
-  dbus send bus=session path=/org/mpris/MediaPlayer2
-       interface=org.freedesktop.DBus.Properties
-       member=Get
-       peer=(name=@{busname}),
-
-  dbus send bus=session path=/org/mpris/MediaPlayer2
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=@{busname}),
+       peer=(name=org.freedesktop.DBus),

  include if exists <abstractions/bus/org.mpris.MediaPlayer2.Player.d>