diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 3a63d95dc..e23092429 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow for color managed applications to communicate with colord + abi , #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}" @@ -21,6 +23,11 @@ member={DeviceAdded,DeviceRemoved} peer=(name="@{busname}", label="@{p_colord}"), + dbus (receive, send) bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=FindDeviceByProperty + peer=(name="@{busname}", label="@{p_colord}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 index 76095edaf..a08c98b26 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 @@ -6,6 +6,11 @@ #aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus + dbus send bus=session path=/org/freedesktop/FileManager1 + interface=org.freedesktop.FileManager1 + member=ShowItems + peer=(name=org.freedesktop.FileManager1, label=nautilus), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index d82fbdef0..64b400a3e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -2,10 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Can query UPower for power devices, history and statistics. + abi , #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + # Find all devices monitored by UPower dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices @@ -13,7 +16,12 @@ dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.DBus.Properties - member=GetDisplayDevice + member={GetDisplayDevice,GetCriticalAction} + peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), + + dbus send bus=system path=/org/freedesktop/UPower/devices/** + interface=org.freedesktop.UPower.Device + member={GetHistory,Refresh} peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), dbus receive bus=system path=/org/freedesktop/UPower diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index 0a8d86be1..165e3ae6e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -5,6 +5,7 @@ abi , #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 4d4faf688..4778dd6dc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -11,6 +11,11 @@ member=Read peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member={Read,ReadAll} @@ -41,6 +46,16 @@ member=Response peer=(name=@{busname}, label=xdg-desktop-portal), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Inhibit + member={StateChanged,CreateMonitor} + peer=(name=@{busname}, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop/session/** + interface=org.freedesktop.impl.portal.Session + member=Close + peer=(name=@{busname}, label=xdg-desktop-portal), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 index e2c4b3886..fe6d52dc6 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + #aa-dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" dbus send bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager - member={SetLink*,ResolveHostname} - peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"), + member={ResolveAddress,ResolveHostname,ResolveRecord,ResolveService} + peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index 8eb573f7e..d1ff350fc 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor @@ -14,7 +14,7 @@ dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime} - peer=(name="@{busname},org.gnome.Mutter.IdleMonitor", label=gnome-shell), + peer=(name="{@{busname},org.gnome.Mutter.IdleMonitor}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 index baa96cc78..ae8b68448 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 @@ -6,6 +6,16 @@ #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell + dbus receive bus=session path=/org/gnome/Characters/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + member={GetInitialResultSet,GetSubsearchResultSet,GetResultMetas} + peer=(name=@{busname}, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Characters/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + member=*Cancel + peer=(name=@{busname}, label=gnome-shell), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon index 66910007b..93ad35fe5 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon @@ -7,7 +7,7 @@ dbus send bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member={GetConnection,ListMonitorImplementations,ListMountableInfo} - peer=(name="@{busname}", label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem index 43947d52a..87fd06727 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem @@ -4,6 +4,30 @@ abi , + include + + dbus bind bus=session name=org.kde.StatusNotifierItem-@{int}, + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.kde.StatusNotifierWatcher + member=RegisterStatusNotifierItem + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus send bus=session path=/{StatusNotifierItem,org/ayatana/NotificationItem/*} + interface=org.kde.StatusNotifierItem + member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher index d9ca82881..90a78d2ed 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher @@ -2,14 +2,52 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow to display Status Notifier Items in the KDE Plasma systray + abi , - #aa:dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell + #aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus receive bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(label="@{pp_app_indicator}"), + + + dbus send bus=session path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu} + interface=com.canonical.dbusmenu + member={LayoutUpdated,ItemsPropertiesUpdated} + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus receive bus=session path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**} + interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu} + member={Get*,AboutTo*,Event*} + peer=(label="@{pp_app_indicator}"), dbus send bus=session path=/StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher member=RegisterStatusNotifierItem - peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell), + peer=(label="@{pp_app_indicator}"), + + dbus receive bus=session path=/StatusNotifierItem + interface=org.kde.StatusNotifierItem + member={ProvideXdgActivationToken,Activate} + peer=(label="@{pp_app_indicator}"), + + dbus receive bus=session path=/MenuBar + interface=com.canonical.dbusmenu + member={AboutToShow,GetLayout,Event} + peer=(label="@{pp_app_indicator}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player index d8581be07..d71b7ac1e 100644 --- a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player +++ b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player @@ -4,27 +4,34 @@ abi , - #aa-dbus common bus=session name=org.mpris.MediaPlayer2.Player label=unconfined + # DBus.Properties: read all properties from the interface + dbus send bus=system path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}), + # DBus.Properties: receive property changed events dbus receive bus=session path=/org/mpris/MediaPlayer2 interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=@{busname}), + # DBus.Introspectable: allow clients to introspect the service + dbus send bus=system path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}), + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.mpris.MediaPlayer2.Player + member={Seeked,Next,PlayPause} + peer=(name=@{busname}), + + # https://specifications.freedesktop.org/mpris-spec/latest/Player_Interface.html#Signal:Seeked + dbus send bus=session path=/org/mpris/MediaPlayer2 interface=org.mpris.MediaPlayer2.Player member=Seeked - peer=(name=@{busname}), - - dbus send bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=@{busname}), - - dbus send bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}), + peer=(name=org.freedesktop.DBus), include if exists