feat(dbus): rewrite some dbus rules (5).

2023-12-04 21:54:45 +00:00 · 2023-12-04 21:54:45 +00:00 · da3b5103e4
commit da3b5103e4
parent f5862c9862
40 changed files with 119 additions and 400 deletions
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@ -11,6 +11,7 @@ include <tunables/global>
 profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus/atspi>
+  include <abstractions/bus/session-manager>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/nameservice-strict>
@ -57,20 +58,6 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
       member={RequestName,ReleaseName}
       peer=(name=org.freedesktop.DBus, label=at-spi-bus-launcher),

-  dbus send bus=session path=/org/gnome/SessionManager
-       interface=org.gnome.SessionManager
-       peer=(name=:*, label=gnome-session-binary),
-
-  dbus receive bus=session path=/org/gnome/SessionManager
-       interface=org.gnome.SessionManager
-       member={ClientAdded,ClientRemoved,SessionRunning}
-       peer=(name=:*, label=gnome-session-binary),
-
-  dbus send bus=session path=/org/gnome/SessionManager
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label=gnome-session-binary),
-
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -12,6 +12,7 @@ include <tunables/global>
 profile pulseaudio @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
+  include <abstractions/bus/hostname>
  include <abstractions/bus/rtkit>
  include <abstractions/consoles>
  include <abstractions/dbus-session-strict>
@ -82,7 +83,7 @@ profile pulseaudio @{exec_path} {
  dbus send bus=system path=/
       interface=org.freedesktop.DBus.Peer
       member=Ping
-       peer=(name=org.freedesktop.Avahi),
+       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),

  dbus send bus=system path=/
       interface=org.freedesktop.Avahi.Server
@ -94,21 +95,6 @@ profile pulseaudio @{exec_path} {
       member=StateChanged
       peer=(name=org.freedesktop.Avahi),

-  dbus send bus=system path=/
-       interface=org.freedesktop.hostname1
-       member=Get
-       peer=(name=/org/freedesktop/hostname1),
-
-  dbus send bus=system path=/org/freedesktop/hostname1
-       interface=org.freedesktop.DBus.Properties
-       member=Get
-       peer=(name=/org/freedesktop/hostname1),
-
-  dbus send bus=system path=/org/freedesktop/hostname1
-       interface=org.freedesktop.DBus.Properties
-       member=Get
-       peer=(name=org.freedesktop.hostname1),
-
  dbus receive bus=system path=/org/bluez/hci*/**
       interface=org.freedesktop.DBus.Properties
       peer=(name=:*),
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -47,6 +47,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
       interface=org.freedesktop.DBus.Properties
       peer=(name=:*, label=xdg-permission-store),
+  dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
+       interface=org.freedesktop.impl.portal.PermissionStore
+       peer=(name=:*, label=xdg-permission-store),

  dbus send bus=session path=/org/freedesktop/portal/documents
       interface=org.freedesktop.DBus.Properties
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -10,6 +10,7 @@ include <tunables/global>
 profile xdg-desktop-portal-gnome @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus/account-daemon>
+  include <abstractions/bus/desktop>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
@ -64,16 +65,6 @@ profile xdg-desktop-portal-gnome @{exec_path} {
       member=SettingChanged
       peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),

-  dbus receive bus=session path=/org/freedesktop/portal/desktop
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label=xdg-desktop-portal),
-
-  dbus receive bus=session path=/org/freedesktop/portal/desktop
-       interface=org.freedesktop.impl.portal.Settings
-       member=Read
-       peer=(name=:*, label=xdg-desktop-portal),
-
  dbus (send, receive) bus=session path=/org/gnome/Mutter/*
       interface=org.gnome.Mutter.*
       peer=(name=:*, label="{gnome-shell,gsd-xsettings}"),
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -11,6 +11,9 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus/account-daemon>
  include <abstractions/bus/atspi>
+  include <abstractions/bus/desktop>
+  include <abstractions/bus/gnome-screensaver>
+  include <abstractions/bus/session-manager>
  include <abstractions/bus/vfs/mount>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
@ -33,65 +36,24 @@ profile xdg-desktop-portal-gtk @{exec_path} {

  dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gtk,

-  dbus send bus=session path=/org/gnome/SessionManager
-       interface=org.gnome.SessionManager
-       member=RegisterClient
-       peer=(name=:*, label=gnome-session-binary),
+  dbus receive bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.NetworkManager
+       member=CheckPermissions,

-  dbus receive bus=session path=/org/gnome/SessionManager
-       interface=org.gnome.SessionManager
-       member={ClientAdded,ClientRemoved,SessionRunning}
-       peer=(name=:*, label=gnome-session-binary),
-
-  dbus send bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
+  dbus receive bus=system path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label=gnome-session-binary),
-
-  dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]*
-       interface=org.gnome.SessionManager.ClientPrivate
-       member=EndSessionResponse
-       peer=(name=:*, label=gnome-session-binary),
-
-  dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]*
-       interface=org.gnome.SessionManager.ClientPrivate
-       member={EndSession,QueryEndSession,CancelEndSession,Stop}
-       peer=(name=:*, label=gnome-session-binary),
+       member=PropertiesChanged,

  dbus receive bus=session path=/org/gnome/Shell/Introspect
       interface=org.gnome.Shell.Introspect
       member={RunningApplicationsChanged,WindowsChanged}
       peer=(name=:*, label=gnome-shell),

-  dbus send bus=session path=/org/gnome/ScreenSaver
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label=gjs-console),
-  dbus send bus=session path=/org/gnome/ScreenSaver
-       interface=org.gnome.ScreenSaver
-       member=GetActive
-       peer=(name=:*, label=gjs-console),
-
  dbus send bus=session path=/org/gnome/Shell/Introspect
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=:*, label=gnome-shell),

-  dbus receive bus=session path=/org/gnome/ScreenSaver
-       interface=org.gnome.ScreenSaver
-       member=ActiveChanged
-       peer=(name=:*, label=gjs-console),
-
-  dbus send bus=session path=/org/freedesktop/portal/desktop
-       interface=org.freedesktop.impl.portal.Settings
-       member=SettingChanged
-       peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
-
-  dbus receive bus=session path=/org/freedesktop/portal/desktop
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label=xdg-desktop-portal),
-
  dbus send bus=session path=/org/gtk/Notifications
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@ -16,29 +16,19 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
  signal (receive) set=(term hup kill) peer=dbus-daemon,
  signal (receive) set=(term hup kill) peer=gdm*,

+  dbus bind bus=session name=org.freedesktop.impl.portal.PermissionStore,
  dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore
       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label="{gnome-shell,xdg-document-portal}"),
-
+       peer=(name=:*),
  dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore
       interface=org.freedesktop.impl.portal.PermissionStore
-       member=Lookup
-       peer=(name=:*, label="{gnome-shell,xdg-desktop-portal,wireplumber}"),
+       peer=(name=:*),

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),

-  dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label=xdg-desktop-portal),
-
-  dbus bind    bus=session
-       name=org.freedesktop.impl.portal.PermissionStore,
-
  @{exec_path} mr,

  @{HOME}/@{XDG_DATA_DIR}/flatpak/db/gnome rw,