feat(dbus): rewrite some dbus rules (5).

2023-12-04 21:54:45 +00:00 · 2023-12-04 21:54:45 +00:00 · da3b5103e4
commit da3b5103e4
parent f5862c9862
40 changed files with 119 additions and 400 deletions
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -25,17 +25,15 @@ profile snap @{exec_path} {

  mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/,

-  dbus (send, receive) bus=session path=/org/freedesktop/
-         interface=org.freedesktop.systemd1.Manager
-         member={StartTransientUnit,JobRemoved}
-         peer=(name=:*, label=unconfined),
+  dbus send bus=session path=/org/freedesktop/systemd1
+       interface=org.freedesktop.systemd1.Manager
+       member=StartTransientUnit
+       peer=(name=org.freedesktop.systemd1, label="@{systemd}"),

-  dbus (send, receive) bus=system path=/org/freedesktop/
-         interface=org.freedesktop.systemd1.Manager
-         member={StartTransientUnit,JobRemoved},
-
-  dbus (send, receive) bus=system path=/org/freedesktop/systemd1
-       interface=org.freedesktop.systemd1.Manager,
+  dbus receive bus=session path=/org/freedesktop/systemd1
+       interface=org.freedesktop.systemd1.Manager
+       member=JobRemoved
+       peer=(name=:*, label="@{systemd}"),

  dbus send bus=session path=/org/freedesktop/portal/documents
       interface=org.freedesktop.portal.Documents
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@ -11,6 +11,7 @@ profile spice-vdagent @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/bus/atspi>
+  include <abstractions/bus/desktop>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
@ -26,11 +27,6 @@ profile spice-vdagent @{exec_path} {
       member=GetCurrentState
       peer=(name=:*, label=gnome-shell),

-  dbus send bus=session path=/org/freedesktop/portal/desktop
-       interface=org.freedesktop.DBus.Properties
-       member=Get
-       peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
-
  dbus send bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.portal.Realtime
       member=MakeThreadRealtimeWithPID
--- a/apparmor.d/profiles-s-z/spice-vdagentd
+++ b/apparmor.d/profiles-s-z/spice-vdagentd
@ -13,9 +13,10 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {

  capability sys_nice,

-  dbus receive bus=system path=/org/freedesktop/login1/session/_[0-9]*
+  dbus receive bus=system path=/org/freedesktop/login1/session/*
       interface=org.freedesktop.login1.Session
-       member=Unlock,
+       member=Unlock
+       peer=(name=:*, label=systemd-logind),

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/system-config-printer
+++ b/apparmor.d/profiles-s-z/system-config-printer
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += /usr/share/system-config-printer/system-config-printer.py
 profile system-config-printer @{exec_path} flags=(complain) {
  include <abstractions/base>
+  include <abstractions/bus/hostname>
  include <abstractions/bus/polkit>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
@ -28,10 +29,6 @@ profile system-config-printer @{exec_path} flags=(complain) {
  network inet6 stream,
  network netlink raw,

-  dbus send bus=system path=/org/freedesktop/hostname1
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll,
-
  @{exec_path} mrix,

  @{bin}/{,ba,da}sh           rix,
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@ -18,6 +18,7 @@ profile thunderbird @{exec_path} {
  include <abstractions/audio>
  include <abstractions/bus/atspi>
  include <abstractions/bus/rtkit>
+  include <abstractions/bus/desktop>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
@ -51,16 +52,6 @@ profile thunderbird @{exec_path} {

  dbus bind bus=session name=org.mozilla.thunderbird.*,

-  dbus send bus=session path=/org/freedesktop/portal/desktop
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*),
-
-  dbus send bus=session path=/org/freedesktop/portal/desktops
-       interface=org.freedesktop.portal.Settings
-       member=Read
-       peer=(name=:*),
-
  dbus receive bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member={UserAdded,UserRemoved}
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@ -65,7 +65,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
       peer=(name="{:*,org.freedesktop.DBus}"),
  dbus receive bus=system path=/org/freedesktop/UDisks2{,/**}
       interface=org.freedesktop.DBus.{Properties,ObjectManager}
-       peer=(name=:*),
+       peer=(name="{:*,org.freedesktop.DBus}"),
  
  dbus (send,receive) bus=system path=/
       interface=org.freedesktop.DBus.Introspectable