feat(profiles): dbus abstactions and related rules.

2022-06-05 22:57:29 +01:00 · 2022-06-05 22:57:29 +01:00 · e949654614
commit e949654614
parent 63e5980d8d
62 changed files with 101 additions and 66 deletions
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/at-spi2-registryd
 profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/nameservice-strict>

  signal (receive) set=(term hup) peer=gdm*,
--- a/apparmor.d/groups/freedesktop/colord-sane
+++ b/apparmor.d/groups/freedesktop/colord-sane
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/colord-sane
 profile colord-sane @{exec_path} flags=(attach_disconnected,complain) {
  include <abstractions/base>
+  include <abstractions/dbus-strict>
  include <abstractions/devices-usb>

  network netlink raw,
--- a/apparmor.d/groups/freedesktop/dconf-service
+++ b/apparmor.d/groups/freedesktop/dconf-service
@ -9,9 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/dconf/dconf-service @{libexec}/dconf-service
 profile dconf-service @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-
-  # Needed?
-  deny capability sys_nice,
+  include <abstractions/dbus-session-strict>

  signal (receive) set=(term kill hup) peer=dbus-daemon,
  signal (receive) set=(term hup) peer=gdm*,
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -11,6 +11,7 @@ include <tunables/global>
 profile pipewire @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>

--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/freedesktop/polkit-agent-helper
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/polkit-agent-helper-[0-9]
 profile polkit-agent-helper @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-strict>
  include <abstractions/authentication>
  include <abstractions/nameservice-strict>
  include <abstractions/consoles>
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal
 profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/freedesktop.org>
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal-gnome
 profile xdg-desktop-portal-gnome @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/fontconfig-cache-write>
@ -31,6 +32,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
  owner @{user_share_dirs}/ r,

  owner @{run}/user/@{uid}/dconf/user rw,
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,

  include if exists <local/xdg-desktop-portal-gnome>
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal-gtk
 profile xdg-desktop-portal-gtk @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/fontconfig-cache-write>
@ -31,7 +32,9 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  owner @{HOME}/@{XDG_DATA_HOME}/ r,

  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+  owner @{run}/user/@{uid}/at-spi/bus rw,
  owner @{run}/user/@{uid}/dconf/user rw,
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
        @{run}/mount/utab r,

  owner @{PROC}/@{uid}/mountinfo r,
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-permission-store
 profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>

  signal (receive) set=(term hup kill) peer=dbus-daemon,
  signal (receive) set=(term hup kill) peer=gdm*,