feat(profiles): dbus abstactions and related rules.

2022-06-05 22:57:29 +01:00 · 2022-06-05 22:57:29 +01:00 · e949654614
commit e949654614
parent 63e5980d8d
62 changed files with 101 additions and 66 deletions
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = @{libexec}/evolution-addressbook-factory
 profile evolution-addressbook-factory @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-network-manager-strict>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/evolution-data-server/evolution-alarm-notify
 profile evolution-alarm-notify @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-session>
  include <abstractions/dconf>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/gnome>
@ -23,6 +24,7 @@ profile evolution-alarm-notify @{exec_path} {
  /usr/share/ubuntu/applications/ r,
  /usr/share/zoneinfo-icu/{,**} r,

+  owner @{run}/user/@{uid}/at-spi/bus rw,
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,

--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = @{libexec}/evolution-calendar-factory
 profile evolution-calendar-factory @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-network-manager-strict>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/gnome/evolution-source-registry
+++ b/apparmor.d/groups/gnome/evolution-source-registry
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/evolution-source-registry
 profile evolution-source-registry @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dconf>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@ -11,6 +11,7 @@ profile gdm-wayland-session @{exec_path} {
  include <abstractions/base>
  include <abstractions/bash>
  include <abstractions/consoles>
+  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/nameservice-strict>
  include <abstractions/zsh>
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path}  = /{usr/,}bin/gjs-console
 profile gjs-console @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dconf>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js
 profile gnome-extension-ding @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/fonts>
@ -36,7 +37,6 @@ profile gnome-extension-ding @{exec_path} {
  owner @{user_share_dirs}/gvfs-metadata/home r,
  owner @{user_share_dirs}/gvfs-metadata/home-*.log r,

-  owner @{run}/user/@{uid}/bus rw,
  owner @{run}/user/@{uid}/at-spi/bus rw,
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-keyring-daemon
 profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/openssl>

--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gnome-remote-desktop-daemon
 profile gnome-remote-desktop-daemon @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/vulkan>
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gnome-session-binary
 profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/dri-common>
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server
+++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gnome-shell-calendar-server
 profile gnome-shell-calendar-server @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dconf>
  include <abstractions/nameservice-strict>

--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = @{libexec}/goa-daemon
 profile goa-daemon @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-network-manager-strict>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/gnome/goa-identity-service
+++ b/apparmor.d/groups/gnome/goa-identity-service
@ -10,6 +10,7 @@ include <tunables/global>
 profile goa-identity-service @{exec_path} {
  include <abstractions/base>
  include <abstractions/authentication>
+  include <abstractions/dbus-session-strict>

  @{exec_path} mr,

--- a/apparmor.d/groups/gnome/gsd-a11y-settings
+++ b/apparmor.d/groups/gnome/gsd-a11y-settings
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-a11y-settings
 profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dconf>

  signal (receive) set=(term, hup) peer=gdm*,
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-color
 profile gsd-color @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/fontconfig-cache-read>
@ -35,9 +36,11 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/icc/ r,
  owner @{user_share_dirs}/icc/edid-*.icc rw,

+  owner @{run}/user/@{uid}/at-spi/bus rw,
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
+  owner @{run}/user/@{uid}/wayland-[0-9] rw,

  owner /dev/tty[0-9]* rw,

--- a/apparmor.d/groups/gnome/gsd-datetime
+++ b/apparmor.d/groups/gnome/gsd-datetime
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-datetime
 profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dconf>

  signal (receive) set=(term, hup) peer=gdm*,
--- a/apparmor.d/groups/gnome/gsd-disk-utility-notify
+++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-disk-utility-notify
 profile gsd-disk-utility-notify @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>

  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@ -10,6 +10,7 @@ include <tunables/global>
 profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-launcher-user>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dconf>
  include <abstractions/thumbnails-cache-read>

--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-keyboard
 profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/fontconfig-cache-read>
@ -31,9 +32,11 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw,
  owner @{user_share_dirs}/gnome-settings-daemon/ rw,

+  owner @{run}/user/@{uid}/at-spi/bus rw,
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
+  owner @{run}/user/@{uid}/wayland-[0-9] rw,

  owner /dev/tty[0-9]* rw,

--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@ -10,6 +10,7 @@ include <tunables/global>
 profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/fonts>
@ -30,9 +31,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  /usr/share/sounds/freedesktop/stereo/*.oga r,
  /usr/share/X11/xkb/** r,

-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
-
  owner @{user_config_dirs}/pulse/ rw,

  owner @{user_share_dirs}/ r,
@ -43,9 +41,11 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm/.config/pulse/client.conf r,
  /var/lib/gdm/.config/pulse/cookie rk,

+  owner @{run}/user/@{uid}/at-spi/bus rw,
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
        @{run}/systemd/inhibit/[0-9]*.ref rw,

  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@ -10,6 +10,7 @@ include <tunables/global>
 profile gsd-power @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/fonts>
@ -28,15 +29,15 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
  /usr/share/icons/{,**} r,
  /usr/share/X11/xkb/** r,

-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
  /var/lib/gdm/.cache/event-sound-cache.tdb.* rwk,
  /var/lib/gdm/.config/dconf/user r,
  /var/lib/gdm/.config/pulse/client.conf r,

+  owner @{run}/user/@{uid}/at-spi/bus rw,
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
+  owner @{run}/user/@{uid}/wayland-[0-9] rw,

  @{run}/udev/data/+backlight:* r,
  @{run}/udev/data/+leds:*backlight* r,
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-print-notifications
 profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>

--- a/apparmor.d/groups/gnome/gsd-printer
+++ b/apparmor.d/groups/gnome/gsd-printer
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-printer
 profile gsd-printer @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>

  signal (receive) set=(term, hup) peer=gdm*,
--- a/apparmor.d/groups/gnome/gsd-rfkill
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-rfkill
 profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>

  signal (receive) set=(term, hup) peer=gdm*,
--- a/apparmor.d/groups/gnome/gsd-screensaver-proxy
+++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-screensaver-proxy
 profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>

  signal (receive) set=(term, hup) peer=gdm*,

--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-sharing
 profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-network-manager-strict>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>

--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-smartcard
 profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dconf>
  include <abstractions/p11-kit>

--- a/apparmor.d/groups/gnome/gsd-sound
+++ b/apparmor.d/groups/gnome/gsd-sound
@ -10,6 +10,7 @@ include <tunables/global>
 profile gsd-sound @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dconf>

  signal (receive) set=(term, hup) peer=gdm*,
--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-wacom
 profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dconf>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
@ -28,9 +29,11 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {

  /etc/machine-id r,

+  owner @{run}/user/@{uid}/at-spi/bus rw,
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
+  owner @{run}/user/@{uid}/wayland-[0-9] rw,

  /var/lib/gdm/.config/dconf/user r,

--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-xsettings
 profile gsd-xsettings @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/dri-common>
@ -49,13 +50,14 @@ profile gsd-xsettings @{exec_path} {

  owner @{user_cache_dirs}/mesa_shader_cache/index rw,

+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
+  owner @{run}/user/@{uid}/at-spi/bus rw,
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
-
-  owner @{run}/systemd/users/@{uid}/ r,
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
        @{run}/systemd/sessions/* r,
+        @{run}/systemd/users/@{uid} r,

  owner @{PROC}/@{pid}/fd/ r,

--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -10,6 +10,7 @@ include <tunables/global>
 profile nautilus @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-launcher-user>
+  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/gnome>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/tracker-miner-fs-{,control-}3
 profile tracker-miner @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf>
  include <abstractions/disks-read>