feat(profiles): dbus abstactions and related rules.

2022-06-05 22:57:29 +01:00 · 2022-06-05 22:57:29 +01:00 · e949654614
commit e949654614
parent 63e5980d8d
62 changed files with 101 additions and 66 deletions
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@ -10,6 +10,7 @@ include <tunables/global>
 profile spice-vdagent @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
+  include <abstractions/dbus-session-strict>
  include <abstractions/gtk>

  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
@ -21,6 +22,7 @@ profile spice-vdagent @{exec_path} {

  owner @{user_config_dirs}/user-dirs.dirs r,

+  owner @{run}/user/@{uid}/at-spi/bus rw,
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
        @{run}/spice-vdagentd/spice-vdagent-sock rw,

--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@ -11,6 +11,7 @@ profile su @{exec_path} {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/consoles>
+  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>
 # include <pam/mappings>
@ -54,28 +55,7 @@ profile su @{exec_path} {
  @{PROC}/cmdline r,
  @{sys}/devices/virtual/tty/console/active r,

-  # pseudo-terminal
-  capability chown,
-
  /dev/{,pts/}ptmx rw,
-
-  @{run}/dbus/system_bus_socket rw,
-
-  dbus (send)
-     bus=system
-     path=/org/freedesktop/DBus
-     interface=org.freedesktop.DBus
-     member=Hello
-     peer=(name=org.freedesktop.DBus),
-
-  dbus (send)
-    bus=system
-    path=/org/freedesktop/login[0-9]
-    interface=org.freedesktop.login[0-9].Manager
-    member={CreateSession,ReleaseSession},
-
-  unix (bind) type=dgram,
-
  /dev/tty[0-9]* rw,

  include if exists <local/su>