diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 3ec36976d..861132887 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -10,6 +10,10 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier profile DiscoverNotifier @{exec_path} { include + include + include + include + include include include include @@ -23,6 +27,10 @@ profile DiscoverNotifier @{exec_path} { network netlink dgram, network netlink raw, + #aa:dbus own bus=session name=org.kde.discover.notifier + + #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd + @{exec_path} mr, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index d9879941b..b30e39cdc 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include + include + include + include include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 42c1400ef..65582d1ba 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -10,10 +10,15 @@ include profile kaccess @{exec_path} { include include + include + include + include include include include + #aa:dbus own bus=session name=org.kde.kaccess + @{exec_path} mr, @{bin}/gsettings rPx, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 1ee022dc6..1cc6b41d1 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kactivitymanagerd profile kactivitymanagerd @{exec_path} { include + include include include include 
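Review bot: In the second DiscoverNotifier hunk, the added `#aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd` carries no `path=`, while this same commit widens the owner side in `profiles-m-r/packagekitd` to `path=/**`. If the owner needed the wider path because PackageKit exposes objects outside the path derived from its name, the client rule probably needs the same, otherwise calls on those objects stay denied for DiscoverNotifier. The directive's expansion is not visible in this diff, so confirm against the generated rules; if it applies, use `#aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd`. A one-line comment on the packagekitd rule saying why the path is `/**` would also stop someone narrowing it back later.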
@@ -18,6 +19,9 @@ profile kactivitymanagerd @{exec_path} { include include + #aa:dbus own bus=session name=org.kde.ActivityManager path=/ActivityManager + #aa:dbus own bus=session name=org.kde.runners.activities + @{exec_path} mr, /etc/xdg/menus/{,*/} r, diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper index 61308e83b..cc844ce17 100644 --- a/apparmor.d/groups/kde/kauth-backlighthelper +++ b/apparmor.d/groups/kde/kauth-backlighthelper @@ -16,6 +16,8 @@ profile kauth-backlighthelper @{exec_path} { capability net_admin, + #aa:dbus own bus=system name=org.kde.powerdevil.backlighthelper + @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index 8ed8bf82e..119b5508d 100644 --- a/apparmor.d/groups/kde/kauth-chargethresholdhelper +++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -9,7 +9,12 @@ include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}chargethresholdhelper profile kauth-chargethresholdhelper @{exec_path} { include + include include + include + + #aa:dbus own bus=system name=org.kde.powerdevil.chargethresholdhelper + #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kauth-discretegpuhelper b/apparmor.d/groups/kde/kauth-discretegpuhelper index f03dfb007..8fcec5a2c 100644 --- a/apparmor.d/groups/kde/kauth-discretegpuhelper +++ b/apparmor.d/groups/kde/kauth-discretegpuhelper @@ -9,8 +9,12 @@ include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}discretegpuhelper profile kauth-discretegpuhelper @{exec_path} { include + include + include include + #aa:dbus own bus=system name=org.kde.powerdevil.discretegpuhelper + @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index cf0caffeb..2e60e6a0a 100644 
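Review bot: In the kauth-chargethresholdhelper hunk, the new `#aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil` pins the KF5-versioned name, yet the profile's exec path `@{lib}/{,kf6/}kauth/{,libexec/}chargethresholdhelper` also attaches to the KF6 build. If the KF6 helper speaks under a differently versioned name, its traffic falls outside the rule and is denied; the KF6 side is not visible here, so this needs checking on a Plasma 6 host. The same hardcoded name is used in the kscreen_backend_launcher hunk and in the `interface=org.kde.kf5auth` rules of kauth-kded-smart-helper and kded. If it turns out to differ, widen the name with an alternation in the style of the `kf{5,6}` one in kscreen_backend_launcher's exec path.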
--- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper @@ -15,10 +15,14 @@ profile kauth-kded-smart-helper @{exec_path} { #aa:dbus own bus=system name=org.kde.kded.smart + dbus receive bus=system path=/ + interface=org.kde.kf5auth + member=performAction + peer=(name=@{busname}, label=kded), dbus send bus=system path=/ interface=org.kde.kf5auth member=remoteSignal - peer=(name=org.freedesktop.DBus, label=kded5), + peer=(name=org.freedesktop.DBus, label=kded), @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index e11de6a48..bd01bf3c8 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -10,9 +10,12 @@ include profile kcminit @{exec_path} { include include + include include include + #aa:dbus own bus=session name=org.kde.{KCM,kcm}init path=/kcminit + @{exec_path} mr, @{bin}/xrdb rPx, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 45c382855..c961ed7a3 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -11,6 +11,13 @@ include profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include include + include + include + include + include + include + include + include include include include @@ -20,6 +27,14 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) network netlink raw, + #aa:dbus own bus=system name=org.freedesktop.Policy.Power + + #aa:dbus own bus=session name=local.org_kde_powerdevil + #aa:dbus own bus=session name=org.freedesktop.PowerManagement + #aa:dbus own bus=session name=org.kde.Solid.PowerManagement + + #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index ef81b95d1..e729ec78b 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded 
@@ -10,9 +10,14 @@ include profile kded @{exec_path} { include include + include + include include + include include + include include + include include include include @@ -35,19 +40,41 @@ profile kded @{exec_path} { signal send set=hup peer=xsettingsd, signal send set=term peer=kioworker, + # Owned by KDE + #aa:dbus own bus=system name=com.redhat.NewPrinterNotification + + #aa:dbus own bus=session name=org.gtk.Settings + #aa:dbus own bus=session name=org.kde.DistroReleaseNotifier + #aa:dbus own bus=session name=org.kde.GtkConfig + #aa:dbus own bus=session name=org.kde.kappmenu + #aa:dbus own bus=session name=org.kde.kcookiejar5 + #aa:dbus own bus=session name=org.kde.kded5 + #aa:dbus own bus=session name=org.kde.keyboard + #aa:dbus own bus=session name=org.kde.KeyboardLayouts + #aa:dbus own bus=session name=org.kde.plasmanetworkmanagement + #aa:dbus own bus=session name=org.kde.plasmashell.accentColor + #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher + #aa:dbus own bus=session name=org.kde.Wacom + #aa:dbus own bus=session name=org.kubuntu.NotificationHelper + #aa:dbus own bus=session name=org.kubuntu.restrictedInstall + + # Talk with KDE + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label="{kglobalacceld,kwin_wayland}" + dbus receive bus=system path=/ interface=org.kde.kf5auth member=remoteSignal - peer=(name=:*, label=kauth-kded-smart-helper), + peer=(name=@{busname}, label=kauth-kded-smart-helper), dbus send bus=system path=/ interface=org.kde.kf5auth member=performAction - peer=(name="{:*,org.kde.kded.smart}", label=kauth-kded-smart-helper), + peer=(name="{@{busname},org.kde.kded.smart}", label=kauth-kded-smart-helper), @{exec_path} mrix, diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 0e8ba3395..156bdf928 100644 
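Review bot: In the second kded hunk, the own list carries only 5-suffixed names (`org.kde.kded5`, `org.kde.kcookiejar5`), and kioworker's new talk rule likewise targets `name=org.kde.kded5`; kwalletd owns only `org.kde.kwalletd5`. Other profiles in this commit already match `kf6` paths, so if these profiles also confine the Plasma 6 daemons, those would register under names the rules do not allow. Consider `#aa:dbus own bus=session name=org.kde.kded{5,6}` with the matching change on the talk side, after confirming the names on a running session; the commit already uses alternation inside names, for example `org.kde.{KCM,kcm}init`. Separately, the `# Talk with KDE` header sits above rules for NetworkManager and boltd on the system bus, so a header such as `# Talk with system services` would describe them better.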
--- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -9,8 +9,11 @@ include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include + include include + #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel + @{exec_path} mr, @{bin}/kstart rPx, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index a5f867378..69b735310 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/kf5/kioslave5 @{lib}/@{multiarch}/{,libexec/}kf5/kioslave5 profile kioworker @{exec_path} { include + include include include include @@ -32,6 +33,8 @@ profile kioworker @{exec_path} { signal receive set=term peer=plasmashell, signal receive set=term peer=xdg-desktop-portal-kde, + #aa:dbus talk bus=session name=org.kde.kded5 path=/kded label=kded + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 8f9ff48dd..057a23d70 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -13,6 +13,7 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include @@ -22,6 +23,8 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(hup), + #aa:dbus own bus=session name=org.kde.konsole-@{int} + @{exec_path} mr, @{bin}/@{shells} rUx, @{browsers_path} rPx, diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index d4b547c7c..7df07f64b 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher 
@@ -10,8 +10,14 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include - include + include + include + include include + include + + #aa:dbus own bus=session name=org.kde.KScreen + #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil @{exec_path} mr, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 6d515fb18..f4d54c295 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -11,6 +11,9 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include + include + include include include include @@ -20,6 +23,14 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace (read) peer=kbuildsycoca5, + #aa:dbus own bus=session name=org.freedesktop.ScreenSaver + #aa:dbus own bus=session name=org.kde.ksmserver path=/KSMServer + #aa:dbus own bus=session name=org.kde.KSMServerInterface path=/KSMServer + #aa:dbus own bus=session name=org.kde.screensaver + + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label=kglobalacceld + #aa:dbus talk bus=session name=org.kde.KWin.Session path=/Session label=kwin_wayland + @{exec_path} mr, @{bin}/rm rix, diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index 13f1216a5..e1d5d7394 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/ksplashqml profile ksplashqml @{exec_path} { include + include + include include include include @@ -16,6 +18,8 @@ profile ksplashqml @{exec_path} { ptrace read peer=startplasma, + #aa:dbus own bus=session name=org.kde.KSplash path=/KSplash + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index c4e25e9ff..23737f14e 100644 --- a/apparmor.d/groups/kde/kwalletd 
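Review bot: In the second ksmserver hunk, `#aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label=kglobalacceld` allows only the kglobalacceld peer, whereas the kded and plasmashell hunks in this commit use `label="{kglobalacceld,kwin_wayland}"` for the same service. The next added line talks to `org.kde.KWin.Session` with `label=kwin_wayland`, so this profile is expected to run in a Wayland session, where kwin_wayland is also given a global-accel name by this commit. For consistency the rule would be `#aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label="{kglobalacceld,kwin_wayland}"`; if the narrower label is deliberate, a short comment saying so would help.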
+++ b/apparmor.d/groups/kde/kwalletd @@ -11,6 +11,9 @@ include profile kwalletd @{exec_path} { include include + include + include + include include include include @@ -19,6 +22,9 @@ profile kwalletd @{exec_path} { include include + #aa:dbus own bus=session name=org.freedesktop.secrets + #aa:dbus own bus=session name=org.kde.kwalletd5 + @{exec_path} mr, @{bin}/gpgconf rCx -> gpg, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index afaac3bd0..a8dc97d53 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -10,6 +10,10 @@ include profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include include + include + include + include + include include include include @@ -27,6 +31,14 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { network netlink raw, + #aa:dbus own bus=session name=org.freedesktop.ScreenSaver + #aa:dbus own bus=session name=org.kde.kglobalaccel + #aa:dbus own bus=session name=org.kde.KWin + #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect + #aa:dbus own bus=session name=org.kde.screensaver + + #aa:dbus talk bus=session name=org.kde.ActivityManager path=/ActivityManager label=kactivitymanagerd + @{exec_path} mr, /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, diff --git a/apparmor.d/groups/kde/kwin_wayland_wrapper b/apparmor.d/groups/kde/kwin_wayland_wrapper index 1a7573d77..a7ce4c2fe 100644 --- a/apparmor.d/groups/kde/kwin_wayland_wrapper +++ b/apparmor.d/groups/kde/kwin_wayland_wrapper @@ -9,11 +9,14 @@ include @{exec_path} = @{bin}/kwin_wayland_wrapper profile kwin_wayland_wrapper @{exec_path} { include + include include include signal (send) set=(term, kill) peer=kwin_wayland, + #aa:dbus own bus=session name=org.kde.KWinWrapper + @{exec_path} mr, @{bin}/kwin_wayland rPx, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index 8400c8cb6..f4f955a4f 100644 
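Review bot: In the second kwin_wayland hunk, the own rule is spelled `name=org.kde.kglobalaccel`, but every other rule for this service in the commit uses `org.kde.KGlobalAccel` (kglobalacceld's own rule, and the talk rules in kded, ksmserver, kwin_x11 and plasmashell). D-Bus names are case-sensitive, so the two spellings cannot both match what is registered on the bus, and one side is likely to produce denials. Check the name actually requested in a running session (the audit log shows it) and use that spelling on both the own and the talk side. The same hunk also lets kwin_wayland own `org.freedesktop.ScreenSaver` and `org.kde.screensaver`, which the ksmserver hunk allows as well; a comment stating which process is expected to hold them would show the overlap is intended.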
--- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/kwin_x11 profile kwin_x11 @{exec_path} { include + include + include include include include @@ -22,6 +24,12 @@ profile kwin_x11 @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.kde.KWin + #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect + + #aa:dbus talk bus=session name=org.kde.ActivityManager label=kactivitymanagerd + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label=kglobalacceld + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname index a509135af..d32122a8a 100644 --- a/apparmor.d/groups/kde/plasma_waitforname +++ b/apparmor.d/groups/kde/plasma_waitforname @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/plasma_waitforname profile plasma_waitforname @{exec_path} { include + include include include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 07fbc8e14..19106cfa9 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -11,9 +11,13 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include include include + include + include include + include include include include 
@@ -43,6 +47,23 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { signal send, + #aa:dbus own bus=session name=com.canonical.Unity + #aa:dbus own bus=session name=org.freedesktop.Notifications + #aa:dbus own bus=session name=org.kde.JobViewServer + #aa:dbus own bus=session name=org.kde.klipper + #aa:dbus own bus=session name=org.kde.kuiserver + #aa:dbus own bus=session name=org.kde.plasmashell path=/PlasmaShell + #aa:dbus own bus=session name=org.kde.StatusNotifierHost-@{int} + + #aa:dbus talk bus=session name=org.kde.kdeconnect path=/ label=kdeconnectd + #aa:dbus talk bus=session name=org.kde.KeyboardLayouts path=/Layouts label=kded + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label="{kglobalacceld,kwin_wayland}" + #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml + #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" + #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="kwin_{wayland,x11}" + #aa:dbus talk bus=session name=org.kde.Solid.PowerManagement label=kde-powerdevil + #aa:dbus talk bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher label=kded + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 143df5c9e..9884e2145 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm 
@@ -50,20 +50,11 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(term) peer=startplasma-wayland, signal (send) set=(term) peer=startlxqtwayland, - dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=kscreenlocker-greet), + unix type=stream addr=@@{udbus}/bus/sddm-helper/system, - dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label="@{p_systemd_logind}"), + #aa:dbus own bus=system name=org.freedesktop.DisplayManager - dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet), + #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" @{exec_path} mr, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index f2c133cec..c9aca546a 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -23,6 +23,11 @@ profile sddm-greeter @{exec_path} { network netlink raw, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ListActivatableNames + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index f27f3dc3c..f4256d3d4 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession 
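Review bot: In the sddm hunk, three narrow rules that pinned `Introspect` and `PropertiesChanged` on `/org/freedesktop/DisplayManager/Seat@{int}` to the peers `kscreenlocker-greet` and `@{p_systemd_logind}` are replaced by `#aa:dbus own bus=system name=org.freedesktop.DisplayManager`, which names no peer label. Depending on how the directive expands (not visible here), this profile may now accept calls on the display manager's objects from any system-bus peer, where previously only those two labels were allowed. If that widening is not intended, keep the label-restricted rules next to the own directive, or add a comment saying why the peer restriction was dropped. The new `unix type=stream addr=@@{udbus}/bus/sddm-helper/system,` rule likewise has no `peer=(label=...)`; if the other end is always one profile, adding its label would keep the rule tight.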
@@ -90,6 +90,16 @@ profile sddm-xsession @{exec_path} { profile dbus { include + include + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=SetEnvironment + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 004b89d57..651061aa9 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -11,12 +11,17 @@ profile startplasma @{exec_path} { include include include + include + include include include signal (receive) set=(hup) peer=@{p_systemd}, signal (receive) set=(term) peer=sddm, + #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" + #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index b41dac08a..aab520a72 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -10,7 +10,9 @@ include profile systemsettings @{exec_path} { include include + include include + include include include include @@ -23,6 +25,9 @@ profile systemsettings @{exec_path} { signal send set=term peer=kioworker, + #aa:dbus own bus=session name=org.kde.internal.KSettingsWidget_kcm_networkmanagement + #aa:dbus own bus=session name=org.kde.systemsettings + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 6cb93163c..b768e2630 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy 
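Review bot: The two `dbus send` rules added to the `dbus` sub-profile of sddm-xsession have no comment, and both methods are sensitive: `UpdateActivationEnvironment` and `SetEnvironment` change the environment inherited by services activated later in the session. A comment above them such as `# Export the session environment to the D-Bus and systemd user activators; keep pinned to these two peers.` would record why the peer labels `@{p_dbus_session}` and `@{p_systemd_user}` must not be loosened. The sub-profile's body continues outside the hunk.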
@@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/xembedsniproxy profile xembedsniproxy @{exec_path} { include + include + include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 6b444093c..f27449e77 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -50,8 +50,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher - member=Action + member=Action2 peer=(name=org.freedesktop.nm_dispatcher), + dbus send bus=system path=/uk/org/thekelleys/dnsmasq interface=org.freedesktop.NetworkManager.dnsmasq member=SetServersEx diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 189afd74d..710d3115b 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online @@ -16,12 +16,12 @@ profile nm-online @{exec_path} { dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} interface=org.freedesktop.NetworkManager.Connection.Active member=StateChanged - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index 4dc1380c0..c2de7f8b6 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd 
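Review bot: In the NetworkManager hunk, `member=Action` is replaced by `member=Action2`, so a NetworkManager build that still calls the older dispatcher method would have that send denied and its dispatcher scripts would not run. If the profile has to serve distributions on both sides of that change, allow both with `member=Action{,2}`. The rule's peer, `peer=(name=org.freedesktop.nm_dispatcher)`, is unchanged context and carries no label; adding the dispatcher's profile label there would be a reasonable follow-up.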
@@ -24,6 +24,11 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.PolicyKit1 + dbus send bus=system path=/org/kde/PolicyKit1/AuthenticationAgent + interface=org.freedesktop.PolicyKit1.AuthenticationAgent + member=BeginAuthentication + peer=(name=@{busname}, label=polkit-kde-authentication-agent), + @{exec_path} mr, @{bin}/pkla-check-authorization rPx, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 9de9cadf9..19f6a515e 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -38,7 +38,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { signal send set=int peer=apt-methods-*, signal send set=term peer=systemd-inhibit, - #aa:dbus own bus=system name=org.freedesktop.PackageKit + #aa:dbus own bus=system name=org.freedesktop.PackageKit path=/** @{exec_path} mr,
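Review bot: In the polkitd hunk, the new send rule allows only `member=BeginAuthentication` towards the agent. The `org.freedesktop.PolicyKit1.AuthenticationAgent` interface also has `CancelAuthentication`, and unless that is allowed elsewhere in the profile (the body continues outside the hunk) polkitd could open an authentication dialog but not withdraw it. Consider `member={Begin,Cancel}Authentication`. The rule is also specific to the KDE agent's path and label, so agents of other desktops need their own rule.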