diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 7fc6a53a7..15f8a1325 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -32,7 +32,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-*, - unix (receive, send) type=stream peer=(label=apt-esm-json-hook), + unix (send, receive) type=stream peer=(label=apt-esm-json-hook), + unix (send, receive) type=stream peer=(label=snapd), dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/@{hex}} interface=org.{debian.apt*,freedesktop.DBus.{Properties,Introspectable}}, @@ -154,7 +155,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/[0-9]*.ref rw, - profile editor flags=(complain) { + profile editor { include include @@ -196,7 +197,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { } - profile dpkg-source flags=(complain) { + profile dpkg-source { include include include diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 0af31a95f..a05c549df 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -12,6 +12,7 @@ include profile command-not-found @{exec_path} { include include + include include include @@ -19,11 +20,14 @@ profile command-not-found @{exec_path} { /{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/snap rPx, /var/lib/command-not-found/commands.db rwk, /usr/share/command-not-found/{,**} r, + owner @{PROC}/@{pid}/fd/ r, + # Silencer deny /usr/lib/ r, diff --git a/apparmor.d/groups/avahi/avahi-daemon b/apparmor.d/groups/avahi/avahi-daemon index 5a972463e..89703b5ab 100644 --- a/apparmor.d/groups/avahi/avahi-daemon +++ b/apparmor.d/groups/avahi/avahi-daemon 
@@ -7,13 +7,26 @@ abi , include @{exec_path} = /{usr/,}bin/avahi-daemon -profile avahi-daemon @{exec_path} flags=(complain) { +profile avahi-daemon @{exec_path} { include include network inet dgram, network inet6 dgram, + dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* + interface=org.freedesktop.Avahi.ServiceBrowser + peer=(name=:*, label="{colord-sane,gsd-print-notifications}"), # all members + + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=:*, label="{colord-sane,gsd-print-notifications}"), + + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + peer=(name=:*, label="{colord-sane,gsd-print-notifications}"), # all members + @{exec_path} mr, /etc/avahi/** r, diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index dd48a3f17..385152a85 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}bin/dbus-daemon -profile dbus-daemon @{exec_path} flags=(attach_disconnected) { +profile dbus-daemon @{exec_path} flags=(attach_disconnected complain) { include include include 
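Review bot: The ServiceBrowser send rule added here lists only `{colord-sane,gsd-print-notifications}` as peer labels, while the geoclue hunk in this same commit (`apparmor.d/groups/freedesktop/geoclue`) now receives `AllForNow,CacheExhausted` on `/Client[0-9]*/ServiceBrowser[0-9]*` pinned to `label=avahi-daemon`. Unless a rule outside this hunk already covers it, avahi-daemon's side of that exchange is denied once the profile leaves complain mode, which this hunk does by dropping `flags=(complain)`. Consider `peer=(name=:*, label="{colord-sane,geoclue,gsd-print-notifications}")` on the send rule and confirm the pair against the audit log before enforcing. A short comment on the two `# all members` rules naming the caller that needs unrestricted members would help the next review.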
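Review bot: Adding `complain` to dbus-daemon's flags turns the bus broker's profile into audit-only, and the next hunk of the same file comments out the signal, netlink and bluetooth rules instead of deleting them, so those rules must be revisited before the profile can return to enforce. The new `signal (send) set=(term hup kill) peer=at-spi2-registryd` is added only in commented-out form, yet the at-spi2-registryd hunk in this commit adds `signal (receive) set=(term hup kill) peer=dbus-daemon`; that pair only works now because dbus-daemon is in complain mode. A comment on the profile line stating why complain is needed and what has to be resolved, e.g. `# complain: signal/network rules under review, see commented rules below — TODO enforce`, keeps the temporary state from becoming permanent.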
@@ -21,17 +21,18 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_resource, - signal (receive) set=(term hup kill) peer=at-spi-bus-launcher, - signal (receive) set=(term hup kill) peer=dbus-run-session, - signal (receive) set=(term hup kill) peer=gdm*, - signal (send) set=(term hup kill) peer=at-spi-bus-launcher, - signal (send) set=(term hup kill) peer=dconf-service, - signal (send) set=(term hup kill) peer=xdg-permission-store, +# signal (receive) set=(term hup kill) peer=at-spi-bus-launcher, +# signal (receive) set=(term hup kill) peer=dbus-run-session, +# signal (receive) set=(term hup kill) peer=gdm*, +# signal (send) set=(term hup kill) peer=at-spi-bus-launcher, +# signal (send) set=(term hup kill) peer=at-spi2-registryd, +# signal (send) set=(term hup kill) peer=dconf-service, +# signal (send) set=(term hup kill) peer=xdg-permission-store, - network netlink raw, +# network netlink raw, - network bluetooth stream, - network bluetooth seqpacket, +# network bluetooth stream, +# network bluetooth seqpacket, ptrace (read), diff --git a/apparmor.d/groups/bus/dbus-daemon-launch-helper b/apparmor.d/groups/bus/dbus-daemon-launch-helper index 504f9bea4..76979b7c4 100644 --- a/apparmor.d/groups/bus/dbus-daemon-launch-helper +++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper @@ -22,8 +22,11 @@ profile dbus-daemon-launch-helper @{exec_path} { /{usr/,}lib/cups-pk-helper-mechanism rPx, /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx, /{usr/,}lib/software-properties/software-properties-dbus rPx, + @{libexec}/language-selector/ls-dbus-backend rPx, /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx, + /usr/share/usb-creator/usb-creator-helper rPx, + /usr/share/hplip/pkservice.py rPx, /usr/share/dbus-1/{,**} r, @@ -32,4 +35,4 @@ profile dbus-daemon-launch-helper @{exec_path} { owner @{PROC}/@{pid}/oom_score_adj rw, include if exists -} \ No newline at end of file +} 
diff --git a/apparmor.d/groups/bus/dbus-run-session b/apparmor.d/groups/bus/dbus-run-session index b344e912f..97093592e 100644 --- a/apparmor.d/groups/bus/dbus-run-session +++ b/apparmor.d/groups/bus/dbus-run-session @@ -12,14 +12,14 @@ profile dbus-run-session @{exec_path} { include signal (receive) set=(term, kill, hup) peer=gdm*, - signal (send) set=term peer=dbus-daemon, + signal (send) set=term peer=dbus-daemon, @{exec_path} mr, - /{usr/,}bin/dbus-daemon rPx, /{usr/,}bin/gnome-session rix, - /{usr/,}bin/gnome-shell rPx, /{usr/,}bin/gsettings rix, + /{usr/,}bin/dbus-daemon rPx, + /{usr/,}bin/gnome-shell rPx, @{libexec}/gnome-session-binary rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -28,6 +28,7 @@ profile dbus-run-session @{exec_path} { /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.cache/dconf/ rw, + /var/lib/gdm{3,}/greeter-dconf-defaults r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index baa8420ce..c25a59d53 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon 
@@ -16,6 +16,35 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { signal (receive) set=(usr1) peer=gnome-shell, signal (send) set=(term) peer=ibus*, + unix (bind, listen) type=stream addr=@/var/lib/gdm{3,}/.cache/ibus/dbus-*, + unix (send, receive, accept) type=stream addr=@/var/lib/gdm{3,}/.cache/ibus/dbus-* peer=(label=ibus-*), + unix (send, receive, accept) type=stream addr=@/var/lib/gdm{3,}/.cache/ibus/dbus-* peer=(label=gnome-shell), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/IBus + interface=org.freedesktop.DBus.Peer + peer=(name=org.freedesktop.portal.IBus), # all members, all peer's labels + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.freedesktop.portal.IBus, + + dbus bind bus=session + name=org.freedesktop.IBus, + @{exec_path} mr, /{usr/,}lib/ibus/ibus-* rPx, @@ -37,4 +66,4 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { owner /dev/tty[0-9]* rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 049df8485..f01866351 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf 
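Review bot: `dbus bind bus=session name=org.freedesktop.portal.IBus` is granted to ibus-daemon here and also to ibus-portal in `apparmor.d/groups/bus/ibus-portal` in this commit; a well-known name has a single owner, so one of the two grants is presumably a log artefact and should be dropped after checking which process actually requests the name. The new `unix (bind, listen)` and `accept` rules cover only the greeter socket `@/var/lib/gdm{3,}/.cache/ibus/dbus-*`, whereas ibus-dconf in this commit also connects to `@/home/*/.cache/ibus/dbus-*`; unless an earlier rule outside this hunk covers the user-session socket, the enforcing ibus-daemon will refuse that listener. The `/org/freedesktop/IBus` send to `org.freedesktop.portal.IBus` is left open to all members and all labels while every other new rule pins a label; if the only peer is ibus-portal, `peer=(name=org.freedesktop.portal.IBus, label=ibus-portal)` narrows it at no cost.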
@@ -11,10 +11,20 @@ include profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include + include + include include signal (receive) set=term peer=ibus-daemon, + unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-*", label=ibus-daemon), + unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-*", label=ibus-daemon), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, /usr/share/gdm/greeter-dconf-defaults r, @@ -22,16 +32,16 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { /etc/dconf/profile/ibus r, /etc/dconf/db/ibus r, - /var/lib/dbus/machine-id r, owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r, owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9]* r, + /var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r, /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r, - /var/lib/gdm{3,}/.cache/dconf/ w, /var/lib/gdm{3,}/.cache/dconf/user rw, /var/lib/gdm{3,}/.config/dconf/user rw, + /var/lib/gdm{3,}/greeter-dconf-defaults r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index 160a02b0e..e34cce534 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -14,6 +14,8 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { signal (receive) set=term peer=ibus-daemon, + unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-*", label=ibus-daemon), + @{exec_path} mr, /etc/machine-id r, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 6f57deef4..ff67d01a0 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 
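Review bot: The two `unix (send, receive, connect)` rules hard-code `addr="@/home/*/.cache/ibus/dbus-*"`, while the file rules in the second hunk of the same file use `@{user_config_dirs}`; home directories outside `/home` are not matched by the literal path. If the parser expands variables inside `addr=` the way it does in file rules, `addr="@{user_cache_dirs}/ibus/dbus-*"` keeps the rule consistent with the rest of the profile; please confirm that before changing it. A one-line comment distinguishing the greeter socket from the user-session socket would also make the pair of rules self-explanatory.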
@@ -26,6 +26,49 @@ profile ibus-extension-gtk3 @{exec_path} { network inet6 stream, network netlink raw, + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,RequestName,ReleaseName,AddMatch,RemoveMatch} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.freedesktop.IBus.Panel.Extension.Gtk3, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, 
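Review bot: The three accessibility-bus sends to `peer=(name=org.a11y.atspi.Registry)` are left with `# all peer's labels`, while every other peer in the hunk is pinned to a label. The at-spi2-registryd hunk in this commit is the profile that does `dbus bind bus=accessibility name=org.a11y.atspi.Registry`, so `peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd)` is presumably the exact owner and can replace the open form here and in the matching ibus-x11 rules. Note the inverse too: at-spi2-registryd's new receive rules for `Embed`, `GetRegisteredEvents` and `{GetKeystrokeListeners,GetDeviceEventListeners}` list `gnome-control-center`, `gnome-extension-ding`, `spice-vdagent` and `xdg-desktop-portal-*` but neither `ibus-extension-gtk3` nor `ibus-x11`, so the calls granted on the sender side here appear to be denied on the receiver side unless a rule outside that hunk covers them.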
@@ -38,7 +81,12 @@ profile ibus-extension-gtk3 @{exec_path} { owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, + /var/lib/gdm{3,}/.config/ibus/bus/*-unix{,-wayland}-[0-9]* r, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, + + # file inherit + /dev/tty[0-9]* rw, include if exists } diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 7c31da158..13f627d5e 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -15,6 +15,19 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.freedesktop.portal.IBus, + @{exec_path} mr, /{usr/,}lib/gio/modules/{,*} r, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 7cef8bf1f..7ea427c4e 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 
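Review bot: `/dev/tty[0-9]* rw` under `# file inherit` is written without the `owner` qualifier, whereas the ibus-daemon and ibus-dconf profiles in this commit use `owner /dev/tty[0-9]* rw` for the same inherited descriptor. Without `owner` the profile may read and write any virtual console rather than only the one its session already holds; `owner /dev/tty[0-9]* rw,` matches the sibling profiles. The new `/var/lib/gdm{3,}/.config/ibus/bus/*-unix{,-wayland}-[0-9]* r` also uses `*-unix` where the other ibus profiles use `@{hex}-unix`; aligning the glob avoids an over-broad match.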
@@ -21,12 +21,37 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { unix (connect, receive, send) type=stream peer=(label=ibus-daemon), + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + @{exec_path} mr, - /var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, + /var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r, + /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, - owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, - owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9] r, + owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/gdm/Xauthority r, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 6c761146e..8275e7fc1 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon 
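Review bot: The rewritten ibus bus-address globs end in `-[0-9]` (a single digit), while the equivalent rules added to ibus-dconf and ibus-extension-gtk3 in this commit end in `-[0-9]*`, so display numbers above 9 are not matched here. `{,@{hex}-unix{,-wayland}-[0-9]*}` on both the gdm line and the `owner @{user_config_dirs}` line would make the profiles agree. `/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw` is granted without `owner`, unlike the `owner @{run}/user/@{uid}/...` rules that follow; if the greeter user owns that cache, `owner` is the tighter form.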
@@ -51,6 +51,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { /etc/default/locale r, /etc/gdm{3,}/ r, + /etc/gdm{3,}/daemon.conf r, /etc/gdm{3,}/custom.conf rw, /etc/gdm{3,}/custom.conf.* rw, /etc/machine-id r, diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher index 62e8f12e8..7c246a07f 100644 --- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher +++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher @@ -20,6 +20,8 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup kill) peer=gnome-session-binary, signal (send) set=(term hup kill) peer=dbus-daemon, + unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg), + network inet stream, network inet6 stream, @@ -39,6 +41,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { /var/lib/lightdm/.Xauthority r, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, /var/log/lightdm/seat[0-9]*-greeter.log w, diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd index 8fa2940bd..89700f1cd 100644 --- a/apparmor.d/groups/freedesktop/at-spi2-registryd +++ b/apparmor.d/groups/freedesktop/at-spi2-registryd 
@@ -12,9 +12,74 @@ include profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include include + include include - signal (receive) set=(term hup) peer=gdm*, + signal (receive) set=(term hup) peer=gdm*, + signal (receive) set=(term hup kill) peer=dbus-daemon, + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,ClientRemoved,SessionRunning} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*, label="{gnome-extension-ding,gnome-control-center}"), + + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=:*, label="{gnome-extension-ding,gnome-control-center,spice-vdagent}"), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=org.freedesktop.DBus), # all peer's labels + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=:*, label=gnome-control-center), + + dbus receive bus=accessibility 
path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=:*, label="{gnome-control-center,xdg-desktop-portal-*}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=accessibility + name=org.a11y.atspi.Registry, @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index f1cd38b75..c6177d794 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord 
@@ -17,20 +17,32 @@ profile colord @{exec_path} flags=(attach_disconnected) { network netlink raw, - dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**} - interface=org.freedesktop.{DBus.Properties,ColorManager*}, - dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName}, - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.DBus.Properties - member=GetAll, + dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**} + interface=org.freedesktop.ColorManager*, - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.PolicyKit[0-9].Authority - member=CheckAuthorization, + member=CheckAuthorization + peer=(name=:*, label=polkitd), + + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=Changed + peer=(name=:*, label=polkitd), + + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label="{gsd-color,polkitd}"), + + dbus receive bus=system path=/org/freedesktop/ColorManager{,/devices/*} + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label="{gsd-color,colord-sane,gnome-control-center}"), dbus bind bus=system name=org.freedesktop.ColorManager, diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf index 536080dfd..19c76c3b1 100644 --- a/apparmor.d/groups/freedesktop/dconf +++ b/apparmor.d/groups/freedesktop/dconf 
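Review bot: `dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label="{gsd-color,polkitd}")` pairs the PolicyKit Authority object path with the `gsd-color` label, but that path is presumably served only by polkitd, so the label list looks like two audit entries merged into one rule; confirm whether the gsd-color half belongs to a different path and split it if so. Dropping `DBus.Properties` from the broad ColorManager rule and replacing it with a `GetAll` receive limited to `{gsd-color,colord-sane,gnome-control-center}` means any other client that reads ColorManager properties is now denied in enforce mode, which is worth a pass over the audit log before merging. Pinning `CheckAuthorization` and `Changed` to `label=polkitd` is a sound tightening.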
@@ -12,13 +12,19 @@ profile dconf @{exec_path} flags=(attach_disconnected) { include capability sys_nice, + capability dac_override, @{exec_path} mr, /etc/dconf/db/** rw, + /usr/share/gdm/dconf/{,**} r, + + /var/lib/gdm{3,}/ r, + /var/lib/gdm{3,}/greeter-dconf-defaults{,.??????} rw, + owner @{user_config_dirs}/dconf/ rw, owner @{user_config_dirs}/dconf/user{,.*} rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index ebcf010d4..d18de36ca 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service @@ -15,6 +15,29 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term kill hup) peer=dbus-daemon, signal (receive) set=(term hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member=Notify + peer=(name=org.freedesktop.DBus), # all peer's labels + + dbus receive bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member=Change + peer=(name=:*, label=gnome-control-center), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=ca.desrt.dconf, + @{exec_path} mr, owner @{user_config_dirs}/dconf/ rw, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 378710753..308e1502c 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue 
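Review bot: `capability dac_override` is added to the dconf profile with no comment on why it is needed; together with the existing `/etc/dconf/db/** rw` and the new `/var/lib/gdm{3,}/greeter-dconf-defaults{,.??????} rw` it lets the process bypass ownership checks on every path the profile already grants. If the reason is writing the greeter defaults into a gdm-owned directory as root, the rule deserves a comment such as `# dac_override: writes greeter-dconf-defaults into the gdm-owned /var/lib/gdm{3,}/ — TODO confirm`, so the capability can be dropped again once the path is re-checked. In the dconf-service hunk, `ca.desrt.dconf.Writer member=Change` is accepted only from `gnome-control-center`; other writers presumably reach the daemon through a rule outside the hunk, but that is worth confirming before enforcing.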
@@ -45,9 +45,10 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.Avahi.Server member=StateChanged, - dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9] + dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* interface=org.freedesktop.Avahi.ServiceBrowser - member={AllForNow,CacheExhausted}, + member={AllForNow,CacheExhausted} + peer=(name=:*, label=avahi-daemon), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager @@ -69,4 +70,4 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 46c7cd733..cbb4cdff3 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -17,6 +17,11 @@ profile pipewire @{exec_path} { ptrace (read), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetConnectionUnixProcessID + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] interface=org.freedesktop.RealtimeKit[0-9] member=MakeThread* @@ -27,6 +32,11 @@ profile pipewire @{exec_path} { member=Get peer=(name=org.freedesktop.RealtimeKit[0-9]), + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, /{usr/,}bin/pipewire-media-session rPx, diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index d70f8362e..c52bc5f34 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session 
@@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}bin/pipewire-media-session -profile pipewire-media-session @{exec_path} { +profile pipewire-media-session @{exec_path} flags=(complain ) { include include include @@ -31,6 +31,11 @@ profile pipewire-media-session @{exec_path} { member=MakeThreadRealtime peer=(name=org.freedesktop.RealtimeKit1), + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, /usr/share/alsa-card-profile/{,**} r, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index d84041113..bc10f4a13 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -109,7 +109,7 @@ profile pulseaudio @{exec_path} { @{exec_path} mrix, - /{usr/,}@{libexec}/pulse/gsettings-helper mrix, + @{libexec}/pulse/gsettings-helper mrix, /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix, /{usr/,}lib/pulse-*/modules/*.so mr, @@ -138,7 +138,9 @@ profile pulseaudio @{exec_path} { owner @{user_config_dirs}/pulse/{,**} rw, - owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r, + owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r, + /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw, + /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw, owner @{run}/user/@{uid}/ rw, owner @{run}/user/@{uid}/pulse/{,*} rw, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 72a183ee1..ff05a04ff 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd 
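Review bot: `flags=(complain )` carries a stray space inside the parentheses; the parser tolerates whitespace there, but every other flags list in this commit is written `flags=(complain)`, so please normalise it. The larger point is that the hunk moves pipewire-media-session from enforce to complain with no comment on which denials triggered it; the only other change to the file is the gnome-shell `Introspect` receive rule in the second hunk, so if that rule was the blocker the flag is no longer needed. A short comment on the profile line naming the outstanding denial makes it easier to return to enforce.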
@@ -16,6 +16,11 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**} interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,UPower*}, @@ -27,14 +32,10 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.login[0-9].Manager member=Inhibit, - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=RequestName - peer=(name=org.freedesktop.DBus), - dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={SessionNew,SessionRemoved,PrepareForShutdown}, + member={UserNew,UserRemoved,SessionNew,SessionRemoved,PrepareForShutdown,PrepareForSleep} + peer=(name=:*, label=systemd-logind), dbus bind bus=system name=org.freedesktop.UPower, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 322257051..f3f0fa705 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -22,6 +22,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { ptrace (read), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll, 
@@ -42,6 +47,59 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=PropertiesChanged, + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label="{gnome-shell,xdg-desktop-portal-*,gnome-keyring-daemon}"), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Background + member=GetAppState + peer=(name=:*, label=xdg-desktop-portal-*), + + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Background + member=RunningApplicationsChanged + peer=(name=:*, label=xdg-desktop-portal-*), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=SettingChanged + peer=(name=org.freedesktop.DBus), # all peer's labels + + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + member=SettingChanged + peer=(name=:*, label=xdg-desktop-portal-*), + + dbus send bus=session path=/org/freedesktop/portal/documents + interface=org.freedesktop.portal.Documents + member=GetMountPoint + peer=(name=:*, label=xdg-document-portal), + + dbus (send, receive) bus=session path=/org/freedesktop/portal/documents + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=xdg-document-portal), + + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-permission-store), + + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.impl.portal.PermissionStore + member=Lookup + peer=(name=:*, label=xdg-permission-store), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, 
label=gnome-shell), + + dbus bind bus=session + name=org.freedesktop.portal.Desktop, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, @@ -72,4 +130,4 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 611f2e2b2..9403ca40b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -19,6 +19,11 @@ profile xdg-desktop-portal-gnome @{exec_path} { include include + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.DBus.Properties member=GetAll, 
@@ -31,6 +36,79 @@ profile xdg-desktop-portal-gnome @{exec_path} { interface=org.freedesktop.Accounts.User member=Changed, + dbus send bus=session path=/org/gnome/Shell/Screenshot + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Shell/Introspect + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Shell/Introspect + interface=org.gnome.Shell.Introspect + member=GetRunningApplications + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Shell/Introspect + interface=org.gnome.Shell.Introspect + member={RunningApplicationsChanged,WindowsChanged} + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Background + member=RunningApplicationsChanged + peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Background + member=GetAppState + peer=(name=:*, label=xdg-desktop-portal), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + member=SettingChanged + peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-desktop-portal), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member=GetCurrentState + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member=GetCurrentState + peer=(name=:*, label=gsd-xsettings), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + 
interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Mutter/ScreenCast + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Mutter/RemoteDesktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.freedesktop.impl.portal.desktop.gnome, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -47,4 +125,4 @@ profile xdg-desktop-portal-gnome @{exec_path} { owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 173a6fe68..690515ae0 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} { include + include include include include @@ -20,6 +21,18 @@ profile xdg-desktop-portal-gtk @{exec_path} { include include + unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.DBus.Properties member=GetAll, 
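Review bot: The rule `dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member=GetCurrentState peer=(name=:*, label=gsd-xsettings)` grants xdg-desktop-portal-gnome the right to be *called* on a Mutter object it does not export; the send rule just above it shows that object belongs to gnome-shell. This reads like a denial logged against the wrong profile (gsd-xsettings calling gnome-shell) that was copied here, which is worth confirming from the audit log before it ships. If it is genuinely needed, a one-line comment such as `# gsd-xsettings queries display state through the portal backend -- confirmed from log` would stop the next reader from removing it; otherwise drop the rule.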
@@ -40,6 +53,104 @@ profile xdg-desktop-portal-gtk @{exec_path} { interface=org.freedesktop.DBus.Properties member=PropertiesChanged, + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,ClientRemoved,SessionRunning} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={EndSession,QueryEndSession,CancelEndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/Shell/Introspect + interface=org.gnome.Shell.Introspect + member={RunningApplicationsChanged,WindowsChanged} + peer=(name=:*, label=gnome-shell), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + 
member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gjs-console), + + dbus send bus=session path=/org/gnome/Shell/Introspect + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member=ActiveChanged + peer=(name=:*, label=gjs-console), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + member=SettingChanged + peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-desktop-portal), + + dbus send bus=session path=/org/gtk/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.freedesktop.impl.portal.desktop.gtk, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -58,4 +169,4 @@ profile xdg-desktop-portal-gtk @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 3a0453645..15adce726 100644 
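Review bot: The accessibility-bus send rules for `GetKeystrokeListeners`/`GetDeviceEventListeners`, `GetRegisteredEvents` and `Embed` leave the peer label open (`peer=(name=org.a11y.atspi.Registry), # all peer's labels`), whereas the identical rules added to gnome-control-center in this same diff pin `label=at-spi2-registryd`. The receive rule right between them already identifies the registry as `at-spi2-registryd`, so writing the sends as `peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd)` costs nothing and keeps the two profiles consistent. With the label open, any confined process that manages to own `org.a11y.atspi.Registry` on the a11y bus would be accepted as the registry by this portal backend.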
--- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -7,14 +7,48 @@ abi , include @{exec_path} = @{libexec}/xdg-document-portal -profile xdg-document-portal @{exec_path} { +profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { include include + capability sys_nice, + capability sys_resource, +# capability sys_admin, + ptrace (read) peer=xdg-desktop-portal, + signal (receive) set=(term) peer=gdm, + unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-permission-store), + + dbus receive bus=session path=/org/freedesktop/portal/documents + interface=org.freedesktop.portal.Documents + member=GetMountPoint + peer=(name=:*, label="{snap,xdg-desktop-portal}"), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/freedesktop/portal/documents + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-desktop-portal), + + dbus bind bus=session + name=org.freedesktop.portal.Documents, + @{exec_path} mr, /{usr/,}bin/flatpak rCx -> flatpak, @@ -33,6 +67,9 @@ profile xdg-document-portal @{exec_path} { /dev/fuse rw, + # file inherit + owner /dev/tty[0-9]* rw, + profile flatpak { include @@ -50,6 +87,8 @@ profile xdg-document-portal @{exec_path} { @{PROC}/sys/kernel/random/boot_id r, /dev/tty rw, + + include if exists } profile fusermount { 
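Review bot: `ptrace (read) peer=xdg-desktop-portal,` and the two new capabilities (`sys_nice`, `sys_resource`) carry no rationale, and ptrace read is what lets this process read `/proc/<pid>/` of the portal, so a why-comment is warranted, e.g. `# read /proc/<pid>/ of xdg-desktop-portal (peer credential lookup) -- TODO confirm against log`. The commented-out `# capability sys_admin,` would likewise benefit from a note saying why it is left out (presumably because mounting is delegated to the `fusermount` child profile, which this hunk also references via the unix rule). Minor style point: `unix (send receive)` is written `unix (send, receive)` everywhere else in this diff.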
@@ -76,8 +115,12 @@ profile xdg-document-portal @{exec_path} { @{PROC}/@{pids}/mounts r, + owner @{run}/user/@{uid}/doc/ rw, + /dev/fuse rw, + + include if exists } include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index a7113a766..e5c36cd5a 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -11,9 +11,39 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { include include + capability sys_nice, + signal (receive) set=(term hup kill) peer=dbus-daemon, signal (receive) set=(term hup kill) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label="{gnome-shell,xdg-document-portal}"), + + dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.impl.portal.PermissionStore + member=Lookup + peer=(name=:*, label="{gnome-shell,xdg-desktop-portal}"), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-desktop-portal), + + dbus bind bus=session + name=org.freedesktop.impl.portal.PermissionStore, + @{exec_path} mr, @{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw, @@ -25,4 +55,4 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { /dev/tty[0-9]* rw, include if exists -} \ No newline at end of file +} 
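Review bot: Two `dbus receive` rules are added for the same object, interface and member (`path=/org/freedesktop/impl/portal/PermissionStore`, `org.freedesktop.DBus.Properties`, `GetAll`), one with `label="{gnome-shell,xdg-document-portal}"` and a second with `label=xdg-desktop-portal`; they should be a single rule with `peer=(name=:*, label="{gnome-shell,xdg-document-portal,xdg-desktop-portal}")` so the full caller set is visible in one place. The new `capability sys_nice,` has no comment naming the call that needs it, which makes it hard for the next reviewer to decide whether it can be dropped.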
diff --git a/apparmor.d/groups/freedesktop/xhost b/apparmor.d/groups/freedesktop/xhost index ca1862646..b2df7653e 100644 --- a/apparmor.d/groups/freedesktop/xhost +++ b/apparmor.d/groups/freedesktop/xhost @@ -11,11 +11,15 @@ profile xhost @{exec_path} { include include + unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg), + @{exec_path} mr, owner @{HOME}/.Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r, + /tmp/.X11-unix/* rw, + # file_inherit /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 35e3af296..fa8be9a5e 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -14,6 +14,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (send,receive) type=stream addr=none peer=(label=gnome-shell), unix (send,receive) type=stream addr=none peer=(label=xwayland), + unix (send,receive) type=stream addr=@/tmp/.X11-unix/X[0-9]* peer=(label=gsd-xsettings), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 2cd5cbcb6..55e84ac2d 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -11,7 +11,7 @@ include @{exec_path} += /{usr/,}bin/Xorg @{exec_path} += /{usr/,}lib/Xorg{,.wrap} @{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap} -profile xorg @{exec_path} flags=(attach_disconnected) { +profile xorg @{exec_path} flags=(attach_disconnected complain) { include include include 
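Review bot: The new `unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg),` only matches when the X socket is answered by a process confined as `xorg`; the xkbcomp hunk just below in this diff models the other case with `peer=(label=xwayland)`, so xhost run against Xwayland would still be denied. If xhost is only ever launched from gdm-xsession under a native Xorg session that is acceptable and deserves a comment saying so; otherwise add a second rule with `label=xwayland`. I cannot see from this diff which sessions actually invoke it.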
@@ -32,19 +32,22 @@ profile xorg @{exec_path} flags=(attach_disconnected) { # deny capability sys_nice, #capability sys_tty_config, - signal (send) set=(usr1), +# signal (send) set=(usr1), - signal (receive) peer=lightdm, - signal (receive) peer=sddm, - signal (receive) peer=xinit, - signal (receive) set=term peer=gdm{,-x-session}, +# signal (receive) peer=lightdm, +# signal (receive) peer=sddm, +# signal (receive) peer=xinit, +# signal (receive) set=term peer=gdm{,-x-session}, - network netlink raw, +# unix (bind, listen) type=stream addr=@/tmp/.X11-unix/*, +# unix (send, receive, accept) type=stream addr=@/tmp/.X11-unix/*, # all peers - dbus send bus=system path=/org/freedesktop/login[0-9]{,/session/*} - interface=org.freedesktop.{DBus.Properties,login1.Session} +# network netlink raw, + + dbus send bus=system path=/org/freedesktop/login[0-9]{,/session/*} + interface=org.freedesktop.{DBus.Properties,login[0-9].Session,login[0-9]*.Manager} member={ReleaseControl,TakeControl,TakeDevice,ReleaseDevice,GetSessionByPID} - peer=(name=org.freedesktop.login[0-9]), + peer=(name=org.freedesktop.login[0-9], label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login[0-9]/session/* interface=org.freedesktop.login1.Session @@ -79,8 +82,10 @@ profile xorg @{exec_path} flags=(attach_disconnected) { owner /var/log/Xorg.[0-9].log{,.old} rw, owner /var/log/Xorg.pid-@{pid}.log{,.old} rw, + /var/lib/gdm{3,}/.local/share/xorg/ rw, /var/lib/gdm{3,}/.local/share/xorg/Xorg.[0-9].log{,.old} rw, /var/lib/gdm{3,}/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw, + /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, @{run}/nvidia-xdriver-* rw, @{run}/sddm/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 701a0de2c..09c07d662 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland 
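Review bot: The `signal (receive)` rules for lightdm/sddm/xinit/gdm, `network netlink raw,` and the X11 `unix` rules are turned into comments at the same time the profile is flipped to `complain` in the hunk above, so those permissions will only reappear as audit noise, and if the flag is later removed the display-manager signals will be denied in enforce mode. Complain mode already tolerates missing rules, so keep the ones that were previously known good in place (e.g. `signal (receive) set=term peer=gdm{,-x-session},` and `network netlink raw,`) and remove only what has been confirmed unused. The tightened logind rule with `peer=(name=org.freedesktop.login[0-9], label=systemd-logind)` is a good change.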
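Review bot: `/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,` is added without `owner`, while the matching line added to the xwayland profile in this diff reads `owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,`. When started by GDM both servers run as the gdm user, so the `owner` form should work here too and keeps the two profiles consistent; if Xorg can legitimately run as root in some setups, a comment explaining why `owner` is omitted would help. Note that the mesa cache writes entries alongside `index`, so this single-file rule may be followed by further denials.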
@@ -31,8 +31,11 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { /usr/share/fonts/X11/{,**} r, /usr/share/X11/xkb/rules/evdev r, + owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, + owner /tmp/server-[0-9]*.xkm rwk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw, + owner @{run}/user/@{uid}/xwayland-shared-?????? rw, @{sys}/bus/pci/devices/ r, @{sys}/devices/system/cpu/possible r, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 776e10df0..d642d5802 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -30,10 +30,20 @@ profile gdm @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.{DBus.Properties,Accounts.User} member={Changed,GetAll,PropertiesChanged}, - dbus send bus=system path=/org/freedesktop/Accounts + dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.{DBus.Properties,Accounts} member={GetAll,ListCachedUsers,FindUserByName}, + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=accounts-daemon), + + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member=UserAdded + peer=(name=:*, label=accounts-daemon), + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login1.Manager member={ListSeats,ActivateSessionOnSeat,UnlockSession}, 
@@ -48,18 +58,18 @@ profile gdm @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/gnome/DisplayManager/Manager interface={org.freedesktop.DBus.Properties,org.gnome.DisplayManager.Manager} - member={RegisterDisplay,Get,RegisterSession,GetAll,OpenReauthenticationChannel}, + member={RegisterDisplay,Get,RegisterSession,GetAll,OpenReauthenticationChannel,OpenSession}, dbus bind bus=system name=org.gnome.DisplayManager, @{exec_path} mr, - /{usr/,}{s,}prime-switch rPx, + /{usr/,}{s,}prime-switch rPUx, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/plymouth rPx, + /{usr/,}bin/plymouth rPUx, /etc/gdm{3,}/PrimeOff/Default rix, - @{libexec}/gdm-session-worker rPx, + @{libexec}/gdm-session-worker rPUx, /usr/share/gdm/gdm.schemas r, /usr/share/wayland-sessions/*.desktop r, @@ -67,6 +77,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /etc/default/locale r, /etc/gdm{3,}/custom.conf r, + /etc/gdm{3,}/daemon.conf r, /etc/locale.conf r, /var/{lib,log}/gdm{3,}/ rw, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 0da648cba..017ddc7da 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -37,6 +37,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { signal (send) set=hup peer=ibus-*, signal (send) set=hup peer=xorg, signal (send) set=hup peer=xwayland, + signal (send) set=hup peer=xdg-permission-store, + signal (send) set=hup peer=tracker-miner, signal (send) set=term peer=gdm-*-session, network netlink raw, 
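Review bot: Changing `@{libexec}/gdm-session-worker rPx` to `rPUx` makes the PAM session worker silently fall back to running unconfined whenever its profile is missing or fails to load, which is the wrong failure mode for the component that handles authentication; the `gdm-session-worker` profile is maintained in this same diff, so `rPx` remains satisfiable. Keep `@{libexec}/gdm-session-worker rPx,` and reserve `rPUx` for the optional helpers (`prime-switch`, `plymouth`) that may have no profile on a given system. A short comment next to those two explaining the unconfined fallback would also help future readers.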
@@ -45,6 +47,11 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.{DBus.Properties,Accounts*} member={GetAll,FindUserByName,SetLanguage,Changed,PropertiesChanged}, + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member=UserAdded + peer=(name=:*, label=accounts-daemon), + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member={CreateSession,ReleaseSession}, @@ -63,6 +70,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /etc/default/locale r, /etc/environment r, /etc/gdm{3,}/custom.conf r, + /etc/gdm{3,}/daemon.conf r, /etc/locale.conf r, /etc/machine-id r, /etc/motd r, diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index 2bcfe250d..c989c4673 100644 --- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session @@ -26,6 +26,16 @@ profile gdm-wayland-session @{exec_path} { interface=org.gnome.DisplayManager.Manager member=RegisterDisplay, + dbus send bus=session path=/org/freedesktop/systemd[0-9]* + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.systemd[0-9]*, label=unconfined), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, @@ -42,6 +52,7 @@ profile gdm-wayland-session @{exec_path} { /{usr/,}bin/sort rix, /{usr/,}bin/tty rix, /{usr/,}bin/zsh rix, + /{usr/,}bin/id rix, /{usr/,}bin/dbus-daemon rPx, /{usr/,}bin/dbus-run-session rPx, @@ -54,6 +65,7 @@ profile gdm-wayland-session @{exec_path} { /etc/default/im-config r, /etc/gdm{3,}/custom.conf r, + /etc/gdm{3,}/daemon.conf r, /etc/shells r, /etc/X11/xinit/xinputrc r, /etc/X11/Xsession.d/*im-config_launch r, 
diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session index f8f3af9a4..b48e1d79a 100644 --- a/apparmor.d/groups/gnome/gdm-x-session +++ b/apparmor.d/groups/gnome/gdm-x-session @@ -18,6 +18,21 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) { signal (send) set=term peer=xorg, signal (send) set=term peer=gnome-session-binary, + dbus bus=session path=/org/freedesktop/systemd[0-9]* + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.systemd[0-9]*), + + dbus send bus=system path=/org/gnome/DisplayManager/Manager + interface=org.gnome.DisplayManager.Manager + member=RegisterDisplay + peer=(name=:*, label=gdm), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + @{exec_path} mr, /{usr/,}bin/Xorg rPx, @@ -26,6 +41,7 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) { /etc/gdm{3,}/Prime/Default rix, /etc/gdm{3,}/custom.conf r, + /etc/gdm{3,}/daemon.conf r, /usr/share/gdm/gdm.schemas r, /var/lib/gdm{3,}/.cache/gdm/Xauthority rw, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index f3829ea6f..f9a1c94e5 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession 
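Review bot: The first new rule, `dbus bus=session path=/org/freedesktop/systemd[0-9]* interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.systemd[0-9]*)`, omits the access list and so grants every dbus access on that object rather than just the call, and it leaves the peer label open; the equivalent rule added to gdm-wayland-session in this diff is `dbus send … peer=(name=org.freedesktop.systemd[0-9]*, label=unconfined)`. Write it as `dbus send bus=session path=/org/freedesktop/systemd[0-9]*` with the same `peer=(name=org.freedesktop.systemd[0-9]*, label=unconfined)` so the two session launchers agree and the grant is limited to what was observed.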
@@ -23,29 +23,62 @@ profile gdm-xsession @{exec_path} { /{usr/,}bin/id rix, /{usr/,}bin/tty rix, /{usr/,}bin/zsh rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/locale rix, + /{usr/,}bin/gettext rix, + /{usr/,}bin/gettext.sh r, + /{usr/,}bin/{m,g,}awk rix, + /{usr/,}bin/truncate rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/locale-check rix, /{usr/,}bin/dbus-update-activation-environment rCx -> dbus, /{usr/,}bin/flatpak rPUx, /{usr/,}bin/systemctl rPx -> child-systemctl, /{usr/,}bin/xbrlapi rPx, /{usr/,}bin/xhost rPx, + /{usr/,}bin/im-launch rPx, + /{usr/,}bin/gpgconf rPx, @{libexec}/gnome-session-binary rPx, + /{usr/,}bin/dpkg-query rpx, + + /etc/X11/{,**} r, + /etc/default/im-config r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/X11/{,**} r, + /usr/share/im-config/data/{,*} r, + /usr/share/im-config/xinputrc.common r, + + owner /tmp/gdm{3,}-config-err-?????? rw, # file_inherit /dev/tty[0-9]* rw, - profile dbus { + profile dbus flags=(complain) { include /{usr/,}bin/dbus-update-activation-environment mr, + owner @{run}/user/@{uid}/bus rw, + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,UpdateActivationEnvironment} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/systemd[0-9]* + interface=org.freedesktop.systemd[0-9]*.Manager + member=SetEnvironment + peer=(name=org.freedesktop.systemd[0-9]*), + # file_inherit /dev/tty rw, /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, + + include if exists } include if exists diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index c11907e7d..76a4af2c6 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console 
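Review bot: `/{usr/,}bin/dpkg-query rpx,` uses lowercase `px`, which transitions to the dpkg-query profile without scrubbing the environment; every other transition in this diff is `rPx`/`rPUx` and nothing here suggests dpkg-query needs the caller's environment, so this should read `/{usr/,}bin/dpkg-query rPx,` unless the lowercase form is deliberate, in which case it needs a comment. Separately, the `dbus` child profile is switched to `flags=(complain)` in the same hunk that completes its rules, and its `SetEnvironment` send to `org.freedesktop.systemd[0-9]*` carries no `label=` while the sibling gdm-wayland-session rule pins `label=unconfined`.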
@@ -26,6 +26,55 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-extension-ding), + + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-desktop-portal-*), + + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member=ActiveChanged + peer=(name=org.freedesktop.DBus, label="{gnome-session-binary,gsd-power,xdg-desktop-portal-gtk}"), + + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member={ActiveChanged,WakeUpScreen,GetActive} + peer=(name=:*, label="{gnome-shell,gnome-session-binary,xdg-desktop-portal-*}"), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.ScreenSaver, + + dbus bind bus=session + name=org.freedesktop.Notifications, + + dbus bind bus=session + name=org.gnome.Shell.Notifications, + @{exec_path} mr, /{usr/,}bin/ r, /{usr/,}bin/[a-z0-9]* rPUx, 
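Review bot: gjs-console is allowed to bind `org.freedesktop.Notifications` and `org.gnome.Shell.Notifications`, but no `dbus receive` rule for the `org.freedesktop.Notifications` interface itself (`Notify`, `CloseNotification`, `GetCapabilities`, …) is added, only a `Properties.GetAll` from gnome-extension-ding; unless those receives exist outside this hunk, application notification calls will be denied once the name is owned. If the intent is to accept them from any session client, say so explicitly, e.g. `dbus receive bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.Notifications peer=(name=:*), # any client may notify`, bearing in mind that this profile also carries a broad `/{usr/,}bin/[a-z0-9]* rPUx` in the surrounding context. The rest of the profile is outside this hunk, so I cannot confirm which of these rules already exist.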
@@ -38,6 +87,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-shell/{,**} r, /usr/share/X11/xkb/** r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw, /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 58aa25a73..5359646c1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center 
@@ -34,6 +34,38 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { signal (send) set=(kill) peer=unconfined, signal (send) set=(kill) peer=passwd, + unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-*", label=ibus-daemon), + + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + @{exec_path} mr, /{usr/,}bin/{,b,d,rb}ash rUx, @@ -76,6 +108,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /etc/security/pwquality.conf r, /etc/security/pwquality.conf.d/{,**} r, + /etc/fstab r, /etc/machine-id r, /var/lib/dbus/machine-id r, 
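Review bot: The new `unix … peer=(addr="@/home/*/.cache/ibus/dbus-*", label=ibus-daemon)` hard-codes `/home/*`, while the rest of this profile (see the `@{user_cache_dirs}`/`@{user_config_dirs}` lines further down) uses the tunables, so the rule silently fails for home directories outside `/home` such as `/root` or a site-specific layout. Prefer `peer=(addr="@@{HOME}/.cache/ibus/dbus-*", label=ibus-daemon)` if the tunable expands correctly inside an abstract socket address in this project; if it does not, a comment explaining the literal path would help.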
@@ -88,7 +121,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/gnome-control-center/{,**} rw, owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_config_dirs}/gnome-control-center/{,**} rw, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, + owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix{,-wayland}-[0-9]} r, owner @{user_config_dirs}/mimeapps.list.* rw, owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/gvfs-metadata/{,*} r, @@ -103,6 +136,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid} rwk, owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid}.lock rwk, owner @{run}/user/@{uid}/webkitgtk/{,**} rw, + owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw, @{run}/cups/cups.sock rw, @{run}/samba/ rw, @{run}/systemd/sessions/ r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 9fef80ddd..28a2f0321 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -20,6 +20,16 @@ profile gnome-control-center-print-renderer @{exec_path} { include include + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), + @{exec_path} mr, /usr/share/egl/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 3db55197d..a563de61f 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding 
@@ -9,8 +9,10 @@ include @{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js profile gnome-extension-ding @{exec_path} { include - include + include include + include + include include include include @@ -18,15 +20,31 @@ profile gnome-extension-ding @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gnome-shell), - dbus send bus=system path=/org/freedesktop/DBus + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={ListNames,ListActivatableNames}, - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus.Properties - member=GetAll, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName,ListNames,ListActivatableNames} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=system path=/org/freedesktop/DBus + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect, 
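Review bot: In the second hunk, the new `dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label=dbus-daemon)` is a strict subset of the rule added a few lines later with `member={RequestName,ReleaseName,ListNames,ListActivatableNames}` and the same peer, so one of them should go. Dropping the first keeps the session-bus bookkeeping in a single rule next to its system-bus counterparts and avoids the two drifting apart later.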
@@ -34,6 +52,91 @@ profile gnome-extension-ding @{exec_path} { interface=org.freedesktop.DBus.Properties member=GetAll, + dbus send bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gjs-console), + + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gvfsd-metadata), + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=ListMonitorImplementations + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=ClientRemoved + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={IsSupported,List} + peer=(name=:*, label=gvfs-*-monitor), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={ListMounts2,ListMountableInfo} + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=Mounted + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's 
labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), + + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=session path=/com/rastersoft/dingextension/control + interface=org.gtk.Actions + member=DescribeAll + peer=(name=com.rastersoft.dingextension, label=gnome-shell), + + dbus receive bus=session path=/com/rastersoft/ding + interface=org.gtk.Actions + member=DescribeAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/com/rastersoft/ding + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + dbus bind bus=session name=com.rastersoft.ding, @@ -63,9 +166,10 @@ profile gnome-extension-ding @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/home r, owner @{user_share_dirs}/gvfs-metadata/home-*.log r, + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 85b6e24bd..1486f6162 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon 
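Review bot: The RemoteVolumeMonitor rule uses `peer=(name=:*, label=gvfs-*-monitor)`, whereas the corresponding rule added to gnome-shell in this same commit uses `label=gvfs-*-volume-monitor`; `gvfs-*-monitor` is the broader glob and also matches any other profile named gvfs-<anything>-monitor, so using the narrower `gvfs-*-volume-monitor` here keeps the two profiles aligned. The three `peer=(name=org.a11y.atspi.Registry)` rules are commented `# all peer's labels`, yet the `EventListenerDeregistered` receive rule beside them already assumes the registry is `at-spi2-registryd`; if that holds in the audit log, adding `label=at-spi2-registryd` to the send rules would close that gap. The enclosing profile starts before this hunk.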
@@ -19,25 +19,64 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=gdm, signal (send) set=(term) peer=ssh-agent, - dbus send bus=system path=/org/freedesktop/login[0-9]/session/* + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=system path=/org/freedesktop/login[0-9]/session/* interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.login[0-9]), - dbus send bus=system path=/org/freedesktop/login[0-9] + dbus receive bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=systemd-logind), + + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member=GetSession peer=(name=org.freedesktop.login[0-9]), - dbus receive bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]* + dbus (send, receive) bus=session path=/org/gnome/keyring/daemon + interface=org.gnome.keyring.Daemon + member=GetControlDirectory + peer=(name="{org.gnome.keyring,:*}", label=gnome-keyring-daemon), # itself + + dbus receive bus=session path=/org/freedesktop/secrets interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.Secret.Service + member=SearchItems + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-desktop-portal), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.keyring, + + dbus bind bus=session + 
name=org.freedesktop.secrets, @{exec_path} mr, /{usr/,}bin/ssh-add rix, /{usr/,}bin/ssh-agent rPx, + /var/lib/gdm{3,}/.local/share/keyrings/ r, + # Keyrings location owner @{user_share_dirs}/keyrings/ rw, owner @{user_share_dirs}/keyrings/* rwl, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index ad23994fc..e10208589 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -16,6 +16,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include + include include include 
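Review bot: The new receive rules on `/org/freedesktop/secrets` (`org.freedesktop.Secret.Service` / `SearchItems` and `Properties` / `GetAll`) are pinned to `label=gnome-shell`, so any other libsecret client reaching the secret service will be denied unless another rule or an included abstraction covers it; the includes' targets are not visible in this diff, so this is worth confirming against the audit log before the profile leaves complain mode. The `GetControlDirectory` self-rule is helpfully commented `# itself`; the non-owner `/var/lib/gdm{3,}/.local/share/keyrings/ r,` line would benefit from a similar one-line comment, e.g. `# greeter session keyring directory, read-only`, since it is presumably the gdm user's home and stands out among the owner-qualified keyring rules below it. The enclosing profile starts before this hunk.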
@@ -29,43 +30,111 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=at-spi-bus-launcher, signal (send) set=(term) peer=gsd-*, - dbus send bus=system path=/org/freedesktop/login[0-9] + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName,UpdateActivationEnvironment,GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus label=dbus-daemon), + + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=Hello + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={CanPowerOff,GetSession,PowerOff,Inhibit}, + member={CanPowerOff,GetSession,PowerOff,Inhibit,Reboot} + peer=(name=:*, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.DBus.Properties - member=GetAll, + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionNew,PrepareForShutdown,SessionRemoved,UserNew,UserRemoved,PrepareForSleep} + peer=(name=:*, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]* + dbus send bus=system path=/org/freedesktop/login[0-9]/session/* interface=org.freedesktop.login[0-9].Session - member=SetIdleHint, - - dbus receive bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, - - dbus receive bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager - member={SessionNew,PrepareForShutdown,SessionRemoved}, + member=SetIdleHint + peer=(name=org.freedesktop.login[0-9], label=systemd-logind), dbus (send,receive) bus=session path=/org/gnome/SessionManager{,/**} - 
interface={org.freedesktop.DBus.{Properties,Introspectable},org.gnome.SessionManager}, + interface={org.freedesktop.DBus.Introspectable,org.gnome.SessionManager**}, - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - peer=(name=:org.freedesktop.systemd1), + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=at-spi2-registryd), - dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=CancelEndSession + peer=(name=org.freedesktop.DBus, label=gsd-*), + + dbus send bus=session path=/org/gnome/SessionManager/Presence + interface=org.gnome.SessionManager.Presence + member=StatusChanged + peer=(name=org.freedesktop.DBus, label=gnome-shell), + + dbus send bus=session path=/org/gnome/SessionManager/EndSessionDialog + interface=org.gnome.SessionManager.EndSessionDialog + member=Open + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/SessionManager/EndSessionDialog + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus (send, receive) bus=system path=/org/freedesktop/login[0-9]* + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=systemd-logind), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/**} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name="{org.freedesktop.DBus,:*}", label="{gsd-*,gnome-*,xdg-desktop-portal-*}"), + + dbus send bus=session path=/org/freedesktop/systemd[0-9]* + interface=org.freedesktop.systemd[0-9]*.Manager + peer=(name=org.freedesktop.systemd[0-9]*, label=unconfined), # all members + + dbus send bus=session path=/org/gnome/Mutter/IdleMonitor + interface=org.freedesktop.DBus.ObjectManager + 
member=GetManagedObjects + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor - member=AddIdleWatch - peer=(name=:*), + member={AddIdleWatch,AddUserActiveWatch,RemoveWatch} + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core + interface=org.gnome.Mutter.IdleMonitor + member=WatchFired + peer=(name=:*, label=gnome-shell), dbus send bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member=GetActive peer=(name=:*), + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member=ActiveChanged + peer=(name=:*, label=gjs-console), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SessionManager, + @{exec_path} mr, /{usr/,}bin/{,z,ba,da}sh rix, @@ -77,6 +146,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/gsettings-data-convert rix, /{usr/,}bin/session-migration rix, /{usr/,}bin/xdg-user-dirs-gtk-update rix, + /{usr/,}bin/gnome-session rix, @{libexec}/gnome-session-check-accelerated rix, @{libexec}/gnome-session-check-accelerated-gl-helper rix, @{libexec}/gnome-session-check-accelerated-gles-helper rix, 
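Review bot: The first added rule of this hunk writes `peer=(name=org.freedesktop.DBus label=dbus-daemon)` without the comma that every other `peer=(name=..., label=...)` in the hunk uses; if the parser accepts both forms this is style only, but one form should be used throughout so the rules can be grepped reliably. The `org.freedesktop.systemd[0-9]*.Manager` send rule grants every member (`# all members`) to the user's systemd instance, while the gnome-shell hunk in this commit enumerates `member={GetUnit,StartUnit,StartTransientUnit}` for the same peer; since the Manager interface includes the unit-starting methods, enumerating what gnome-session-binary actually calls would make the grant auditable rather than open-ended. The enclosing profile starts and ends outside the hunk.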
@@ -97,7 +167,14 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/update-notifier rPx, /{usr/,}bin/xbrlapi rPx, /{usr/,}bin/xdg-user-dirs-update rPx, + /{usr/,}bin/parcellite rPUx, + /{usr/,}bin/baloo_file rPUx, +# /{usr/,}bin/gnome-software rPUx, + /{usr/,}share/libpam-kwallet-common/pam_kwallet_init rPUx, /{usr/,}lib/update-notifier/ubuntu-advantage-notification rPx, + /{usr/,}lib/@{multiarch}/libexec/kdeconnectd rPUx, + /{usr/,}lib/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx, + @{libexec}/deja-dup/deja-dup-monitor rPUx, @{libexec}/at-spi-bus-launcher rPx, @{libexec}/evolution-data-server/evolution-alarm-notify rPx, @{libexec}/gsd-* rPx, @@ -114,8 +191,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/share/gnome/autostart/{,*.desktop} r, /usr/share/icons/{,**} r, /usr/share/mime/mime.cache r, - /usr/share/ubuntu/applications/{,*.desktop} r, + /usr/share/*ubuntu/applications/{,*.desktop} r, + /usr/share/*ubuntu/applications/mimeinfo.cache r, /usr/share/X11/xkb/{,**} r, + /usr/share/session-migration/scripts/{,*} r, /etc/gnome/defaults.list r, /etc/xdg/autostart/{,*.desktop} r, @@ -125,11 +204,14 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.config/gnome-session/ rw, /var/lib/gdm{3,}/.config/gnome-session/saved-session/ rw, /var/lib/gdm{3,}/.local/share/applications/{,**} r, + /var/lib/gdm{3,}/.local/share/session_migration-* r, /var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r, /var/lib/flatpak/exports/share/applications/{,**} r, + owner /tmp/dirs-?????? rw, + owner @{user_config_dirs}/autostart/{,*.desktop} r, owner @{user_config_dirs}/gnome-session/ rw, owner @{user_config_dirs}/gnome-session/saved-session/ rw, diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl index bf073f989..608c00245 100644 --- a/apparmor.d/groups/gnome/gnome-session-ctl 
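Review bot: The first hunk leaves a commented-out rule `# /{usr/,}bin/gnome-software rPUx,` at column 0 in the middle of the exec list; either drop it or indent it and say why it is disabled. The six new `rPUx` entries (parcellite, baloo_file, pam_kwallet_init, kdeconnectd, xapp-sn-watcher, deja-dup-monitor) fall back to running the child unconfined when no profile for it is loaded, unlike the surrounding `rPx` lines which fail closed; a one-line comment above the group such as `# No dedicated profile yet: fall back to unconfined` would record that this widening is deliberate. The profile block continues outside these hunks.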
+++ b/apparmor.d/groups/gnome/gnome-session-ctl @@ -10,6 +10,23 @@ include profile gnome-session-ctl @{exec_path} { include + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=Hello + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/systemd[0-9]* + interface=org.freedesktop.systemd[0-9]*.Manager + member={StartUnit,StopUnit} + peer=(name=org.freedesktop.systemd[0-9]*), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=Initialized + peer=(name=org.gnome.SessionManager, label=gnome-session-binary), + + unix (send, receive, connect) type=stream peer=(addr=@/tmp/dbus-*, label=dbus-daemon), + @{exec_path} mr, owner @{run}/user/@{uid}/bus rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 1ff379b48..e875a59e1 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
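Review bot: The `org.freedesktop.systemd[0-9]*.Manager` send rule uses `peer=(name=org.freedesktop.systemd[0-9]*)` with no label, whereas the equivalent rule added to gnome-session-binary in this commit pins `label=unconfined` for the same peer; pinning it here as well keeps the two profiles consistent and documents the expectation that the user's systemd is unconfined. The `unix (send, receive, connect) type=stream peer=(addr=@/tmp/dbus-*, label=dbus-daemon),` rule is the only abstract-socket rule in the hunk and would read better with a short comment naming what it is for, presumably the session bus socket. The enclosing profile continues past the hunk.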
@@ -46,6 +46,30 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), unix (send,receive) type=stream addr=none peer=(label=xkbcomp), unix (send,receive) type=stream addr=none peer=(label=xwayland), + unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-*", label=ibus-daemon), + + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/ interface=org.freedesktop.DBus + member=ListNames + peer=(name=org.freedesktop.DBus label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetConnectionUnixUser, + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName,ListNames} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**} interface=org.freedesktop.{DBus.Properties,login[0-9].*}, @@ -56,7 +80,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} interface=org.freedesktop.{DBus.Properties,Accounts*} - member={GetAll,FindUserByName,Changed,PropertiesChanged}, + member={GetAll,FindUserByName,Changed,PropertiesChanged,FindUserById,ListCachedUsers,UserAdded}, dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} interface=org.freedesktop.DBus.Properties 
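Review bot: The `ListNames` rule in the first hunk writes `peer=(name=org.freedesktop.DBus label=dbus-daemon)` without the comma used two rules later in `peer=(name=org.freedesktop.DBus, label=dbus-daemon)`, and it alone uses `path=/` where the other org.freedesktop.DBus rules use `path=/org/freedesktop/DBus`; if both came straight from the audit log they are fine, but the divergence deserves a comment so it is not "fixed" later. The new ibus unix rule covers only `@/var/lib/gdm{3,}/.cache/ibus/dbus-*`, i.e. the greeter's cache; if gnome-shell also talks to ibus-daemon in a user session, the `@{user_cache_dirs}/ibus/dbus-*` counterpart is presumably needed too. The enclosing profile starts before these hunks.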
@@ -66,55 +90,403 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.{DBus.Properties,GeoClue2.Manager} member={PropertiesChanged,AddAgent,GetAll}, - dbus send bus=system path=/org/freedesktop + dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects, + member=GetManagedObjects + peer=(name=:*, label=NetworkManager), - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=GetConnectionUnixUser, + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name=:*, label=NetworkManager), + + dbus send bus=system path=/org/gnome/DisplayManager/Manager + interface=org.{freedesktop.DBus.Properties,gnome.DisplayManager.Manager} + member={RegisterSession,Get,GetAll,OpenReauthenticationChannel,OpenSession}, dbus send bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.DBus.Properties member=GetAll, - dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* - interface=org.freedesktop.NetworkManager.Settings.Connection - member=GetSettings, + dbus receive bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gjs-console), - dbus send bus=system path=/org/gnome/DisplayManager/Manager - interface=org.{freedesktop.DBus.Properties,gnome.DisplayManager.Manager} - member={RegisterSession,Get,GetAll,OpenReauthenticationChannel}, + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-keyring-daemon), + + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.Secret.Service + member=SearchItems + peer=(name=:*, label=gnome-keyring-daemon), dbus send bus=system path=/net/hadess/{PackageKit,PowerProfiles,SwitcherooControl} 
interface=org.freedesktop.DBus.Properties member=GetAll, + dbus send bus=system path=/org/freedesktop/locale[0-9]* + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.locale[0-9]*), # all peer's labels + + dbus send bus=session path=/org/gnome/SettingsDaemon/Power + interface=org.freedesktop.DBus.Properties + member={GetAll,Set} + peer=(name=:*, label=gsd-power), + + dbus receive bus=session path=/org/gnome/SettingsDaemon/Power + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=gsd-power), + dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member=GetDefaultDevice, - dbus send bus=system path=/org/freedesktop/NetworkManager{,/AgentManager} + dbus send bus=system path=/org/freedesktop/NetworkManager/Devices/[0-9]* + interface=org.freedesktop.NetworkManager.Device + member=Disconnect + peer=(name=:*, label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]* + interface=org.freedesktop.NetworkManager.Connection.Active + member=StateChanged + peer=(name=:*, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings + peer=(name=:*, label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* + interface=org.freedesktop.NetworkManager.Settings.Connection + member=Updated + peer=(name=:*, label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/NetworkManager/SecretAgent + interface=org.freedesktop.NetworkManager.SecretAgent + member={SaveSecrets,DeleteSecrets} + peer=(name=:*, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager{,/AgentManager} interface=org.freedesktop.NetworkManager{,.AgentManager} member={Unregister,RegisterWithCapabilities,GetPermissions}, + dbus send 
bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=ActivateConnection + peer=(name=:*, label=NetworkManager), + dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions, - dbus receive bus=system path=/org/freedesktop/NetworkManager/{Devices,DHCP{4,6}Config,IP{4,6}Config}/[0-9]* + dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, + member=PropertiesChanged + peer=(name=:*, label=NetworkManager), - dbus receive bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, - - dbus receive bus=system - path=/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent interface=org.freedesktop.PolicyKit[0-9].AuthenticationAgent member=BeginAuthentication, - + + dbus send bus=session path=/org/freedesktop/systemd[0-9]* + interface=org.freedesktop.systemd[0-9]*.Manager + member={GetUnit,StartUnit,StartTransientUnit} + peer=(name=org.freedesktop.systemd[0-9]*), # all peer's labels + + dbus receive bus=session path=/org/freedesktop/systemd[0-9]* + interface=org.freedesktop.systemd[0-9]*.Manager + member=JobRemoved + peer=(name=:*), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member={GetResources,GetCrtcGamma} + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member={GetResources,GetCrtcGamma} + peer=(name=:*, label="{gsd-power,gsd-color}"), + + dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member=GetCurrentState + peer=(name=:*, label=xdg-desktop-portal-*), + + dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig 
+ interface=org.gnome.Mutter.DisplayConfig + member=GetCurrentState + peer=(name=:*, label="{spice-vdagent,gsd-xsettings}"), + + dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.freedesktop.DBus.Properties + member={GetAll,GetResources,Set} + peer=(name=:*, label="{gsd-power,gsd-color,xdg-desktop-portal-*}"), + + dbus receive bus=session path={/org/gnome/Shell/Screenshot,/org/gnome/Shell/Introspect,/org/gtk/Notifications,/org/gnome/Mutter/RemoteDesktop,/org/gnome/Mutter/ScreenCast} + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:* label=xdg-desktop-portal-*), + + dbus receive bus=session path=/org/gnome/Shell/Introspect + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=:*, label=gsd-xsettings), + + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gjs-console), + + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member={ActiveChanged,WakeUpScreen} + peer=(name=org.freedesktop.DBus, label=gjs-console), + + dbus receive bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-media-keys), + + dbus send bus=session path=/org/gnome/Shell + interface=org.gnome.Shell + member=AcceleratorActivated + peer=(name=:*, label=gsd-media-keys), + + dbus receive bus=session path=/org/gnome/Shell + interface=org.gnome.Shell + member={GrabAccelerators,UngrabAccelerators} + peer=(name=:*, label=gsd-media-keys), + + dbus send bus=session path=/org/gnome/Shell/Introspect + interface=org.gnome.Shell.Introspect + member={RunningApplicationsChanged,WindowsChanged} + peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal-*), + + dbus receive bus=session path=/org/gnome/Shell/Introspect + interface=org.gnome.Shell.Introspect + member=GetRunningApplications + peer=(name=:*, label=xdg-desktop-portal-*), + + dbus receive bus=session 
path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-desktop-portal), + + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-permission-store), + + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.impl.portal.PermissionStore + member=Lookup + peer=(name=:*, label=xdg-permission-store), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/**} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Presence + interface=org.gnome.SessionManager.Presence + member=StatusChanged + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/EndSessionDialog + interface=org.gnome.SessionManager.EndSessionDialog + member={Canceled,Closed,ConfirmedLogout,ConfirmedReboot,ConfirmedShutdown} + peer=(name=org.freedesktop.DBus, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/EndSessionDialog + interface=org.gnome.SessionManager.EndSessionDialog + member={Open,Close} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=Setenv + peer=(name=org.gnome.SessionManager, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={CanShutdown,Shutdown,Reboot,Logout} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session 
path=/org/gnome/SessionManager/Inhibitor[0-9]* + interface=org.gnome.SessionManager.Inhibitor + member=GetAppId + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*), # all paths and peer's labels + + dbus receive bus=session path={/,/org,/StatusNotifierWatcher} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), # itself + + dbus (send, receive) bus=session path=/org/gnome/SettingsDaemon/Rfkill + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gsd-rfkill), + + dbus send bus=session path=/org/gnome/SettingsDaemon/Color + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-color), + + dbus send bus=session path=/org/gnome/SettingsDaemon/Wacom + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-wacom), + + dbus send bus=session path=/org/gnome/SettingsDaemon/Smartcard + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-smartcard), + + dbus send bus=session path=/org/gnome/SettingsDaemon/Smartcard + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=gsd-smartcard), + + dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label="{gnome-session-binary,gsd-power}"), + + dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core + interface=org.gnome.Mutter.IdleMonitor + member=WatchFired + peer=(name=:*, label="{gnome-session-binary,gsd-power}"), + + dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core + interface=org.gnome.Mutter.IdleMonitor + member={AddIdleWatch,AddUserActiveWatch,RemoveWatch} + peer=(name=:*, label="{gnome-session-binary,gsd-power}"), + + dbus receive bus=session 
path=/com/rastersoft/dingextension/control + interface=org.gtk.Actions + member=DescribeAll + peer=(name=:*, label=gnome-extension-ding), + + dbus send bus=session path=/com/rastersoft/ding + interface=org.gtk.Actions + member=DescribeAll + peer=(name=:*, label=gnome-extension-ding), + + dbus send bus=session path=/com/rastersoft/ding + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-extension-ding), + + dbus send bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member=Change + peer=(name=ca.desrt.dconf), # no peer's labels + + dbus receive bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member=Notify + peer=(name=:*, label=dconf-service), + + dbus send bus=session path=/org/gnome/ControlCenter + interface=org.gtk.Actions + member=DescribeAll + peer=(name=:*, label=gnome-control-center), + + dbus send bus=session path=/org/gnome/ControlCenter + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-control-center), + + dbus receive bus=session path=/org/gnome/ControlCenter + interface=org.gtk.Actions + member=Changed + peer=(name=:*, label=gnome-control-center), + + dbus send bus=session path=/org/gnome/ControlCenter/window/[0-9]* + interface=org.gtk.Actions + member=DescribeAll + peer=(name=:*, label=gnome-control-center), + + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member={Remove,GetTreeFromDevice} + peer=(name=:*, label=gvfsd-metadata), + + dbus receive bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=Mounted + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all 
peer's labels + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={List,IsSupported} + peer=(name=:*, label=gvfs-*-volume-monitor), + + dbus bind bus=session + name=org.gnome.Shell{,*}, + + dbus bind bus=session + name=com.rastersoft.dingextension, + + dbus bind bus=session + name=org.gnome.Mutter.{DisplayConfig,IdleMonitor,ScreenCast,RemoteDesktop}, + + dbus bind bus=session + name=org.gtk.MountOperationHandler, + + dbus bind bus=session + name=org.gtk.Notifications, + + dbus bind bus=session + name=org.gnome.keyring.SystemPrompter, + + dbus bind bus=session + name=com.canonical.Unity, + + dbus bind bus=session + name=org.kde.StatusNotifierWatcher, + @{exec_path} mr, /{usr/,}bin/Xwayland rPx, @@ -132,6 +504,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/evolution-data-server/icons/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, + /usr/share/gdm/BuiltInSessions/{,*.desktop} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/{,**} r, /usr/share/libgweather/Locations.xml r, 
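Review bot: `dbus bind bus=session name=org.gnome.Shell{,*}` expands to `org.gnome.Shell` or `org.gnome.Shell*`, and since `*` already matches the empty string this is just a prefix glob that also covers unrelated names such as org.gnome.ShellFoo; if the intent is the shell's own sub-names, `name=org.gnome.Shell{,.*}` is the narrower form. Several `peer=(...)` lists in this hunk omit the comma between `name=` and `label=` (for example the Screenshot/Introspect/Notifications receive rule with `peer=(name=:* label=xdg-desktop-portal-*)`) while the rest include it; one form throughout would be easier to grep. The path-less `dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*)` is read-only and its `# all paths and peer's labels` comment makes the width explicit, which is the right way to document such a grant. The enclosing profile starts and ends outside the hunk.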
@@ -142,6 +515,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/ubuntu/applications/{,*.desktop} r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, + /usr/share/desktop-base/** r, /.flatpak-info r, /etc/fstab r, @@ -153,6 +527,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw, /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk, /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, + /var/lib/gdm{3,}/.cache/libgweather/ r, + /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.config/ibus/ rw, /var/lib/gdm{3,}/.config/ibus/bus/ rw, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 560fbeb9e..fa814152c 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -13,6 +13,9 @@ profile gnome-shell-calendar-server @{exec_path} { include include + dbus bind bus=session + name=org.gnome.Shell.CalendarServer, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 20ca500e2..3238d3882 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -18,6 +18,9 @@ profile gnome-terminal-server @{exec_path} { signal (send) set=(term hup kill) peer=unconfined, + dbus bind bus=session + name=org.gnome.Terminal, + @{exec_path} mr, # The shell is not confined on purpose. @@ -46,4 +49,4 @@ profile gnome-terminal-server @{exec_path} { /dev/ptmx rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 602cee7ad..e7eed0bd5 100644 
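Review bot: The new `/var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk,` rule in the `@@ -153,6 +527,8 @@` hunk hardcodes the build triplet, so it only matches on x86_64 installs, while the gsd-power profile in this same commit covers the same cache file with `/var/lib/gdm{3,}/.cache/event-sound-cache.tdb.* rwk,`. Using that pattern here keeps the two profiles consistent and portable to other architectures; if a narrower match is preferred, the project's multiarch tunable (where one is defined) can stand in for the literal triplet. The enclosing gnome-shell profile continues past this hunk.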
--- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -25,6 +25,11 @@ profile goa-daemon @{exec_path} { network inet6 dgram, network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member={PropertiesChanged,GetAll}, @@ -33,10 +38,35 @@ profile goa-daemon @{exec_path} { interface=org.freedesktop.NetworkManager member={CheckPermissions,StateChanged}, + dbus send bus=session path=/org/gnome/Identity + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=goa-identity-service), + + dbus receive bus=session path=/org/gnome/OnlineAccounts + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label="{gvfs-goa-volume-monitor,goa-daemon,goa-identity-service,unconfined}"), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Identity/Manager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=goa-identity-service), + + dbus bind bus=session + name=org.gnome.OnlineAccounts, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, + /var/lib/gdm{3,}/.config/dconf/user r, + owner @{user_config_dirs}/goa-1.0/ rw, owner @{user_config_dirs}/goa-1.0/accounts.conf* rw, diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index c7b98a84a..a92b86859 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service 
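Review bot: The `GetManagedObjects` receive rule on `/org/gnome/OnlineAccounts` lists `unconfined` in its peer label set, which accepts the call from every unconfined process on the session bus rather than from a named client, while the other three labels in the same set enumerate specific peers. If that is intentional, a comment on the line naming the caller, e.g. `# unconfined: <client without a profile yet> calls GetManagedObjects`, would keep a later cleanup from dropping it; otherwise the actual peer label is the tighter choice. Listing `goa-daemon` itself in the set is also worth a word, since it states that the daemon queries its own object manager. The enclosing profile continues past this hunk.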
@@ -12,6 +12,34 @@ profile goa-identity-service @{exec_path} { include include + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path=/org/gnome/Identity + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=goa-daemon), + + dbus send bus=session path=/org/gnome/OnlineAccounts + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=goa-daemon), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Identity/Manager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=goa-daemon), + + dbus bind bus=session + name=org.gnome.Identity, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 2c7c85504..196177821 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings 
@@ -14,6 +14,44 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.A11ySettings, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, @@ -21,6 +59,7 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { /usr/share/glib-2.0/schemas/gschemas.compiled r, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 3f14d3eaf..eac978521 100644 --- a/apparmor.d/groups/gnome/gsd-color 
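Review bot: The block of gnome-session-binary rules added here (`RegisterClient`, the `ClientAdded`/`InhibitorAdded` signal set, the Properties `GetAll`/`PropertiesChanged` pair, `EndSessionResponse` and the `ClientPrivate` receive) is repeated verbatim in the gsd-color, gsd-datetime, gsd-housekeeping, gsd-keyboard, gsd-media-keys, gsd-power and gsd-print-notifications hunks of this commit, and the member list already drifts between copies: `{ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded}` here versus `{ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded}` in gsd-datetime and `{ClientAdded,SessionRunning,ClientRemoved,InhibitorAdded,InhibitorRemoved}` in gsd-power. The brace set is unordered, so the kernel sees the same policy, but the differences defeat a plain diff between profiles. These profiles already pull shared rules through `include` lines, so moving this block into one shared abstraction included from each gsd-* profile would keep the eight copies in step and make a future member change a one-line edit. The enclosing profile continues past this hunk.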
+++ b/apparmor.d/groups/gnome/gsd-color @@ -18,6 +18,16 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus (send, receive) bus=system path=/org/freedesktop/ColorManager{,/devices/*} interface=org.freedesktop.ColorManager*, 
@@ -25,6 +35,89 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=GetAll, + dbus receive bus=session path=/org/gnome/SettingsDaemon/Color + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member={GetResources,GetCrtcGamma} + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus send bus=session 
path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Color, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 119998b77..f92f53554 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime 
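Review bot: The accessibility-bus block added here (`org.a11y.Bus` `GetAddress`, the three `org.a11y.atspi` sends to `org.a11y.atspi.Registry` and the `EventListenerDeregistered` receive from at-spi2-registryd) is the same set that appears in the gsd-keyboard, gsd-power and gnome-shell hunks of this commit, each time paired with the `{Hello,AddMatch,RemoveMatch}` send to dbus-daemon on the accessibility bus from the first hunk of this file. Any further client that initialises at-spi will presumably need the identical rules, so a shared abstraction included from each profile would be the usual home for them in this tree rather than a fourth verbatim copy. The `# all peer's labels` comments record that these sends carry no label constraint, which is worth keeping on the shared copy so the relaxation stays visible. The enclosing profile continues past this hunk.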
@@ -14,6 +14,44 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Datetime, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index 28175182b..9943fdfd0 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify 
@@ -12,6 +12,11 @@ profile gsd-disk-utility-notify @{exec_path} { include include + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus receive bus=system path=/org/freedesktop/UDisks2{,/**} interface=org.freedesktop.DBus.{Properties,ObjectManager}, @@ -19,6 +24,9 @@ profile gsd-disk-utility-notify @{exec_path} { interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects, + dbus bind bus=session + name=org.gnome.Disks.NotificationMonitor, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 9e0146319..ba966ed9c 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping 
@@ -17,6 +17,49 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(term, hup) peer=gnome*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Housekeeping, + @{exec_path} mr, /etc/fstab r, 
@@ -29,6 +72,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/applications/ rw, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, owner @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index a278f2b3f..e9c409367 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard 
@@ -18,10 +18,83 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/locale[0-9] interface=org.freedesktop.DBus.Properties member=GetAll, + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry + 
interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Keyboard, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, @@ -31,6 +104,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { /usr/share/X11/xkb/** r, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/gdm{3,}/.config/.gsd-keyboard.settings-ported* rw, owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 051d2653f..81b73a7ea 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -10,8 +10,9 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include - include include + include + include include include include 
@@ -21,17 +22,27 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.DBus.Properties member=GetAll, - dbus send bus=system path=/org/freedesktop/login[0-9] + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member=Inhibit, - dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} - interface=org.freedesktop.DBus.Properties - member=GetAll, + dbus send bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member=PowerOff, + + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionNew,SessionRemoved,PrepareForShutdown,UserNew,UserRemoved,PrepareForSleep} + peer=(name=:*, label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.DBus.Properties 
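Review bot: The logind send rules on the new side of this hunk (`member=Inhibit` and the moved `member=PowerOff` on `org.freedesktop.login[0-9].Manager`) carry no peer constraint, while the receive rule added directly below them pins `peer=(name=:*, label=systemd-logind)`. PowerOff is a privileged request, so pinning the send side to the same peer, `peer=(name=org.freedesktop.login[0-9], label=systemd-logind)`, would match the new receive rule and the peer-labelled style the rest of this commit uses. The swap of the PowerOff and UPower `GetAll` rules between this hunk and the next otherwise reads as a pure move. The enclosing profile continues past this hunk.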
@@ -41,13 +52,107 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=Get, - dbus send bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager - member=PowerOff, + dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} + interface=org.freedesktop.DBus.Properties + member=GetAll, - dbus receive bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager - member={SessionNew,SessionRemoved,PrepareForShutdown}, + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Shell + interface=org.gnome.Shell + 
member={GrabAccelerators,UngrabAccelerators} + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Shell + interface=org.gnome.Shell + member=AcceleratorActivated + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-rfkill), + + dbus send bus=session path=/ + interface=org.freedesktop.DBus + member=ListNames + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gnome/SettingsDaemon/Power + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-power), + + dbus receive bus=session path=/org/gnome/SettingsDaemon/Power + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=gsd-power), + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + + dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core + interface=org.gnome.Mutter.IdleMonitor + member=WatchFired + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.MediaKeys, @{exec_path} mr, 
@@ -66,6 +171,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/recently-used.xbel{,.*} rw, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/gdm{3,}/.config/pulse/client.conf r, /var/lib/gdm{3,}/.config/pulse/cookie rk, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 1cf7670f9..f9a721eaf 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -21,6 +21,16 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**} interface=org.freedesktop.{DBus.Properties,UPower*}, 
@@ -44,17 +54,121 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.login[0-9].Manager member=Inhibit, - dbus send bus=system path=/net/hadess/PowerProfiles - interface=org.freedesktop.DBus.Properties - member=GetAll, + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={SessionNew,SessionRemoved,PrepareForShutdown,UserNew,UserRemoved,PrepareForSleep} + peer=(name=:*, label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.DBus.Properties member=PropertiesChanged, - dbus receive bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager - member={SessionNew,SessionRemoved,PrepareForShutdown}, + dbus send bus=system path=/net/hadess/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorAdded,InhibitorRemoved} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + 
interface=org.freedesktop.DBus.Properties + member={GetAll,GetResources,Set} + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*, label=gsd-power), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member=GetResources + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus (send, receive) bus=session path=/org/gnome/SettingsDaemon/Power + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged,Set} + peer=(name="{org.freedesktop.DBus,:*}", label="{gsd-media-keys,gnome-shell}"), + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + + dbus send bus=session path=/org/gnome/Mutter/IdleMonitor + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core + interface=org.gnome.Mutter.IdleMonitor + member={AddIdleWatch,AddUserActiveWatch,RemoveWatch} + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session 
path=/org/gnome/Mutter/IdleMonitor/Core + interface=org.gnome.Mutter.IdleMonitor + member=WatchFired + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member=ActiveChanged + peer=(name=:*, label=gjs-console), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Power, @{exec_path} mr, @@ -64,9 +178,12 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { /usr/share/icons/{,**} r, /usr/share/X11/xkb/** r, + /var/lib/gdm{3,}/.config/pulse/ rw, + /var/lib/gdm{3,}/.config/pulse/cookie rwk, /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.* rwk, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.config/pulse/client.conf r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index cf9a4654e..4445412e1 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications 
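Review bot: The first `/org/gnome/Mutter/DisplayConfig` rule in the `@@ -44,17 +54,121 @@` hunk lists `GetResources` under `interface=org.freedesktop.DBus.Properties`, but that member belongs to `org.gnome.Mutter.DisplayConfig`, which the third DisplayConfig rule in the same hunk already allows, so the entry is dead there and the rule should read `member={GetAll,Set}`. The second DisplayConfig rule, `member=Set` with `peer=(name=:*, label=gsd-power)`, names gsd-power's own label as the peer on a Mutter object path; the `Set` to gnome-shell on the line above already covers the call, so this looks like a mis-attributed log line and is worth confirming before it stays. The enclosing profile continues past this hunk.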
@@ -19,25 +19,63 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, signal (send) set=(hup) peer=gsd-printer, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus (send,receive) bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* interface=org.freedesktop.Avahi.ServiceBrowser member={CacheExhausted,AllForNow,CacheExhausted,AllForNow,Free}, - dbus send bus=system path=/ + dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping, - dbus send bus=system path=/ + dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,ServiceBrowserNew}, - dbus receive bus=system path=/org/cups/cupsd/Notifier - interface=org.cups.cupsd.Notifier, - dbus receive bus=system path=/ interface=org.freedesktop.Avahi.Server member=StateChanged, + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier, + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + 
interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.PrintNotifications, + @{exec_path} mr, @{libexec}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index 9167de2fc..6411d0100 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -30,10 +30,20 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { interface=org.gnome.SessionManager peer=(name=:*), - dbus send bus=session path=/org/gnome/SessionManager + dbus send bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*), + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={EndSession,QueryEndSession,CancelEndSession,Stop} + peer=(name=:*, label=gnome-session-binary), dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 52d98363e..11085fccd 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill 
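Review bot: The system-bus Avahi rules this hunk rewrites (`dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping,` and the `org.freedesktop.Avahi.Server` / `ServiceBrowser` rules) still carry no `peer=` constraint, while every session-bus rule added below them is pinned to a label. Adding `peer=(label=avahi-daemon)` to each would follow the same pattern, since these only ever talk to the Avahi daemon. Separately, the unchanged `member={CacheExhausted,AllForNow,CacheExhausted,AllForNow,Free}` lists two members twice and can be reduced to `member={CacheExhausted,AllForNow,Free}`.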
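Review bot: The `GetAll` rule now pins `peer=(name=:*, label=gnome-session-binary)`, but the rule immediately above it (`interface=org.gnome.SessionManager peer=(name=:*),`, whose first line lies outside the hunk) still accepts any label; both talk to the same session manager, so it should get the same label. The member order `{EndSession,QueryEndSession,CancelEndSession,Stop}` also differs from the `{CancelEndSession,QueryEndSession,EndSession,Stop}` used in the sibling gsd-* profiles of this commit; harmless, but one canonical order makes the copies easier to diff.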
@@ -16,6 +16,11 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/hostname[0-9] interface=org.freedesktop.DBus.Properties member=Get, 
@@ -36,6 +41,49 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=PropertiesChanged, + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label="{gsd-media-keys,gnome-shell}"), + + dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=org.freedesktop.DBus, label=gnome-shell), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Rfkill, + @{exec_path} mr, /sys/devices/virtual/misc/rfkill/uevent r, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index b0d8a5526..e92ec8f6f 100644 
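Review bot: The new `dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=org.freedesktop.DBus, label=gnome-shell),` only lets the signal reach gnome-shell, while the `GetAll` receive rule on the same path admits `{gsd-media-keys,gnome-shell}`. If gsd-media-keys also subscribes to those property changes (it reads them, so it plausibly does), that emission will be denied once enforced; `label="{gsd-media-keys,gnome-shell}"` on the send rule would mirror the receive rule, as the gsd-power hunk in this commit already does for its Power object.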
--- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -13,6 +13,47 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.freedesktop.ScreenSaver, + + dbus bind bus=session + name=org.gnome.SettingsDaemon.ScreensaverProxy, + @{exec_path} mr, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 0973a395b..3f6c92fbd 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing 
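Review bot: The hunk adds `dbus bind bus=session name=org.freedesktop.ScreenSaver,` but no receive rule for the `org.freedesktop.ScreenSaver` interface, and that name exists precisely so arbitrary applications can call it; unless a rule outside this hunk already covers it, those calls will be denied once the profile enforces. A matching `dbus receive bus=session path=/org/freedesktop/ScreenSaver interface=org.freedesktop.ScreenSaver peer=(name=:*),` with a comment noting that callers cannot be labelled would complete the bind.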
@@ -16,25 +16,88 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, - dbus send bus=system path=/org/freedesktop + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects, + member=GetManagedObjects + peer=(name=:*, label=NetworkManager), - dbus send bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.NetworkManager - member=GetPermissions, + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name=:*, label=NetworkManager), - dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9] + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]* + interface=org.freedesktop.NetworkManager.Connection.Active + member=StateChanged + peer=(name=:*, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* interface=org.freedesktop.NetworkManager.Settings.Connection - member=GetSettings, + member=GetSettings + peer=(name=:*, label=NetworkManager), - dbus receive bus=system path=/org/freedesktop/NetworkManager{,/{Devices,DHCP{4,6}Config,IP{4,6}Config}/[0-9]*} + dbus receive bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* + interface=org.freedesktop.NetworkManager.Settings.Connection + member=Updated + peer=(name=:*, label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, + member=PropertiesChanged + peer=(name=:*, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=GetPermissions + 
peer=(name=:*, label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager - member=CheckPermissions, + member=CheckPermissions + peer=(name=:*, label=NetworkManager), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/**} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/freedesktop/systemd[0-9]* + interface=org.freedesktop.systemd[0-9]*.Manager + member=StopUnit + peer=(name=org.freedesktop.systemd[0-9]*), # all peer's labels + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Sharing, @{exec_path} mr, @@ -43,6 +106,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { /usr/share/glib-2.0/schemas/gschemas.compiled r, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, owner /dev/tty[0-9]* rw, 
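Review bot: The new `dbus send bus=session path=/org/freedesktop/systemd[0-9]* interface=org.freedesktop.systemd[0-9]*.Manager member=StopUnit peer=(name=org.freedesktop.systemd[0-9]*),` lets gsd-sharing stop any unit of the user's systemd instance, which is a broader capability than anything else in the profile, and AppArmor cannot scope it to particular unit names. A one-line comment naming the units it actually stops would let a reader judge the grant, and the `# all peer's labels` remark reads as misleading here since the user manager itself is presumably the only holder of that name. Note also that the receive rule was widened from the explicit `{Devices,DHCP{4,6}Config,IP{4,6}Config}/[0-9]*` subpaths to `/org/freedesktop/NetworkManager{,/**}`; reasonable for `PropertiesChanged` signals, but worth a word in the commit message.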
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 09a91c681..6eb8f8bee 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard 
@@ -9,12 +9,61 @@ include @{exec_path} = @{libexec}/gsd-smartcard profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include + include include include include signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SettingsDaemon/Smartcard + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/SettingsDaemon/Smartcard + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Smartcard, + @{exec_path} mr, 
/usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 9d6045458..c84b8338e 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -15,6 +15,49 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Sound, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, 
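Review bot: The profile binds `org.gnome.SettingsDaemon.Smartcard` and lets gnome-shell call `GetManagedObjects` on it, but no rule lets gsd-smartcard emit the `org.freedesktop.DBus.ObjectManager` signals (`InterfacesAdded`/`InterfacesRemoved`) that an ObjectManager consumer normally subscribes to after the initial enumeration. If those show up as denials, `dbus send bus=session path=/org/gnome/SettingsDaemon/Smartcard interface=org.freedesktop.DBus.ObjectManager member={InterfacesAdded,InterfacesRemoved} peer=(name=org.freedesktop.DBus, label=gnome-shell),` would be the matching addition.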
diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 43c58791e..a6d386c91 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include + include include include include 
@@ -17,6 +18,84 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus (send, receive) bus=session path=/org/gnome/SessionManager{,/Client[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=RegisterClient + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + 
member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus receive bus=session path=/org/gnome/SettingsDaemon/Wacom + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus bind bus=session + name=org.gnome.SettingsDaemon.Wacom, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, @@ -33,6 +112,7 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/wayland-[0-9] rw, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 56a5614ed..c196b33cd 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,8 +9,9 @@ include @{exec_path} = @{libexec}/gsd-xsettings profile gsd-xsettings @{exec_path} { include - include include + include + include include include include 
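Review bot: The added `dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch} peer=(name=org.freedesktop.DBus, label=dbus-daemon),` is the generic bus-connection handshake rather than anything wacom-specific, and the gsd-power and gsd-xsettings profiles in this same commit use the identical accessibility-bus rules without it. Either those two are missing it, or it belongs in whichever abstraction the new include line in the `@@ -9,6 +9,7 @@` hunk pulls in; dropping it here (or moving it to that abstraction) keeps the three a11y rule sets identical and diffable.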
@@ -26,6 +27,11 @@ profile gsd-xsettings @{exec_path} { network inet6 dgram, network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName,GetId} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.Accounts.User member={SetInputSources,Changed,GetAll}, 
@@ -34,10 +40,81 @@ profile gsd-xsettings @{exec_path} { interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged}, - dbus send bus=system path=/org/freedesktop/Accounts + dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member=FindUserByName, + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member={UserAdded,UserRemoved} + peer=(name=:*, label=accounts-daemon), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,ClientRemoved,SessionRunning} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]* + interface=org.gnome.SessionManager.ClientPrivate + member={EndSession,QueryEndSession,CancelEndSession,Stop} + peer=(name=:*, label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-session-binary), + + dbus receive bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*), # many peer's labels + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + 
interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member=GetCurrentState + peer=(name=org.gnome.Mutter.DisplayConfig, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Shell/Introspect + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.gnome.Shell.Introspect, label=gnome-shell), + + dbus bind bus=session + name=org.gtk.Settings, + + dbus bind bus=session + name=org.gnome.SettingsDaemon.XSettings, + @{exec_path} mr, /{usr/,}bin/cat rix, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 99799a9c4..7ab9958ce 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/tracker-extract-3 -profile tracker-extract @{exec_path} { +profile tracker-extract @{exec_path} flags=(complain) { include include include 
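Review bot: The whitespace-only rewrite of `dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member=FindUserByName,` leaves it as the one Accounts rule without a peer constraint, while the `UserAdded`/`UserRemoved` receive rule added right below it pins `label=accounts-daemon`; adding `peer=(label=accounts-daemon)` to the send rule (and to the `/org/freedesktop/Accounts/User[0-9]*` rules above it) would make the set consistent. The `dbus receive bus=session path=/org/gtk/Settings ... peer=(name=:*), # many peer's labels` rule is justified because gsd-xsettings serves that name to every GTK client, but the comment would be clearer as `# any client of org.gtk.Settings`.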
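Review bot: `profile tracker-extract @{exec_path} flags=(complain) {` switches this profile from enforce to complain, so denials are now only logged, but nothing in the hunk records why. A comment above the profile line, e.g. `# complain: <reason or tracking issue>` with the actual reason filled in, prevents it from silently staying in complain mode. The same applies to the `flags=(attach_disconnected complain)` change to tracker-miner later in this commit.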
@@ -21,6 +21,46 @@ profile tracker-extract @{exec_path} { network netlink raw, + signal (receive) set=(term) peer=gdm, + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Tracker3.Miner.Files), + + dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.Tracker3.Endpoint + member=Query + peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), + + dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.Tracker3.Endpoint + member=GraphUpdated + peer=(name=:*, label=tracker-miner), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={List,IsSupported} + peer=(name=:*, label=gvfs-*-volume-monitor), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.freedesktop.Tracker3.Miner.Extract, + @{exec_path} mr, /usr/share/applications/*.desktop r, @@ -33,11 +73,15 @@ profile tracker-extract @{exec_path} { /usr/share/poppler/{,**} r, /usr/share/tracker3-miners/{,**} r, /usr/share/tracker3/{,**} r, + /usr/share/gvfs/remote-volume-monitors/{,*} r, + /etc/fstab r, /etc/libva.conf r, /var/lib/gdm{3,}/.cache/ rw, /var/lib/gdm{3,}/.cache/tracker3/{,**} rw, + /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw, + /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/snapd/desktop/applications/*.desktop r, 
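Review bot: `dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.DBus.Peer member=Ping peer=(name=org.freedesktop.Tracker3.Miner.Files),` lacks the `label=tracker-miner` that the `Query` rule on the same path and name carries; writing it as `peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner)` keeps the pair consistent and avoids pinging whichever other process might hold that name. The `GraphUpdated` receive rule with `name=:*` matches how signals are delivered and is fine as is.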
@@ -68,5 +112,8 @@ profile tracker-extract @{exec_path} { /dev/media[0-9]* r, /dev/video[0-9]* rw, + # file_inherit + owner /dev/tty[0-9]* rw, + include if exists } diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 4102052d6..3a7273b66 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/tracker-miner-fs-{,control-}3 -profile tracker-miner @{exec_path} { +profile tracker-miner @{exec_path} flags=(attach_disconnected complain) { include include include 
@@ -18,10 +18,61 @@ profile tracker-miner @{exec_path} { include include + signal (receive) set=(term, kill) peer=gdm, + signal (receive) set=(hup) peer=gdm-session-worker, + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} interface=org.freedesktop.DBus.Properties member=GetAll, + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member={ListMonitorImplementations,ListMountableInfo} + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=Mounted + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={List,IsSupported} + peer=(name=:*, label=gvfs-*-volume-monitor), + + dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=:*, label=tracker-extract), + + dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.Tracker3.Endpoint + member=GraphUpdated + peer=(name=org.freedesktop.DBus, label=tracker-extract), + + dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.Tracker3.Endpoint + member=Query + peer=(name=:*, label=tracker-extract), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.freedesktop.Tracker3.Miner.*, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, 
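Review bot: `dbus bind bus=session name=org.freedesktop.Tracker3.Miner.*,` is a wildcard that also covers `org.freedesktop.Tracker3.Miner.Extract`, the name the tracker-extract profile in this commit binds, so the two profiles can claim each other's names. Since `@{exec_path}` only covers the `-fs-3` and `-fs-control-3` binaries, enumerating the names they actually take (`org.freedesktop.Tracker3.Miner.Files` is the one visible in the tracker-extract rules; add the control binary's name alongside it) is tighter and documents intent.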
@@ -38,7 +89,8 @@ profile tracker-miner @{exec_path} { /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r, /var/lib/gdm{3,}/ r, - /var/lib/gdm{3,}/.cache/tracker3/tracker3/files/{,**} rwk, + /var/lib/gdm{3,}/.cache/tracker3/{,tracker3/}files/{,**} rwk, + /var/lib/gdm{3,}/.local/share/applications/ r, /var/lib/gdm{3,}/greeter-dconf-defaults r, owner /var/tmp/etilqs_@{hex} rw, @@ -59,5 +111,8 @@ profile tracker-miner @{exec_path} { @{run}/mount/utab r, + # file_inherit + owner /dev/tty[0-9]* rw, + include if exists } diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 31a90ffc9..81b0ab217 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent @@ -75,10 +75,13 @@ profile gpg-agent @{exec_path} { owner /tmp/tmp.*/gnupg/{,d.*/}S.gpg-agent rw, owner /tmp/tmp.*/gnupg/sshcontrol r, - owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fd/ r, # Silencer deny /{usr/,}bin/.gnupg/ w, + # file inherit + owner /dev/tty[0-9]* rw, + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index 1baa4eda1..2ec862700 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor 
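Review bot: Replacing `owner @{PROC}/@{pid}/fd/ r,` with `@{PROC}/@{pid}/fd/ r,` widens the rule from the agent's own fd listing to any process's, since `@{pid}` is a pattern rather than the caller's pid, and nothing in the hunk says why `owner` stopped matching. DAC on /proc still blocks other users' entries, so the practical widening is small, but a comment such as `# owner does not match when <case>, fill in` would record the reason. The new `# file inherit` comment is spelled `# file_inherit` in the tracker-extract and tracker-miner hunks of this commit; pick one.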
@@ -12,6 +12,24 @@ profile gvfs-afc-volume-monitor @{exec_path} { include include + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={List,IsSupported} + peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"), + + dbus receive bus=session path={/,/org/gtk/Private/RemoteVolumeMonitor} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gtk.vfs.AfcVolumeMonitor, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index d55fa7de2..67c24489f 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -12,6 +12,29 @@ profile gvfs-goa-volume-monitor @{exec_path} { include include + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={List,IsSupported} + peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"), + + dbus receive bus=session path={/,/org/gtk/Private/RemoteVolumeMonitor} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/OnlineAccounts + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=goa-daemon), + + dbus bind bus=session + name=org.gtk.vfs.GoaVolumeMonitor, + @{exec_path} mr, include if exists 
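Review bot: The five gvfs-*-volume-monitor hunks (afc and goa here, gphoto2, mtp and udisks2 in the following files) repeat the same caller list `label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"`, so every new caller has to be added in five places, and the `unconfined` entry already means any unconfined process may call `List`/`IsSupported`. A short comment on the list stating that `unconfined` is intentional, or a variable shared by the five profiles if the repository's tunables allow one inside a label, would help. The Introspect paths also drift between the five with no visible reason: `{/,/org/gtk/Private/RemoteVolumeMonitor}` for afc and goa, `{/,/org,/org/gtk/Private/RemoteVolumeMonitor}` for gphoto2 and mtp, and `{/,/org}` for udisks2; aligning them on the union is harmless.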
diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index b5844365d..044464378 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -16,6 +16,24 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={List,IsSupported} + peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"), + + dbus receive bus=session path={/,/org,/org/gtk/Private/RemoteVolumeMonitor} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gtk.vfs.GPhoto2VolumeMonitor, + @{exec_path} mr, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index 1163dd549..cc6ba3de4 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor 
@@ -15,6 +15,24 @@ profile gvfs-mtp-volume-monitor @{exec_path} { network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={List,IsSupported} + peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"), + + dbus receive bus=session path={/,/org,/org/gtk/Private/RemoteVolumeMonitor} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gtk.vfs.MTPVolumeMonitor, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 19f28dcb1..08d959c0c 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor 
@@ -31,6 +31,29 @@ profile gvfs-udisks2-volume-monitor @{exec_path} { interface=org.freedesktop.{DBus.*,UDisks2.*} peer=(label=udisksd), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={List,IsSupported} + peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gtk.vfs.UDisks2VolumeMonitor, + @{exec_path} mr, /{usr/,}bin/lsof rix, @@ -40,6 +63,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, + /var/lib/gdm{3,}/.config/dconf/user r, + / r, /etc/fstab r, /etc/machine-id r, diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index 18f55c822..1857d56b1 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd 
@@ -13,6 +13,43 @@ profile gvfsd @{exec_path} { include include + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=Mounted + peer=(name=org.freedesktop.DBus, label="{gvfsd-*,gnome-*,tracker-miner}"), + + dbus receive bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + peer=(name=:*), # all members + + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=ListMonitorImplementations + peer=(name=:*), # all peer's labels + + dbus send bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd-*), + + dbus receive bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]* + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd-*), + + dbus receive bus=session path={/,/org} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gtk.vfs.Daemon, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 0c83581b4..b1b98d214 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -14,6 +14,11 @@ profile gvfsd-dnssd @{exec_path} { include include + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member={Ping,GetAPIVersion,GetState,ServiceBrowserNew}, 
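Review bot: The `dbus receive` rule for `/org/gtk/vfs/mounttracker` on `interface=org.gtk.vfs.MountTracker` carries `peer=(name=:*)` with neither a label nor a member, so every session-bus peer may invoke any MountTracker method on gvfsd; the `# all members` comment documents the member side but not the unrestricted label, and the `ListMonitorImplementations` receive rule below it is unlabeled in the same way. The gvfsd-fuse, gvfsd-network and gvfsd-smb-browse hunks later in this commit pin the same interface to `label=gvfsd`, so either narrow this one to the callers the hunk itself already names elsewhere, for instance `peer=(name=:*, label="{gvfsd-*,gnome-*,tracker-miner}")`, or change the comment to say the open label set is intentional. The `member=Mounted` send rule combines `peer=(name=org.freedesktop.DBus, ...)` with concrete labels; if that is a broadcast signal, which peer field actually matches is worth confirming against the audit log.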
@@ -27,6 +32,29 @@ profile gvfsd-dnssd @{exec_path} { interface=org.freedesktop.Avahi.ServiceBrowser member={CacheExhausted,AllForNow}, + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*, label=gvfsd-network), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]* + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + + dbus bind bus=session + name=org.gtk.vfs.mountpoint_dnssd, + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index eff619259..d536ed8eb 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -17,6 +17,20 @@ profile gvfsd-fuse @{exec_path} { mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + peer=(name=:*, label=gvfsd), # all members + + dbus receive bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=Mounted + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, /{usr/,}bin/fusermount{,3} rCx -> fusermount, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index fb46ee851..a73155d43 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata 
@@ -16,6 +16,29 @@ profile gvfsd-metadata @{exec_path} { network netlink raw, + dbus bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path=/org/gtk/vfs/metadata + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-extension-ding), + + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member=AttributeChanged + peer=(name=org.freedesktop.DBus, label=gnome-extension-ding), + + dbus receive bus=session path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member={GetTreeFromDevice,Remove} + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gtk.vfs.Metadata, + @{exec_path} mr, owner @{user_share_dirs}/gvfs-metadata/{,*} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 5b6c9ab77..9a29d0197 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network 
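Review bot: The first added rule, `dbus bus=session path=/org/freedesktop/DBus`, omits the access keyword that every other `RequestName,ReleaseName` rule in this commit carries, and a dbus rule without an access qualifier grants every matching access rather than only `send`. It should read `dbus send bus=session path=/org/freedesktop/DBus` to match the gvfs-afc-volume-monitor hunk and the other gvfsd-* hunks.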
@@ -14,6 +14,39 @@ profile gvfsd-network @{exec_path} { include include + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]* + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={MountLocation,LookupMount,RegisterMount,ListMountableInfo} + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*, label=gvfsd-dnssd), + + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*, label=gnome-control-center), + + dbus bind bus=session + name=org.gtk.vfs.mountpoint_[0-9]*, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index d9488b3dd..c9572909b 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse 
@@ -21,6 +21,34 @@ profile gvfsd-smb-browse @{exec_path} { network inet dgram, network inet6 dgram, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMounts2 + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=Mounted + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]* + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + + dbus bind bus=session + name=org.gtk.vfs.mountpoint_smb_browse, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 7b2913f15..0b9a1a7f4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash 
@@ -20,6 +20,29 @@ profile gvfsd-trash @{exec_path} { network inet stream, network inet6 stream, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*, label=gnome-control-center), + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/[0-9]* + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + + dbus bind bus=session + name=org.gtk.vfs.mountpoint_[0-9]*, + @{exec_path} mr, # Can restore all user files diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 6e56b5372..e33b5f018 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager 
@@ -14,18 +14,23 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.DBus.Properties member=GetAll, - dbus send bus=system path=/org/freedesktop/login[0-9] + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member=Inhibit, - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus), + dbus receive bus=system path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager + member={UserNew,SessionNew,PrepareForShutdown,SeatNew,UserRemoved,SessionRemoved,PrepareForSleep} + peer=(name=:*, label=systemd-logind), dbus receive bus=system path=/org/freedesktop/ModemManager[0-9] interface=org.freedesktop.DBus.ObjectManager @@ -39,10 +44,6 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.PolicyKit[0-9].Authority member=Changed, - dbus receive bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager - member={UserNew,SessionNew,PrepareForShutdown,SeatNew,UserRemoved,SessionRemoved}, - dbus bind bus=system name=org.freedesktop.ModemManager[0-9], @@ -68,4 +69,4 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/tty/*/ r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index c612f740c..294ac4932 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager 
@@ -44,7 +44,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus (send,receive) bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={SessionRemoved,UserNew,SessionNew,Inhibit,PrepareForShutdown,UserRemoved}, + member={SessionRemoved,UserNew,SessionNew,Inhibit,PrepareForShutdown,UserRemoved,PrepareForSleep} + peer=(name=:*, label=systemd-logind), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus @@ -52,7 +53,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded, + member={InterfacesAdded,InterfacesRemoved} + peer=(name=org.freedesktop.DBus), # label="{gnome-shell,...}" dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher @@ -103,6 +105,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /etc/ r, /etc/resolv.conf rw, /etc/resolv.conf.[0-9A-Z]* rw, + /etc/network/interfaces r, + /etc/network/interfaces.d/{,*} r, /etc/NetworkManager/{,**} r, /etc/NetworkManager/system-connections/{,**} w, @@ -116,6 +120,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/net/ r, @{sys}/class/net/rfkill/ r, + @{run}/network/ifstate r, @{run}/NetworkManager/{,**} rw, @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 15f077331..3ce1aa004 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -34,5 +34,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{run}/systemd/notify rw, + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index c410568f5..300ba5425 100644 
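Review bot: The trailing comment `# label="{gnome-shell,...}"` on the new `member={InterfacesAdded,InterfacesRemoved}` send rule reads like an unfinished peer constraint rather than documentation; as written the rule lets the signal reach any label and the comment does not say whether that is intended. Either complete it, `peer=(name=org.freedesktop.DBus, label="{gnome-shell,<OTHER_RECEIVERS>}")`, or replace the comment with `# broadcast signal: receivers deliberately not restricted by label` so the next reader does not treat it as a TODO. The `/etc/network/interfaces` and `@{run}/network/ifstate` additions in the later hunks are plain reads and look fine.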
--- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -37,6 +37,11 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/resolve[0-9] interface=org.freedesktop.resolve[0-9].Manager, + dbus receive bus=system path=/org/freedesktop/login[0-9]* + interface=org.freedesktop.login[0-9]*.Manager + member=PrepareForSleep + peer=(name=:*, label=systemd-logind), + dbus bind bus=system name=org.freedesktop.resolve[0-9], diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index f23379653..ce5940d38 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -16,11 +16,20 @@ profile systemd-sleep @{exec_path} { capability sys_admin, capability sys_resource, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=Hello + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + @{run}/dbus/system_bus_socket rw, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/nvidia-sleep.sh rix, /{usr/,}lib/systemd/system-sleep/nvidia rix, + /{usr/,}lib/systemd/system-sleep/hdparm rix, + /{usr/,}lib/systemd/system-sleep/unattended-upgrades rix, /etc/systemd/sleep.conf r, /etc/systemd/sleep.conf.d/{,*} r, @@ -32,4 +41,4 @@ profile systemd-sleep @{exec_path} { /dev/tty rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index f8663cb31..3b6ea99d3 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd 
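Review bot: The new `PrepareForSleep` receive rule spells the logind object and interface as `path=/org/freedesktop/login[0-9]*` and `interface=org.freedesktop.login[0-9]*.Manager`, while the equivalent rules added in this commit to ModemManager, NetworkManager and packagekitd use `login[0-9]` without the trailing `*`; the udisksd hunk at the end of the commit has the same `[0-9]*` spelling. The two globs match different name sets, so one convention should be picked across the commit, most simply `path=/org/freedesktop/login[0-9]` and `interface=org.freedesktop.login[0-9].Manager` here and in udisksd.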
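Review bot: The new `/{usr/,}lib/systemd/system-sleep/hdparm rix` and `/{usr/,}lib/systemd/system-sleep/unattended-upgrades rix` entries run those hooks inside the systemd-sleep profile, which the visible context shows holds `capability sys_admin` and `capability sys_resource`, so anything the hooks go on to execute will either need further rules here or be denied. The im-launch hunk in this same commit uses a child profile (`rCx` plus a nested `profile ... flags=(complain)`) for exactly this shape; a child profile per hook, or one shared `system-sleep` child, would keep those capabilities out of the hook scripts. Separately, `member=Hello` is the only bus call granted alongside the new `@{run}/dbus/system_bus_socket rw`; if a follow-up call is expected, a comment naming it would help whoever sees the next denial.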
@@ -21,12 +21,17 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + dbus bind bus=system name=org.freedesktop.timesync1, @{exec_path} mr, - /etc/adjtime r, + @{etc_rw}/adjtime r, /etc/systemd/timesyncd.conf r, /etc/systemd/timesyncd.conf.d/{,**} r, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 755dcce4e..43b81e677 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -24,6 +24,11 @@ profile check-new-release-gtk @{exec_path} { network inet6 stream, network netlink raw, + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), # all peer's labels + @{exec_path} mr, /{usr/,}bin/dpkg rPx, @@ -37,10 +42,13 @@ profile check-new-release-gtk @{exec_path} { /usr/share/ubuntu-release-upgrader/{,**} r, /usr/share/update-manager/{,**} r, /usr/share/X11/xkb/{,**} r, + /usr/share/dconf/profile/gdm r, /etc/update-manager/{,**} r, /var/lib/update-manager/{,**} rw, + /var/lib/gdm{3,}/greeter-dconf-defaults r, + /var/lib/gdm{3,}/.cache/update-manager-core/meta-release-lts rw, owner @{user_cache_dirs}/update-manager-core/{,**} rw, @@ -51,4 +59,4 @@ profile check-new-release-gtk @{exec_path} { @{PROC}/@{pids}/mounts r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd index ef3d6a6ea..1ee639fb4 100644 --- a/apparmor.d/groups/ubuntu/packagekitd +++ b/apparmor.d/groups/ubuntu/packagekitd 
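Review bot: `/var/lib/gdm{3,}/.cache/update-manager-core/meta-release-lts rw` in the check-new-release-gtk hunk is granted without `owner`, while the user-session equivalent two lines below keeps `owner @{user_cache_dirs}/update-manager-core/{,**} rw`; unless the greeter instance runs under a different uid than the file's owner, `owner /var/lib/gdm{3,}/.cache/update-manager-core/meta-release-lts rw` is the consistent form. The `/usr/share/dconf/profile/gdm r` and `/var/lib/gdm{3,}/greeter-dconf-defaults r` additions are reads and look fine. The a11y rule in the first hunk is written `peer=(name=org.a11y.Bus), # all peer's labels` while the spice-vdagent hunk later in this commit pins the same `GetAddress` call to `label=at-spi-bus-launcher`; using one form in both places would make the commit easier to audit.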
@@ -67,7 +67,8 @@ profile packagekitd @{exec_path} { dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={SessionNew,PrepareForShutdown,SessionRemoved,UserNew,UserRemoved}, + member={SessionNew,PrepareForShutdown,SessionRemoved,UserNew,UserRemoved,PrepareForSleep} + peer=(name=:*, label=systemd-logind), dbus bind bus=system name=org.freedesktop.PackageKit, @@ -112,4 +113,4 @@ profile packagekitd @{exec_path} { @{PROC}/@{pids}/mountinfo r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd index ef5eb9bc0..a17da1532 100644 --- a/apparmor.d/groups/ubuntu/release-upgrade-motd +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/ubuntu-release-upgrader/release-upgrade-motd -profile release-upgrade-motd @{exec_path} { +profile release-upgrade-motd @{exec_path} flags=(complain) { include @{exec_path} mr, @@ -17,6 +17,7 @@ profile release-upgrade-motd @{exec_path} { /{usr/,}bin/expr rix, /{usr/,}bin/id rPx, /{usr/,}bin/stat rix, + /{usr/,}bin/cat rix, /{usr/,}bin/do-release-upgrade rPx, /var/lib/ubuntu-release-upgrader/release-upgrade-available rw, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index c2c9a6ffa..5c2975c74 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -41,8 +41,9 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/journal/socket rw, @{run}/systemd/inhibit/*.ref w, + @{run}/udev/data/c239:[0-9]* r, @{sys}/class/hidraw/ r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch index 98d10349f..6bdac96a5 100644 --- a/apparmor.d/profiles-g-l/im-launch +++ b/apparmor.d/profiles-g-l/im-launch 
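Review bot: The release-upgrade-motd header switches to `flags=(complain)` with no comment recording why enforcement is being relaxed or what would allow it back to enforce, and the only rule added alongside it is `/{usr/,}bin/cat rix`. A line above the header such as `# complain: <REASON> — return to enforce once the remaining denials are resolved` keeps the regression visible to whoever audits flags later; the `setpriv` header change later in this commit has the same gap.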
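Review bot: The fprintd addition `@{run}/udev/data/c239:[0-9]* r` names a character-device major number with nothing explaining which device class it is, which makes the rule hard to verify or prune later. A comment on the line, `@{run}/udev/data/c239:[0-9]* r, # udev db for <DEVICE_CLASS> (char major 239)`, filled in from the device that produced the denial, would be enough.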
@@ -16,10 +16,12 @@ profile im-launch @{exec_path} { /{usr/,}bin/env rix, /{usr/,}bin/locale rix, /{usr/,}bin/gettext rix, + /{usr/,}bin/gettext.sh r, /{usr/,}bin/true rix, - /{usr/,}bin/dpkg-query rpx, /{usr/,}bin/sed rix, - /{usr/,}bin/gettext.sh r, + /{usr/,}bin/dpkg-query rpx, + + /{usr/,}bin/gnome-session rCx, /usr/share/im-config/{,**} r, @@ -27,5 +29,23 @@ profile im-launch @{exec_path} { /etc/X11/xinit/xinputrc r, /etc/X11/Xsession.d/70im-config_launch r, + # file inherit + owner /dev/tty[0-9]* rw, + + profile gnome-session /{usr/,}bin/gnome-session flags=(complain) { + include + + /{usr/,}bin/gnome-session r, + + /{usr/,}bin/{,ba,da}sh rix, + + @{libexec}/gnome-session-binary rPx, + + # file inherit + owner /dev/tty[0-9]* rw, + + include if exists + } + include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index b701b02b9..6e59e5d7b 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -106,8 +106,8 @@ profile pass @{exec_path} { network inet6 stream, network netlink raw, - /{usr/,}bin/git* mrix, - /{usr/,}@{libexec}/git-core/git* mrix, + /{usr/,}bin/git* mrix, + @{libexec}/git-core/git* mrix, /{usr/,}bin/gpg{2,} rUx, diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index 6b055f718..8d065f4f1 100644 --- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -29,7 +29,7 @@ profile scrcpy @{exec_path} { /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, + owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-s-z/setpriv b/apparmor.d/profiles-s-z/setpriv index 9621c284c..d6c62f969 100644 --- a/apparmor.d/profiles-s-z/setpriv +++ b/apparmor.d/profiles-s-z/setpriv 
@@ -7,14 +7,28 @@ abi , include @{exec_path} = /{usr/,}bin/setpriv -profile setpriv @{exec_path} { +profile setpriv @{exec_path} flags=(complain) { include include + capability setuid, + capability setgid, + @{exec_path} mr, /{usr/,}bin/[a-z0-9]* rPUx, /{usr/,}{s,}bin/[a-z0-9]* rPUx, + /etc/gdm{3,}/greeter.dconf-defaults r, + + /usr/share/gdm/dconf/{,**} r, + + /var/lib/gdm{3,}/ r, + /var/lib/gdm{3,}/greeter-dconf-defaults{,.??????} rw, + + @{PROC}/uptime r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/@{pids}/cmdline r, + include if exists } diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 5aaf88e65..72f733dab 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -13,6 +13,13 @@ profile snap @{exec_path} { include include + unix (send, receive) type=stream peer=(label=apt), + + dbus send bus=session path=/org/freedesktop/portal/documents + interface=org.freedesktop.portal.Documents + member=GetMountPoint + peer=(name=org.freedesktop.portal.Documents), + @{exec_path} mrix, /snap/{,**} rw, @@ -22,11 +29,14 @@ profile snap @{exec_path} { /etc/fstab r, - /var/lib/snapd/{,**} rwk,# + /var/lib/snapd/{,**} rwk, + /var/cache/snapd/commands.db rwk, owner @{HOME}/snap/{,**} rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, + owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/systemd/notify rw, @{run}/snapd.socket rw, @@ -45,4 +55,4 @@ profile snap @{exec_path} { deny @{user_share_dirs}/gvfs-metadata/* r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 17d71d8b2..d78d57420 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent 
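Review bot: The gdm-specific file rules added to setpriv (`/etc/gdm{3,}/greeter.dconf-defaults r`, `/usr/share/gdm/dconf/{,**} r`, `/var/lib/gdm{3,}/greeter-dconf-defaults{,.??????} rw`) describe what the program setpriv launches does, not setpriv itself; since the existing `/{usr/,}bin/[a-z0-9]* rPUx` lines already hand the child to its own profile or to unconfined, these denials presumably came from a target that has no profile of its own, and a dedicated profile for that target would be the narrower fix — TODO confirm from the audit log. `@{PROC}/@{pids}/cmdline r` reads every process's command line; if setpriv only needs its own, `owner @{PROC}/@{pid}/cmdline r` is sufficient. The `capability setuid` and `capability setgid` additions are inherent to the tool's purpose and look right.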
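Review bot: The snap rule `dbus send bus=session path=/org/freedesktop/portal/documents ... peer=(name=org.freedesktop.portal.Documents)` has no label and, unlike the other unlabeled peers in this commit, no `# all peer's labels` marker saying the omission is deliberate. Either add the portal's label to the peer or append `# all peer's labels` so the rule reads as intentional rather than unfinished.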
@@ -15,6 +15,41 @@ profile spice-vdagent @{exec_path} { include include + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch} + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member=GetCurrentState + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), # all peer's labels + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), # all peer's labels + @{exec_path} mr, /etc/pipewire/client.conf r, @@ -28,4 +63,4 @@ profile spice-vdagent @{exec_path} { /dev/dri/card[0-9]* rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index bb1cfc9e0..e736fd7d4 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control 
@@ -37,7 +37,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/devices/pci[0-9]*/**/boot_vga r, - @{sys}/devices/pci[0-9]*/**/uevent r, + @{sys}/devices/{pci[0-9]*,virtual}/**/uevent r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index c89a78e60..72252d20f 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -64,6 +64,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.login[0-9].Manager member=Inhibit, + dbus receive bus=system path=/org/freedesktop/login[0-9]* + interface=org.freedesktop.login[0-9]*.Manager + member=PrepareForSleep + peer=(name=:*, label=systemd-logind), + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.DBus.Properties member=GetAll,