feat(profile): use the new bus/atspi abstraction in the profiles.

roddhjav · Nov 30, 2023 · 459fe7c · 459fe7c
1 parent fe0cb4b
commit 459fe7c
Show file tree

Hide file tree

Showing 26 changed files with 58 additions and 379 deletions.
diff --git a/apparmor.d/abstractions/bus/atspi b/apparmor.d/abstractions/bus/atspi
@@ -38,10 +38,3 @@
        peer=(name=org.a11y.Bus, label="{at-spi-bus-launcher,dbus-daemon}"),
 
   include if exists <abstractions/bus/atspi.d>
-#  include <abstractions/bus/atspi>
-
-# From dbus-gtk:
-#   dbus (send) bus=session path=/org/a11y/bus
-#        interface=org.freedesktop.DBus.Properties
-#        member=Get
-#        peer=(name=org.a11y.Bus),
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
@@ -16,7 +16,7 @@ include <tunables/global>
 profile firefox @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>
-  include <abstractions/dbus-gtk>
+  include <abstractions/bus/atspi>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
   include <abstractions/dconf-write>

diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
@@ -10,6 +10,7 @@ include <tunables/global>
 profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>
+  include <abstractions/bus/atspi>
   include <abstractions/dbus-session>
   include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus>
@@ -37,31 +38,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 
   unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),
 
-  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.a11y.atspi.Socket
-       member=Embed
-       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
-
-  dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.freedesktop.DBus.Properties
-       member=Set
-       peer=(name=:*, label=at-spi2-registryd),
-
-  dbus send    bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=GetRegisteredEvents
-       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
-
-  dbus receive bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=EventListenerDeregistered
-       peer=(name=:*, label=at-spi2-registryd),
-
-  dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
-       interface=org.a11y.atspi.DeviceEventController
-       member={GetKeystrokeListeners,GetDeviceEventListeners}
-       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
-
   @{exec_path} mr,
 
   @{bin}/{,b,d,rb}ash  rUx,

diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/gnome-control-center-print-renderer
 profile gnome-control-center-print-renderer @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus/atspi>
   include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus-session-strict>
   include <abstractions/dconf-write>
@@ -22,11 +23,6 @@ profile gnome-control-center-print-renderer @{exec_path} {
   include <abstractions/vulkan>
   include <abstractions/wayland>
 
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=GetAddress
-       peer=(name=org.a11y.Bus, label=at-spi-bus-launcher),
-
   @{exec_path} mr,
 
   /usr/share/egl/{,**} r,

diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -9,14 +9,15 @@ include <tunables/global>
 @{exec_path} = /usr/share/gnome-shell/extensions/[email protected]/ding.js
 profile gnome-extension-ding @{exec_path} {
   include <abstractions/base>
-  include <abstractions/nameservice-strict>
-  include <abstractions/dbus-strict>
-  include <abstractions/dbus-session-strict>
+  include <abstractions/bus/atspi>
   include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-strict>
   include <abstractions/dconf-write>
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
   include <abstractions/gtk>
+  include <abstractions/nameservice-strict>
 
   unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
 

diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/gnome-session-binary
 profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus/atspi>
   include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
@@ -120,11 +121,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
        member=ActiveChanged
        peer=(name=:*, label=gjs-console),
 
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=GetAddress
-       peer=(name=org.a11y.Bus), # all peer's labels
-
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect 

diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
@@ -11,6 +11,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/app-launcher-user>
   include <abstractions/audio>
+  include <abstractions/bus/atspi>
   include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus-gtk>
   include <abstractions/dbus-network-manager-strict>

diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/gsd-color
 profile gsd-color @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus/atspi>
   include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
@@ -83,31 +84,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
        member=ListMountableInfo
        peer=(name=:*, label=gvfsd),
 
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=GetAddress
-       peer=(name=org.a11y.Bus), # all peer's labels
-
-  dbus send    bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=GetRegisteredEvents
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
-  dbus receive bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=EventListenerDeregistered
-       peer=(name=:*, label=at-spi2-registryd),
-
-  dbus send    bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
-       interface=org.a11y.atspi.DeviceEventController
-       member={GetKeystrokeListeners,GetDeviceEventListeners}
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
-  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.a11y.atspi.Socket
-       member=Embed
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect

diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/gsd-keyboard
 profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus/atspi>
   include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
@@ -60,26 +61,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
        member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded}
        peer=(name=:*, label=gnome-session-binary),
 
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=GetAddress
-       peer=(name=org.a11y.Bus), # all peer's labels
-
-  dbus send    bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=GetRegisteredEvents
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
-  dbus send    bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
-       interface=org.a11y.atspi.DeviceEventController
-       member={GetKeystrokeListeners,GetDeviceEventListeners}
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
-  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.a11y.atspi.Socket
-       member=Embed
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
   dbus send bus=session path=/org/gtk/vfs/mounttracker
        interface=org.gtk.vfs.MountTracker
        member=ListMountableInfo

diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
@@ -10,6 +10,7 @@ include <tunables/global>
 profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>
+  include <abstractions/bus/atspi>
   include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
@@ -139,16 +140,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
        member=ListMountableInfo
        peer=(name=:*, label=gvfsd),
 
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=GetAddress
-       peer=(name=org.a11y.Bus), # all peer's labels
-
-  dbus receive bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=EventListenerDeregistered
-       peer=(name=:*, label=at-spi2-registryd),
-
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect

diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
@@ -10,6 +10,7 @@ include <tunables/global>
 profile gsd-power @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>
+  include <abstractions/bus/atspi>
   include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
@@ -105,26 +106,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
        member=GetResources
        peer=(name=:*, label=gnome-shell),
 
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=GetAddress
-       peer=(name=org.a11y.Bus), # all peer's labels
-
-  dbus send    bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=GetRegisteredEvents
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
-  dbus send    bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
-       interface=org.a11y.atspi.DeviceEventController
-       member={GetKeystrokeListeners,GetDeviceEventListeners}
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
-  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.a11y.atspi.Socket
-       member=Embed
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
   dbus (send, receive) bus=session path=/org/gnome/SettingsDaemon/Power
        interface=org.freedesktop.DBus.Properties
        member={GetAll,PropertiesChanged,Set}

diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/gsd-wacom
 profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus/atspi>
   include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus-session-strict>
   include <abstractions/dconf-write>
@@ -50,31 +51,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
        member={ClientAdded,SessionRunning,ClientRemoved,InhibitorRemoved,InhibitorAdded}
        peer=(name=:*, label=gnome-session-binary),
 
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=GetAddress
-       peer=(name=org.a11y.Bus), # all peer's labels
-
-  dbus send    bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=GetRegisteredEvents
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
-  dbus send    bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
-       interface=org.a11y.atspi.DeviceEventController
-       member={GetKeystrokeListeners,GetDeviceEventListeners}
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
-  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.a11y.atspi.Socket
-       member=Embed
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
-  dbus receive bus=session path=/org/gnome/SettingsDaemon/Wacom
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label=gnome-shell),
-
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect

diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/gsd-xsettings
 profile gsd-xsettings @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus/atspi>
   include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
@@ -75,31 +76,6 @@ profile gsd-xsettings @{exec_path} {
        member=GetAll
        peer=(name=:*), # many peer's labels
 
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=GetAddress
-       peer=(name=org.a11y.Bus, label=at-spi-bus-launcher),
-
-  dbus receive bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=EventListenerDeregistered
-       peer=(name=:*, label=at-spi2-registryd),
-
-  dbus send    bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=GetRegisteredEvents
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
-  dbus send    bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
-       interface=org.a11y.atspi.DeviceEventController
-       member={GetKeystrokeListeners,GetDeviceEventListeners}
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
-  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.a11y.atspi.Socket
-       member=Embed
-       peer=(name=org.a11y.atspi.Registry), # all peer's labels
-
   dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
        interface=org.gnome.Mutter.DisplayConfig
        member=GetCurrentState

diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
@@ -9,6 +9,8 @@ include <tunables/global>
 @{exec_path} = @{bin}/nautilus
 profile nautilus @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus/atspi>
+  include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
   include <abstractions/dconf-write>

diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk
@@ -10,6 +10,7 @@ include <tunables/global>
 profile check-new-release-gtk @{exec_path} {
   include <abstractions/base>
   include <abstractions/apt-common>
+  include <abstractions/bus/atspi>
   include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus-session-strict>
   include <abstractions/dconf-write>
@@ -27,11 +28,6 @@ profile check-new-release-gtk @{exec_path} {
   network inet6 stream,
   network netlink raw,
 
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=GetAddress
-       peer=(name=org.a11y.Bus), # all peer's labels
-
   @{exec_path} mr,
 
   @{bin}/dpkg         rPx,

diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification
@@ -9,17 +9,13 @@ include <tunables/global>
 @{exec_path} = @{lib}/update-notifier/livepatch-notification
 profile livepatch-notification @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus/atspi>
   include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus-session-strict>
   include <abstractions/dconf-write>
   include <abstractions/gtk>
   include <abstractions/wayland>
 
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=GetAddress 
-       peer=(name=org.a11y.Bus, label=at-spi-bus-launcher),
-
   @{exec_path} mr,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,

diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/update-notifier/ubuntu-advantage-notification
 profile ubuntu-advantage-notification @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus/atspi>
   include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus-session-strict>
   include <abstractions/dconf-write>