feat(dbus): rewrite some dbus rules (7).

apparmor.d/groups/avahi/avahi-browse

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -9,20 +10,14 @@ include <tunables/global>
 @{exec_path} = @{bin}/avahi-browse @{bin}/avahi-browse-domains
 profile avahi-browse @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus/avahi>
   include <abstractions/consoles>
   include <abstractions/dbus-strict>
 
-  dbus send bus=system path=/
-      interface=org.freedesktop.DBus.Peer
-      member=Ping,
-
-  dbus send bus=system path=/
-      interface=org.freedesktop.Avahi.Server
-      member={GetAPIVersion,GetState,ServiceTypeBrowserNew,ServiceBrowserNew},
-
-  dbus receive bus=system path=/Client[0-9]/ServiceTypeBrowser[0-9]
+  dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int}
       interface=org.freedesktop.Avahi.ServiceTypeBrowser
-      member={ItemNew,CacheExhausted,AllForNow},
+       member={ItemNew,AllForNow,CacheExhausted}
+       peer=(name=:*, label=avahi-daemon),
 
   @{exec_path} mr,
 

apparmor.d/groups/avahi/avahi-resolve

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -9,24 +10,19 @@ include <tunables/global>
 @{exec_path} = @{bin}/avahi-resolve @{bin}/avahi-resolve-address @{bin}/avahi-resolve-host-name
 profile avahi-resolve @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus/avahi>
   include <abstractions/consoles>
   include <abstractions/dbus-strict>
 
-  dbus send bus=system path=/
-      interface=org.freedesktop.DBus.Peer
-      member=Ping,
+  dbus send bus=system path=/Client@{int}/AddressResolver@{int}
+       interface=org.freedesktop.Avahi.AddressResolver
+       member={Free,HostNameResolverNew}
+       peer=(name=:*, label=avahi-daemon),
 
-  dbus send bus=system path=/
-      interface=org.freedesktop.Avahi.Server
-      member={GetAPIVersion,GetState,AddressResolverNew},
-
-  dbus send bus=system path=/Client[0-9]/AddressResolver[0-9]
-      interface=org.freedesktop.Avahi.AddressResolver
-      member={Free,HostNameResolverNew,},
-
-  dbus receive bus=system path=/Client[0-9]/AddressResolver[0-9]
-      interface=org.freedesktop.Avahi.AddressResolver
-      member={Failure,Found},
+  dbus receive bus=system path=/Client@{int}/AddressResolver@{int}
+       interface=org.freedesktop.Avahi.AddressResolver
+       member={Failure,Found}
+       peer=(name=:*, label=avahi-daemon),
 
   @{exec_path} mr,
 

apparmor.d/groups/freedesktop/colord

@@ -18,20 +18,13 @@ profile colord @{exec_path} flags=(attach_disconnected) {
   network netlink raw,
 
   dbus bind bus=system name=org.freedesktop.ColorManager,
-
   dbus receive bus=system path=/org/freedesktop/ColorManager{,/**}
-       interface=org.freedesktop.DBus.Properties
+       interface=org.freedesktop.ColorManager
        peer=(name=:*),
-
   dbus receive bus=system path=/org/freedesktop/ColorManager{,/**}
-       interface=org.freedesktop.ColorManager
-       peer=(name=:*, label=gnome-shell),
-
-  dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
        interface=org.freedesktop.DBus.Properties
-       peer=(name=org.freedesktop.DBus),
-
-  dbus send bus=system path=/org/freedesktop/ColorManager
+       peer=(name=:*),
+  dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
        interface=org.freedesktop.ColorManager
        peer=(name=org.freedesktop.DBus),
 

apparmor.d/groups/freedesktop/colord-sane

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/{,colord/}colord-sane
 profile colord-sane @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus/avahi>
   include <abstractions/dbus-strict>
   include <abstractions/devices-usb>
   include <abstractions/openssl>
@@ -18,18 +19,6 @@ profile colord-sane @{exec_path} flags=(attach_disconnected) {
   network inet6 dgram,
   network netlink raw,
 
-  dbus (send,receive) bus=system path=/org/freedesktop/ColorManager
-       interface=org.freedesktop.{DBus.Properties,ColorManager},
-
-  dbus send bus=system path=/
-       interface=org.freedesktop.{DBus.Peer,Avahi.Server}
-       member={GetAPIVersion,GetState,ServiceBrowserNew,Ping}
-       peer=(name=org.freedesktop.Avahi),
-
-  dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]*
-       interface=org.freedesktop.Avahi.ServiceBrowser
-       member={CacheExhausted,AllForNow},
-
   @{exec_path} mr,
 
   /usr/share/snmp/mibs/{,*} r,

apparmor.d/groups/freedesktop/geoclue

@@ -9,6 +9,10 @@ include <tunables/global>
 @{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent
 profile geoclue @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus/avahi>
+  include <abstractions/bus/modem-manager>
+  include <abstractions/bus/network-manager>
+  include <abstractions/bus/wpa-supplicant>
   include <abstractions/dbus-strict>
   include <abstractions/nameservice-strict>
   include <abstractions/p11-kit>
@@ -36,44 +40,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
        peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 
-  dbus send bus=system path=/
-       interface=org.freedesktop.Avahi.Server
-       member={GetAPIVersion,GetState,ServiceBrowserNew},
-
-  dbus send bus=system path=/
-       interface=org.freedesktop.DBus.Peer
-       member=Ping,
-
-  dbus send bus=system path=/fi/w1/wpa_supplicant1
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged 
-       peer=(name=:*, label=wpa-supplicant),
-
-  dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
-       interface=org.freedesktop.DBus.ObjectManager
-       member=GetManagedObjects,
-
-  dbus send bus=system path=/org/freedesktop/NetworkManager
-       interface=org.freedesktop.DBus.Properties
-       member={GetAll,PropertiesChanged},
-
-  dbus receive bus=system path=/
-       interface=org.freedesktop.Avahi.Server
-       member=StateChanged,
-
-  dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
-       interface=org.freedesktop.Avahi.ServiceBrowser
-       member={AllForNow,CacheExhausted}
-       peer=(name=:*, label=avahi-daemon),
-
-  dbus receive bus=system path=/org/freedesktop/NetworkManager
-       interface=org.freedesktop.NetworkManager
-       member={CheckPermissions,StateChanged,PropertiesChanged},
-
-  dbus receive bus=system path=/org/freedesktop/NetworkManager
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged,
-
   @{exec_path} mr,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,

apparmor.d/groups/freedesktop/pulseaudio

@@ -12,6 +12,8 @@ include <tunables/global>
 profile pulseaudio @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio>
+  include <abstractions/bus/avahi>
+  include <abstractions/bus/bluetooth>
   include <abstractions/bus/hostname>
   include <abstractions/bus/rtkit>
   include <abstractions/consoles>
@@ -39,37 +41,12 @@ profile pulseaudio @{exec_path} {
   network bluetooth stream,
   network bluetooth seqpacket,
 
-  dbus bind bus=session name=org.freedesktop.ReserveDevice[0-9].Audio[0-9],
+  dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio1,
 
-  dbus bind bus=session name=org.PulseAudio[0-9],
+  dbus bind bus=session name=org.PulseAudio1,
 
   dbus bind bus=session name=org.pulseaudio*,
 
-  dbus send bus=session path=/Client[0-9]*/EntryGroup[0-9]*
-       interface=org.freedesktop.Avahi.EntryGroup
-       member={GetState,AddService,AddServiceSubtype,Commit}
-       peer=(name=org.freedesktop.Avahi),
-
-  dbus receive bus=system path=/Client[0-9]*/EntryGroup[0-9]*
-       interface=org.freedesktop.Avahi.EntryGroup
-       member={AddService,AddServiceSubtype,Commit,GetState,StateChanged}
-       peer=(name=org.freedesktop.Avahi),
-
-  dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
-       interface=org.freedesktop.Avahi.ServiceBrowser
-       member={ItemNew,ItemRemove}
-       peer=(name=org.freedesktop.Avahi), # no peer's label
-
-  dbus receive bus=system path=/Client[0-9]*/ServiceResolver[0-9]*
-       interface=org.freedesktop.Avahi.ServiceResolver
-       member=Found
-       peer=(name=org.freedesktop.Avahi),
-
-  dbus send bus=system path=/Client[0-9]*/ServiceResolver[0-9]*
-       interface=org.freedesktop.Avahi.ServiceResolver
-       member=Free
-       peer=(name=org.freedesktop.Avahi),
-
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect
@@ -79,25 +56,6 @@ profile pulseaudio @{exec_path} {
        interface=org.freedesktop.DBus.ObjectManager
        member=GetManagedObjects
        peer=(name=org.bluez),
-
-  dbus send bus=system path=/
-       interface=org.freedesktop.DBus.Peer
-       member=Ping
-       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
-
-  dbus send bus=system path=/
-       interface=org.freedesktop.Avahi.Server
-       member={GetAPIVersion,GetState,EntryGroupNew}
-       peer=(name=org.freedesktop.Avahi),
-
-  dbus receive bus=system path=/
-       interface=org.freedesktop.Avahi.Server
-       member=StateChanged
-       peer=(name=org.freedesktop.Avahi),
-
-  dbus receive bus=system path=/org/bluez/hci*/**
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=:*),
 
   @{exec_path} mrix,
 

apparmor.d/groups/freedesktop/upowerd

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/{,upower/}upowerd
 profile upowerd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus/bluetooth>
   include <abstractions/bus/login>
   include <abstractions/dbus-strict>
   include <abstractions/devices-usb>
@@ -24,11 +25,6 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.DBus.Properties
        peer=(name=:*),
 
-  dbus receive bus=system path=/org/bluez/hci@{int}{,/**}
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name=:*, label=bluetoothd),
-
   @{exec_path} mr,
 
   /etc/UPower/ r,

apparmor.d/groups/freedesktop/xdg-dbus-proxy

@@ -9,40 +9,29 @@ include <tunables/global>
 @{exec_path} = @{bin}/xdg-dbus-proxy
 profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/dbus-strict>
+  include <abstractions/bus/avahi>
+  include <abstractions/bus/desktop>
+  include <abstractions/bus/network-manager>
+  include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-strict>
 
-  @{exec_path} mr,
+  dbus send bus=session path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.portal.Realtime
+       member=MakeThreadRealtimeWithPID
+       peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
 
-  dbus (send,receive) bus=system path=/
+  dbus send bus=accessibility path=/org/a11y/atspi/registry
+       interface=org.a11y.atspi.Registry
+       member=GetRegisteredEvents
+       peer=(name=:*, label=at-spi2-registryd),
+
+  dbus send bus=session path=/
        interface=org.freedesktop.DBus
        member={AddMatch,GetNameOwner}
-       peer=(label=dbus-daemon),
+       peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 
-  dbus (send,receive) bus=system path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member={AddMatch,RemoveMatch,NameHasOwner,GetNameOwner}
-       peer=(label=dbus-daemon),
-
-  dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager
-       interface=org.freedesktop.NetworkManager
-       member=GetDevices
-       peer=(label=NetworkManager),
-
-  dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager{/Devices/[0-9]*,/ActiveConnection/[0-9]*}
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(label=NetworkManager),
-
-  dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager/Settings
-       interface=org.freedesktop.NetworkManager.Settings
-       member=ListConnections
-       peer=(label=NetworkManager),
-
-  dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]*
-       interface=org.freedesktop.NetworkManager.Settings.Connection
-       member=GetSettings
-       peer=(label=NetworkManager),
+  @{exec_path} mr,
 
   owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw,
   owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw,

apparmor.d/groups/freedesktop/xdg-desktop-portal

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/xdg-desktop-portal
 profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus/network-manager>
   include <abstractions/bus/rtkit>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
@@ -44,6 +45,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.DBus.Properties
        peer=(name=org.freedesktop.DBus),
 
+  dbus send bus=system path=/net/hadess/PowerProfiles
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=:*, label=power-profiles-daemon),
+
   dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
        interface=org.freedesktop.DBus.Properties
        peer=(name=:*, label=xdg-permission-store),