feat(tunable): add p_dbus_* variables.

This allow for better integration for system when dbus is not confined.
roddhjav · Nov 13, 2024 · 24ea5f0 · 24ea5f0
1 parent 7c148fc
commit 24ea5f0
Show file tree

Hide file tree

Showing 33 changed files with 47 additions and 42 deletions.
diff --git a/apparmor.d/abstractions/bus-accessibility b/apparmor.d/abstractions/bus-accessibility
@@ -7,12 +7,12 @@
   dbus send bus=accessibility path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
 
   dbus send bus=accessibility path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
 
   owner @{run}/user/@{uid}/at-spi/ rw,
   owner @{run}/user/@{uid}/at-spi/bus rw,

diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session
@@ -11,12 +11,12 @@
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,

diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system
@@ -7,12 +7,12 @@
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{run}/dbus/system_bus_socket rw,
 

diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y
@@ -36,7 +36,7 @@
   dbus send bus=session path=/org/a11y/bus
        interface=org.a11y.Bus
        member=GetAddress
-       peer=(name=org.a11y.Bus, label=dbus-accessibility),
+       peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
 
   dbus send bus=session path=/org/a11y/bus
        interface=org.a11y.Bus

diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
@@ -138,7 +138,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member=GetConnectionUnixUser
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{bin}/**                         Px,
   @{lib}/**                         Px,

diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
@@ -43,7 +43,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus/Bus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixProcessID,GetConnectionUnixUser}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   dbus send bus=system
        interface=org.freedesktop.DBus.Introspectable

diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd
@@ -20,7 +20,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
   signal receive set=hup  peer=gdm-session-worker,
 
   #aa:dbus own bus=accessibility name=org.a11y.atspi
-  #aa:dbus talk bus=session name=org.a11y.{B,b}us label=dbus-accessibility
+  #aa:dbus talk bus=session name=org.a11y.{B,b}us label="@{p_dbus_accessibility}"
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable

diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon
@@ -28,7 +28,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord
@@ -25,7 +25,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mrix,
 

diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue
@@ -29,7 +29,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
@@ -28,7 +28,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable

diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session
@@ -26,7 +26,7 @@ profile pipewire-media-session @{exec_path} {
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member=GetConnectionUnixProcessID
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable

diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
@@ -26,7 +26,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -47,7 +47,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable

diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm
@@ -40,7 +40,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixProcessID,GetConnectionUnixUser}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -38,14 +38,14 @@ profile gnome-extension-ding @{exec_path} {
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus*
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus*
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   dbus send bus=session path=/org/gtk/vfs/metadata
        interface=org.gtk.vfs.Metadata

diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
@@ -37,7 +37,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment}
-       peer=(name=org.freedesktop.DBus label=dbus-session),
+       peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"),
 
   dbus send bus=session path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager

diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
@@ -112,22 +112,22 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   # Session bus
 
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus.Properties
        member=GetAll
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
   dbus send bus=session path=/
        interface=org.freedesktop.DBus
        member={GetConnectionUnixProcessID,GetNameOwner,ListNames}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
        interface=org.a11y.atspi.Socket
@@ -161,7 +161,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   dbus send bus=session
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus send bus=session path=/org/gnome/*/SearchProvider
       interface=org.gnome.Shell.SearchProvider2

diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
@@ -43,7 +43,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
   dbus send bus=session path=/
        interface=org.freedesktop.DBus
        member=ListNames
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus send bus=session path=/org/gnome/SettingsDaemon/Power
        interface=org.freedesktop.DBus.Properties

diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
@@ -41,7 +41,7 @@ profile gsd-xsettings @{exec_path} {
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member=GetId
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
@@ -43,12 +43,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member=ListActivatableNames
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus send bus=session path=/org/freedesktop/dbus
        interface=org.freedesktop.DBus
        member=NameHasOwner
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
@@ -70,7 +70,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch
@@ -27,7 +27,7 @@ profile ssh-agent-launch @{exec_path} {
     dbus send bus=session path=/org/freedesktop/DBus
          interface=org.freedesktop.DBus
          member=UpdateActivationEnvironment
-         peer=(name=org.freedesktop.DBus, label=dbus-session),
+         peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
     dbus send bus=session path=/org/freedesktop/systemd1
          interface=org.freedesktop.systemd1.Manager

diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl
@@ -33,7 +33,7 @@ profile busctl @{exec_path} {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus.Monitoring
        member=BecomeMonitor
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
@@ -25,7 +25,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member=GetConnectionUnixUser
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
@@ -43,7 +43,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved
@@ -34,7 +34,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
@@ -42,7 +42,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   dbus send bus=system path=/org/freedesktop/UDisks2/Manager
        interface=org.freedesktop.UDisks2.Manager

diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
@@ -43,7 +43,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon
@@ -26,7 +26,7 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
@@ -67,7 +67,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles
@@ -11,4 +11,9 @@
 @{p_systemd}=unconfined
 @{p_systemd_user}=unconfined
 
+# Name of the dbus daemon profiles
+@{p_dbus_system}=dbus-system
+@{p_dbus_session}=dbus-session
+@{p_dbus_accessibility}=dbus-accessibility
+
 # vim:syntax=apparmor
diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md
@@ -85,7 +85,7 @@ For DBus, try to determine peer's label when possible. E.g.:
 dbus send bus=session path=/org/freedesktop/DBus
      interface=org.freedesktop.DBus
      member={RequestName,ReleaseName}
-     peer=(name=org.freedesktop.DBus, label=dbus-session),
+     peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 ```
 If there is no predictable label it can be omitted.