feat(tunable): add p_dbus_* variables.

This allow for better integration for system when dbus is not confined.

Author: roddhjav

apparmor.d/abstractions/bus-accessibility

@@ -7,12 +7,12 @@
   dbus send bus=accessibility path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
 
   dbus send bus=accessibility path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
 
   owner @{run}/user/@{uid}/at-spi/ rw,
   owner @{run}/user/@{uid}/at-spi/bus rw,

apparmor.d/abstractions/bus-session

@@ -11,12 +11,12 @@
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,

apparmor.d/abstractions/bus-system

@@ -7,12 +7,12 @@
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{run}/dbus/system_bus_socket rw,
 

apparmor.d/abstractions/bus/org.a11y

@@ -36,7 +36,7 @@
   dbus send bus=session path=/org/a11y/bus
        interface=org.a11y.Bus
        member=GetAddress
-       peer=(name=org.a11y.Bus, label=dbus-accessibility),
+       peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
 
   dbus send bus=session path=/org/a11y/bus
        interface=org.a11y.Bus

apparmor.d/groups/_full/systemd

@@ -138,7 +138,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member=GetConnectionUnixUser
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{bin}/**                         Px,
   @{lib}/**                         Px,

apparmor.d/groups/apt/apt

@@ -43,7 +43,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus/Bus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixProcessID,GetConnectionUnixUser}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   dbus send bus=system
        interface=org.freedesktop.DBus.Introspectable

apparmor.d/groups/bus/at-spi2-registryd

@@ -20,7 +20,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
   signal receive set=hup  peer=gdm-session-worker,
 
   #aa:dbus own bus=accessibility name=org.a11y.atspi
-  #aa:dbus talk bus=session name=org.a11y.{B,b}us label=dbus-accessibility
+  #aa:dbus talk bus=session name=org.a11y.{B,b}us label="@{p_dbus_accessibility}"
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable

apparmor.d/groups/freedesktop/accounts-daemon

@@ -28,7 +28,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/freedesktop/colord

@@ -25,7 +25,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mrix,
 

apparmor.d/groups/freedesktop/geoclue

@@ -29,7 +29,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/freedesktop/pipewire

@@ -28,7 +28,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable

apparmor.d/groups/freedesktop/pipewire-media-session

@@ -26,7 +26,7 @@ profile pipewire-media-session @{exec_path} {
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member=GetConnectionUnixProcessID
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable

apparmor.d/groups/freedesktop/polkitd

@@ -26,7 +26,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/freedesktop/xdg-desktop-portal

@@ -47,7 +47,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable

apparmor.d/groups/gnome/gdm

@@ -40,7 +40,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixProcessID,GetConnectionUnixUser}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/gnome/gnome-extension-ding

@@ -38,14 +38,14 @@ profile gnome-extension-ding @{exec_path} {
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus*
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus*
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   dbus send bus=session path=/org/gtk/vfs/metadata
        interface=org.gtk.vfs.Metadata

apparmor.d/groups/gnome/gnome-session-binary

@@ -37,7 +37,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment}
-       peer=(name=org.freedesktop.DBus label=dbus-session),
+       peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"),
 
   dbus send bus=session path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager

apparmor.d/groups/gnome/gnome-shell

@@ -112,22 +112,22 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   # Session bus
 
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus.Properties
        member=GetAll
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
   dbus send bus=session path=/
        interface=org.freedesktop.DBus
        member={GetConnectionUnixProcessID,GetNameOwner,ListNames}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
        interface=org.a11y.atspi.Socket
@@ -161,7 +161,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   dbus send bus=session
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus send bus=session path=/org/gnome/*/SearchProvider
       interface=org.gnome.Shell.SearchProvider2

apparmor.d/groups/gnome/gsd-media-keys

@@ -43,7 +43,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
   dbus send bus=session path=/
        interface=org.freedesktop.DBus
        member=ListNames
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus send bus=session path=/org/gnome/SettingsDaemon/Power
        interface=org.freedesktop.DBus.Properties

apparmor.d/groups/gnome/gsd-xsettings

@@ -41,7 +41,7 @@ profile gsd-xsettings @{exec_path} {
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member=GetId
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/gnome/nautilus

@@ -43,12 +43,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member=ListActivatableNames
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus send bus=session path=/org/freedesktop/dbus
        interface=org.freedesktop.DBus
        member=NameHasOwner
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/network/NetworkManager

@@ -70,7 +70,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/ssh/ssh-agent-launch

@@ -27,7 +27,7 @@ profile ssh-agent-launch @{exec_path} {
     dbus send bus=session path=/org/freedesktop/DBus
          interface=org.freedesktop.DBus
          member=UpdateActivationEnvironment
-         peer=(name=org.freedesktop.DBus, label=dbus-session),
+         peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
     dbus send bus=session path=/org/freedesktop/systemd1
          interface=org.freedesktop.systemd1.Manager

apparmor.d/groups/systemd/busctl

@@ -33,7 +33,7 @@ profile busctl @{exec_path} {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus.Monitoring
        member=BecomeMonitor
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/systemd/systemd-hostnamed

@@ -25,7 +25,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member=GetConnectionUnixUser
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/systemd/systemd-logind

@@ -43,7 +43,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/systemd/systemd-resolved

@@ -34,7 +34,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

apparmor.d/profiles-a-f/fwupd

@@ -42,7 +42,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   dbus send bus=system path=/org/freedesktop/UDisks2/Manager
        interface=org.freedesktop.UDisks2.Manager

apparmor.d/profiles-m-r/packagekitd

@@ -43,7 +43,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

apparmor.d/profiles-m-r/rtkit-daemon

@@ -26,7 +26,7 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

apparmor.d/profiles-s-z/udisksd

@@ -67,7 +67,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

apparmor.d/tunables/multiarch.d/profiles

@@ -11,4 +11,9 @@
 @{p_systemd}=unconfined
 @{p_systemd_user}=unconfined
 
+# Name of the dbus daemon profiles
+@{p_dbus_system}=dbus-system
+@{p_dbus_session}=dbus-session
+@{p_dbus_accessibility}=dbus-accessibility
+
 # vim:syntax=apparmor

docs/development/guidelines.md

@@ -85,7 +85,7 @@ For DBus, try to determine peer's label when possible. E.g.:
 dbus send bus=session path=/org/freedesktop/DBus
      interface=org.freedesktop.DBus
      member={RequestName,ReleaseName}
-     peer=(name=org.freedesktop.DBus, label=dbus-session),
+     peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 ```
 If there is no predictable label it can be omitted.