33
33
#include "/usr/share/apparmor/hardware/graphics.d"
36
# DBus rules common for all webapps
36
# IPC rules common for all webapps
38
38
# Allow connecting to session bus and where to connect to services
41
path=/org/freedesktop/DBus
42
interface=org.freedesktop.DBus
44
peer=(name=org.freedesktop.DBus),
47
path=/org/freedesktop/{db,DB}us
48
interface=org.freedesktop.DBus
49
member={Add,Remove}Match
50
peer=(name=org.freedesktop.DBus),
51
# NameHasOwner and GetNameOwner could leak running processes and apps
52
# depending on how services are implemented
55
path=/org/freedesktop/DBus
56
interface=org.freedesktop.DBus
58
peer=(name=org.freedesktop.DBus),
61
path=/org/freedesktop/DBus
62
interface=org.freedesktop.DBus
64
peer=(name=org.freedesktop.DBus),
66
# Allow starting services on the session bus (actual communications with
67
# the service are mediated elsewhere)
70
path=/org/freedesktop/DBus
71
interface=org.freedesktop.DBus
72
member=StartServiceByName
73
peer=(name=org.freedesktop.DBus),
39
#include <abstractions/dbus-session-strict>
75
41
# Allow connecting to system bus and where to connect to services. Put these
76
42
# here so we don't need to repeat these rules in multiple places (actual
77
43
# communications with any system services is mediated elsewhere). This does
78
44
# allow apps to brute-force enumerate system services, but our system
79
45
# services aren't a secret.
80
/{,var/}run/dbus/system_bus_socket rw,
83
path=/org/freedesktop/DBus
84
interface=org.freedesktop.DBus
86
peer=(name=org.freedesktop.DBus),
89
path=/org/freedesktop/{db,DB}us
90
interface=org.freedesktop.DBus
91
member={Add,Remove}Match
92
peer=(name=org.freedesktop.DBus),
93
# NameHasOwner and GetNameOwner could leak running processes and apps
94
# depending on how services are implemented
97
path=/org/freedesktop/DBus
98
interface=org.freedesktop.DBus
100
peer=(name=org.freedesktop.DBus),
103
path=/org/freedesktop/DBus
104
interface=org.freedesktop.DBus
106
peer=(name=org.freedesktop.DBus),
108
# Allow starting services on the system bus (actual communications with
109
# the service are mediated elsewhere)
112
path=/org/freedesktop/DBus
113
interface=org.freedesktop.DBus
114
member=StartServiceByName
115
peer=(name=org.freedesktop.DBus),
46
#include <abstractions/dbus-strict>
254
188
audit deny /dev/input/** rw,
255
189
deny /dev/fb0 rw, # don't use 'audit' since it is too noisy with the camera
257
# FIXME: ought to go in a dbus abstraction, but dbus-session is too loose
259
/var/lib/dbus/machine-id r,
261
191
# subset of GNOME stuff
262
192
/{,custom/}usr/share/icons/** r,
263
193
/{,custom/}usr/share/themes/** r,
455
385
owner @{HOME}/.config/@{APP_PKGNAME}/** mrwkl,
456
386
owner @{HOME}/.local/share/@{APP_PKGNAME}/ rw, # subdir of XDG_DATA_HOME
457
387
owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwklix,
458
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR
388
owner /{,var/}run/user/*/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR
389
owner /{,var/}run/user/*/@{APP_PKGNAME}/** mrwkl,
390
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR (for TMPDIR)
459
391
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/** mrwkl,
461
393
###ABSTRACTIONS###