# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Profile for the session bus, regardless of the D-Bus implementation used
# (dbus-daemon or dbus-broker). It does not declare an attachment path, as
# it would be the same as the one of "dbus-system". It is intended to be
# entered only via "px ->" transitions or via the systemd drop-in
# AppArmorProfile= setting.

abi <abi/4.0>,

include <tunables/global>

# Binaries that run under this profile once it has been entered: both D-Bus
# implementations (dbus-daemon, dbus-broker and its launcher), the session
# wrappers, and the activation helper. They may exec each other while
# staying in this profile ("@{exec_path} mrix" below).
@{exec_path}  = @{bin}/dbus-run-session @{bin}/dbus-update-activation-environment
@{exec_path} += @{bin}/dbus-broker @{bin}/dbus-broker-launch
@{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1{,.0}/dbus-daemon-launch-helper
# Prefix under which disconnected paths are mediated
# (attach_disconnected.path= in the profile flags).
@{att} = /att/dbus-session/
# NOTE(review): the profile carries the "complain" flag. In complain mode a
# rule violation is only logged (audit), never denied, so nothing below is
# enforced until that flag is removed. Presumably it is stripped when the
# profile set is built for enforcement -- verify on the deployed copy.
#
# attach_disconnected.path=@{att}: a file the kernel cannot resolve to a
# path under this process's namespace root is mediated as @{att}/<path>,
# hence the "attached" abstractions and the "owner @{att}/@{HOME}/**" rule.
profile dbus-session  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>
  include <abstractions/bus-session>
  include <abstractions/attached/consoles>
  # Deny rules win over allow rules, so this abstraction (by its name,
  # presumably ~/.ssh, ~/.gnupg and similar -- check its content) carves
  # the credential stores out of the broad "owner @{HOME}/** r" below.
  include <abstractions/deny-sensitive-home>
  include <abstractions/nameservice-strict>

  network unix stream,

  # Unix-socket peers identified by confinement label rather than by path.
  unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none),
  unix type=stream peer=(label=fapp),
  unix type=stream peer=(label=fbwrap),

  # "dbus-session//&unconfined" is a stacked label (this profile stacked
  # with unconfined); SIGKILL is allowed in both directions between the two.
  # NOTE(review): presumably this is how the bus appears when one side of
  # the chain starts it unconfined -- confirm against the launcher.
  signal (send receive) set=kill peer=dbus-session//&unconfined,

  # Lifecycle: gdm may stop/reload the bus, the bus may terminate the
  # services it activated.
  signal receive set=(term hup)      peer=gdm{,-*},
  signal send    set=(term hup kill) peer=dbus-accessibility,
  signal send    set=(term hup kill) peer=dconf-service,
  # Profile-name glob: every current and future xdg-* profile is matched.
  signal send    set=(term hup kill) peer=xdg-*,

  include <abstractions/bus/session/own>

  # Bus driver: the daemon owns org.freedesktop.DBus itself and serves the
  # standard driver interfaces (DBus, Properties, Introspectable,
  # ObjectManager) to its peers. @{busname} is a tunable not visible here.
  dbus bind bus=session name=org.freedesktop.DBus{,.*},
  dbus receive bus=session path=/{,org/freedesktop/{dBus,DBus,dbus}}
       interface=org.freedesktop.DBus{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/{,org/freedesktop/{dBus,DBus,dbus}}
       interface=org.freedesktop.DBus{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/{,org/freedesktop/{dBus,DBus,dbus}}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/{,org/freedesktop/{dBus,DBus,dbus}}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/{,org/freedesktop/{dBus,DBus,dbus}}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.DBus{,.*}}"),
  dbus send bus=session path=/{,org/freedesktop/{dBus,DBus,dbus}}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # Credential lookups (pid / uid / full credentials of a connection) are
  # answered by the driver; these are what let a peer identify who it is
  # talking to.
  dbus receive bus=session
       interface=org.freedesktop.DBus
       member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
       peer=(name="{@{busname},org.freedesktop.DBus}"),

  # The bus binaries re-exec each other inside this profile (ix).
  @{exec_path} mrix,

  @{bin}/{true,false}                            rix,
  # The accessibility bus gets its own profile.
  @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher  rpx -> dbus-accessibility,

  # Service activation. "pux" runs the activated binary under its own
  # profile when one is loaded and otherwise falls back to *unconfined*
  # (lowercase "u": no environment scrubbing). These globs cover every
  # binary under the system and user data dirs, so an activatable service
  # without a dedicated profile runs unconfined even once this profile is
  # enforced. Whether "PUx" (scrubbed fallback) is acceptable for activated
  # services is a policy call -- TODO confirm.
  @{bin}/**                   pux,
  @{lib}/**                   pux,
  @{user_share_dirs}/*/**     pux,
  /usr/share/*/**             pux,

  # Bus configuration and system-wide activatable service definitions
  # (including those shipped by snaps).
  /etc/dbus-1/{,**} r,
  /usr/share/dbus-1/{,**} r,
  /var/lib/snapd/dbus-1/{,**} r,
  @{system_share_dirs}/dbus-1/{,**} r,

  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  # Broad read on the user's own files (presumably because file descriptors
  # handed over the bus can point anywhere in $HOME); sensitive directories
  # are excluded by deny-sensitive-home above. "k" on the attached path
  # additionally permits file locking there.
  owner @{HOME}/** r,
  owner @{att}/@{HOME}/** rk,

  # Flatpak per-app state written by the bus.
  owner @{HOME}/.var/app/*/**/.ref rw,
  owner @{HOME}/.var/app/*/**/logs/* rw,

  # Per-user activatable service definitions.
  owner @{user_share_dirs}/dbus-1/services/{,**} r,

  # Runtime dir: socket directory, transient services, sd_notify socket.
        @{run}/systemd/users/@{uid} r,
  owner @{run}/user/@{uid}/dbus-1/ rw,
  owner @{run}/user/@{uid}/dbus-1/services/ rw,
  owner @{run}/user/@{uid}/systemd/notify w,

  # AppArmor integration: ".access" is the kernel's policy query interface,
  # used by the bus to ask whether a message between two labels is allowed
  # (D-Bus mediation); the other two tell it whether AppArmor and its dbus
  # mediation feature are available.
  @{sys}/kernel/security/apparmor/.access rw,
  @{sys}/kernel/security/apparmor/features/dbus/mask r,
  @{sys}/module/apparmor/parameters/enabled r,

  # NOTE(review): cmdline is not owner-restricted, so any process's command
  # line is readable; the remaining /proc entries are limited to the bus's
  # own pid. "attr/apparmor/current" is how it learns its own label.
        @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/attr/apparmor/current r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/oom_score_adj r,

  /dev/ptmx rw,
  /dev/tty@{int} rw,

  # Site-local additions, loaded only if the file exists.
  include if exists <local/dbus-session>
}

# vim:syntax=apparmor
