# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Profile for system dbus, regardless of the dbus implementation used.
# It does not specify an attachment path as it would be the same than
# "dbus-session". It is intended to be used only via "px ->" or via
# systemd drop-in AppArmorProfile= setting.

abi <abi/4.0>,

include <tunables/global>

@{exec_path}  = @{bin}/dbus-broker @{bin}/dbus-broker-launch
@{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1{,.0}/dbus-daemon-launch-helper
@{att} = /att/dbus-system/
profile dbus-system  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>
  include <abstractions/bus-system>
  include <abstractions/attached/consoles>
  include <abstractions/deny-sensitive-home>
  include <abstractions/nameservice-strict>

  capability audit_write,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_ptrace,
  capability sys_resource,

  network netlink raw,
  network bluetooth stream,
  network bluetooth seqpacket,

  ptrace read peer=@{p_systemd},

  # Internal stack dbus-system//&unconfined
  signal (send receive) set=kill peer=dbus-system//&unconfined,
  unix type=stream peer=(label=unconfined),

  include <abstractions/bus/system/own>

  dbus bind bus=system name=org.freedesktop.DBus{,.*},
  dbus receive bus=system path=/{,org/freedesktop/{dBus,DBus,dbus}}
       interface=org.freedesktop.DBus{,.*}
       peer=(name="@{busname}"),
  dbus send bus=system path=/{,org/freedesktop/{dBus,DBus,dbus}}
       interface=org.freedesktop.DBus{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=system path=/{,org/freedesktop/{dBus,DBus,dbus}}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=system path=/{,org/freedesktop/{dBus,DBus,dbus}}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=system path=/{,org/freedesktop/{dBus,DBus,dbus}}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.DBus{,.*}}"),
  dbus send bus=system path=/{,org/freedesktop/{dBus,DBus,dbus}}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),

  dbus receive bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
       peer=(name="{@{busname},org.freedesktop.DBus}"),

  dbus receive bus=system path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Activator
       member=ActivationFailure
       peer=(name=@{busname}, label="@{p_systemd}"),

  @{exec_path} mrix,

  @{bin}/**                   pux,
  @{sbin}/**                  pux,
  @{lib}/**                   pux,
  /usr/share/*/**             pux,

  /etc/dbus-1/{,**} r,
  /usr/share/dbus-1/{,**} r,
  /var/lib/snapd/dbus-1/{,**} r,
  @{system_share_dirs}/dbus-1/{,**} r,

  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  @{att}@{desktop_share_dirs}/icc/ r,
  @{att}@{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
  @{att}@{user_share_dirs}/icc/ r,
  @{att}@{user_share_dirs}/icc/edid-@{hex32}.icc r,

  # Dbus can receive any user files
  @{HOME}/** r,

  @{att}@{run}/systemd/inhibit/@{int}.ref rw,
  @{att}@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,

  @{run}/systemd/notify w,
  @{run}/systemd/users/@{int} r,

  @{sys}/kernel/security/apparmor/.access rw,
  @{sys}/kernel/security/apparmor/features/dbus/mask r,
  @{sys}/module/apparmor/parameters/enabled r,

        @{PROC}/@{pids}/attr/apparmor/current r,
        @{PROC}/@{pids}/cmdline r,
        @{PROC}/@{pids}/environ r,
        @{PROC}/@{pids}/mounts r,
        @{PROC}/@{pids}/oom_score_adj r,
        @{PROC}/@{pids}/status r,
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/osrelease r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/oom_score_adj rw,

  @{att}/dev/dri/card@{int} rw,
  @{att}/dev/input/event@{int} rw,
  @{att}/dev/pts/ptmx rw,

  include if exists <local/dbus-system>
}

# vim:syntax=apparmor
