From 6cfeb55e0e11f25d6be28bd7ac52467a4299943b Mon Sep 17 00:00:00 2001
From: Vincas Dargis <vindrg@gmail.com>
Date: Mon, 5 Aug 2019 15:24:36 +0300
Subject: [PATCH] Add dbus-network-manager-strict abstraction

Some applications query the network configuration (using the
QNetworkConfigurationManager class in Qt and similar), and that produces
DBus denials under AppArmor confinement when the NetworkManager backend is
used.

Add abstraction that allows most common read-only DBus queries for
getting current network configuration from NetworkManager backend.
---
 .../abstractions/dbus-network-manager-strict  | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 profiles/apparmor.d/abstractions/dbus-network-manager-strict

diff --git a/profiles/apparmor.d/abstractions/dbus-network-manager-strict b/profiles/apparmor.d/abstractions/dbus-network-manager-strict
new file mode 100644
index 000000000..8b8beaeec
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/dbus-network-manager-strict
@@ -0,0 +1,44 @@
+# vim:syntax=apparmor
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.NetworkManager
+       member=GetDevices
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager/Devices/[0-9]*
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager/Settings
+       interface=org.freedesktop.NetworkManager.Settings
+       member={GetDevices,ListConnections}
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager/Settings/[0-9]*
+       interface=org.freedesktop.NetworkManager.Settings.Connection
+       member=GetSettings
+       peer=(name=org.freedesktop.NetworkManager),
+
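Review bot: The rule for path=/org/freedesktop/NetworkManager/Settings lists `member={GetDevices,ListConnections}`, but GetDevices appears to be a method of the org.freedesktop.NetworkManager interface (already allowed by the second rule), not of org.freedesktop.NetworkManager.Settings, so that member is presumably dead in this rule and the line could read `member=ListConnections`. The abstraction also has no header comment beyond the vim modeline; a few lines stating that it grants only read-only property and enumeration calls to the NetworkManager service on the system bus, that connection secrets are not covered (GetSettings returns settings without secrets and no GetSecrets rule is present), and that PropertiesChanged/StateChanged signals need separate `dbus receive` rules would help profile authors pick it over the broader dbus-network-manager abstraction. Note that `[0-9]*` in the Devices, ActiveConnection and Settings paths matches any single path component beginning with a digit, which is fine here but worth a comment so it is not tightened to `[0-9]+`-style syntax that AppArmor does not support.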
-- 
GitLab