Merge profiles: add a profile for notify-send

Signed-off-by: Ryan Lee <ryan.lee@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1635 Approved-by: Maxime Bélair <maxime.belair@canonical.com> Merged-by: Maxime Bélair <maxime.belair@canonical.com>
2025-08-22 01:57:43 +00:00 · 2025-05-12 13:46:55 +00:00 · 2025-05-12 13:46:55 +00:00 · 2800aaedd0
commit 2800aaedd0
parent d0cf1bff72 7461536d52
1 changed files with 21 additions and 0 deletions
--- a/profiles/apparmor.d/notify-send
+++ b/profiles/apparmor.d/notify-send
@ -0,0 +1,21 @@
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile notify-send /usr/bin/notify-send {
+    include <abstractions/base>
+    include <abstractions/dbus-session-strict>
+
+    /usr/bin/notify-send mr,
+
+    # No idea why notify-send wants cgroup info but it works fine without it
+    deny /proc/@{pid}/cgroup r,
+    
+    dbus (send)
+        bus=session
+        path=/org/freedesktop/Notifications
+        interface=org.freedesktop.Notifications
+        member={GetServerInformation,Notify},
+
+    include if exists <local/notify-send>
+}