mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 00:48:10 +01:00
feat(profile): general update.
This commit is contained in:
Alexandre Pujol
parent
5cf5b74f4b
commit
032d805666
28 changed files with 82 additions and 186 deletions
|
|
@ -8,27 +8,27 @@ abi <abi/3.0>,
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{bin}/dpkg-genbuildinfo
|
@{exec_path} = @{bin}/dpkg-genbuildinfo
|
||||||
profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
|
profile dpkg-genbuildinfo @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/perl>
|
include <abstractions/perl>
|
||||||
|
|
||||||
# For "mk-build-deps -i"
|
|
||||||
capability dac_override,
|
capability dac_override,
|
||||||
|
|
||||||
@{exec_path} r,
|
@{exec_path} r,
|
||||||
|
|
||||||
@{bin}/perl r,
|
@{bin}/perl r,
|
||||||
|
|
||||||
/usr/share/lto-disabled-list/lto-disabled-list r,
|
|
||||||
/usr/share/dpkg/cputable r,
|
|
||||||
/usr/share/dpkg/tupletable r,
|
|
||||||
|
|
||||||
/usr/local/bin/ r,
|
/usr/local/bin/ r,
|
||||||
/usr/local/sbin/ r,
|
/usr/local/etc/ r,
|
||||||
|
/usr/local/include/ r,
|
||||||
/usr/local/lib/ r,
|
/usr/local/lib/ r,
|
||||||
/usr/local/lib/**/ r,
|
/usr/local/lib/**/ r,
|
||||||
/usr/local/include/ r,
|
/usr/local/sbin/ r,
|
||||||
/usr/local/etc/ r,
|
|
||||||
|
/usr/share/dpkg/abitable r,
|
||||||
|
/usr/share/dpkg/cputable r,
|
||||||
|
/usr/share/dpkg/tupletable r,
|
||||||
|
/usr/share/lto-disabled-list/lto-disabled-list r,
|
||||||
|
|
||||||
/etc/dpkg/origins/* r,
|
/etc/dpkg/origins/* r,
|
||||||
|
|
||||||
|
|
@ -36,7 +36,6 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
|
||||||
|
|
||||||
owner @{user_config_dirs}/dpkg/buildflags.conf r,
|
owner @{user_config_dirs}/dpkg/buildflags.conf r,
|
||||||
|
|
||||||
# For package building
|
|
||||||
owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
|
owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
|
||||||
|
|
||||||
include if exists <local/dpkg-genbuildinfo>
|
include if exists <local/dpkg-genbuildinfo>
|
||||||
|
|
|
||||||
|
|
@ -23,6 +23,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/bus/org.freedesktop.login1>
|
include <abstractions/bus/org.freedesktop.login1>
|
||||||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||||
include <abstractions/bus/org.freedesktop.RealtimeKit1>
|
include <abstractions/bus/org.freedesktop.RealtimeKit1>
|
||||||
|
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/enchant>
|
include <abstractions/enchant>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
|
|
|
||||||
|
|
@ -13,6 +13,7 @@ profile gdm-wayland-session @{exec_path} {
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
include <abstractions/bus-system>
|
include <abstractions/bus-system>
|
||||||
include <abstractions/bus/org.freedesktop.systemd1-session>
|
include <abstractions/bus/org.freedesktop.systemd1-session>
|
||||||
|
include <abstractions/bus/org.gnome.DisplayManager>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
@ -24,11 +25,6 @@ profile gdm-wayland-session @{exec_path} {
|
||||||
signal (send) set=(term) peer=dbus-daemon,
|
signal (send) set=(term) peer=dbus-daemon,
|
||||||
signal (send) set=(term) peer=gnome-session-binary,
|
signal (send) set=(term) peer=gnome-session-binary,
|
||||||
|
|
||||||
dbus send bus=system path=/org/gnome/DisplayManager/Manager
|
|
||||||
interface=org.gnome.DisplayManager.Manager
|
|
||||||
member=RegisterDisplay
|
|
||||||
peer=(name=:*, label=gdm),
|
|
||||||
|
|
||||||
dbus receive bus=session
|
dbus receive bus=session
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
member=Introspect
|
member=Introspect
|
||||||
|
|
|
||||||
|
|
@ -12,6 +12,7 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
include <abstractions/bus-system>
|
include <abstractions/bus-system>
|
||||||
include <abstractions/bus/org.freedesktop.systemd1-session>
|
include <abstractions/bus/org.freedesktop.systemd1-session>
|
||||||
|
include <abstractions/bus/org.gnome.DisplayManager>
|
||||||
|
|
||||||
signal (receive) set=term peer=gdm{,-session-worker},
|
signal (receive) set=term peer=gdm{,-session-worker},
|
||||||
# signal (send) set=term peer=unconfined,
|
# signal (send) set=term peer=unconfined,
|
||||||
|
|
@ -19,11 +20,6 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
|
||||||
signal (send) set=term peer=xorg,
|
signal (send) set=term peer=xorg,
|
||||||
signal (send) set=term peer=gnome-session-binary,
|
signal (send) set=term peer=gnome-session-binary,
|
||||||
|
|
||||||
dbus send bus=system path=/org/gnome/DisplayManager/Manager
|
|
||||||
interface=org.gnome.DisplayManager.Manager
|
|
||||||
member=RegisterDisplay
|
|
||||||
peer=(name=:*, label=gdm),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/DBus
|
dbus send bus=session path=/org/freedesktop/DBus
|
||||||
interface=org.freedesktop.DBus
|
interface=org.freedesktop.DBus
|
||||||
member=UpdateActivationEnvironment
|
member=UpdateActivationEnvironment
|
||||||
|
|
@ -42,13 +38,13 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
|
||||||
/etc/gdm{3,}/custom.conf r,
|
/etc/gdm{3,}/custom.conf r,
|
||||||
/etc/gdm{3,}/daemon.conf r,
|
/etc/gdm{3,}/daemon.conf r,
|
||||||
/etc/sysconfig/displaymanager r,
|
/etc/sysconfig/displaymanager r,
|
||||||
|
|
||||||
/var/lib/gdm{3,}/.cache/gdm/Xauthority rw,
|
|
||||||
/var/lib/gdm{3,}/.cache/gdm/ rw,
|
|
||||||
|
|
||||||
|
/var/lib/gdm{3,}/.cache/gdm/ rw,
|
||||||
|
/var/lib/gdm{3,}/.cache/gdm/Xauthority rw,
|
||||||
|
|
||||||
|
@{run}/gdm{3,}/custom.conf r,
|
||||||
owner @{run}/user/@{uid}/gdm/ w,
|
owner @{run}/user/@{uid}/gdm/ w,
|
||||||
owner @{run}/user/@{uid}/gdm/Xauthority rw,
|
owner @{run}/user/@{uid}/gdm/Xauthority rw,
|
||||||
@{run}/gdm{3,}/custom.conf r,
|
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -14,6 +14,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/app-launcher-user>
|
include <abstractions/app-launcher-user>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
|
include <abstractions/deny-sensitive-home>
|
||||||
include <abstractions/gnome-strict>
|
include <abstractions/gnome-strict>
|
||||||
include <abstractions/trash>
|
include <abstractions/trash>
|
||||||
|
|
||||||
|
|
@ -29,5 +30,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
/dev/dri/card@{int} rw,
|
/dev/dri/card@{int} rw,
|
||||||
|
|
||||||
|
deny @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||||
|
|
||||||
include if exists <local/gio-launch-desktop>
|
include if exists <local/gio-launch-desktop>
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -16,6 +16,8 @@ profile gnome-extension-ding @{exec_path} {
|
||||||
include <abstractions/bus/org.a11y>
|
include <abstractions/bus/org.a11y>
|
||||||
include <abstractions/bus/org.freedesktop.FileManager1>
|
include <abstractions/bus/org.freedesktop.FileManager1>
|
||||||
include <abstractions/bus/org.freedesktop.Notifications>
|
include <abstractions/bus/org.freedesktop.Notifications>
|
||||||
|
include <abstractions/bus/org.gnome.Nautilus.FileOperations2>
|
||||||
|
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
|
||||||
include <abstractions/bus/org.gtk.vfs.Daemon>
|
include <abstractions/bus/org.gtk.vfs.Daemon>
|
||||||
include <abstractions/bus/org.gtk.vfs.Metadata>
|
include <abstractions/bus/org.gtk.vfs.Metadata>
|
||||||
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||||
|
|
@ -35,16 +37,6 @@ profile gnome-extension-ding @{exec_path} {
|
||||||
interface=org.gtk.Actions
|
interface=org.gtk.Actions
|
||||||
peer=(label=gnome-shell),
|
peer=(label=gnome-shell),
|
||||||
|
|
||||||
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
|
||||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
|
||||||
member={IsSupported,List}
|
|
||||||
peer=(name=:*, label=gvfs-*-monitor),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/Nautilus/FileOperations*
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=GetAll
|
|
||||||
peer=(name=:*, label=nautilus),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/DBus
|
dbus send bus=session path=/org/freedesktop/DBus
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
member=Introspect
|
member=Introspect
|
||||||
|
|
|
||||||
|
|
@ -35,6 +35,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/bus/org.freedesktop.secrets>
|
include <abstractions/bus/org.freedesktop.secrets>
|
||||||
include <abstractions/bus/org.freedesktop.systemd1>
|
include <abstractions/bus/org.freedesktop.systemd1>
|
||||||
include <abstractions/bus/org.freedesktop.UPower>
|
include <abstractions/bus/org.freedesktop.UPower>
|
||||||
|
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
|
||||||
include <abstractions/bus/org.gtk.vfs.Daemon>
|
include <abstractions/bus/org.gtk.vfs.Daemon>
|
||||||
include <abstractions/bus/org.gtk.vfs.Metadata>
|
include <abstractions/bus/org.gtk.vfs.Metadata>
|
||||||
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||||
|
|
@ -170,15 +171,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
## Session bus
|
## Session bus
|
||||||
|
|
||||||
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
|
||||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
|
||||||
member={IsSupported,List,VolumeMount}
|
|
||||||
peer=(name=:*, label=gvfs-*-monitor),
|
|
||||||
dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
|
||||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
|
||||||
member={MountAdded,VolumeChanged}
|
|
||||||
peer=(name=:*, label=gvfs-*-monitor),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/DBus
|
dbus send bus=session path=/org/freedesktop/DBus
|
||||||
interface=org.freedesktop.DBus
|
interface=org.freedesktop.DBus
|
||||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
|
member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
|
||||||
|
|
|
||||||
|
|
@ -32,20 +32,11 @@ profile gnome-shell-calendar-server @{exec_path} {
|
||||||
interface=org.gnome.evolution.dataserver.Calendar*
|
interface=org.gnome.evolution.dataserver.Calendar*
|
||||||
peer=(name=:*, label=evolution-*),
|
peer=(name=:*, label=evolution-*),
|
||||||
|
|
||||||
dbus (send receive) bus=session path=/org/gnome/Shell/CalendarServer
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
peer=(name=:*, label=gnome-shell),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager
|
dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager
|
||||||
interface=org.freedesktop.DBus.ObjectManager
|
interface=org.freedesktop.DBus.ObjectManager
|
||||||
member=GetManagedObjects
|
member=GetManagedObjects
|
||||||
peer=(name=:*, label=evolution-source-registry),
|
peer=(name=:*, label=evolution-source-registry),
|
||||||
|
|
||||||
dbus send bus=session path=/org/gnome/Shell/CalendarServer
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
member=PropertiesChanged
|
|
||||||
peer=(name=org.freedesktop.DBus, label=gnome-shell),
|
|
||||||
|
|
||||||
dbus receive bus=session
|
dbus receive bus=session
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
member=Introspect
|
member=Introspect
|
||||||
|
|
|
||||||
|
|
@ -38,6 +38,10 @@ profile gnome-terminal-server @{exec_path} {
|
||||||
interface=org.gtk.Actions
|
interface=org.gtk.Actions
|
||||||
peer=(name=org.freedesktop.DBus),
|
peer=(name=org.freedesktop.DBus),
|
||||||
|
|
||||||
|
dbus receive bus=session path=/org/gnome/Terminal/SearchProvider
|
||||||
|
interface=org.gnome.Shell.SearchProvider2
|
||||||
|
peer=(name=:*, label=gnome-shell),
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/systemd1
|
dbus send bus=session path=/org/freedesktop/systemd1
|
||||||
interface=org.freedesktop.systemd1.Manager
|
interface=org.freedesktop.systemd1.Manager
|
||||||
member=StartTransientUnit
|
member=StartTransientUnit
|
||||||
|
|
|
||||||
|
|
@ -9,7 +9,9 @@ include <tunables/global>
|
||||||
@{exec_path} = @{lib}/mutter-x11-frames
|
@{exec_path} = @{lib}/mutter-x11-frames
|
||||||
profile mutter-x11-frames @{exec_path} {
|
profile mutter-x11-frames @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/bus-accessibility>
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
|
include <abstractions/bus/org.a11y>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/dri-common>
|
include <abstractions/dri-common>
|
||||||
include <abstractions/dri-enumerate>
|
include <abstractions/dri-enumerate>
|
||||||
|
|
|
||||||
|
|
@ -15,6 +15,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/bus/org.a11y>
|
include <abstractions/bus/org.a11y>
|
||||||
include <abstractions/bus/org.freedesktop.hostname1>
|
include <abstractions/bus/org.freedesktop.hostname1>
|
||||||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||||
|
include <abstractions/bus/org.freedesktop.Tracker3.Miner.Files>
|
||||||
|
include <abstractions/bus/org.gnome.SessionManager>
|
||||||
|
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/deny-sensitive-home>
|
include <abstractions/deny-sensitive-home>
|
||||||
include <abstractions/dri-enumerate>
|
include <abstractions/dri-enumerate>
|
||||||
|
|
@ -28,38 +31,23 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
dbus bind bus=session name=org.gnome.Nautilus,
|
dbus bind bus=session name=org.gnome.Nautilus,
|
||||||
dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/**}
|
dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/**}
|
||||||
interface=org.gtk.{Actions,Application},
|
interface={org.gnome.Nautilus,org.freedesktop.{Application,DBus.Properties},org.gtk.{Actions,Application}}
|
||||||
dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/**}
|
peer=(name="{:*,org.gnome.Nautilus,org.freedesktop.DBus}"),
|
||||||
interface=org.freedesktop.DBus.Properties
|
|
||||||
peer=(name=:*),
|
|
||||||
dbus receive bus=session path=/org/gnome/Nautilus
|
|
||||||
interface=org.freedesktop.Application
|
|
||||||
peer=(name=:*),
|
|
||||||
|
|
||||||
dbus bind bus=session name=org.freedesktop.FileManager1,
|
dbus bind bus=session name=org.freedesktop.FileManager1,
|
||||||
dbus receive bus=session path=/org/freedesktop/FileManager1
|
dbus (send, receive) bus=session path=/org/freedesktop/FileManager1
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
peer=(name=:*),
|
peer=(name="{:*,org.freedesktop.DBus}"),
|
||||||
dbus send bus=session path=/org/freedesktop/FileManager1
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
dbus receive bus=session path=/org/gnome/Nautilus/SearchProvider
|
||||||
peer=(name=org.freedesktop.DBus),
|
interface=org.gnome.Shell.SearchProvider2
|
||||||
|
peer=(name=:*, label=gnome-shell),
|
||||||
|
|
||||||
dbus receive bus=session path=/org/gnome/Nautilus/*
|
dbus receive bus=session path=/org/gnome/Nautilus/*
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
member=Introspect
|
member=Introspect
|
||||||
peer=(name=:*, label=gnome-extension-ding),
|
peer=(name=:*, label=gnome-extension-ding),
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
|
|
||||||
interface=org.freedesktop.DBus.Peer
|
|
||||||
peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
|
|
||||||
dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
|
|
||||||
interface=org.freedesktop.Tracker3.Endpoint
|
|
||||||
peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
|
|
||||||
|
|
||||||
dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
|
||||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
|
||||||
peer=(name=:*, label=gvfs-*-monitor),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/DBus
|
dbus send bus=session path=/org/freedesktop/DBus
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member={GetAll,ListActivatableNames}
|
member={GetAll,ListActivatableNames}
|
||||||
|
|
|
||||||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/seahorse
|
@{exec_path} = @{bin}/seahorse
|
||||||
profile seahorse @{exec_path} {
|
profile seahorse @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/bus-accessibility>
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
include <abstractions/bus-system>
|
include <abstractions/bus-system>
|
||||||
include <abstractions/bus/org.a11y>
|
include <abstractions/bus/org.a11y>
|
||||||
|
|
|
||||||
|
|
@ -10,67 +10,43 @@ include <tunables/global>
|
||||||
profile tracker-extract @{exec_path} flags=(attach_disconnected) {
|
profile tracker-extract @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
|
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
|
||||||
include <abstractions/bus/org.gtk.vfs.Daemon>
|
include <abstractions/bus/org.gtk.vfs.Daemon>
|
||||||
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/deny-sensitive-home>
|
include <abstractions/deny-sensitive-home>
|
||||||
include <abstractions/disks-read>
|
include <abstractions/disks-read>
|
||||||
|
include <abstractions/dri-common>
|
||||||
include <abstractions/dri-enumerate>
|
include <abstractions/dri-enumerate>
|
||||||
include <abstractions/fonts>
|
include <abstractions/gnome-strict>
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/opencl-nvidia>
|
include <abstractions/opencl-nvidia>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
include <abstractions/X-strict>
|
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
signal (receive) set=(term) peer=gdm,
|
signal (receive) set=(term) peer=gdm,
|
||||||
|
|
||||||
dbus bind bus=session name=org.freedesktop.Tracker3.Miner.Extract,
|
dbus bind bus=session name=org.freedesktop.Tracker3.Miner.Extract,
|
||||||
dbus receive bus=session path=/org/freedesktop/Tracker3/**
|
|
||||||
interface=org.freedesktop.Tracker3.*
|
|
||||||
peer=(name=:*), # all members
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/freedesktop/Tracker3/**
|
# Talk to tracker-miner
|
||||||
interface=org.freedesktop.DBus.{Peer,Properties}
|
dbus send bus=session path=/org/freedesktop/Tracker3/{Files,Endpoint,Miner/Extract}
|
||||||
peer=(label=tracker-miner),
|
interface={org.freedesktop.Tracker3.{Miner,Endpoint,Files},org.freedesktop.DBus.{Peer,Properties}}
|
||||||
dbus send bus=session path=/org/freedesktop/Tracker3/**
|
peer=(name="{:*,org.freedesktop.Tracker3.Miner.Files,org.freedesktop.DBus}", label=tracker-miner),
|
||||||
interface=org.freedesktop.Tracker3.*
|
|
||||||
peer=(label=tracker-miner),
|
|
||||||
dbus send bus=session path=/org/freedesktop/Tracker3/**
|
|
||||||
interface=org.freedesktop.DBus.Peer
|
|
||||||
peer=(name=org.freedesktop.Tracker3.Miner.Files),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
|
||||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
|
||||||
member={List,IsSupported,MountAdded}
|
|
||||||
peer=(name=:*, label=gvfs-*-volume-monitor),
|
|
||||||
dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
|
||||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
|
||||||
member={MountAdded,VolumeChanged}
|
|
||||||
peer=(name=:*, label=gvfs-*-volume-monitor),
|
|
||||||
|
|
||||||
dbus send bus=session path=/org/gtk/vfs/metadata
|
dbus send bus=session path=/org/gtk/vfs/metadata
|
||||||
interface=org.gtk.vfs.Metadata
|
interface=org.gtk.vfs.Metadata
|
||||||
member={GetTreeFromDevice,Remove}
|
member={GetTreeFromDevice,Remove}
|
||||||
peer=(name=:*, label=gvfsd-metadata),
|
peer=(name=:*, label=gvfsd-metadata),
|
||||||
|
|
||||||
dbus receive bus=session
|
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
|
||||||
member=Introspect
|
|
||||||
peer=(name=:*, label=gnome-shell),
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/dconf/profile/gdm r,
|
/usr/share/dconf/profile/gdm r,
|
||||||
/usr/share/drirc.d/{,*.conf} r,
|
|
||||||
/usr/share/gdm/greeter/applications/*.desktop r,
|
/usr/share/gdm/greeter/applications/*.desktop r,
|
||||||
/usr/share/gvfs/remote-volume-monitors/{,*} r,
|
/usr/share/gvfs/remote-volume-monitors/{,*} r,
|
||||||
/usr/share/hwdata/*.ids r,
|
/usr/share/hwdata/*.ids r,
|
||||||
/usr/share/ladspa/rdf/{,**} r,
|
/usr/share/ladspa/rdf/{,**} r,
|
||||||
/usr/share/mime/mime.cache r,
|
|
||||||
/usr/share/osinfo/{,**} r,
|
/usr/share/osinfo/{,**} r,
|
||||||
/usr/share/poppler/{,**} r,
|
/usr/share/poppler/{,**} r,
|
||||||
/usr/share/tracker3-miners/{,**} r,
|
/usr/share/tracker3-miners/{,**} r,
|
||||||
|
|
@ -91,7 +67,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
/var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
|
/var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
|
||||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||||
/var/lib/snapd/desktop/applications/*.desktop r,
|
|
||||||
|
|
||||||
# Allow to search user files
|
# Allow to search user files
|
||||||
owner @{HOME}/{,**} r,
|
owner @{HOME}/{,**} r,
|
||||||
|
|
|
||||||
|
|
@ -12,12 +12,13 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
include <abstractions/bus-system>
|
include <abstractions/bus-system>
|
||||||
include <abstractions/bus/org.freedesktop.UPower>
|
include <abstractions/bus/org.freedesktop.UPower>
|
||||||
|
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
|
||||||
include <abstractions/bus/org.gtk.vfs.Daemon>
|
include <abstractions/bus/org.gtk.vfs.Daemon>
|
||||||
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/deny-sensitive-home>
|
include <abstractions/deny-sensitive-home>
|
||||||
include <abstractions/disks-read>
|
include <abstractions/disks-read>
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/gnome-strict>
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/private-files-strict>
|
include <abstractions/private-files-strict>
|
||||||
|
|
@ -27,24 +28,15 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
|
||||||
signal (receive) set=(term, kill) peer=gdm,
|
signal (receive) set=(term, kill) peer=gdm,
|
||||||
signal (receive) set=(hup) peer=gdm-session-worker,
|
signal (receive) set=(hup) peer=gdm-session-worker,
|
||||||
|
|
||||||
dbus bind bus=session name=org.freedesktop.Tracker3.Miner.Files{,.Control},
|
dbus bind bus=session name=org.freedesktop.Tracker3.Miner.Files{,.*},
|
||||||
|
dbus (send, receive) bus=session path=/org/freedesktop/Tracker3/Endpoint
|
||||||
dbus (send, receive) bus=session path=/org/freedesktop/Tracker3/**
|
interface={org.freedesktop.Tracker3.Endpoint,org.freedesktop.DBus.Peer}
|
||||||
interface=org.freedesktop.Tracker3.*
|
|
||||||
peer=(name="{:*,org.freedesktop.DBus}"), # all members
|
|
||||||
dbus receive bus=session path=/org/freedesktop/Tracker3/**
|
|
||||||
interface=org.freedesktop.DBus.{Peer,Properties}
|
|
||||||
peer=(name=:*),
|
peer=(name=:*),
|
||||||
|
|
||||||
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
# Talk from tracker-extract
|
||||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
dbus receive bus=session path=/org/freedesktop/Tracker3/{Files,Endpoint,Miner/Extract}
|
||||||
member={List,IsSupported,VolumeChanged,MountAdded}
|
interface={org.freedesktop.Tracker3.{Miner,Endpoint,Files},org.freedesktop.DBus.{Peer,Properties}}
|
||||||
peer=(name=:*, label=gvfs-*-volume-monitor),
|
peer=(name=:*, label=tracker-extract),
|
||||||
|
|
||||||
dbus receive bus=session
|
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
|
||||||
member=Introspect
|
|
||||||
peer=(name=:*, label=gnome-shell),
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -13,9 +13,9 @@ profile gvfs-afc-volume-monitor @{exec_path} {
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
|
|
||||||
dbus bind bus=session name=org.gtk.vfs.AfcVolumeMonitor,
|
dbus bind bus=session name=org.gtk.vfs.AfcVolumeMonitor,
|
||||||
dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
||||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
interface=org.gtk.Private.RemoteVolumeMonitor
|
||||||
peer=(name=:*),
|
peer=(name="{:*,org.freedesktop.DBus}"),
|
||||||
|
|
||||||
dbus receive bus=session
|
dbus receive bus=session
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
|
|
|
||||||
|
|
@ -13,11 +13,9 @@ profile gvfs-goa-volume-monitor @{exec_path} {
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
|
|
||||||
dbus bind bus=session name=org.gtk.vfs.GoaVolumeMonitor,
|
dbus bind bus=session name=org.gtk.vfs.GoaVolumeMonitor,
|
||||||
|
dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
||||||
dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
|
||||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
interface=org.gtk.Private.RemoteVolumeMonitor
|
||||||
member={List,IsSupported}
|
peer=(name="{:*,org.freedesktop.DBus}"),
|
||||||
peer=(name=:*, label="{gnome-shell,nautilus,gnome-control-center,gnome-extension-ding,tracker-*,unconfined}"),
|
|
||||||
|
|
||||||
dbus receive bus=session
|
dbus receive bus=session
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
|
|
|
||||||
|
|
@ -16,27 +16,24 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} {
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
dbus bind bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor,
|
||||||
|
dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
||||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
interface=org.gtk.Private.RemoteVolumeMonitor
|
||||||
member={List,IsSupported}
|
peer=(name="{:*,org.freedesktop.DBus}"),
|
||||||
peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,nautilus,tracker-*,unconfined}"),
|
|
||||||
|
|
||||||
dbus receive bus=session
|
dbus receive bus=session
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
member=Introspect
|
member=Introspect
|
||||||
peer=(name=:*, label=gnome-shell),
|
peer=(name=:*, label=gnome-shell),
|
||||||
|
|
||||||
dbus bind bus=session
|
|
||||||
name=org.gtk.vfs.GPhoto2VolumeMonitor,
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/etc/fstab r,
|
||||||
|
|
||||||
|
@{sys}/class/scsi_generic/ r,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
|
|
||||||
@{sys}/class/scsi_generic/ r,
|
|
||||||
|
|
||||||
/etc/fstab r,
|
|
||||||
|
|
||||||
include if exists <local/gvfs-gphoto2-volume-monitor>
|
include if exists <local/gvfs-gphoto2-volume-monitor>
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -16,11 +16,9 @@ profile gvfs-mtp-volume-monitor @{exec_path} {
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
dbus bind bus=session name=org.gtk.vfs.MTPVolumeMonitor,
|
dbus bind bus=session name=org.gtk.vfs.MTPVolumeMonitor,
|
||||||
|
dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
||||||
dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
|
||||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
interface=org.gtk.Private.RemoteVolumeMonitor
|
||||||
member={List,IsSupported}
|
peer=(name="{:*,org.freedesktop.DBus}"),
|
||||||
peer=(name=:*, label="{gnome-shell,gnome-control-center,gnome-extension-ding,nautilus,tracker-*,unconfined}"),
|
|
||||||
|
|
||||||
dbus receive bus=session
|
dbus receive bus=session
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
|
|
|
||||||
|
|
@ -31,13 +31,9 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
|
||||||
ptrace (read),
|
ptrace (read),
|
||||||
|
|
||||||
dbus bind bus=session name=org.gtk.vfs.UDisks2VolumeMonitor,
|
dbus bind bus=session name=org.gtk.vfs.UDisks2VolumeMonitor,
|
||||||
|
dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
||||||
dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
|
||||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
interface=org.gtk.Private.RemoteVolumeMonitor
|
||||||
peer=(name=:*),
|
peer=(name="{:*,org.freedesktop.DBus}"),
|
||||||
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
|
||||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
|
||||||
peer=(name=org.freedesktop.DBus),
|
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/UDisks2/**
|
dbus send bus=system path=/org/freedesktop/UDisks2/**
|
||||||
interface=org.freedesktop.UDisks2.Filesystem
|
interface=org.freedesktop.UDisks2.Filesystem
|
||||||
|
|
|
||||||
|
|
@ -92,13 +92,12 @@ profile xdm-xsession @{exec_path} {
|
||||||
|
|
||||||
profile dbus {
|
profile dbus {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/bus-session>
|
||||||
|
|
||||||
@{bin}/dbus-update-activation-environment mr,
|
@{bin}/dbus-update-activation-environment mr,
|
||||||
|
|
||||||
owner @{user_share_dirs}/sddm/xorg-session.log rw,
|
owner @{user_share_dirs}/sddm/xorg-session.log rw,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/bus rw,
|
|
||||||
|
|
||||||
include if exists <local/xdm-xsession_dbus>
|
include if exists <local/xdm-xsession_dbus>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -22,9 +22,6 @@ profile livepatch-notification @{exec_path} {
|
||||||
/usr/share/icons/{,**} r,
|
/usr/share/icons/{,**} r,
|
||||||
/usr/share/X11/{,**} r,
|
/usr/share/X11/{,**} r,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
|
||||||
owner @{run}/user/@{uid}/bus rw,
|
|
||||||
|
|
||||||
@{run}/user/@{uid}/gdm/Xauthority r,
|
@{run}/user/@{uid}/gdm/Xauthority r,
|
||||||
|
|
||||||
include if exists <local/livepatch-notification>
|
include if exists <local/livepatch-notification>
|
||||||
|
|
|
||||||
|
|
@ -16,13 +16,10 @@ profile update-notifier @{exec_path} {
|
||||||
include <abstractions/bus-system>
|
include <abstractions/bus-system>
|
||||||
include <abstractions/bus/org.a11y>
|
include <abstractions/bus/org.a11y>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/fonts>
|
include <abstractions/gnome-strict>
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/gtk>
|
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
include <abstractions/python>
|
include <abstractions/python>
|
||||||
include <abstractions/wayland>
|
|
||||||
|
|
||||||
dbus receive bus=session path=/org/ayatana/NotificationItem{,/**}
|
dbus receive bus=session path=/org/ayatana/NotificationItem{,/**}
|
||||||
interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties}
|
interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties}
|
||||||
|
|
@ -33,11 +30,6 @@ profile update-notifier @{exec_path} {
|
||||||
member=RegisterStatusNotifierItem
|
member=RegisterStatusNotifierItem
|
||||||
peer=(name=:*, label=gnome-shell),
|
peer=(name=:*, label=gnome-shell),
|
||||||
|
|
||||||
dbus receive bus=session
|
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
|
||||||
member=Introspect
|
|
||||||
peer=(name=:*, label=gnome-shell),
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/{,ba,da}sh rix,
|
@{bin}/{,ba,da}sh rix,
|
||||||
|
|
@ -70,20 +62,17 @@ profile update-notifier @{exec_path} {
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
||||||
/var/lib/snapd/desktop/applications/{,**} r,
|
/var/lib/snapd/desktop/applications/{,**} r,
|
||||||
/var/lib/snapd/desktop/icons/ r,
|
|
||||||
/var/lib/update-notifier/user.d/ r,
|
/var/lib/update-notifier/user.d/ r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/update-notifier/ w,
|
owner @{user_config_dirs}/update-notifier/ w,
|
||||||
owner @{user_share_dirs}/applications/ r,
|
owner @{user_share_dirs}/applications/ r,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
|
||||||
owner @{run}/user/@{uid}/bus rw,
|
|
||||||
owner @{run}/user/@{uid}/update-notifier.pid rwk,
|
owner @{run}/user/@{uid}/update-notifier.pid rwk,
|
||||||
|
|
||||||
owner /tmp/#@{int} rw,
|
owner /tmp/#@{int} rw,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
|
||||||
@{PROC}/@{pids}/mountinfo r,
|
@{PROC}/@{pids}/mountinfo r,
|
||||||
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
|
||||||
include if exists <local/update-notifier>
|
include if exists <local/update-notifier>
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -29,7 +29,6 @@ profile torbrowser-start @{exec_path} {
|
||||||
@{bin}/rm rix,
|
@{bin}/rm rix,
|
||||||
@{bin}/sed rix,
|
@{bin}/sed rix,
|
||||||
@{bin}/sh rix,
|
@{bin}/sh rix,
|
||||||
@{bin}/sh rix,
|
|
||||||
@{lib_dirs}/abicheck rix,
|
@{lib_dirs}/abicheck rix,
|
||||||
@{lib_dirs}/firefox rix,
|
@{lib_dirs}/firefox rix,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -13,6 +13,7 @@ profile engrampa @{exec_path} {
|
||||||
include <abstractions/bus-accessibility>
|
include <abstractions/bus-accessibility>
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
include <abstractions/bus/org.a11y>
|
include <abstractions/bus/org.a11y>
|
||||||
|
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
|
||||||
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
|
|
@ -30,17 +31,12 @@ profile engrampa @{exec_path} {
|
||||||
member=GetId
|
member=GetId
|
||||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||||
|
|
||||||
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
|
||||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
|
||||||
member={IsSupported,List}
|
|
||||||
peer=(name=:*),
|
|
||||||
|
|
||||||
dbus receive bus=session path=/org/gtk/Application/anonymous
|
dbus receive bus=session path=/org/gtk/Application/anonymous
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=GetAll
|
member=GetAll
|
||||||
peer=(name=:*),
|
peer=(name=:*),
|
||||||
|
|
||||||
dbus receive bus=session path=/org/gtk/Application/anonymous{,/window/[0-9]*}
|
dbus receive bus=session path=/org/gtk/Application/anonymous{,/window/@{int}}
|
||||||
interface=org.gtk.Actions
|
interface=org.gtk.Actions
|
||||||
member=DescribeAll
|
member=DescribeAll
|
||||||
peer=(name=:*),
|
peer=(name=:*),
|
||||||
|
|
|
||||||
|
|
@ -34,8 +34,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
dbus bind bus=system name=org.freedesktop.fwupd,
|
dbus bind bus=system name=org.freedesktop.fwupd,
|
||||||
dbus (send, receive) bus=session path=/
|
dbus (send, receive) bus=system path=/
|
||||||
interface={org.freedesktop.fwupd,org.freedesktop.DBus}
|
interface={org.freedesktop.fwupd,org.freedesktop.DBus{,.Properties}}
|
||||||
peer=(name="{:*,org.freedesktop.fwupd,org.freedesktop.DBus}"),
|
peer=(name="{:*,org.freedesktop.fwupd,org.freedesktop.DBus}"),
|
||||||
|
|
||||||
dbus send bus=system path=/org/freedesktop/DBus
|
dbus send bus=system path=/org/freedesktop/DBus
|
||||||
|
|
|
||||||
|
|
@ -21,8 +21,6 @@ profile gsettings @{exec_path} {
|
||||||
/var/lib/gdm{3,}/.config/dconf/user r,
|
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/bus rw,
|
|
||||||
|
|
||||||
/dev/tty@{int} rw,
|
/dev/tty@{int} rw,
|
||||||
|
|
||||||
include if exists <local/gsettings>
|
include if exists <local/gsettings>
|
||||||
|
|
|
||||||
|
|
@ -15,6 +15,7 @@ profile remmina @{exec_path} {
|
||||||
include <abstractions/bus/org.a11y>
|
include <abstractions/bus/org.a11y>
|
||||||
include <abstractions/bus/org.freedesktop.hostname1>
|
include <abstractions/bus/org.freedesktop.hostname1>
|
||||||
include <abstractions/bus/org.freedesktop.secrets>
|
include <abstractions/bus/org.freedesktop.secrets>
|
||||||
|
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/fonts>
|
include <abstractions/fonts>
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/freedesktop.org>
|
||||||
|
|
@ -43,11 +44,6 @@ profile remmina @{exec_path} {
|
||||||
member=RegisterStatusNotifierItem
|
member=RegisterStatusNotifierItem
|
||||||
peer=(name=:*),
|
peer=(name=:*),
|
||||||
|
|
||||||
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
|
||||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
|
||||||
member={IsSupported,List}
|
|
||||||
peer=(name=:*),
|
|
||||||
|
|
||||||
@{exec_path} r,
|
@{exec_path} r,
|
||||||
|
|
||||||
/usr/share/remmina/{,**} r,
|
/usr/share/remmina/{,**} r,
|
||||||
|
|
|
||||||
|
|
@ -145,6 +145,7 @@ profile run-parts @{exec_path} {
|
||||||
|
|
||||||
profile motd {
|
profile motd {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
@{bin}/{,ba,da}sh rix,
|
@{bin}/{,ba,da}sh rix,
|
||||||
@{bin}/{e,}grep rix,
|
@{bin}/{e,}grep rix,
|
||||||
|
|
@ -167,7 +168,7 @@ profile run-parts @{exec_path} {
|
||||||
/ r,
|
/ r,
|
||||||
/etc/default/motd-news r,
|
/etc/default/motd-news r,
|
||||||
/etc/lsb-release r,
|
/etc/lsb-release r,
|
||||||
/etc/update-motd.d/@{int}-[a-z]* r,
|
/etc/update-motd.d/* r,
|
||||||
|
|
||||||
/var/cache/motd-news rw,
|
/var/cache/motd-news rw,
|
||||||
/var/lib/update-notifier/updates-available r,
|
/var/lib/update-notifier/updates-available r,
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue