From 03dd5fe4cd28faebb4791df63329bbc0680eede4 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Tue, 7 May 2024 00:04:07 +0100
Subject: [PATCH] feat(profile): improve xfce profiles stack.

---
 apparmor.d/abstractions/desktop           | 2 ++
 apparmor.d/abstractions/xfce              | 2 ++
 apparmor.d/groups/display-manager/lightdm | 5 +++--
 apparmor.d/groups/xfce/ristretto          | 7 +++++++
 apparmor.d/groups/xfce/thunar             | 1 +
 apparmor.d/groups/xfce/xfce-session       | 2 ++
 apparmor.d/groups/xfce/xfwm               | 2 ++
 7 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop
index b9ae5594..bc273a00 100644
--- a/apparmor.d/abstractions/desktop
+++ b/apparmor.d/abstractions/desktop
@@ -47,6 +47,8 @@
 
   # else if @{DE} == xfce
 
+    /usr/share/xfce4/ r,
+
     owner @{user_config_dirs}/xfce4/help{,ers}.rc rw,
     owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw,
 
diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce
index b625da98..eff45b14 100644
--- a/apparmor.d/abstractions/xfce
+++ b/apparmor.d/abstractions/xfce
@@ -8,6 +8,8 @@
   include <abstractions/wayland>
   include <abstractions/X-strict>
 
+  /usr/share/xfce4/ r,
+
   owner @{user_config_dirs}/xfce4/help{,ers}.rc rw,
   owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw,
 
diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm
index 4467b35f..125e22e8 100644
--- a/apparmor.d/groups/display-manager/lightdm
+++ b/apparmor.d/groups/display-manager/lightdm
@@ -31,9 +31,10 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
 
   network netlink raw,
 
-  signal (send) set=(term) peer=lightdm-*-greeter,
-  signal (send) set=(term) peer=xorg,
   signal (receive) set=(usr1) peer=xorg,
+  signal (send) set=(term) peer=lightdm-*-greeter,
+  signal (send) set=(term) peer=xfce-session,
+  signal (send) set=(term) peer=xorg,
 
   @{exec_path} mrix,
 
diff --git a/apparmor.d/groups/xfce/ristretto b/apparmor.d/groups/xfce/ristretto
index 12ad443f..441972e9 100644
--- a/apparmor.d/groups/xfce/ristretto
+++ b/apparmor.d/groups/xfce/ristretto
@@ -10,6 +10,7 @@ include <tunables/global>
 profile ristretto @{exec_path} {
   include <abstractions/base>
   include <abstractions/thumbnails-cache-read>
+  include <abstractions/trash-strict>
   include <abstractions/user-read-strict>
   include <abstractions/user-write-strict>
   include <abstractions/xfce>
@@ -20,7 +21,13 @@ profile ristretto @{exec_path} {
 
   /usr/share/file/{,**} r,
 
+  /etc/magic r,
+  /etc/timezone r,
+
   owner @{user_config_dirs}/ristretto/{,**} rw,
+  owner @{user_share_dirs}/ristretto/{,**} rw,
+
+  deny @{user_share_dirs}/gvfs-metadata/* r,
 
   include if exists <local/ristretto>
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar
index 3a53fc06..d355c5bf 100644
--- a/apparmor.d/groups/xfce/thunar
+++ b/apparmor.d/groups/xfce/thunar
@@ -23,6 +23,7 @@ profile thunar @{exec_path} {
   @{open_path} rPx -> child-open,
 
   /usr/share/ r,
+  /usr/share/anon-apps-config/share/{,**} r, #aa:only whonix
   /usr/share/Thunar/{,**} r,
 
   /etc/fstab r,
diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session
index 705fb9aa..2c7e65b6 100644
--- a/apparmor.d/groups/xfce/xfce-session
+++ b/apparmor.d/groups/xfce/xfce-session
@@ -14,6 +14,8 @@ profile xfce-session @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/xfce>
 
+  signal (receive) set=(term) peer=lightdm,
+
   @{exec_path} mr,
 
   @{sh_path} rix,
diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm
index ffe99304..6a55af7d 100644
--- a/apparmor.d/groups/xfce/xfwm
+++ b/apparmor.d/groups/xfce/xfwm
@@ -21,5 +21,7 @@ profile xfwm @{exec_path} {
 
   /etc/machine-id r,
 
+  owner @{user_cache_dirs}/sessions/xfwm4-*.state rw,
+
   include if exists <local/xfwm>
 }
\ No newline at end of file