diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open
index 49785fdd..f40bd360 100644
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@@ -70,7 +70,7 @@ profile child-open {
  /{usr/,}bin/gnome-calculator rPUx,
  /{usr/,}bin/gnome-disk-image-mounter rPx,
  /{usr/,}bin/gnome-disks rPx,
- /{usr/,}bin/kgx rPUx,
+ /{usr/,}bin/kgx rPx,
  /{usr/,}bin/okular rPx,
  /{usr/,}bin/qbittorrent rPx,
  /{usr/,}bin/qpdfview rPx,
diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx
new file mode 100644
index 00000000..18977cf2
--- /dev/null
+++ b/apparmor.d/groups/gnome/kgx
@@ -0,0 +1,45 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/kgx
+profile kgx @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ # The shell is not confined on purpose.
+ /{usr/,}bin/{,b,d,rb}ash rUx,
+ /{usr/,}bin/{c,k,tc,z}sh rUx,
+
+ # Some CLI program can be launched directly from Gnome Shell
+ /{usr/,}bin/htop rPx,
+ /{usr/,}bin/micro rPUx,
+ /{usr/,}bin/nvtop rPx,
+
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+ /{usr/,}lib/gio-launch-desktop rPx -> child-open,
+
+ /usr/share/themes/{,**} r,
+ /usr/share/X11/xkb/{,**} r,
+
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/1/cgroup r,
+ owner @{PROC}/@{pid}/cgroup r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index bf059154..45891dae 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -124,6 +124,7 @@ irqbalance complain
 iwctl complain
 iwd complain
 kernel-install complain
+kgx complain
 kmod attach_disconnected,complain
 landscape-sysinfo complain
 landscape-sysinfo.wrapper complain
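Review bot: The unowned `@{PROC}/@{pids}/cmdline r,` and `@{PROC}/@{pids}/stat r,` rules combined with the unqualified `ptrace (read),` in the new kgx profile let the terminal read the command line and status of every process on the system, not just the shells it spawned, which is wider than a terminal needs and wider than the neighbouring `owner @{PROC}/@{pid}/cgroup r,` already grants. Because the shells are started `rUx` and so run unconfined, the terminal's own children presumably appear as the unconfined peer, so `owner @{PROC}/@{pids}/cmdline r,`, `owner @{PROC}/@{pids}/stat r,` and `ptrace (read) peer=unconfined,` should be enough for the foreground-process lookup; this is worth confirming against the audit log while the profile is still listed as `complain` in main.flags in this same commit. The `# The shell is not confined on purpose.` comment would also help future editors if it recorded why `Ux` (environment scrubbed on the transition) was chosen over `ux`, so the rule is not loosened later. Minor wording: `# Some CLI program can be launched directly from Gnome Shell` reads better as `# Some CLI programs can be launched directly from GNOME Shell`.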