feat(profile): improve gnome profiles.

2025-01-18 17:08:09 +01:00 · 2024-03-17 21:29:49 +00:00 · 2024-03-17 21:29:49 +00:00 · 233b1f2f0e
commit 233b1f2f0e
parent fb064431be
7 changed files with 25 additions and 25 deletions
--- a/apparmor.d/groups/gnome/gcr-ssh-agent
+++ b/apparmor.d/groups/gnome/gcr-ssh-agent
@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@ -50,7 +50,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
  @{lib}/{,gdm/}gdm-session-worker rPx,
  /etc/gdm{3,}/PrimeOff/Default    rix,

-  /usr/share/gdm/gdm.schemas r,
+  /usr/share/gdm{3,}/gdm.schemas r,
  /usr/share/wayland-sessions/*.desktop r,
  /usr/share/xsessions/*.desktop r,

@ -63,14 +63,14 @@ profile gdm @{exec_path} flags=(attach_disconnected) {

  /var/{lib,log}/gdm{3,}/ rw,

-  @{run}/gdm{3,}.pid rw,
-  @{run}/gdm{3,}/ rw,
-  @{run}/gdm{3,}/custom.conf r,
-  @{run}/gdm{3,}/gdm.pid rw,
-  @{run}/gdm{3,}/greeter/ rw,
-  @{run}/systemd/seats/seat@{int} r,
-  @{run}/systemd/sessions/* r,
-  @{run}/systemd/users/@{uid} r,
+        @{run}/gdm{3,}/greeter/ rw,
+        @{run}/systemd/seats/seat@{int} r,
+        @{run}/systemd/sessions/* r,
+        @{run}/systemd/users/@{uid} r,
+  owner @{run}/gdm{3,}.pid rw,
+  owner @{run}/gdm{3,}/ rw,
+  owner @{run}/gdm{3,}/custom.conf r,
+  owner @{run}/gdm{3,}/gdm.pid rw,

  @{run}/udev/data/+drm:card@{int}-* r,   # For screen outputs
  @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
--- a/apparmor.d/groups/gnome/gdm-generate-config
+++ b/apparmor.d/groups/gnome/gdm-generate-config
@ -29,21 +29,22 @@ profile gdm-generate-config @{exec_path} {
  @{bin}/setsid      rix,

  /etc/gdm{3,}/* r,
-  /usr/share/gdm/{,**} r,
+  /usr/share/gdm{3,}/{,**} r,

-  /var/lib/ r,
-  /var/lib/gdm{3,}/ rw,
-  /var/lib/gdm{3,}/{,**} r,
-  /var/lib/gdm{3,}/greeter-dconf-defaults rw,
-  /var/lib/gdm{3,}/greeter-dconf-defaults.@{rand6} w,
+        /var/lib/ r,
+  owner /var/lib/gdm{3,}/ rw,
+  owner /var/lib/gdm{3,}/{,**} r,
+  owner /var/lib/gdm{3,}/greeter-dconf-defaults rw,
+  owner /var/lib/gdm{3,}/greeter-dconf-defaults.@{rand6} w,
+
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node@{int}/meminfo r,

  @{PROC}/ r,
  @{PROC}/@{pid}/cgroup  r,
  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/uptime r,
-  @{sys}/devices/system/node/ r,
-  @{sys}/devices/system/node/node@{int}/meminfo r,

  include if exists <local/gdm-generate-config>
 }
--- a/apparmor.d/groups/gnome/gdm-runtime-config
+++ b/apparmor.d/groups/gnome/gdm-runtime-config
@ -12,8 +12,8 @@ profile gdm-runtime-config @{exec_path} {

  @{exec_path} mr,

-  @{run}/gdm{3,}/ rw,
-  @{run}/gdm{3,}/custom.conf{,.@{rand6}} rw,
+  owner @{run}/gdm{3,}/ rw,
+  owner @{run}/gdm{3,}/custom.conf{,.@{rand6}} rw,

  include if exists <local/gdm-runtime-config>
 }
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -68,6 +68,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {

  /usr/share/gdm/gdm.schemas r,
  /usr/share/wayland-sessions/*.desktop r,
+  /usr/share/xsessions/gnome-xorg.desktop r,

  @{etc_ro}/environment r,
  @{etc_ro}/security/limits.d/{,*.conf} r,
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -94,7 +94,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  @{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher  rPUx,
  @{lib}/baloo_file                                      rPx,
  @{lib}/caribou/caribou                                rPUx,
-  @{lib}/deja-dup/deja-dup-monitor                      rPUx,
+  @{lib}/deja-dup/deja-dup-monitor                       rPx,
  @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify rPx,
  @{lib}/gsd-disk-utility-notify                         rPx,
  @{lib}/update-notifier/ubuntu-advantage-notification   rPx,
@ -129,11 +129,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/autostart/{,*.desktop} r,
  owner @{user_config_dirs}/gnome-session/ rw,
  owner @{user_config_dirs}/gnome-session/saved-session/ rw,
-  owner @{user_config_dirs}/gtk-3.0/bookmarks rw,
-  owner @{user_config_dirs}/gtk-3.0/bookmarks.[0-9A-Z]* rw,
-  owner @{user_config_dirs}/user-dirs.locale r,
  owner @{user_share_dirs}/gnome-shell/gnome-overrides-migrated rw,
-  owner @{user_share_dirs}/session_migration-ubuntu r,

        @{run}/systemd/inhibit/[0-9]*.ref rw,
        @{run}/systemd/sessions/* r,
--- a/apparmor.d/groups/gnome/gnome-tour
+++ b/apparmor.d/groups/gnome/gnome-tour
@ -16,5 +16,7 @@ profile gnome-tour @{exec_path} {

  @{exec_path} mr,

+  /usr/share/gnome-tour/{,**} r,
+
  include if exists <local/gnome-tour>
 }