From 2372188d8e825b6f2a535569ed540ce88cee8576 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 11 Jul 2021 17:20:09 +0100
Subject: [PATCH] Update profiles.
---
 apparmor.d/abstractions/user-read | 9 +++++++++
 apparmor.d/groups/gnome/gdm-xsession | 7 +++++++
 apparmor.d/groups/gnome/gnome-calculator-search-provider | 2 ++
 .../groups/gnome/gnome-control-center-search-provider | 2 ++
 apparmor.d/groups/gnome/gnome-shell | 3 ++-
 apparmor.d/groups/gnome/tracker-miner | 2 ++
 apparmor.d/groups/pacman/reflector | 2 +-
 apparmor.d/groups/systemd/systemd-logind | 1 +
 apparmor.d/profiles-a-l/gtk-query-immodules | 1 +
 apparmor.d/profiles-m-z/start-pulseaudio-x11 | 1 +
 apparmor.d/profiles-m-z/xhost | 2 +-
 11 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read
index 22379da7..38ff5085 100644
--- a/apparmor.d/abstractions/user-read
+++ b/apparmor.d/abstractions/user-read
@@ -8,5 +8,14 @@
 owner @{HOME}/@{XDG_VIDEOS_DIR}/{,**} r,
 owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} r,
 owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} r,
+ owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+
+ owner @{MOUNTS}/*/@{XDG_DOCUMENTS_DIR}/{,**} r,
+ owner @{MOUNTS}/*/@{XDG_MUSIC_DIR}/{,**} r,
+ owner @{MOUNTS}/*/@{XDG_PICTURES_DIR}/{,**} r,
+ owner @{MOUNTS}/*/@{XDG_VIDEOS_DIR}/{,**} r,
+ owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/{,**} r,
+ owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/{,**} r,
+ owner @{MOUNTS}/*/@{XDG_WALLPAPERS_DIR}/{,**} r,
 include if exists
\ No newline at end of file
diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession
index dcf20164..5abf933f 100644
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
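Review bot: The new `@{MOUNTS}/*/...` rules rely on `owner` to scope what is readable, but on removable media formatted as vfat, exfat or NTFS every file is reported as owned by the mounting user (the `uid=` mount option), so `owner` does not separate the user's files from anyone else's there the way it does under @{HOME}. That is worth a comment above the block so nobody later assumes the same guarantee: `# owner only helps on filesystems with real uid ownership; on vfat/exfat/ntfs mounts every file belongs to the mounting user`. Separately, `@{XDG_WALLPAPERS_DIR}` is not one of the standard xdg-user-dirs variables; presumably it is declared in the project's tunables, but that declaration is not part of this patch and the abstraction will not parse without it.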
@@ -35,11 +35,18 @@ profile gdm-xsession @{exec_path} {
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
+ # file_inherit
+ /dev/tty rw,
+ /dev/tty[0-9]* rw,
+
 profile dbus {
 include
 /{usr/,}bin/dbus-update-activation-environment mr,
+ # file_inherit
+ /dev/tty rw,
+ /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
 }
diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider
index 92ae12a6..35789c25 100644
--- a/apparmor.d/groups/gnome/gnome-calculator-search-provider
+++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider
@@ -26,5 +26,7 @@ profile gnome-calculator-search-provider @{exec_path} {
 owner @{PROC}/@{pid}/fd/ r,
+ owner @{run}/user/@{uid}/gdm/Xauthority r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider
index 51f66679..938813ff 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-search-provider
+++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider
@@ -21,5 +21,7 @@ profile gnome-control-center-search-provider @{exec_path} {
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
+ owner @{run}/user/@{uid}/gdm/Xauthority r,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 68cb269e..e5bc9e93 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -31,9 +31,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 ptrace (read),
 signal (receive) set=(term, hup) peer=gdm*,
- signal (send) set=(usr1) peer=ibus-daemon,
+ signal (send) set=(kill) peer=unconfined,
 signal (send) set=(term) peer=polkit*,
 signal (send) set=(term) peer=xwayland,
+ signal (send) set=(usr1) peer=ibus-daemon,
 @{exec_path} mr,
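Review bot: `/dev/tty[0-9]* rw,` without `owner`, added in both the gdm-xsession profile and its `dbus` subprofile, grants open, read and write on every virtual console DAC lets the session touch, not just the descriptor that was inherited across the exec, and `r` on a VT someone else is logged in on is keystroke capture. AppArmor cannot express "inherited fd only", so if the goal is only to silence file_inherit noise for stdio left open by the display manager, `deny /dev/tty[0-9]* rw,` is the tighter choice (a denied inherited fd is swapped for /dev/null on the transition rather than killing the process); if the session really needs console I/O, the comment should say which program does, e.g. `# file_inherit: stdio left open on the session VT by gdm`. The enclosing gdm-xsession profile starts before this hunk; the dbus subprofile opens and closes inside it.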
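Review bot: `signal (send) set=(kill) peer=unconfined,` is the only substantive new permission in the gnome-shell hunk and it records no target: `unconfined` is the label of every process without a profile, so this lets gnome-shell SIGKILL any of them that DAC permits, which is everything running as the session user. Signal peers are matched by label, so the rule cannot be narrowed to one binary unless that binary gets its own profile, but it should at least carry a comment naming the helper it kills and why `term` is not enough, so the grant can be revisited. The move of the ibus-daemon `usr1` rule is reordering only. The gnome-shell profile starts before and continues after this hunk.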
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index aae0df76..f350f1aa 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -40,5 +40,7 @@ profile tracker-miner @{exec_path} {
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
+ @{run}/mount/utab r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/pacman/reflector b/apparmor.d/groups/pacman/reflector
index f3a4fc68..337a8e80 100644
--- a/apparmor.d/groups/pacman/reflector
+++ b/apparmor.d/groups/pacman/reflector
@@ -9,9 +9,9 @@ include
 @{exec_path} = /{usr/,}bin/reflector
 profile reflector @{exec_path} flags=(attach_disconnected) {
 include
- include
 include
 include
+ include
 include
 network inet dgram,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 482e4915..db9946bc 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -42,6 +42,7 @@ profile systemd-logind @{exec_path} flags=(complain) {
 @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
 @{run}/udev/data/c116:[0-9]* r, # for ALSA
 @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
+ @{run}/udev/data/c237:[0-9]* r,
 @{run}/udev/data/c238:[0-9]* r,
 @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
diff --git a/apparmor.d/profiles-a-l/gtk-query-immodules b/apparmor.d/profiles-a-l/gtk-query-immodules
index 2d612438..710add22 100644
--- a/apparmor.d/profiles-a-l/gtk-query-immodules
+++ b/apparmor.d/profiles-a-l/gtk-query-immodules
@@ -12,6 +12,7 @@ profile gtk-query-immodules @{exec_path} {
 @{exec_path} mr,
+ /{usr/,}lib/gtk-{3,4}.0/**/immodules.cache w,
 /{usr/,}lib/gtk-{3,4}.0/**/immodules.cache.[0-9A-Z]* w,
 # Silencer
diff --git a/apparmor.d/profiles-m-z/start-pulseaudio-x11 b/apparmor.d/profiles-m-z/start-pulseaudio-x11
index 6b1719a0..de71e9f4 100644
--- a/apparmor.d/profiles-m-z/start-pulseaudio-x11
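Review bot: `@{run}/udev/data/c237:[0-9]* r,` in the systemd-logind hunk is the only line in that list without a `# for ...` comment, and the number it hard-codes is not stable: character majors 234–254 are reserved for dynamic assignment in the kernel's devices.txt, so which device sits at 237 (and at the pre-existing 238) depends on the kernel build and module load order. Record what it was observed to be, e.g. `@{run}/udev/data/c237:[0-9]* r, # dynamic major (234-254 range); <device> on the test machine`, so the rule can be re-checked instead of copied into other profiles as if it were fixed. The profile is in complain mode, so a stale major only logs, but the comment is what makes the rule reviewable.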
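Review bot: The new `/{usr/,}lib/gtk-{3,4}.0/**/immodules.cache w,` line in gtk-query-immodules says nothing about why the final cache name now needs write access when only the `immodules.cache.[0-9A-Z]*` temp-file pattern was needed before; the likely reason is that moving the temp file onto its final name also needs `w` on the destination, but that is inferred, not shown here. A one-line why-comment, e.g. `# renaming the temp cache onto the final name needs w on the target`, would stop the next person widening it further. The `**` component already matches any depth below gtk-{3,4}.0, so no broader glob is needed.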
+++ b/apparmor.d/profiles-m-z/start-pulseaudio-x11
@@ -13,6 +13,7 @@ profile start-pulseaudio-x11 @{exec_path} {
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/pactl rPx,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-m-z/xhost b/apparmor.d/profiles-m-z/xhost
index 53117ba4..54aef47d 100644
--- a/apparmor.d/profiles-m-z/xhost
+++ b/apparmor.d/profiles-m-z/xhost
@@ -18,7 +18,7 @@ profile xhost @{exec_path} {
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 # file_inherit
- owner /dev/tty[0-9]* rw,
+ /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
 include if exists
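Review bot: `/{usr/,}bin/pactl rPx,` hands pactl off to its own profile with environment scrubbing, which is the right direction, but `Px` has no fallback: if no `pactl` profile is loaded the exec is denied outright and the script stops at that call. That profile is not part of this patch; presumably it already exists under profiles-m-z, which is worth confirming before merging rather than discovering from a denial. The start-pulseaudio-x11 profile continues outside this hunk.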
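Review bot: Dropping `owner` from `/dev/tty[0-9]* rw,` in xhost widens it from the user's own VT to any virtual console DAC lets it open, and `r` on a console belonging to someone else is keystroke capture; the `# file_inherit` comment suggests the only motivation is an inherited descriptor owned by another user, presumably the display manager's VT. xhost has no reason to talk to the console, so `deny /dev/tty[0-9]* rw,` keeps the log quiet without the grant (a denied inherited fd is replaced with /dev/null on the profile transition, harmless for stdio here); if the wider rule is kept, the comment should state the owner mismatch it works around, e.g. `# file_inherit: VT fd inherited from gdm, not owned by the user`. The xhost profile continues outside this hunk.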