feat(profile): improve gnome startup process.

Alexandre Pujol 2024-03-18 00:50:59 +00:00
parent 1f3da81d5a
commit 25c2dc3399
16 changed files with 189 additions and 98 deletions


@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/{,evolution-data-server/}evolution-user-prompter
profile evolution-user-prompter @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
# dbus: own bus=session name=org.gnome.evolution.dataserver.UserPrompter0
@{exec_path} mr,
include if exists <local/evolution-user-prompter>
}
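Review bot: The new profile closes with only `include if exists <local/evolution-user-prompter>`, while the `open` child profile added to gnome-session-binary in this same commit also carries a `usr/` drop-in (`include if exists <usr/gnome-session-binary_open.d>`). If the `usr/` drop-in is the convention for new profiles, `include if exists <usr/evolution-user-prompter.d>` belongs before the local include here; the same applies to the new gsd-wwan profile and to the gnome-software `gpg` child, which only gain a `local/` include. The profile compiles as written, so this is a consistency point only.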


@ -15,6 +15,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
include <abstractions/wutmp>
capability chown,
capability dac_override,
capability dac_read_search,
capability fsetid,
capability kill,
@ -25,7 +26,14 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
ptrace (read) peer=unconfined,
signal (send) set=(term),
signal (send) set=(term) peer=dbus-accessibility,
signal (send) set=(term) peer=dbus-session,
signal (send) set=(term) peer=dconf-service,
signal (send) set=(term) peer=gdm-session-worker,
signal (send) set=(term) peer=gdm-session,
signal (send) set=(term) peer=gnome-session-binary,
signal (send) set=(term) peer=xdg-permission-store,
signal (send) set=(term) peer=xorg,
unix (bind, listen) type=stream addr="@/tmp/dbus-@{rand8}",
unix (send receive accept) type=stream addr="@/tmp/dbus-@{rand8}" peer=(label=gdm-session-worker, addr=none),
@ -63,6 +71,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
/var/{lib,log}/gdm{3,}/ rw,
owner @{GDM_HOME}/block-initial-setup rw,
@{run}/gdm{3,}/greeter/ rw,
@{run}/systemd/seats/seat@{int} r,
@{run}/systemd/sessions/* r,
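Review bot: The unqualified `signal (send) set=(term),` at the top of the second hunk already permits sending TERM to any peer, so the eight peer-scoped `signal (send) set=(term) peer=…` rules beneath it grant nothing extra; if the intent is to enumerate exactly which peers gdm may terminate, the unqualified rule should be dropped, otherwise the peer list is dead weight. Which of those lines is newly added is not recoverable from this rendering, so this may describe pre-existing state as much as the addition. In the first hunk `capability dac_read_search,` appears to be the added line; a short comment naming the path it is needed for would make this DAC bypass easier to re-audit later. The profile body continues outside both hunks.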


@ -32,10 +32,9 @@ profile gdm-generate-config @{exec_path} {
/usr/share/gdm{3,}/{,**} r,
/var/lib/ r,
owner /var/lib/gdm{3,}/ rw,
owner /var/lib/gdm{3,}/{,**} r,
owner /var/lib/gdm{3,}/greeter-dconf-defaults rw,
owner /var/lib/gdm{3,}/greeter-dconf-defaults.@{rand6} w,
owner @{GDM_HOME}/ rw,
owner @{GDM_HOME}/greeter-dconf-defaults rw,
owner @{GDM_HOME}/greeter-dconf-defaults.@{rand6} w,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,
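Review bot: The old side has four `owner /var/lib/gdm{3,}/…` rules but the new side only three `owner @{GDM_HOME}/…` rules, and the one without a replacement is the recursive read `owner /var/lib/gdm{3,}/{,**} r,`. If dropping it is deliberate tightening that is fine, but then `greeter-dconf-defaults` becomes the only file under `@{GDM_HOME}` the tool can still read; if it was an oversight, `owner @{GDM_HOME}/{,**} r,` restores it. The hunk counts (-10/+9) are consistent with exactly one net removal, which is the basis for this reading; the profile body continues outside the hunk.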


@ -17,6 +17,7 @@ profile gdm-session @{exec_path} {
signal (receive) set=(hup term) peer=gdm-session-worker,
signal (receive) set=(term) peer=gdm,
signal (send) set=(term) peer=dbus-session,
signal (send) set=(term) peer=gnome-session-binary,
signal (send) set=(term) peer=xorg,
dbus receive bus=session
@ -49,10 +50,10 @@ profile gdm-session @{exec_path} {
/etc/sysconfig/proxy r,
/etc/sysconfig/windowmanager r,
owner /var/lib/gdm{3,}/.cache/gdm/ rw,
owner /var/lib/gdm{3,}/.cache/gdm/Xauthority rw,
owner /var/lib/gdm{3,}/.config/dconf/user r,
owner /var/lib/gdm{3,}/greeter-dconf-defaults r,
owner @{gdm_cache_dirs}/gdm/ rw,
owner @{gdm_cache_dirs}/gdm/Xauthority rw,
owner @{gdm_config_dirs}/.config/dconf/user r,
owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{run}/gdm{3,}/custom.conf r,
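Review bot: `owner @{gdm_config_dirs}/.config/dconf/user r,` looks wrong: elsewhere in this commit the same file is addressed as `owner @{gdm_config_dirs}/dconf/user r,` (gjs-console, gnome-shell, gnome-session-binary), which implies `@{gdm_config_dirs}` already ends at the `.config` directory, so this rule would resolve to a `.config/.config/dconf/user` path and gdm-session would lose the read access it had via the removed `/var/lib/gdm{3,}/.config/dconf/user` rule. The fix is to drop the extra component: `owner @{gdm_config_dirs}/dconf/user r,`. The variable's definition is not part of this diff, so please confirm against the tunables before applying.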


@ -83,6 +83,12 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
/etc/sysconfig/displaymanager r,
/etc/sysconfig/windowmanager r,
/var/lib/lastlog/ r,
/var/lib/lastlog/* rwk,
/var/lib/wtmpdb/ r,
/var/lib/wtmpdb/* rwk,
owner @{HOME}/.pam_environment r,
owner @{run}/systemd/seats/seat@{int} r,
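Review bot: `/var/lib/lastlog/* rwk,` and `/var/lib/wtmpdb/* rwk,` give the session worker write and lock access to login-record databases with no comment naming the consumer; a one-line comment above the group such as `# Login records, presumably written by the PAM stack at session open` would make the grant self-explanatory at the next review. The matching `/var/lib/lastlog/ r,` and `/var/lib/wtmpdb/ r,` directory rules look like the minimal pairing for listing and need no change. The profile body continues outside the hunk.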


@ -68,11 +68,11 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
/usr/share/gnome-shell/{,**} r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwl,
/var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
/var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwl,
owner @{gdm_cache_dirs}/gstreamer-1.0/ rw,
owner @{gdm_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
owner @{gdm_config_dirs}/dconf/user r,
owner @{GDM_HOME}/greeter-dconf-defaults r,
/tmp/ r,
/var/tmp/ r,


@ -47,7 +47,7 @@ profile gnome-initial-setup @{exec_path} {
/etc/timezone r,
/var/lib/gdm{,3}/greeter-dconf-defaults r,
owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{user_config_dirs}/gnome-initial-setup-done w,
owner @{user_config_dirs}/gnome-initial-setup-done.@{rand6}BQK2 rw,


@ -41,9 +41,9 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
/etc/gcrypt/hwf.deny r,
/var/lib/gdm{3,}/.local/ rw,
/var/lib/gdm{3,}/.local/share/ rw,
/var/lib/gdm{3,}/.local/share/keyrings/ rw,
owner @{gdm_local_dirs}/ rw,
owner @{gdm_share_dirs}/ rw,
owner @{gdm_share_dirs}/keyrings/ rw,
# Keyrings location
owner @{user_share_dirs}/keyrings/ rw,


@ -20,11 +20,17 @@ profile gnome-session @{exec_path} {
@{bin}/cat rix,
@{bin}/gettext.sh r,
@{bin}/grep rix,
@{bin}/head rix,
@{bin}/id rix,
@{bin}/locale rix,
@{bin}/locale-check rix,
@{bin}/manpath rix,
@{bin}/readlink rix,
@{bin}/realpath rix,
@{bin}/sed rix,
@{bin}/tr rix,
@{bin}/tty rix,
@{bin}/uname rPx,
@{bin}/flatpak rCx -> flatpak,
@{bin}/gsettings rPx,
@ -32,13 +38,24 @@ profile gnome-session @{exec_path} {
/usr/share/im-config/{,**} r,
/usr/share/libdebuginfod-common/debuginfod.sh r,
/usr/share/xsessions/gnome.desktop r,
@{etc_ro}/profile.d/{,*} r,
/etc/debuginfod/{,*} r,
/etc/default/im-config r,
/etc/manpath.config r,
/etc/shells r,
/etc/sysconfig/console r,
/etc/sysconfig/displaymanager r,
/etc/sysconfig/language r,
/etc/sysconfig/mail r,
/etc/sysconfig/proxy r,
/etc/sysconfig/windowmanager r,
/etc/X11/Xsession.d/*im-config_launch r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/loginuid r,
/dev/tty@{int} rw,
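Review bot: The hunks add more `rix` helpers (`head`, `id`, `locale`, `locale-check`, `manpath`, `realpath`, `tr`, `tty`) and the `/etc/sysconfig/*`, `/etc/manpath.config` and `/etc/shells` reads with nothing saying why a session launcher needs them; the nearby `@{etc_ro}/profile.d/{,*} r,` suggests they come from sourcing shell profile snippets, and a comment such as `# Helpers and config read by /etc/profile.d/* snippets sourced at login` above the group would keep the list from growing unexplained. `rix` runs each helper under this profile, so every addition widens what can exercise the profile's own rules; that is the usual trade-off for shell helpers and not a blocker. Which of the listed lines are new is not recoverable from this rendering, so the grouping may also cover pre-existing entries.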
profile flatpak {


@ -50,57 +50,22 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{bin}/{,z,ba,da}sh rix,
@{bin}/env rix,
@{bin}/gnome-session rix,
@{bin}/grep rix,
@{bin}/gsettings rPx,
@{bin}/gsettings-data-convert rix,
@{bin}/mkdir rix,
@{bin}/session-migration rix,
@{bin}/touch rix,
@{bin}/xdg-user-dirs-gtk-update rix,
@{sh_path} rix,
@{bin}/dbus-daemon rPx -> dbus-session,
@{bin}/env rix,
@{bin}/gnome-session rPx,
@{bin}/gnome-shell rPx,
@{bin}/session-migration rPx,
@{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx -> dbus-accessibility,
@{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh rix,
@{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix,
@{lib}/gnome-session-check-accelerated rix,
@{lib}/gnome-session-check-accelerated-gl-helper rix,
@{lib}/gnome-session-check-accelerated-gles-helper rix,
@{lib}/gnome-session-failed rix,
@{lib}/gsd-* rPx,
@{lib}/gio-launch-desktop rix,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix,
@{bin}/aa-notify rPx,
@{bin}/baloo_file rPx,
@{bin}/blueman-applet rPx,
@{bin}/firewall-applet rPUx,
@{bin}/gnome-keyring-daemon rPx,
@{bin}/gnome-shell rPx,
@{bin}/gnome-software rPUx,
@{bin}/im-launch rPx,
@{bin}/keepassxc rPx,
@{bin}/parcellite rPUx,
@{bin}/pkcs11-register rPx,
@{bin}/snap rPUx,
@{bin}/snapshot-detect rPUx,
@{bin}/spice-vdagent rPx,
@{bin}/start-pulseaudio-x11 rPx,
@{bin}/ubuntu-report rPx,
@{bin}/update-notifier rPx,
@{bin}/xbrlapi rPx,
@{bin}/xdg-user-dirs-update rPx,
@{lib}/@{multiarch}/libexec/kdeconnectd rPUx,
@{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx,
@{lib}/baloo_file rPx,
@{lib}/caribou/caribou rPUx,
@{lib}/deja-dup/deja-dup-monitor rPx,
@{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify rPx,
@{lib}/gsd-disk-utility-notify rPx,
@{lib}/update-notifier/ubuntu-advantage-notification rPx,
@{lib}/xapps/sn-watcher/* rPUx,
@{thunderbird_path} rPx,
/usr/share/libpam-kwallet-common/pam_kwallet_init rPUx,
@{lib}/gio-launch-desktop rCx -> open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
@ -112,17 +77,13 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
@{etc_ro}/xdg/autostart/{,*.desktop} r,
/var/lib/gdm{3,}/.cache/gdm/Xauthority r,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
/var/lib/gdm{3,}/.config/dconf/user rw,
/var/lib/gdm{3,}/.config/gnome-session/ rw,
/var/lib/gdm{3,}/.config/gnome-session/saved-session/ rw,
/var/lib/gdm{3,}/.local/share/applications/{,**} r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
/var/lib/flatpak/exports/share/applications/{,**} r,
/var/lib/flatpak/exports/share/mime/mime.cache r,
/var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
owner @{gdm_cache_dirs}/gdm/Xauthority r,
owner @{gdm_cache_dirs}/mesa_shader_cache/index rw,
owner @{gdm_config_dirs}/dconf/user rw,
owner @{gdm_config_dirs}/gnome-session/ rw,
owner @{gdm_config_dirs}/gnome-session/saved-session/ rw,
owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{gdm_share_dirs}/applications/{,**} r,
owner /tmp/dirs-@{rand6} rw,
@ -136,7 +97,9 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/sessions/*.ref rw,
@{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
owner @{run}/user/@{uid}/ICEauthority rw,
owner @{run}/user/@{uid}/ICEauthority-c w,
owner @{run}/user/@{uid}/ICEauthority-l wl -> @{run}/user/@{uid}/ICEauthority-c,
owner @{run}/user/@{uid}/systemd/notify w,
@{sys}/devices/**/{vendor,device} r,
@ -150,6 +113,47 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
/dev/tty rw,
/dev/tty@{int} rw,
profile open {
include <abstractions/base>
@{lib}/gio-launch-desktop mr,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
@{bin}/aa-notify rPx,
@{bin}/blueman-applet rPx,
@{bin}/firewall-applet rPx,
@{bin}/gnome-keyring-daemon rPx,
@{bin}/gnome-software rPx,
@{bin}/im-launch rPx,
@{bin}/keepassxc rPx,
@{bin}/opensuse-welcome rPx,
@{bin}/parcellite rPUx,
@{bin}/pkcs11-register rPx,
@{bin}/snap rPUx,
@{bin}/snapshot-detect rPUx,
@{bin}/spice-vdagent rPx,
@{bin}/start-pulseaudio-x11 rPx,
@{bin}/ubuntu-report rPx,
@{bin}/update-notifier rPx,
@{bin}/xbrlapi rPx,
@{bin}/xdg-user-dirs-gtk-update rPx,
@{bin}/xdg-user-dirs-update rPx,
@{lib}/@{multiarch}/libexec/kdeconnectd rPUx,
@{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx,
@{lib}/baloo_file rPx,
@{lib}/caribou/caribou rPUx,
@{lib}/deja-dup/deja-dup-monitor rPx,
@{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify rPx,
@{lib}/gsd-disk-utility-notify rPx,
@{lib}/update-notifier/ubuntu-advantage-notification rPx,
@{lib}/xapps/sn-watcher/* rPUx,
@{thunderbird_path} rPx,
/usr/share/libpam-kwallet-common/pam_kwallet_init rPUx,
include if exists <usr/gnome-session-binary_open.d>
include if exists <local/gnome-session-binary_open>
}
include if exists <usr/gnome-session-binary.d>
include if exists <local/gnome-session-binary>
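Review bot: In the new `open` child profile, `@{bin}/firewall-applet rPx,` tightens what appears on the removed side of the first hunk as `@{bin}/firewall-applet rPUx,`, from "fall back to unconfined" to "require a profile named firewall-applet"; if no such profile ships in the repo the launch now fails with a denial instead of running unconfined, so please confirm the profile exists or keep `rPUx` like the neighbouring `parcellite`/`snap` entries. The ICEauthority hunk is a clean tightening: the three rules `ICEauthority rw`, `ICEauthority-c w` and `ICEauthority-l wl -> …/ICEauthority-c` are consistent with a create-then-link lock sequence and replace the old `{,-[a-z]} rwl` wildcard. The `open` child itself is well scoped, only `<abstractions/base>` plus the two `gio-launch-desktop mr` rules, which is what a launcher trampoline should look like. The main profile body starts and ends outside these hunks.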


@ -250,29 +250,29 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/var/lib/flatpak/appstream/**/icons/** r,
/var/lib/flatpak/exports/share/gnome-shell/{,**} r,
owner /var/lib/gdm{3,}/.cache/ w,
owner /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.@{md5}.@{multiarch} rwk,
owner /var/lib/gdm{3,}/.cache/fontconfig/{,*} rwl,
owner /var/lib/gdm{3,}/.cache/gstreamer-@{int}/ rw,
owner /var/lib/gdm{3,}/.cache/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
owner /var/lib/gdm{3,}/.cache/ibus/dbus-@{rand8} rw,
owner /var/lib/gdm{3,}/.cache/libgweather/ r,
owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/ rw,
owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw,
owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk,
owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
owner /var/lib/gdm{3,}/.config/dconf/user r,
owner /var/lib/gdm{3,}/.config/ibus/ rw,
owner /var/lib/gdm{3,}/.config/ibus/bus/ rw,
owner /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner /var/lib/gdm{3,}/.config/pulse/ rw,
owner /var/lib/gdm{3,}/.config/pulse/client.conf r,
owner /var/lib/gdm{3,}/.config/pulse/cookie rwk,
owner /var/lib/gdm{3,}/.local/share/applications/{,**} r,
owner /var/lib/gdm{3,}/.local/share/gnome-shell/{,**} rw,
owner /var/lib/gdm{3,}/.local/share/icc/{,*} rw,
owner /var/lib/gdm{3,}/greeter-dconf-defaults r,
owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{gdm_cache_dirs}/ w,
owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{md5}.@{multiarch} rwk,
owner @{gdm_cache_dirs}/fontconfig/{,*} rwl,
owner @{gdm_cache_dirs}/gstreamer-@{int}/ rw,
owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw,
owner @{gdm_cache_dirs}/libgweather/ r,
owner @{gdm_cache_dirs}/mesa_shader_cache/ rw,
owner @{gdm_cache_dirs}/mesa_shader_cache/@{h}@{h}/ rw,
owner @{gdm_cache_dirs}/mesa_shader_cache/@{h}@{h}/@{hex} rw,
owner @{gdm_cache_dirs}/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk,
owner @{gdm_cache_dirs}/mesa_shader_cache/index rw,
owner @{gdm_config_dirs}/dconf/user r,
owner @{gdm_config_dirs}/ibus/ rw,
owner @{gdm_config_dirs}/ibus/bus/ rw,
owner @{gdm_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner @{gdm_config_dirs}/pulse/ rw,
owner @{gdm_config_dirs}/pulse/client.conf r,
owner @{gdm_config_dirs}/pulse/cookie rwk,
owner @{gdm_share_dirs}/applications/{,**} r,
owner @{gdm_share_dirs}/gnome-shell/{,**} rw,
owner @{gdm_share_dirs}/icc/{,*} rw,
owner @{HOME}/.face r,
owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,


@ -53,6 +53,7 @@ profile gnome-software @{exec_path} {
/var/cache/app-info/icons/**.png r,
/var/cache/app-info/xmls/{,**} r,
/var/cache/swcatalog/xml/{,**} r,
/var/lib/apt/lists/*.yml.gz r,
@ -120,6 +121,8 @@ profile gnome-software @{exec_path} {
owner /tmp/ostree-gpg-*/ r,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner @{run}/user/@{uid}/gnupg/ w,
include if exists <local/gnome-software_gpg>
}


@ -27,6 +27,11 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
# dbus: talk bus=system name=org.freedesktop.ColorManager label=colord
dbus receive bus=session path=/org/gtk/Settings
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=gsd-xsettings),
@{exec_path} mr,
/usr/share/dconf/profile/gdm r,
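Review bot: The same four-line `dbus receive bus=session path=/org/gtk/Settings … peer=(name=:*, label=gsd-xsettings)` rule is added verbatim here and in gsd-power; if further gsd-* daemons end up needing the xsettings PropertiesChanged notification, a shared abstraction would keep the copies from drifting. As written the rule is tightly scoped (fixed path, interface, member and peer label), so there is nothing to narrow. The profile body continues outside the hunk.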


@ -46,6 +46,11 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
member=GetBrightness
peer=(name=:*, label=upowerd),
dbus receive bus=session path=/org/gtk/Settings
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=gsd-xsettings),
@{exec_path} mr,
/usr/share/dconf/profile/gdm r,


@ -30,6 +30,8 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/opensc.conf r,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
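Review bot: `/var/lib/gdm{3,}/.config/dconf/user r,` and `/var/lib/gdm{3,}/greeter-dconf-defaults r,` are the two added lines, and they use the hard-coded `/var/lib/gdm{3,}/` paths that this same commit replaces everywhere else (gjs-console, gnome-shell, gnome-session-binary) with `owner @{gdm_config_dirs}/dconf/user r,` and `owner @{GDM_HOME}/greeter-dconf-defaults r,`; they also lack the `owner` qualifier the converted rules carry. Using the same two variable-based rules here keeps gsd-smartcard consistent with the rest of the change and with whatever the tunables define for the gdm home. The profile body continues outside the hunk.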


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/gsd-wwan
profile gsd-wwan @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/dconf-write>
# dbus: own bus=session name=org.gnome.SettingsDaemon.Wwan
@{exec_path} mr,
include if exists <local/gsd-wwan>
}