From 25c2dc3399fcd2c6d747c2a69711c1aa896e8e44 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 18 Mar 2024 00:50:59 +0000 Subject: [PATCH] feat(profile): improve gnome startup process. --- .../groups/gnome/evolution-user-prompter | 19 +++ apparmor.d/groups/gnome/gdm | 12 +- apparmor.d/groups/gnome/gdm-generate-config | 7 +- apparmor.d/groups/gnome/gdm-session | 9 +- apparmor.d/groups/gnome/gdm-session-worker | 6 + apparmor.d/groups/gnome/gjs-console | 10 +- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 6 +- apparmor.d/groups/gnome/gnome-session | 17 +++ apparmor.d/groups/gnome/gnome-session-binary | 118 +++++++++--------- apparmor.d/groups/gnome/gnome-shell | 46 +++---- apparmor.d/groups/gnome/gnome-software | 3 + apparmor.d/groups/gnome/gsd-color | 5 + apparmor.d/groups/gnome/gsd-power | 5 + apparmor.d/groups/gnome/gsd-smartcard | 2 + apparmor.d/groups/gnome/gsd-wwan | 20 +++ 16 files changed, 189 insertions(+), 98 deletions(-) create mode 100644 apparmor.d/groups/gnome/evolution-user-prompter create mode 100644 apparmor.d/groups/gnome/gsd-wwan diff --git a/apparmor.d/groups/gnome/evolution-user-prompter b/apparmor.d/groups/gnome/evolution-user-prompter new file mode 100644 index 00000000..5e60e6d7 --- /dev/null +++ b/apparmor.d/groups/gnome/evolution-user-prompter @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/{,evolution-data-server/}evolution-user-prompter +profile evolution-user-prompter @{exec_path} { + include + include + + # dbus: own bus=session name=org.gnome.evolution.dataserver.UserPrompter0 + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 1c04459f..ba8ef493 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm 
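Review bot: The new evolution-user-prompter profile ends without a trailing newline (`\ No newline at end of file` after the closing `}`), and the new gsd-wwan profile at the end of the patch has the same problem. The existing profiles in the group end with a newline after `}`, so these two will show up as whole-line diffs the next time the brace line is touched and some editors and linters reject the form. Adding the final newline after `}` in both files fixes it.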
@@ -15,6 +15,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { include capability chown, + capability dac_override, capability dac_read_search, capability fsetid, capability kill, @@ -25,7 +26,14 @@ profile gdm @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=unconfined, - signal (send) set=(term), + signal (send) set=(term) peer=dbus-accessibility, + signal (send) set=(term) peer=dbus-session, + signal (send) set=(term) peer=dconf-service, + signal (send) set=(term) peer=gdm-session-worker, + signal (send) set=(term) peer=gdm-session, + signal (send) set=(term) peer=gnome-session-binary, + signal (send) set=(term) peer=xdg-permission-store, + signal (send) set=(term) peer=xorg, unix (bind, listen) type=stream addr="@/tmp/dbus-@{rand8}", unix (send receive accept) type=stream addr="@/tmp/dbus-@{rand8}" peer=(label=gdm-session-worker, addr=none), @@ -63,6 +71,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /var/{lib,log}/gdm{3,}/ rw, + owner @{GDM_HOME}/block-initial-setup rw, + @{run}/gdm{3,}/greeter/ rw, @{run}/systemd/seats/seat@{int} r, @{run}/systemd/sessions/* r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 676c66eb..b11ca4ac 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -32,10 +32,9 @@ profile gdm-generate-config @{exec_path} { /usr/share/gdm{3,}/{,**} r, /var/lib/ r, - owner /var/lib/gdm{3,}/ rw, - owner /var/lib/gdm{3,}/{,**} r, - owner /var/lib/gdm{3,}/greeter-dconf-defaults rw, - owner /var/lib/gdm{3,}/greeter-dconf-defaults.@{rand6} w, + owner @{GDM_HOME}/ rw, + owner @{GDM_HOME}/greeter-dconf-defaults rw, + owner @{GDM_HOME}/greeter-dconf-defaults.@{rand6} w, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 52fe3eba..3cc889f4 100644 
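Review bot: The added `capability dac_override,` in the first gdm hunk lets the greeter process, which runs as root, bypass file permission checks on every path the profile already allows, and nothing in the hunk says which access needed it. A one-line comment above the rule naming the failing operation, e.g. `# Needed for: <path or operation from the audit log — TODO confirm>`, would keep the grant reviewable, and if the denied access turns out to be a read the `capability dac_read_search,` already present on the next line may be enough on its own. The gdm profile continues outside the hunk.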
--- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -17,6 +17,7 @@ profile gdm-session @{exec_path} { signal (receive) set=(hup term) peer=gdm-session-worker, signal (receive) set=(term) peer=gdm, signal (send) set=(term) peer=dbus-session, + signal (send) set=(term) peer=gnome-session-binary, signal (send) set=(term) peer=xorg, dbus receive bus=session @@ -49,10 +50,10 @@ profile gdm-session @{exec_path} { /etc/sysconfig/proxy r, /etc/sysconfig/windowmanager r, - owner /var/lib/gdm{3,}/.cache/gdm/ rw, - owner /var/lib/gdm{3,}/.cache/gdm/Xauthority rw, - owner /var/lib/gdm{3,}/.config/dconf/user r, - owner /var/lib/gdm{3,}/greeter-dconf-defaults r, + owner @{gdm_cache_dirs}/gdm/ rw, + owner @{gdm_cache_dirs}/gdm/Xauthority rw, + owner @{gdm_config_dirs}/.config/dconf/user r, + owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{run}/gdm{3,}/custom.conf r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index bed468de..a1307596 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -83,6 +83,12 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /etc/sysconfig/displaymanager r, /etc/sysconfig/windowmanager r, + /var/lib/lastlog/ r, + /var/lib/lastlog/* rwk, + + /var/lib/wtmpdb/ r, + /var/lib/wtmpdb/* rwk, + owner @{HOME}/.pam_environment r, owner @{run}/systemd/seats/seat@{int} r, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index acf2bfc5..5e816d99 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console 
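Review bot: In the second gdm-session hunk, `owner @{gdm_config_dirs}/.config/dconf/user r,` looks like it doubles the `.config` segment: the other profiles converted in this commit (gjs-console, gnome-session-binary, gnome-shell) all write `owner @{gdm_config_dirs}/dconf/user r,`, which suggests `@{gdm_config_dirs}` already expands to the gdm `.config` directory. If that is how the variable is defined, this rule never matches the file the old `owner /var/lib/gdm{3,}/.config/dconf/user r,` line covered and dconf reads in the greeter session would start being denied. The line should read `owner @{gdm_config_dirs}/dconf/user r,`; the gdm-session profile continues outside the hunk.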
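Review bot: The new `/var/lib/lastlog/* rwk,` and `/var/lib/wtmpdb/* rwk,` rules in gdm-session-worker grant read, write and lock on every entry in those directories, whereas the neighbouring rules name their files individually. Both directories presumably hold one sqlite database plus its journal; if the audit log shows only those, a pattern naming the database (for example `/var/lib/wtmpdb/wtmp.db{,-journal} rwk,` — confirm the actual file names) is narrower without losing the lock permission. The gdm-session-worker profile continues outside the hunk.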
@@ -68,11 +68,11 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-shell/{,**} r, /usr/share/icu/@{int}.@{int}/*.dat r, - /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwl, - /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw, - /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - /var/lib/gdm{3,}/.config/dconf/user r, - /var/lib/gdm{3,}/greeter-dconf-defaults r, + owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwl, + owner @{gdm_cache_dirs}/gstreamer-1.0/ rw, + owner @{gdm_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + owner @{gdm_config_dirs}/dconf/user r, + owner @{GDM_HOME}/greeter-dconf-defaults r, /tmp/ r, /var/tmp/ r, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 08225960..6c67889d 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -47,7 +47,7 @@ profile gnome-initial-setup @{exec_path} { /etc/timezone r, - /var/lib/gdm{,3}/greeter-dconf-defaults r, + owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{user_config_dirs}/gnome-initial-setup-done w, owner @{user_config_dirs}/gnome-initial-setup-done.@{rand6}BQK2 rw, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index fd3c08cd..f23152a2 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -41,9 +41,9 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { /etc/gcrypt/hwf.deny r, - /var/lib/gdm{3,}/.local/ rw, - /var/lib/gdm{3,}/.local/share/ rw, - /var/lib/gdm{3,}/.local/share/keyrings/ rw, + owner @{gdm_local_dirs}/ rw, + owner @{gdm_share_dirs}/ rw, + owner @{gdm_share_dirs}/keyrings/ rw, # Keyrings location owner @{user_share_dirs}/keyrings/ rw, 
diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index b4439175..63028120 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -20,11 +20,17 @@ profile gnome-session @{exec_path} { @{bin}/cat rix, @{bin}/gettext.sh r, @{bin}/grep rix, + @{bin}/head rix, + @{bin}/id rix, @{bin}/locale rix, @{bin}/locale-check rix, + @{bin}/manpath rix, + @{bin}/readlink rix, + @{bin}/realpath rix, @{bin}/sed rix, @{bin}/tr rix, @{bin}/tty rix, + @{bin}/uname rPx, @{bin}/flatpak rCx -> flatpak, @{bin}/gsettings rPx, @@ -32,13 +38,24 @@ profile gnome-session @{exec_path} { /usr/share/im-config/{,**} r, /usr/share/libdebuginfod-common/debuginfod.sh r, + /usr/share/xsessions/gnome.desktop r, @{etc_ro}/profile.d/{,*} r, /etc/debuginfod/{,*} r, /etc/default/im-config r, + /etc/manpath.config r, /etc/shells r, + /etc/sysconfig/console r, + /etc/sysconfig/displaymanager r, + /etc/sysconfig/language r, + /etc/sysconfig/mail r, + /etc/sysconfig/proxy r, + /etc/sysconfig/windowmanager r, /etc/X11/Xsession.d/*im-config_launch r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/loginuid r, + /dev/tty@{int} rw, profile flatpak { diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 94acb5a1..eacc0d17 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary 
@@ -50,57 +50,22 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/{,z,ba,da}sh rix, - @{bin}/env rix, - @{bin}/gnome-session rix, - @{bin}/grep rix, - @{bin}/gsettings rPx, - @{bin}/gsettings-data-convert rix, - @{bin}/mkdir rix, - @{bin}/session-migration rix, - @{bin}/touch rix, - @{bin}/xdg-user-dirs-gtk-update rix, + @{sh_path} rix, + @{bin}/dbus-daemon rPx -> dbus-session, + @{bin}/env rix, + @{bin}/gnome-session rPx, + @{bin}/gnome-shell rPx, + @{bin}/session-migration rPx, + @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx -> dbus-accessibility, + @{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh rix, - @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix, @{lib}/gnome-session-check-accelerated rix, @{lib}/gnome-session-check-accelerated-gl-helper rix, @{lib}/gnome-session-check-accelerated-gles-helper rix, @{lib}/gnome-session-failed rix, - @{lib}/gsd-* rPx, - @{lib}/gio-launch-desktop rix, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix, - - @{bin}/aa-notify rPx, - @{bin}/baloo_file rPx, - @{bin}/blueman-applet rPx, - @{bin}/firewall-applet rPUx, - @{bin}/gnome-keyring-daemon rPx, - @{bin}/gnome-shell rPx, - @{bin}/gnome-software rPUx, - @{bin}/im-launch rPx, - @{bin}/keepassxc rPx, - @{bin}/parcellite rPUx, - @{bin}/pkcs11-register rPx, - @{bin}/snap rPUx, - @{bin}/snapshot-detect rPUx, - @{bin}/spice-vdagent rPx, - @{bin}/start-pulseaudio-x11 rPx, - @{bin}/ubuntu-report rPx, - @{bin}/update-notifier rPx, - @{bin}/xbrlapi rPx, - @{bin}/xdg-user-dirs-update rPx, - @{lib}/@{multiarch}/libexec/kdeconnectd rPUx, - @{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx, - @{lib}/baloo_file rPx, - @{lib}/caribou/caribou rPUx, - @{lib}/deja-dup/deja-dup-monitor rPx, - @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify rPx, - @{lib}/gsd-disk-utility-notify rPx, - @{lib}/update-notifier/ubuntu-advantage-notification rPx, - @{lib}/xapps/sn-watcher/* rPUx, - 
@{thunderbird_path} rPx, - /usr/share/libpam-kwallet-common/pam_kwallet_init rPUx, + @{lib}/gio-launch-desktop rCx -> open, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, @@ -112,17 +77,13 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{etc_ro}/xdg/autostart/{,*.desktop} r, - /var/lib/gdm{3,}/.cache/gdm/Xauthority r, - /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, - /var/lib/gdm{3,}/.config/dconf/user rw, - /var/lib/gdm{3,}/.config/gnome-session/ rw, - /var/lib/gdm{3,}/.config/gnome-session/saved-session/ rw, - /var/lib/gdm{3,}/.local/share/applications/{,**} r, - /var/lib/gdm{3,}/greeter-dconf-defaults r, - - /var/lib/flatpak/exports/share/applications/{,**} r, - /var/lib/flatpak/exports/share/mime/mime.cache r, - /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r, + owner @{gdm_cache_dirs}/gdm/Xauthority r, + owner @{gdm_cache_dirs}/mesa_shader_cache/index rw, + owner @{gdm_config_dirs}/dconf/user rw, + owner @{gdm_config_dirs}/gnome-session/ rw, + owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, + owner @{GDM_HOME}/greeter-dconf-defaults r, + owner @{gdm_share_dirs}/applications/{,**} r, owner /tmp/dirs-@{rand6} rw, @@ -136,7 +97,9 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, - owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl, + owner @{run}/user/@{uid}/ICEauthority rw, + owner @{run}/user/@{uid}/ICEauthority-c w, + owner @{run}/user/@{uid}/ICEauthority-l wl -> @{run}/user/@{uid}/ICEauthority-c, owner @{run}/user/@{uid}/systemd/notify w, @{sys}/devices/**/{vendor,device} r, 
@@ -150,6 +113,47 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /dev/tty rw, /dev/tty@{int} rw, + + profile open { + include + + @{lib}/gio-launch-desktop mr, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + + @{bin}/aa-notify rPx, + @{bin}/blueman-applet rPx, + @{bin}/firewall-applet rPx, + @{bin}/gnome-keyring-daemon rPx, + @{bin}/gnome-software rPx, + @{bin}/im-launch rPx, + @{bin}/keepassxc rPx, + @{bin}/opensuse-welcome rPx, + @{bin}/parcellite rPUx, + @{bin}/pkcs11-register rPx, + @{bin}/snap rPUx, + @{bin}/snapshot-detect rPUx, + @{bin}/spice-vdagent rPx, + @{bin}/start-pulseaudio-x11 rPx, + @{bin}/ubuntu-report rPx, + @{bin}/update-notifier rPx, + @{bin}/xbrlapi rPx, + @{bin}/xdg-user-dirs-gtk-update rPx, + @{bin}/xdg-user-dirs-update rPx, + @{lib}/@{multiarch}/libexec/kdeconnectd rPUx, + @{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx, + @{lib}/baloo_file rPx, + @{lib}/caribou/caribou rPUx, + @{lib}/deja-dup/deja-dup-monitor rPx, + @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify rPx, + @{lib}/gsd-disk-utility-notify rPx, + @{lib}/update-notifier/ubuntu-advantage-notification rPx, + @{lib}/xapps/sn-watcher/* rPUx, + @{thunderbird_path} rPx, + /usr/share/libpam-kwallet-common/pam_kwallet_init rPUx, + + include if exists + include if exists + } include if exists include if exists diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b06225c1..cdc0c609 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
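Review bot: The new `open` subprofile has no comment saying what it is for, so a reader has to trace `rCx -> open` back from the gio-launch-desktop rules in an earlier hunk to understand that it confines the launcher used for the session's autostart entries. A header above `profile open {` such as `# gio-launch-desktop launches the session's autostart/.desktop entries; the per-application transitions live here so the main profile only needs the launcher itself` would document that. The `rPUx` entries kept in the subprofile are the only paths from the launcher that can end up unconfined; they were `rPUx` before the move (firewall-applet and gnome-software are tightened to `rPx` here), so behaviour is unchanged, but a short comment on why those lack profiles would help the next reviewer. The gnome-session-binary profile continues past the hunk.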
@@ -250,29 +250,29 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/appstream/**/icons/** r, /var/lib/flatpak/exports/share/gnome-shell/{,**} r, - owner /var/lib/gdm{3,}/.cache/ w, - owner /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.@{md5}.@{multiarch} rwk, - owner /var/lib/gdm{3,}/.cache/fontconfig/{,*} rwl, - owner /var/lib/gdm{3,}/.cache/gstreamer-@{int}/ rw, - owner /var/lib/gdm{3,}/.cache/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, - owner /var/lib/gdm{3,}/.cache/ibus/dbus-@{rand8} rw, - owner /var/lib/gdm{3,}/.cache/libgweather/ r, - owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw, - owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/ rw, - owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw, - owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk, - owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, - owner /var/lib/gdm{3,}/.config/dconf/user r, - owner /var/lib/gdm{3,}/.config/ibus/ rw, - owner /var/lib/gdm{3,}/.config/ibus/bus/ rw, - owner /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r, - owner /var/lib/gdm{3,}/.config/pulse/ rw, - owner /var/lib/gdm{3,}/.config/pulse/client.conf r, - owner /var/lib/gdm{3,}/.config/pulse/cookie rwk, - owner /var/lib/gdm{3,}/.local/share/applications/{,**} r, - owner /var/lib/gdm{3,}/.local/share/gnome-shell/{,**} rw, - owner /var/lib/gdm{3,}/.local/share/icc/{,*} rw, - owner /var/lib/gdm{3,}/greeter-dconf-defaults r, + owner @{GDM_HOME}/greeter-dconf-defaults r, + owner @{gdm_cache_dirs}/ w, + owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{md5}.@{multiarch} rwk, + owner @{gdm_cache_dirs}/fontconfig/{,*} rwl, + owner @{gdm_cache_dirs}/gstreamer-@{int}/ rw, + owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, + owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw, + owner @{gdm_cache_dirs}/libgweather/ r, + owner @{gdm_cache_dirs}/mesa_shader_cache/ rw, + owner 
@{gdm_cache_dirs}/mesa_shader_cache/@{h}@{h}/ rw, + owner @{gdm_cache_dirs}/mesa_shader_cache/@{h}@{h}/@{hex} rw, + owner @{gdm_cache_dirs}/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk, + owner @{gdm_cache_dirs}/mesa_shader_cache/index rw, + owner @{gdm_config_dirs}/dconf/user r, + owner @{gdm_config_dirs}/ibus/ rw, + owner @{gdm_config_dirs}/ibus/bus/ rw, + owner @{gdm_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r, + owner @{gdm_config_dirs}/pulse/ rw, + owner @{gdm_config_dirs}/pulse/client.conf r, + owner @{gdm_config_dirs}/pulse/cookie rwk, + owner @{gdm_share_dirs}/applications/{,**} r, + owner @{gdm_share_dirs}/gnome-shell/{,**} rw, + owner @{gdm_share_dirs}/icc/{,*} rw, owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 4a21d7e2..3aea937a 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -53,6 +53,7 @@ profile gnome-software @{exec_path} { /var/cache/app-info/icons/**.png r, /var/cache/app-info/xmls/{,**} r, + /var/cache/swcatalog/xml/{,**} r, /var/lib/apt/lists/*.yml.gz r, @@ -120,6 +121,8 @@ profile gnome-software @{exec_path} { owner /tmp/ostree-gpg-*/ r, owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{run}/user/@{uid}/gnupg/ w, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 661e561a..e1c48c45 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -27,6 +27,11 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { # dbus: talk bus=system name=org.freedesktop.ColorManager label=colord + dbus receive bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=gsd-xsettings), + @{exec_path} mr, /usr/share/dconf/profile/gdm r, 
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 6eef1e08..a893b9d9 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -46,6 +46,11 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { member=GetBrightness peer=(name=:*, label=upowerd), + dbus receive bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=gsd-xsettings), + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 51564e8e..fc330bd7 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -30,6 +30,8 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, + /etc/opensc.conf r, + /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan new file mode 100644 index 00000000..f396c1ca --- /dev/null +++ b/apparmor.d/groups/gnome/gsd-wwan @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/gsd-wwan +profile gsd-wwan @{exec_path} { + include + include + include + + # dbus: own bus=session name=org.gnome.SettingsDaemon.Wwan + + @{exec_path} mr, + + include if exists +} \ No newline at end of file
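Review bot: In the gsd-smartcard hunk, the context lines directly below the added `/etc/opensc.conf r,` still use the literal `/var/lib/gdm{3,}/.config/dconf/user r,` and `/var/lib/gdm{3,}/greeter-dconf-defaults r,` that every other profile in this commit rewrites as `owner @{gdm_config_dirs}/dconf/user r,` and `owner @{GDM_HOME}/greeter-dconf-defaults r,`. Leaving gsd-smartcard on the old form means a later change to the gdm home variables will not reach it and, unlike the converted profiles, these reads are not restricted to gdm-owned files. Since the file is already touched, converting those two lines keeps the group consistent; the gsd-smartcard profile continues outside the hunk.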