diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes
new file mode 100644
index 00000000..9d82ad36
--- /dev/null
+++ b/apparmor.d/groups/gnome/gnome-boxes
@@ -0,0 +1,94 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/gnome-boxes
+profile gnome-boxes @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{open_path} rPx -> child-open,
+
+ @{bin}/virtqemud rPUx,
+ @{bin}/virsh rCx -> virsh,
+
+ /usr/share/osinfo/{,**} r,
+ /usr/share/gnome-boxes/{,**} r,
+ /usr/share/hwdata/*.ids r,
+
+ /etc/qemu/bridge.conf r,
+
+ @{MOUNTS}/ r,
+ owner @{HOME}/ r,
+
+ # For disk images
+ owner @{user_img_dirs}/{,**} rw,
+ owner @{user_vm_dirs}/{,**} rw,
+
+ owner @{user_cache_dirs}/gnome-boxes/ rw,
+ owner @{user_cache_dirs}/gnome-boxes/** rwk,
+ owner @{user_cache_dirs}/libvirt/qemu/log/*.log r,
+
+ owner @{user_config_dirs}/gnome-boxes/ rw,
+ owner @{user_config_dirs}/gnome-boxes/** rwk,
+
+ owner @{tmp}/.goutputstream-@{rand6} rw,
+ owner @{tmp}/*.iso-@{rand6} rw,
+ owner @{tmp}/*.svg-@{rand6} rw,
+
+ owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
+
+ @{run}/mount/utab r,
+
+ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Boxes.slice/*/memory.* r,
+
+ @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
+ @{PROC}/zoneinfo r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
+ profile virsh {
+ include
+ include
+
+ @{bin}/virsh mr,
+ @{bin}/pkttyagent r,
+
+ owner @{run}/user/@{uid}/libvirt/ r,
+ owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
+
+ @{sys}/devices/system/node/ r,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
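Review bot: The rule `@{bin}/virtqemud rPUx,` in the new profile lets the daemon run unconfined whenever no `virtqemud` profile is loaded, which silently widens the sandbox on hosts where that profile is missing or fails to parse; if this profile set ships one, `@{bin}/virtqemud rPx,` makes confinement mandatory and turns a missing profile into a visible denial instead of an unconfined process. Either way, a comment on that line stating why the fallback is acceptable would help the next reviewer, e.g. `# Unconfined fallback is intentional: virtqemud may be unprofiled on this host`. The targets of the `include` lines are stripped in this rendering, so the abstractions pulled into the main profile and the `virsh` child profile could not be checked. The companion hunk in dists/flags/main.flags starts the profile in complain mode, so these rules only log until that flag is dropped.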
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 53782aa9..e051078a 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -125,6 +125,7 @@ gdm-runtime-config complain
 gdm-session attach_disconnected,complain
 gdm-xsession complain
 gmenudbusmenuproxy complain
+gnome-boxes complain
 gnome-browser-connector-host complain
 gnome-control-center attach_disconnected,complain
 gnome-control-center-goa-helper complain