From 2acd7d8a10f71f95188a6cabe82473a4687a2296 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 11 Mar 2024 22:34:35 +0000
Subject: [PATCH] feat(profile): rewrite how gdm starts gnome.
---
 apparmor.d/groups/gnome/gdm-session-worker | 2 +-
 apparmor.d/groups/gnome/gdm-wayland-session | 54 +++++++++++++-------
 apparmor.d/groups/gnome/gdm-x-session | 26 +++++++---
 apparmor.d/groups/gnome/gnome-session-binary | 6 +--
 4 files changed, 58 insertions(+), 30 deletions(-)
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index 122ab167..dd15a5b1 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -33,6 +33,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=term peer=gdm,
 signal (receive) set=hup peer=@{systemd},
+ signal (send) set=(hup term) peer=gdm-{x,wayland}-session,
 signal (send) set=hup peer=at-spi*,
 signal (send) set=hup peer=dbus-daemon,
 signal (send) set=hup peer=dbus-run-session,
@@ -45,7 +46,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 signal (send) set=hup peer=xdg-permission-store,
 signal (send) set=hup peer=xorg,
 signal (send) set=hup peer=xwayland,
- signal (send) set=term peer=gdm-*-session,
 unix (bind) type=stream addr=@@{hex}/bus/gdm-session-wor/system,
diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session
index e1ad3f5e..50efa58d 100644
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
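Review bot: The new `signal (send) set=(hup term) peer=gdm-{x,wayland}-session,` line in the first hunk is placed between the `@{systemd}` receive rule and the `peer=at-spi*` send rule, while the rest of the send block (at-spi*, dbus-daemon, dbus-run-session, …, xdg-permission-store, xorg, xwayland) is kept in alphabetical peer order. Moving it to its sorted position among the send rules would keep the block consistent and make the removal of `peer=gdm-*-session` in the second hunk easier to audit. The matching receive rules are added to gdm-wayland-session and gdm-x-session in this same patch, so the send/receive pair itself is consistent.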
@@ -19,10 +19,12 @@ profile gdm-wayland-session @{exec_path} {
 include
 include
+ signal (receive) set=(hup term) peer=gdm-session-worker,
 signal (receive) set=(hup) peer=@{systemd},
- signal (receive) set=term peer=gdm{,-session-worker},
- signal (send) set=(term) peer=dbus-run-session,
+ signal (receive) set=(term) peer=gdm,
+ signal (send) set=(kill) peer=xdg-permission-store,
 signal (send) set=(term) peer=dbus-daemon,
+ signal (send) set=(term) peer=dbus-run-session,
 signal (send) set=(term) peer=gnome-session-binary,
 dbus receive bus=session
@@ -35,11 +37,7 @@ profile gdm-wayland-session @{exec_path} {
 @{sh_path} rix,
 @{bin}/cat rix,
 @{bin}/env rix,
- @{bin}/gettext rix,
- @{bin}/gettext.sh r,
- @{bin}/gnome-session rix,
 @{bin}/grep rix,
- @{bin}/gsettings rPx,
 @{bin}/head rix,
 @{bin}/id rix,
 @{bin}/locale rix,
@@ -52,20 +50,29 @@ profile gdm-wayland-session @{exec_path} {
 @{bin}/tr rix,
 @{bin}/tty rix,
 @{bin}/uname rix,
- @{bin}/zsh rix,
- @{lib}/gnome-session-binary rPx,
- @{bin}/dbus-daemon rPx,
- @{bin}/dbus-run-session rPx,
- @{bin}/dpkg-query rpx,
- @{bin}/flatpak rPUx,
+ @{bin}/{true,false} rix,
+ @{bin}/dbus-daemon rix,
+ @{bin}/dbus-run-session rix,
+ @{bin}/dpkg-query rpx,
+ @{bin}/flatpak rPUx,
+ @{bin}/gjs-console rPx,
+ @{bin}/gnome-session rix,
+ @{bin}/gsettings rPx,
+ @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix,
+ @{lib}/at-spi2-registryd rix,
+ @{lib}/dconf-service rPx,
+ @{lib}/gnome-session-binary rPx,
+ @{lib}/xdg-permission-store rPx,
- /usr/share/bash-completion/{,**} r,
- /usr/share/gdm/gdm.schemas r,
+ /usr/share/dbus-1/{,**} r,
+ /usr/share/dconf/profile/gdm r,
+ /usr/share/defaults/at-spi2/accessibility.conf r,
+ /usr/share/gdm{3,}/gdm.schemas r,
+ /usr/share/gdm{3,}/greeter-dconf-defaults r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/im-config/{,**} r,
 /usr/share/libdebuginfod-common/debuginfod.sh r,
- /usr/share/xsessions/gnome.desktop r,
 @{etc_ro}/profile.d/{,*} r,
 /etc/debuginfod/{,*} r,
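Review bot: `signal (send) set=(kill) peer=xdg-permission-store,` in the first hunk only grants the sending side; AppArmor also mediates the receiver, so unless the xdg-permission-store profile (not touched by this patch) already carries `signal (receive) set=(kill) peer=gdm-wayland-session,` the kill will be denied. It is also the only `kill` this profile sends, every other peer gets `term`, so a one-line comment stating why a hard kill rather than a `term` is needed here would help the next reader. The profile is also gaining `@{lib}/xdg-permission-store rPx,` in the third hunk, so the send rule and that transition belong together.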
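Review bot: In the third hunk `@{bin}/dbus-daemon` and `@{bin}/dbus-run-session` change from `rPx` to `rix`, and `@{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher` and `@{lib}/at-spi2-registryd` are added as `rix`, so the greeter's session bus and accessibility daemons now run under this profile's full rule set instead of a dedicated one; the same switch appears in gdm-x-session's second hunk and in gnome-session-binary's first hunk. The `/usr/share/dbus-1/{,**}`, `@{run}/user/@{uid}/at-spi/` and `owner @{run}/user/@{uid}/dbus-1/` rules added elsewhere in this file appear to be what those inherited children need, which is the cost of `ix`: everything granted to the launcher is also granted to the daemons. If this is deliberate (for instance because the `Px` transition lost environment or inherited sockets), a comment above the block such as `# dbus-daemon and at-spi are started inline (ix) on purpose; their rules are merged into this profile` would keep someone from "fixing" it back to `rPx`.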
@@ -81,14 +88,25 @@ profile gdm-wayland-session @{exec_path} {
 /etc/sysconfig/mail r,
 /etc/sysconfig/proxy r,
 /etc/sysconfig/windowmanager r,
- /etc/X11/xinit/xinputrc r,
- /etc/X11/Xsession.d/*im-config_launch r,
+
+ /var/lib/gdm{3,}/.config/dconf/user r,
 owner @{HOME}/.alias r,
 owner @{HOME}/.i18n r,
- @{run}/gdm{3,}/custom.conf r,
+ @{run}/gdm{3,}/custom.conf r,
+ @{run}/systemd/userdb/ r,
+ @{run}/systemd/users/@{uid} r,
+ @{run}/user/@{uid}/at-spi/ w,
+ @{run}/user/@{uid}/at-spi/bus w,
+ owner @{run}/user/@{uid}/dbus-1/ rw,
+ owner @{run}/user/@{uid}/dbus-1/services/ rw,
+ owner /tmp/dbus-@{rand10} w,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/@{pids}/oom_score_adj rw,
+ owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/loginuid r,
diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session
index ffd1bb0d..3d4a2583 100644
--- a/apparmor.d/groups/gnome/gdm-x-session
+++ b/apparmor.d/groups/gnome/gdm-x-session
@@ -14,11 +14,11 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
 include
 include
- signal (receive) set=term peer=gdm{,-session-worker},
- # signal (send) set=term peer=unconfined,
+ signal (receive) set=(hup term) peer=gdm-session-worker,
+ signal (receive) set=(term) peer=gdm,
 signal (send) set=term peer=dbus-run-session,
- signal (send) set=term peer=xorg,
 signal (send) set=term peer=gnome-session-binary,
+ signal (send) set=term peer=xorg,
 dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus
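Review bot: `@{PROC}/@{pids}/oom_score_adj rw,` in the gdm-wayland-session hunk is granted without the `owner` qualifier that the surrounding `/proc` rules carry, so AppArmor no longer limits the OOM-score write to processes owned by the greeter user, and `@{pids}` widens it beyond the profile's own pid. If the write comes from the inlined dbus-daemon/at-spi children adjusting themselves, `owner @{PROC}/@{pid}/oom_score_adj rw,` should be enough; if it genuinely has to reach other pids, a comment naming which would justify the broader rule. The same asymmetry applies to `@{run}/user/@{uid}/at-spi/ w,` and `@{run}/user/@{uid}/at-spi/bus w,`, which lack the `owner` the neighbouring `dbus-1/` rules have. `@{run}/gdm{3,}/custom.conf r,` is removed and re-added with identical text, which looks like a whitespace-only change worth dropping from the diff.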
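Review bot: gdm-x-session now receives `(hup term)` from gdm-session-worker and `(term)` from gdm exactly as gdm-wayland-session does, but unlike the wayland profile it gets no `signal (send) set=(kill) peer=xdg-permission-store,` even though the next hunk of this file adds `@{lib}/xdg-permission-store rPx,` to it. If the X11 path never terminates the portal store itself, a comment recording the asymmetry would stop someone adding the rule by copy; otherwise the send rule should be mirrored here so both session launchers behave the same. The reordering of `peer=xorg` after `peer=gnome-session-binary` is a harmless sort fix.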
@@ -27,11 +27,21 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{bin}/dbus-daemon rPx,
- @{bin}/dbus-run-session rPx,
- @{bin}/Xorg rPx,
- /etc/gdm{3,}/Prime/Default rix,
- /etc/gdm{3,}/Xsession rPx,
+ @{bin}/{true,false} rix,
+ @{bin}/dbus-daemon rix,
+ @{bin}/dbus-run-session rix,
+ @{bin}/gjs-console rPx,
+ @{bin}/gnome-session rix,
+ @{bin}/gsettings rPx,
+ @{bin}/Xorg rPx,
+ @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix,
+ @{lib}/at-spi2-registryd rix,
+ @{lib}/dconf-service rPx,
+ @{lib}/gnome-session-binary rPx,
+ @{lib}/xdg-permission-store rPx,
+
+ /etc/gdm{3,}/Prime/Default rix,
+ /etc/gdm{3,}/Xsession rPx,
 /usr/share/gdm/gdm.schemas r,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 8b9a6394..9d460d73 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -64,7 +64,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 @{bin}/touch rix,
 @{bin}/xdg-user-dirs-gtk-update rix,
 @{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh rix,
- @{lib}/at-spi-bus-launcher rPx,
+ @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix,
 @{lib}/gnome-session-check-accelerated rix,
 @{lib}/gnome-session-check-accelerated-gl-helper rix,
 @{lib}/gnome-session-check-accelerated-gles-helper rix,
@@ -100,10 +100,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 @{lib}/deja-dup/deja-dup-monitor rPUx,
 @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify rPx,
 @{lib}/gsd-disk-utility-notify rPx,
- @{lib}/thunderbird/thunderbird rPx,
 @{lib}/update-notifier/ubuntu-advantage-notification rPx,
 @{lib}/xapps/sn-watcher/* rPUx,
- /{usr/,}share/libpam-kwallet-common/pam_kwallet_init rPUx,
+ @{thunderbird_path} rPx,
+ /usr/share/libpam-kwallet-common/pam_kwallet_init rPUx,
 /usr/share/dconf/profile/gdm r,
 /usr/share/gdm/greeter-dconf-defaults r,
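Review bot: `@{thunderbird_path} rPx,` in the last gnome-session-binary hunk relies on a tunable that nothing in this patch defines; if it is not already declared in the project's tunables the parser will reject the profile, and the `rPx` transition additionally needs a profile attached to whatever that variable expands to. Because the rule replaces the concrete `@{lib}/thunderbird/thunderbird` path, it is worth confirming the variable still covers that location. The `pam_kwallet_init` path is narrowed from `/{usr/,}share/...` to `/usr/share/...`, which matches the `/usr/share/...` form used by the context lines that follow.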