feat(abs): improve some gnome profiles.

2025-01-18 08:58:15 +01:00 · 2024-09-23 15:11:50 +01:00 · 2024-09-23 15:11:50 +01:00 · 31cadd634f
commit 31cadd634f
parent 62cb546afa
2 changed files with 15 additions and 5 deletions
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -72,7 +72,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  /usr/share/language-tools/language2locale      rix,
  /usr/share/language-tools/language-options    rPUx,

-  @{open_path}                                   rPx -> child-open-browsers,
+  @{open_path}                                   rPx -> child-open-any,

  /opt/**/share/icons/{,**} r,
  /snap/*/@{int}/**.png r,
@ -124,6 +124,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw,
  owner @{user_share_dirs}/icc/{,edid-*} r,

+  owner @{tmp}/@{hex12}@{h} rw,
+  owner @{tmp}/@{rand8} rw,
  owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,

        @{run}/samba/ rw,
@ -160,6 +162,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
        @{PROC}/cmdline r,
        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
        @{PROC}/zoneinfo r,
+        @{PROC}/1/cgroup r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
@ -187,9 +190,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {

  profile pkexec {
    include <abstractions/base>
-  
-    @{bin}/pkexec mr,
-  
+    include <abstractions/app/pkexec>
    include if exists <local/gnome-control-center_pkexec>
  }

--- a/apparmor.d/groups/gnome/gsd-datetime
+++ b/apparmor.d/groups/gnome/gsd-datetime
@ -12,8 +12,15 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-session>
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/dconf-write>
+  include <abstractions/nameservice-strict>

-  signal (receive) set=(term, hup) peer=gdm*,
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  signal receive set=(term, hup) peer=gdm*,

  #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Datetime

@ -34,6 +41,8 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) {

  owner @{user_cache_dirs}/geocode-glib/* r,

+  @{run}/systemd/sessions/@{int} r,
+  @{run}/systemd/users/@{uid} r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/stat r,