From 35fcb6fc7190fab60fba703fe616b13a6d5ebcc4 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 4 Feb 2023 23:43:18 +0000
Subject: [PATCH] feat(opensuse): desktop integration.
---
 apparmor.d/abstractions/gnome.d/complete | 2 ++
 apparmor.d/abstractions/nameservice-strict | 4 ++++
 apparmor.d/groups/freedesktop/accounts-daemon | 3 ++-
 .../groups/freedesktop/at-spi-bus-launcher | 5 ++++-
 apparmor.d/groups/freedesktop/colord | 3 +--
 apparmor.d/groups/freedesktop/colord-session | 4 ++--
 apparmor.d/groups/freedesktop/plymouthd | 9 ++++++++-
 apparmor.d/groups/freedesktop/polkitd | 5 +++--
 .../freedesktop/xdg-desktop-portal-gnome | 1 +
 .../groups/freedesktop/xdg-icon-resource | 2 +-
 apparmor.d/groups/freedesktop/xorg | 5 +++--
 apparmor.d/groups/freedesktop/xwayland | 5 +++--
 apparmor.d/groups/network/ModemManager | 1 +
 apparmor.d/groups/network/NetworkManager | 9 +++++----
 apparmor.d/groups/network/nm-daemon-helper | 20 +++++++++++++++++++
 apparmor.d/groups/network/nm-dispatcher | 17 ++++++++++++++--
 16 files changed, 75 insertions(+), 20 deletions(-)
 create mode 100644 apparmor.d/groups/network/nm-daemon-helper
diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete
index 2921a557..db93e52b 100644
--- a/apparmor.d/abstractions/gnome.d/complete
+++ b/apparmor.d/abstractions/gnome.d/complete
@@ -3,3 +3,5 @@
 # SPDX-License-Identifier: GPL-2.0-only
 include
+
+ /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict
index a0306e00..b3876bf8 100644
--- a/apparmor.d/abstractions/nameservice-strict
+++ b/apparmor.d/abstractions/nameservice-strict
@@ -16,6 +16,10 @@
 @{etc_ro}/resolv.conf r,
 @{etc_ro}/services r,
+ /var/lib/nscd/group r,
+ /var/lib/nscd/passwd r,
+
+ @{run}/nscd/db* r,
 @{run}/systemd/resolve/stub-resolv.conf r,
 # NSS records from systemd-userdbd.service
diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon
index 746fe6bf..5d73a6d8 100644
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
@@ -57,11 +57,12 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
 /etc/default/locale r,
 /etc/gdm{3,}/ r,
- /etc/gdm{3,}/daemon.conf{,.??????} rw,
 /etc/gdm{3,}/custom.conf{,.??????} rw,
+ /etc/gdm{3,}/daemon.conf{,.??????} rw,
 /etc/machine-id r,
 /etc/shadow r,
 /etc/shells r,
+ /etc/sysconfig/displaymanager r,
 owner /var/lib/AccountsService/ r,
 owner /var/lib/AccountsService/** rw,
diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
index 6de1b307..759f0583 100644
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@@ -21,8 +21,11 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
 unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg),
- network inet stream,
+ network inet stream,
 network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord
index 98b3ffbf..008771dc 100644
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@@ -7,8 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/colord/colord
-@{exec_path} += @{libexec}/colord
+@{exec_path} = @{libexec}/{,colord/}colord
 profile colord @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/freedesktop/colord-session b/apparmor.d/groups/freedesktop/colord-session
index 3c57adf2..4f71d055 100644
--- a/apparmor.d/groups/freedesktop/colord-session
+++ b/apparmor.d/groups/freedesktop/colord-session
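Review bot: The three new rules `network inet dgram,`, `network inet6 dgram,` and `network netlink raw,` in the at-spi-bus-launcher hunk widen the profile's socket access without a comment saying which operation needed them; netlink raw in particular lets the launcher enumerate interfaces and addresses, which is hard to justify for an accessibility bus launcher from the hunk alone. A one-line comment above them naming the observed denial, e.g. `# Needed for resolver lookups and interface enumeration on openSUSE (observed denial)`, would let a later reviewer judge whether they can be dropped again. If the profile already includes an abstraction that grants resolver sockets, the dgram rules are presumably redundant with it. The profile body continues on both sides of the hunk.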
@@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
 include
-@{exec_path} = /{usr/,}lib/colord/colord-session
-@{exec_path} += @{libexec}/colord-session
+@{exec_path} = @{libexec}/{,colord/}colord-session
 profile colord-session @{exec_path} flags=(complain) {
 include
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd
index e4047f54..a0b05cab 100644
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@@ -20,12 +20,15 @@ profile plymouthd @{exec_path} {
 signal (send) peer=unconfined,
+ ptrace (read) peer=plymouth,
+ unix type=stream addr="@/org/freedesktop/plymouthd",
 unix type=stream peer=(addr="@/org/freedesktop/plymouthd"),
 @{exec_path} mr,
 /usr/share/plymouth/{,**} r,
+ /usr/share/pixmaps/distribution-logos/* r,
 /etc/default/keyboard r,
 /etc/plymouth/plymouthd.conf r,
@@ -43,13 +46,17 @@ profile plymouthd @{exec_path} {
 @{sys}/class/ r,
 @{sys}/class/drm/ r,
 @{sys}/class/graphics/ r,
+ @{sys}/devices/pci[0-9]*/**/{,uevent,vendor.device} r,
 @{sys}/devices/pci[0-9]*/**/{,uevent} r,
 @{sys}/devices/virtual/graphics/fbcon/uevent r,
 @{sys}/devices/virtual/tty/console/active r,
 @{sys}/firmware/acpi/bgrt/{,*} r,
 @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
- @{PROC}/cmdline r,
+ @{PROC}/cmdline r,
+ @{PROC}/1/cmdline r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/stat r,
 /dev/ptmx rw,
 /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index 9c8420d3..a1493d48 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
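Review bot: The new rule `@{sys}/devices/pci[0-9]*/**/{,uevent,vendor.device} r,` in the second plymouthd hunk looks mistyped: `vendor.device` is a single alternation member, so it only matches a file literally named `vendor.device`, whereas the PCI sysfs attributes a boot splash would read are the separate `vendor` and `device` files. If those two attributes are what the denial showed, the line should read `@{sys}/devices/pci[0-9]*/**/{,uevent,vendor,device} r,`, and the pre-existing `@{sys}/devices/pci[0-9]*/**/{,uevent} r,` directly below it then becomes redundant and can go. The enclosing profile starts and ends outside both plymouthd hunks.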
@@ -41,6 +41,7 @@ profile polkitd @{exec_path} {
 /etc/polkit-1/rules.d/[0-9][0-9]-*.rules r,
 /etc/polkit-1/localauthority/{,**} r,
 /etc/polkit-1/localauthority.conf.d/{,**} r,
+ /etc/polkit-1/actions/{,*.policy} r,
 # Vendor rules
 /usr/share/polkit-1/rules.d/ r,
@@ -51,8 +52,8 @@ profile polkitd @{exec_path} {
 /usr/share/polkit-1/actions/*.policy r,
 /usr/share/polkit-1/actions/*.policy.choice r,
- owner /var/lib/polkit-1/.cache/ rw,
- /var/lib/polkit-1/localauthority/{,**} r,
+ owner /var/lib/polkit{,-1}/.cache/ rw,
+ /var/lib/polkit{,-1}/localauthority/{,**} r,
 @{run}/systemd/sessions/* r,
 @{run}/systemd/users/@{uid} r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index 432b8745..6b8a460d 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -121,6 +121,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 /etc/gnome/defaults.list r,
+ /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
 /var/lib/snapd/desktop/icons/{,**} r,
 owner @{HOME}/*/{,**} rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource
index acc10b69..28b009c3 100644
--- a/apparmor.d/groups/freedesktop/xdg-icon-resource
+++ b/apparmor.d/groups/freedesktop/xdg-icon-resource
@@ -25,7 +25,7 @@ profile xdg-icon-resource @{exec_path} flags=(complain) {
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/touch rix,
- /{usr/,}bin/gtk-update-icon-cache rPx,
+ /{usr/,}bin/gtk{,4}-update-icon-cache rPx,
 /usr/share/**/icons/**.png r,
 /usr/share/icons/**.png rw,
diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg
index 519be293..e71b988c 100644
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@@ -66,8 +66,9 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 /var/lib/xkb/server-[0-9]*.xkm rw,
 /usr/share/egl/{,**} rw,
- /usr/share/libinput/ r,
- /usr/share/libinput/[0-9][0-9]-*.quirks r,
+ /usr/share/libinput*/ r,
+ /usr/share/libinput*/{,**/}[0-9][0-9]-*.quirks r,
+ /usr/share/libinput*/libinput/ r,
 /etc/X11/{,**} r,
diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland
index c10b3de0..2bb5bfa7 100644
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@@ -13,7 +13,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
+ include
 include
 signal (receive) set=(term hup) peer=gdm*,
@@ -28,7 +28,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/xkbcomp rPx,
 /usr/share/egl/{,**} r,
- /usr/share/fonts/X11/{,**} r,
+ /usr/share/fonts/{,**} r,
+ /usr/share/ghostscript/fonts/{,**} r,
 /usr/share/libdrm/*.ids r,
 /usr/share/X11/xkb/rules/evdev r,
diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager
index ed875f65..2cc6ce1d 100644
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@@ -12,6 +12,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
 include
 include
+ network qipcrtr dgram,
 network netlink raw,
 dbus send bus=system path=/org/freedesktop/DBus
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 5e2d5ce3..dbd6e498 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -119,18 +119,19 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 @{sys}/bus/ r,
 @{sys}/class/ r,
- @{sys}/class/rfkill/ r,
 @{sys}/class/net/ r,
 @{sys}/class/net/rfkill/ r,
+ @{sys}/class/rfkill/ r,
 @{run}/network/ifstate r,
 @{run}/NetworkManager/{,**} rw,
+ @{run}/nscd/db* rwl,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 @{run}/systemd/users/@{uid} r,
- @{run}/udev/data/n[0-9]* r,
- @{run}/udev/data/+rfkill:* r,
- @{run}/udev/data/+platform* r,
 @{run}/udev/data/+pci* r,
+ @{run}/udev/data/+platform* r,
+ @{run}/udev/data/+rfkill:* r,
+ @{run}/udev/data/n[0-9]* r,
 @{sys}/devices/**/uevent r,
 @{sys}/devices/virtual/net/{,**} r,
diff --git a/apparmor.d/groups/network/nm-daemon-helper b/apparmor.d/groups/network/nm-daemon-helper
new file mode 100644
index 00000000..4419955e
--- /dev/null
+++ b/apparmor.d/groups/network/nm-daemon-helper
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{libexec}/nm-daemon-helper
+profile nm-daemon-helper @{exec_path} {
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher
index a109edb2..79ad69aa 100644
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
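Review bot: `@{run}/nscd/db* rwl,` in the NetworkManager hunk grants the daemon write and link access to nscd's cache database files, while the nameservice-strict abstraction touched by this same commit only adds `@{run}/nscd/db* r,` for the glibc client side; creating and replacing those files is ordinarily nscd's own job. Unless a denial shows NetworkManager itself writing there, this was presumably observed from a helper that inherited the profile, in which case that helper should be confined separately and this rule narrowed to `r` (or dropped in favour of the abstraction). If the write really is required, a comment above the rule naming the caller would keep the exception reviewable. The enclosing profile starts and ends outside the hunk.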
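Review bot: The new nm-daemon-helper profile is committed without a trailing newline (`\ No newline at end of file` after the closing `}`), unlike the other profiles in the tree; add a final newline so the file matches the repository's formatting and does not produce a spurious last-line change on the next edit. The `network inet dgram,` and `network inet6 dgram,` rules are the only capability the profile grants beyond its includes, so a short comment above them saying what the helper uses the sockets for would make the profile self-explanatory.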
@@ -27,24 +27,37 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/chronyc rPUx,
 /{usr/,}bin/date rix,
 /{usr/,}bin/gawk rix,
 /{usr/,}bin/grep rix,
 /{usr/,}bin/id rix,
+ /{usr/,}bin/mkdir rix,
 /{usr/,}bin/mktemp rix,
 /{usr/,}bin/nmcli rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/run-parts rPx,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/systemctl rPx -> child-systemctl,
+ /{usr/,}bin/systemd-cat rPx,
+ /{usr/,}bin/tr rix,
 /usr/share/tlp/tlp-readconfs rPUx,
- /usr/share/tlp/{,**} rw,
-
+ /{usr/,}lib/NetworkManager/dispatcher.d/ r,
+ /{usr/,}lib/NetworkManager/dispatcher.d/* rix,
 /etc/NetworkManager/dispatcher.d/ r,
 /etc/NetworkManager/dispatcher.d/** rix,
+ /usr/share/tlp/{,**} rw,
+
+ /etc/sysconfig/network/config r,
+ /etc/fstab r,
+ @{run}/systemd/notify rw,
 @{run}/tlp/{,*} rw,
+ @{run}/chrony-dhcp/ rw,
 owner @{PROC}/@{pid}/fd/ r,
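Review bot: `/{usr/,}bin/chronyc rPUx,` falls back to running chronyc unconfined whenever no chronyc profile is loaded, so the dispatcher script's child escapes confinement entirely on such systems, whereas the other new transitions in this hunk (`/{usr/,}bin/systemctl rPx -> child-systemctl,` and `/{usr/,}bin/systemd-cat rPx,`) insist on a profile. If a chronyc profile exists in the tree, `rPx` would match those; if not, `rix` keeps the child inside nm-dispatcher's own rules, which this hunk already extends with `@{run}/chrony-dhcp/ rw,` for the same integration. Either way a comment naming the dispatcher script that invokes chronyc would document why the rule is there. The enclosing profile starts and ends outside the hunk.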