feat(opensuse): desktop integration.

2024-11-15 07:54:17 +01:00 · 2023-02-04 23:43:18 +00:00 · 2023-02-04 23:43:18 +00:00 · 35fcb6fc71
commit 35fcb6fc71
parent ff76602843
16 changed files with 75 additions and 20 deletions
--- a/apparmor.d/abstractions/gnome.d/complete
+++ b/apparmor.d/abstractions/gnome.d/complete
@ -3,3 +3,5 @@
 # SPDX-License-Identifier: GPL-2.0-only

  include <abstractions/gtk>
+
+  /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
--- a/apparmor.d/abstractions/nameservice-strict
+++ b/apparmor.d/abstractions/nameservice-strict
@ -16,6 +16,10 @@
  @{etc_ro}/resolv.conf r,
  @{etc_ro}/services r,

+  /var/lib/nscd/group r,
+  /var/lib/nscd/passwd r,
+
+  @{run}/nscd/db* r,
  @{run}/systemd/resolve/stub-resolv.conf r,

  # NSS records from systemd-userdbd.service
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
@ -57,11 +57,12 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {

  /etc/default/locale r,
  /etc/gdm{3,}/ r,
-  /etc/gdm{3,}/daemon.conf{,.??????} rw,
  /etc/gdm{3,}/custom.conf{,.??????} rw,
+  /etc/gdm{3,}/daemon.conf{,.??????} rw,
  /etc/machine-id r,
  /etc/shadow r,
  /etc/shells r,
+  /etc/sysconfig/displaymanager r,

  owner /var/lib/AccountsService/ r,
  owner /var/lib/AccountsService/** rw,
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@ -23,6 +23,9 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {

  network inet  stream,
  network inet6 stream,
+  network inet  dgram,
+  network inet6 dgram,
+  network netlink raw,

  @{exec_path} mr,

--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@ -7,8 +7,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = /{usr/,}lib/colord/colord
-@{exec_path} += @{libexec}/colord
+@{exec_path} = @{libexec}/{,colord/}colord
 profile colord @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
--- a/apparmor.d/groups/freedesktop/colord-session
+++ b/apparmor.d/groups/freedesktop/colord-session
@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = /{usr/,}lib/colord/colord-session
-@{exec_path} += @{libexec}/colord-session
+@{exec_path} = @{libexec}/{,colord/}colord-session
 profile colord-session @{exec_path} flags=(complain) {
  include <abstractions/base>

--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@ -20,12 +20,15 @@ profile plymouthd @{exec_path} {

  signal (send) peer=unconfined,

+  ptrace (read) peer=plymouth,
+
  unix type=stream addr="@/org/freedesktop/plymouthd",
  unix type=stream peer=(addr="@/org/freedesktop/plymouthd"),

  @{exec_path} mr,

  /usr/share/plymouth/{,**} r,
+  /usr/share/pixmaps/distribution-logos/* r,

  /etc/default/keyboard r,
  /etc/plymouth/plymouthd.conf r,
@ -43,6 +46,7 @@ profile plymouthd @{exec_path} {
  @{sys}/class/ r,
  @{sys}/class/drm/ r,
  @{sys}/class/graphics/ r,
+  @{sys}/devices/pci[0-9]*/**/{,uevent,vendor.device} r,
  @{sys}/devices/pci[0-9]*/**/{,uevent} r,
  @{sys}/devices/virtual/graphics/fbcon/uevent r,
  @{sys}/devices/virtual/tty/console/active r,
@ -50,6 +54,9 @@ profile plymouthd @{exec_path} {
  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

        @{PROC}/cmdline r,
+        @{PROC}/1/cmdline r,
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/stat r,

  /dev/ptmx rw,
  /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@ -41,6 +41,7 @@ profile polkitd @{exec_path} {
  /etc/polkit-1/rules.d/[0-9][0-9]-*.rules r,
  /etc/polkit-1/localauthority/{,**} r,
  /etc/polkit-1/localauthority.conf.d/{,**} r,
+  /etc/polkit-1/actions/{,*.policy} r,

  # Vendor rules
  /usr/share/polkit-1/rules.d/ r,
@ -51,8 +52,8 @@ profile polkitd @{exec_path} {
  /usr/share/polkit-1/actions/*.policy r,
  /usr/share/polkit-1/actions/*.policy.choice r,

-  owner /var/lib/polkit-1/.cache/ rw,
-        /var/lib/polkit-1/localauthority/{,**} r,
+  owner /var/lib/polkit{,-1}/.cache/ rw,
+        /var/lib/polkit{,-1}/localauthority/{,**} r,

  @{run}/systemd/sessions/* r,
  @{run}/systemd/users/@{uid} r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -121,6 +121,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {

  /etc/gnome/defaults.list r,

+  /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
  /var/lib/snapd/desktop/icons/{,**} r,

  owner @{HOME}/*/{,**} rw,
--- a/apparmor.d/groups/freedesktop/xdg-icon-resource
+++ b/apparmor.d/groups/freedesktop/xdg-icon-resource
@ -25,7 +25,7 @@ profile xdg-icon-resource @{exec_path} flags=(complain) {
  /{usr/,}bin/readlink   rix,
  /{usr/,}bin/touch      rix,

-  /{usr/,}bin/gtk-update-icon-cache rPx,
+  /{usr/,}bin/gtk{,4}-update-icon-cache rPx,

  /usr/share/**/icons/**.png r,
  /usr/share/icons/**.png rw,
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -66,8 +66,9 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  /var/lib/xkb/server-[0-9]*.xkm rw,

  /usr/share/egl/{,**} rw,
-  /usr/share/libinput/ r,
-  /usr/share/libinput/[0-9][0-9]-*.quirks r,
+  /usr/share/libinput*/ r,
+  /usr/share/libinput*/{,**/}[0-9][0-9]-*.quirks r,
+  /usr/share/libinput*/libinput/ r,

  /etc/X11/{,**} r,

--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@ -13,7 +13,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dri-enumerate>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
-  include <abstractions/opencl-nvidia>
+  include <abstractions/opencl>
  include <abstractions/vulkan>

  signal (receive) set=(term hup) peer=gdm*,
@ -28,7 +28,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/xkbcomp    rPx,

  /usr/share/egl/{,**} r,
-  /usr/share/fonts/X11/{,**} r,
+  /usr/share/fonts/{,**} r,
+  /usr/share/ghostscript/fonts/{,**} r,
  /usr/share/libdrm/*.ids r,
  /usr/share/X11/xkb/rules/evdev r,

--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@ -12,6 +12,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/consoles>
  include <abstractions/dbus-strict>

+  network qipcrtr dgram,
  network netlink raw,

  dbus send bus=system path=/org/freedesktop/DBus
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -119,18 +119,19 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {

  @{sys}/bus/ r,
  @{sys}/class/ r,
-  @{sys}/class/rfkill/ r,
  @{sys}/class/net/ r,
  @{sys}/class/net/rfkill/ r,
+  @{sys}/class/rfkill/ r,

  @{run}/network/ifstate r,
  @{run}/NetworkManager/{,**} rw,
+  @{run}/nscd/db* rwl,
  @{run}/systemd/inhibit/[0-9]*.ref rw,
  @{run}/systemd/users/@{uid} r,
-  @{run}/udev/data/n[0-9]* r,
-  @{run}/udev/data/+rfkill:* r,
-  @{run}/udev/data/+platform* r,
  @{run}/udev/data/+pci* r,
+  @{run}/udev/data/+platform* r,
+  @{run}/udev/data/+rfkill:* r,
+  @{run}/udev/data/n[0-9]* r,

  @{sys}/devices/**/uevent r,
  @{sys}/devices/virtual/net/{,**} r,
--- a/apparmor.d/groups/network/nm-daemon-helper
+++ b/apparmor.d/groups/network/nm-daemon-helper
@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{libexec}/nm-daemon-helper
+profile nm-daemon-helper @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  network inet dgram,
+  network inet6 dgram,
+
+  @{exec_path} mr,
+
+  include if exists <local/nm-daemon-helper>
+}
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@ -27,24 +27,37 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  /{usr/,}bin/{,ba,da}sh         rix,
+  /{usr/,}bin/basename           rix,
+  /{usr/,}bin/chronyc           rPUx,
  /{usr/,}bin/date               rix,
  /{usr/,}bin/gawk               rix,
  /{usr/,}bin/grep               rix,
  /{usr/,}bin/id                 rix,
+  /{usr/,}bin/mkdir              rix,
  /{usr/,}bin/mktemp             rix,
  /{usr/,}bin/nmcli              rix,
  /{usr/,}bin/readlink           rix,
  /{usr/,}bin/rm                 rix,
  /{usr/,}bin/run-parts          rPx,
+  /{usr/,}bin/sed                rix,
+  /{usr/,}bin/systemctl          rPx -> child-systemctl,
+  /{usr/,}bin/systemd-cat        rPx,
+  /{usr/,}bin/tr                 rix,
  /usr/share/tlp/tlp-readconfs  rPUx,

-  /usr/share/tlp/{,**} rw,
-
+  /{usr/,}lib/NetworkManager/dispatcher.d/ r,
+  /{usr/,}lib/NetworkManager/dispatcher.d/* rix,
  /etc/NetworkManager/dispatcher.d/ r,
  /etc/NetworkManager/dispatcher.d/** rix,

+  /usr/share/tlp/{,**} rw,
+
+  /etc/sysconfig/network/config r,
+  /etc/fstab r,
+
  @{run}/systemd/notify rw,
  @{run}/tlp/{,*} rw,
+  @{run}/chrony-dhcp/ rw,

  owner @{PROC}/@{pid}/fd/ r,