mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-02-21 01:15:35 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): enable desktop user variable everywhere.

Browse source 
Also restrict access to these files.
This commit is contained in:
Alexandre Pujol 2024-03-19 11:26:57 +00:00
parent a370281e9b
commit 3787eb1745
Failed to generate hash of commit
26 changed files with 80 additions and 119 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/bus/ibus-daemon
View file

@ -46,8 +46,8 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
/usr/share/ibus/{,**} r,
/usr/share/ibus-table/{,**} r,
owner /var/lib/gdm{3,}/.cache/ibus/{,**} rw,
owner /var/lib/gdm{3,}/.config/ibus/{,**} rw,
owner @{desktop_cache_dirs}/ibus/{,**} rw,
owner @{desktop_config_dirs}/ibus/{,**} rw,
owner @{user_cache_dirs}/ibus/{,**} rw,
owner @{user_config_dirs}/ibus/ibus/{,**} rw,

4
apparmor.d/groups/bus/ibus-engine-table
View file

@ -19,8 +19,8 @@ profile ibus-engine-table @{exec_path} {
/usr/share/ibus-table/engine/{,**} r,
/usr/share/ibus-table/tables/ r,
owner /var/lib/gdm3/.cache/ibus-table/ w,
owner /var/lib/gdm3/.local/share/ibus-table/ w,
owner @{desktop_cache_dirs}/ibus-table/ w,
owner @{desktop_share_dirs}/ibus-table/ w,
owner @{user_cache_dirs}/ibus-table/ w,
owner @{user_share_dirs}/ibus-table/ w,

23
apparmor.d/groups/bus/ibus-extension-gtk3
View file

@ -13,22 +13,20 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus-session>
include <abstractions/bus/org.a11y>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/ibus>
include <abstractions/nameservice-strict>
include <abstractions/wayland>
signal (receive) set=term peer=ibus-daemon,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
dbus bind bus=session name=org.freedesktop.IBus.Panel.Extension.Gtk3,
# dbus: own bus=session name=org.freedesktop.IBus.Panel.Extension.Gtk3
dbus receive bus=session path=/org/gtk/Settings
interface=org.freedesktop.DBus.Properties
@ -43,20 +41,13 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/usr/share/dconf/profile/gdm r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/ibus/{,**} r,
/usr/share/icons/{,**} r,
/usr/share/X11/xkb/** r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
/var/lib/gdm{3,}/.config/ibus/bus/ r,
owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{desktop_config_dirs}/dconf/user r,
owner @{desktop_config_dirs}/ibus/bus/ r,
owner @{desktop_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
# file inherit
/dev/tty@{int} rw,
include if exists <local/ibus-extension-gtk3>

7
apparmor.d/groups/bus/ibus-memconf
View file

@ -19,10 +19,9 @@ profile ibus-memconf @{exec_path} {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner /var/lib/gdm{3,}/.cache/ibus/dbus-@{rand8} rw,
owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw,
owner @{desktop_config_dirs}/ibus/bus/ r,
owner @{desktop_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
include if exists <local/ibus-memconf>
}

12
apparmor.d/groups/bus/ibus-portal
View file

@ -28,16 +28,8 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{lib}/gio/modules/{,*} r,
@{lib}/locale/locale-archive r,
/usr/share/locale/locale.alias r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner @{desktop_config_dirs}/ibus/bus/ r,
owner @{desktop_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner /dev/tty@{int} rw,

5
apparmor.d/groups/bus/ibus-x11
View file

@ -31,9 +31,8 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
owner @{desktop_config_dirs}/ibus/bus/ r,
owner @{desktop_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw,

4
apparmor.d/groups/freedesktop/dconf
View file

@ -21,8 +21,8 @@ profile dconf @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/dconf/{,**} r,
/var/lib/gdm{3,}/ r,
/var/lib/gdm{3,}/greeter-dconf-defaults{,.@{rand6}} rw,
owner @{GDM_HOME}/ r,
owner @{GDM_HOME}/greeter-dconf-defaults{,.@{rand6}} rw,
owner @{user_config_dirs}/dconf/ rw,
owner @{user_config_dirs}/dconf/user{,.*} rw,

6
apparmor.d/groups/freedesktop/dconf-service
View file

@ -25,9 +25,9 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/var/lib/gdm{3,}/.config/dconf/ rw,
/var/lib/gdm{3,}/.config/dconf/user rw,
/var/lib/gdm{3,}/.config/dconf/user.* rw,
owner @{desktop_config_dirs}/dconf/ rw,
owner @{desktop_config_dirs}/dconf/user rw,
owner @{desktop_config_dirs}/dconf/user.* rw,
owner @{user_config_dirs}/dconf/ rw,
owner @{user_config_dirs}/dconf/user{,.*} rw,

2
apparmor.d/groups/freedesktop/pipewire
View file

@ -44,8 +44,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
/etc/pipewire/{,**} r,
/var/lib/gdm{3,}/.config/pulse/cookie rk,
/ r,
/.flatpak-info r,

2
apparmor.d/groups/freedesktop/pipewire-media-session
View file

@ -43,7 +43,7 @@ profile pipewire-media-session @{exec_path} {
/etc/pipewire/*.conf r,
/etc/pipewire/media-session.d/*.conf r,
/var/lib/gdm{3,}/.local/state/pipewire/media-session.d/* rw,
owner @{desktop_local_dirs}/state/pipewire/media-session.d/* rw,
owner @{user_state_dirs}/ rw,
owner @{user_state_dirs}/pipewire/{,**} rw,

2
apparmor.d/groups/freedesktop/pipewire-pulse
View file

@ -31,8 +31,6 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
/ r,
/.flatpak-info r,
/var/lib/gdm{3,}/.config/pulse/cookie rwk,
owner @{run}/user/@{uid}/pulse/pid w,
owner /tmp/librnnoise-@{int}.so rm,

24
apparmor.d/groups/freedesktop/pulseaudio
View file

@ -91,25 +91,11 @@ profile pulseaudio @{exec_path} {
/var/lib/snapd/desktop/applications/ r,
# For GDM
owner /var/lib/gdm{[1-9],}/.config/pulse/{,**} rw,
owner /var/lib/gdm{[1-9],}/.config/pulse/cookie k,
owner /var/lib/gdm{[1-9],}/.config/dconf/user r,
# For SDDM
owner /var/lib/sddm/.config/pulse/ rw,
owner /var/lib/sddm/.config/pulse/*-{device,stream}-volumes.tdb rw,
owner /var/lib/sddm/.config/pulse/*-default-{sink,source} rw,
owner /var/lib/sddm/.config/pulse/*-card-database.tdb rw,
owner /var/lib/sddm/.config/pulse/cookie rwk,
# For lightdm
owner /var/lib/lightdm/.config/ w,
owner /var/lib/lightdm/.config/pulse/{,**} rw,
owner /var/lib/lightdm/.config/pulse/cookie k,
/var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
/var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
owner @{desktop_cache_dirs}/gstreamer-1.0/ rw,
owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
owner @{desktop_config_dirs}/dconf/user r,
owner @{desktop_config_dirs}/pulse/{,**} rw,
owner @{desktop_config_dirs}/pulse/cookie k,
owner @{user_config_dirs}/ w,
owner @{user_config_dirs}/pulse/{,**} rw,

5
apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
View file

@ -66,9 +66,8 @@ profile xdg-desktop-portal-gnome @{exec_path} {
/usr/share/dconf/profile/gdm r,
/usr/share/thumbnailers/{,**} r,
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
/var/lib/snapd/desktop/icons/{,**} r,
owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
owner @{HOME}/*/{,**} rw,

7
apparmor.d/groups/freedesktop/xorg
View file

@ -74,10 +74,9 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
owner /var/log/Xorg.@{int}.log{,.old} rw,
owner /var/log/Xorg.pid-@{pid}.log{,.old} rw,
/var/lib/gdm{3,}/.local/share/xorg/ rw,
/var/lib/gdm{3,}/.local/share/xorg/Xorg.@{int}.log{,.old} rw,
/var/lib/gdm{3,}/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
owner @{desktop_share_dirs}/xorg/ rw,
owner @{desktop_share_dirs}/xorg/Xorg.@{int}.log{,.old} rw,
owner @{desktop_share_dirs}/xorg/Xorg.pid-@{pid}.log{,.old} rw,
@{run}/nvidia-xdriver-* rw,
@{run}/sddm/{,**} rw,

2
apparmor.d/groups/freedesktop/xwayland
View file

@ -28,8 +28,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
/usr/share/fonts/{,**} r,
/usr/share/ghostscript/fonts/{,**} r,
owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
owner /tmp/server-@{int}.xkm rwk,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
owner @{run}/user/@{uid}/server-@{int}.xkm rw,

2
apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
View file

@ -45,7 +45,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
@{bin}/mount rPx,
@{bin}/umount rPx,
/var/lib/gdm{3,}/.config/dconf/user r,
owner @{desktop_config_dirs}/dconf/user r,
/ r,
/etc/fstab r,

26
apparmor.d/groups/kde/kwin_wayland
View file

@ -53,21 +53,19 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
/etc/xdg/menus/applications-merged/ r,
/etc/xdg/plasmarc r,
owner /var/lib/sddm/.cache/#@{int} rwk,
owner /var/lib/sddm/.cache/fontconfig/* rwk,
owner /var/lib/sddm/.cache/fontconfig/*-le64.cache-@{int}{,TMP-@{rand6},NEW,LCK} w,
owner /var/lib/sddm/.cache/fontconfig/*-le64.cache-@{int}.LCK l -> /var/lib/sddm/.cache/fontconfig/*-le64.cache-@{int}.TMP-@{rand6},
owner /var/lib/sddm/.cache/mesa_shader_cache/** r,
owner /var/lib/sddm/.cache/mesa_shader_cache/index rw,
owner /var/lib/sddm/.cache/ksycoca{5,6}_* rwkl -> /var/lib/sddm/.cache/#@{int},
owner @{sddm_cache_dirs}/#@{int} rwk,
owner @{sddm_cache_dirs}/fontconfig/* rwk,
owner @{sddm_cache_dirs}/fontconfig/*-le64.cache-@{int}.LCK l -> @{sddm_cache_dirs}/fontconfig/*-le64.cache-@{int}.TMP-@{rand6},
owner @{sddm_cache_dirs}/fontconfig/*-le64.cache-@{int}{,TMP-@{rand6},NEW,LCK} w,
owner @{sddm_cache_dirs}/ksycoca{5,6}_* rwkl -> @{sddm_cache_dirs}/#@{int},
owner /var/lib/sddm/.config/#@{int} rw,
owner /var/lib/sddm/.config/kcminputrc r,
owner /var/lib/sddm/.config/kdeglobals r,
owner /var/lib/sddm/.config/kglobalshortcutsrc.lock rwk,
owner /var/lib/sddm/.config/kglobalshortcutsrc{,.@{rand6}} rwl -> /var/lib/sddm/.config/#@{int},
owner /var/lib/sddm/.config/kwinrc.lock rwk,
owner /var/lib/sddm/.config/kwinrc{,.@{rand6}} rwl -> /var/lib/sddm/.config/#@{int},
owner @{sddm_config_dirs}/#@{int} rw,
owner @{sddm_config_dirs}/kcminputrc r,
owner @{sddm_config_dirs}/kdeglobals r,
owner @{sddm_config_dirs}/kglobalshortcutsrc.lock rwk,
owner @{sddm_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{sddm_config_dirs}/#@{int},
owner @{sddm_config_dirs}/kwinrc.lock rwk,
owner @{sddm_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{sddm_config_dirs}/#@{int},
owner @{user_cache_dirs}/ r,
owner @{user_cache_dirs}/#@{int} rw,

8
apparmor.d/groups/kde/sddm
View file

@ -144,10 +144,10 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/var/lib/wtmpdb/ r,
/var/lib/wtmpdb/* rwk,
/var/lib/sddm/state.conf rw,
owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.jsc mrw,
owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.qmlc mrw,
owner /var/lib/sddm/** rw,
@{SDDM_HOME}/state.conf rw,
owner @{SDDM_HOME}/** rw,
owner @{sddm_cache_dirs}/sddm-greeter/qmlcache/*.jsc mrw,
owner @{sddm_cache_dirs}/sddm-greeter/qmlcache/*.qmlc mrw,
owner @{HOME}/.local/ w,
owner @{HOME}/.Xauthority rw,

8
apparmor.d/groups/kde/sddm-greeter
View file

@ -44,10 +44,10 @@ profile sddm-greeter @{exec_path} {
/var/lib/AccountsService/icons/*.icon r,
/var/lib/dbus/machine-id r,
owner /var/lib/sddm/** rw,
owner /var/lib/sddm/#@{int} mrw,
owner /var/lib/sddm/.cache/** mrwkl -> /var/lib/sddm/.cache/**,
/var/lib/sddm/state.conf r,
@{SDDM_HOME}/state.conf r,
owner @{SDDM_HOME}/** rw,
owner @{SDDM_HOME}/#@{int} mrw,
owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/icon-cache.kcache rw,

7
apparmor.d/groups/ubuntu/check-new-release-gtk
View file

@ -42,12 +42,13 @@ profile check-new-release-gtk @{exec_path} {
/etc/update-manager/{,**} r,
/var/lib/update-manager/{,**} rw,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
/var/lib/gdm{3,}/.cache/update-manager-core/meta-release-lts rw,
/var/lib/gdm{3,}/.cache/update-manager-core/ rwk,
/var/cache/apt/ rw,
owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
owner @{desktop_cache_dirs}/update-manager-core/ rwk,
owner @{desktop_cache_dirs}/update-manager-core/meta-release-lts rw,
owner @{user_cache_dirs}/update-manager-core/{,**} rw,
@{PROC}/@{pids}/mountinfo r,

6
apparmor.d/profiles-g-l/gsettings
View file

@ -18,9 +18,9 @@ profile gsettings @{exec_path} {
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/var/lib/gdm{3,}/.cache/dconf/user rw,
/var/lib/gdm{3,}/.config/dconf/user rw,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
owner @{desktop_cache_dirs}/dconf/user rw,
owner @{desktop_config_dirs}/dconf/user rw,
owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
/dev/tty@{int} rw,

2
apparmor.d/profiles-m-r/pactl
View file

@ -20,8 +20,6 @@ profile pactl @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/var/lib/gdm{3,}/.config/pulse/cookie rk,
owner @{HOME}/.Xauthority r,
# file_inherit

2
apparmor.d/profiles-s-z/snap
View file

@ -58,9 +58,9 @@ profile snap @{exec_path} {
/var/cache/snapd/commands.db rwk,
/var/cache/snapd/names r,
@{DESKTOP_HOME}/snap/{,**} rw,
@{HOME}/snap/{,**} rw,
/snap/{,**} rw,
/var/lib/gdm{,3}/snap/{,**} rw,
owner /tmp/snapd-auto-import-mount-@{int}/ rw,

4
apparmor.d/profiles-s-z/spice-vdagent
View file

@ -36,11 +36,9 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/var/lib/gdm{3,}/.config/pulse/cookie rk,
/var/lib/gdm{3,}/.config/user-dirs.dirs r,
/var/lib/nscd/passwd r,
owner @{desktop_config_dirs}/user-dirs.dirs r,
owner @{user_config_dirs}/user-dirs.dirs r,
@{run}/spice-vdagentd/spice-vdagent-sock rw,

6
apparmor.d/profiles-s-z/wireplumber
View file

@ -41,9 +41,9 @@ profile wireplumber @{exec_path} {
/etc/machine-id r,
/var/lib/gdm{3,}/.local/state/ w,
/var/lib/gdm{3,}/.local/ w,
/var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
owner @{desktop_local_dirs}/ w,
owner @{desktop_local_dirs}/state/ w,
owner @{desktop_local_dirs}/state/wireplumber/{,**} rw,
owner @{HOME}/.local/ w,
owner @{user_state_dirs}/ w,

19
apparmor.d/tunables/multiarch.d/system-users
View file

@ -15,12 +15,19 @@
@{SDDM_HOME}=/var/lib/sddm/
@{sddm_cache_dirs}=@{SDDM_HOME}/.cache/
@{sddm_config_dirs}=@{SDDM_HOME}/.config/
@{sddm__local_dirs}=@{SDDM_HOME}/.local/
@{sddm_local_dirs}=@{SDDM_HOME}/.local/
@{sddm_share_dirs}=@{SDDM_HOME}/.local/share/
# Full path of the LIGHTDM configuration directories
@{LIGHTDM_HOME}=/var/lib/lightdm/
@{lightdm_cache_dirs}=@{LIGHTDM_HOME}/.cache/
@{lightdm_config_dirs}=@{LIGHTDM_HOME}/.config/
@{lightdm_local_dirs}=@{LIGHTDM_HOME}/.local/
@{lightdm_share_dirs}=@{LIGHTDM_HOME}/.local/share/
# Full path of all DE configuration directories
@{DESKTOP_HOME}=@{GDM_HOME} @{SDDM_HOME}
@{desktop_cache_dirs}=@{gdm_cache_dirs} @{sddm_cache_dirs}
@{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs}
@{desktop_local_dirs}=@{gdm_local_dirs} @{sddm__local_dirs}
@{desktop_share_dirs}=@{gdm_share_dirs} @{gdm_share_dirs}
@{DESKTOP_HOME}=@{GDM_HOME} @{SDDM_HOME} @{LIGHTDM_HOME}
@{desktop_cache_dirs}=@{gdm_cache_dirs} @{sddm_cache_dirs} @{lightdm_cache_dirs}
@{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs} @{lightdm_config_dirs}
@{desktop_local_dirs}=@{gdm_local_dirs} @{sddm_local_dirs} @{lightdm_local_dirs}
@{desktop_share_dirs}=@{gdm_share_dirs} @{sddm_share_dirs} @{lightdm_share_dirs}