From 3787eb1745c54dd0758a49551cbaa858e9e52aba Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 19 Mar 2024 11:26:57 +0000
Subject: [PATCH] feat(profile): enable desktop user variable everywhere.
Also restrict access to these files.
---
apparmor.d/groups/bus/ibus-daemon | 4 +--
apparmor.d/groups/bus/ibus-engine-table | 4 +--
apparmor.d/groups/bus/ibus-extension-gtk3 | 23 +++++----------
apparmor.d/groups/bus/ibus-memconf | 7 +++--
apparmor.d/groups/bus/ibus-portal | 12 ++-------
apparmor.d/groups/bus/ibus-x11 | 5 ++--
apparmor.d/groups/freedesktop/dconf | 4 +--
apparmor.d/groups/freedesktop/dconf-service | 6 ++---
apparmor.d/groups/freedesktop/pipewire | 2 --
.../groups/freedesktop/pipewire-media-session | 2 +-
apparmor.d/groups/freedesktop/pipewire-pulse | 2 --
apparmor.d/groups/freedesktop/pulseaudio | 24 ++++-------------
.../freedesktop/xdg-desktop-portal-gnome | 5 ++--
apparmor.d/groups/freedesktop/xorg | 7 +++--
apparmor.d/groups/freedesktop/xwayland | 2 --
.../groups/gvfs/gvfs-udisks2-volume-monitor | 2 +-
apparmor.d/groups/kde/kwin_wayland | 26 +++++++++----------
apparmor.d/groups/kde/sddm | 8 +++---
apparmor.d/groups/kde/sddm-greeter | 8 +++---
.../groups/ubuntu/check-new-release-gtk | 7 ++---
apparmor.d/profiles-g-l/gsettings | 6 ++---
apparmor.d/profiles-m-r/pactl | 2 --
apparmor.d/profiles-s-z/snap | 2 +-
apparmor.d/profiles-s-z/spice-vdagent | 4 +--
apparmor.d/profiles-s-z/wireplumber | 6 ++---
apparmor.d/tunables/multiarch.d/system-users | 19 +++++++++-----
26 files changed, 80 insertions(+), 119 deletions(-)
diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon
index 4381538e..f0ea6ac6 100644
--- a/apparmor.d/groups/bus/ibus-daemon
+++ b/apparmor.d/groups/bus/ibus-daemon
@@ -46,8 +46,8 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
 /usr/share/ibus/{,**} r,
 /usr/share/ibus-table/{,**} r,
- owner /var/lib/gdm{3,}/.cache/ibus/{,**} rw,
- owner /var/lib/gdm{3,}/.config/ibus/{,**} rw,
+ owner @{desktop_cache_dirs}/ibus/{,**} rw,
+ owner @{desktop_config_dirs}/ibus/{,**} rw,
 owner @{user_cache_dirs}/ibus/{,**} rw,
 owner @{user_config_dirs}/ibus/ibus/{,**} rw,
diff --git a/apparmor.d/groups/bus/ibus-engine-table b/apparmor.d/groups/bus/ibus-engine-table
index 4addd158..ee3a6ef7 100644
--- a/apparmor.d/groups/bus/ibus-engine-table
+++ b/apparmor.d/groups/bus/ibus-engine-table
@@ -19,8 +19,8 @@ profile ibus-engine-table @{exec_path} {
 /usr/share/ibus-table/engine/{,**} r,
 /usr/share/ibus-table/tables/ r,
- owner /var/lib/gdm3/.cache/ibus-table/ w,
- owner /var/lib/gdm3/.local/share/ibus-table/ w,
+ owner @{desktop_cache_dirs}/ibus-table/ w,
+ owner @{desktop_share_dirs}/ibus-table/ w,
 owner @{user_cache_dirs}/ibus-table/ w,
 owner @{user_share_dirs}/ibus-table/ w,
diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3
index c3042a75..a05e968e 100644
--- a/apparmor.d/groups/bus/ibus-extension-gtk3
+++ b/apparmor.d/groups/bus/ibus-extension-gtk3
@@ -13,22 +13,20 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
- include
- include
 include
 include
- include
 signal (receive) set=term peer=ibus-daemon,
-
+
 network inet dgram,
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
 network netlink raw,
- dbus bind bus=session name=org.freedesktop.IBus.Panel.Extension.Gtk3,
+ # dbus: own bus=session name=org.freedesktop.IBus.Panel.Extension.Gtk3
 dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties
@@ -43,20 +41,13 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 /usr/share/dconf/profile/gdm r,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/ibus/{,**} r,
- /usr/share/icons/{,**} r,
- /usr/share/X11/xkb/** r,
- /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
- /var/lib/gdm{3,}/.config/dconf/user r,
- /var/lib/gdm{3,}/greeter-dconf-defaults r,
- /var/lib/gdm{3,}/.config/ibus/bus/ r,
+ owner @{GDM_HOME}/greeter-dconf-defaults r,
+ owner @{desktop_config_dirs}/dconf/user r,
+ owner @{desktop_config_dirs}/ibus/bus/ r,
+ owner @{desktop_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
- owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
- owner @{run}/user/@{uid}/gdm/Xauthority r,
-
- # file inherit
 /dev/tty@{int} rw,
 include if exists
diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf
index 1ff09fc6..0ca28bb0 100644
--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@@ -19,10 +19,9 @@ profile ibus-memconf @{exec_path} {
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
- /var/lib/gdm{3,}/.config/ibus/bus/ r,
- /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
-
- owner /var/lib/gdm{3,}/.cache/ibus/dbus-@{rand8} rw,
+ owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw,
+ owner @{desktop_config_dirs}/ibus/bus/ r,
+ owner @{desktop_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
 include if exists
 }
diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal
index d350422b..782716a7 100644
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
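Review bot: `owner @{GDM_HOME}/greeter-dconf-defaults r,` in this hunk (and in the dconf hunk) uses the GDM-specific variable, while the same file is granted as `owner @{DESKTOP_HOME}/greeter-dconf-defaults r,` in xdg-desktop-portal-gnome, check-new-release-gtk and gsettings. Nothing in this diff creates greeter-dconf-defaults outside the GDM home, so the `@{DESKTOP_HOME}` spelling also admits `/var/lib/sddm/greeter-dconf-defaults` and `/var/lib/lightdm/greeter-dconf-defaults` for no benefit; the narrower `@{GDM_HOME}` form used here is the one to keep, and the three other profiles should follow it. Separately, this hunk drops the reads of `/usr/share/icons/{,**}`, `/usr/share/X11/xkb/**`, gschemas.compiled and the two Xauthority paths with no replacement visible in the hunk; presumably the abstractions added in the previous hunk cover them (their targets are not legible in this rendering), which is worth one sentence in the commit message. The profile body continues outside the hunk.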
@@ -28,16 +28,8 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{lib}/gio/modules/{,*} r,
- @{lib}/locale/locale-archive r,
-
- /usr/share/locale/locale.alias r,
-
- /etc/machine-id r,
-
- /var/lib/dbus/machine-id r,
- /var/lib/gdm{3,}/.config/ibus/bus/ r,
- /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+ owner @{desktop_config_dirs}/ibus/bus/ r,
+ owner @{desktop_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
 owner /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11
index ddde2eb0..c3476f6a 100644
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@@ -31,9 +31,8 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /var/lib/gdm{3,}/.config/ibus/bus/ r,
- /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
- /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
+ owner @{desktop_config_dirs}/ibus/bus/ r,
+ owner @{desktop_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
 owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw,
diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf
index 6b47bb2c..5d6f1f6c 100644
--- a/apparmor.d/groups/freedesktop/dconf
+++ b/apparmor.d/groups/freedesktop/dconf
@@ -21,8 +21,8 @@ profile dconf @{exec_path} flags=(attach_disconnected) {
 /usr/share/gdm/dconf/{,**} r,
- /var/lib/gdm{3,}/ r,
- /var/lib/gdm{3,}/greeter-dconf-defaults{,.@{rand6}} rw,
+ owner @{GDM_HOME}/ r,
+ owner @{GDM_HOME}/greeter-dconf-defaults{,.@{rand6}} rw,
 owner @{user_config_dirs}/dconf/ rw,
 owner @{user_config_dirs}/dconf/user{,.*} rw,
diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service
index b8ac1273..dd2dae6b 100644
--- a/apparmor.d/groups/freedesktop/dconf-service
+++ b/apparmor.d/groups/freedesktop/dconf-service
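Review bot: Besides the two gdm paths, the ibus-portal hunk also removes the reads of `@{lib}/gio/modules/{,*}`, `@{lib}/locale/locale-archive`, `/usr/share/locale/locale.alias`, `/etc/machine-id` and `/var/lib/dbus/machine-id`, which the subject line does not cover and for which no replacement is visible in the hunk. The same drive-by removal appears in xdg-desktop-portal-gnome (`/var/lib/snapd/desktop/icons/{,**} r,`) and spice-vdagent (`/var/lib/nscd/passwd r,`). If these are now provided by an abstraction included above the hunk, say so in the commit message; if not, they are silent denials that only show up as audit noise in the greeter session.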
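Review bot: `/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,` is removed from ibus-x11 with no `@{desktop_cache_dirs}/mesa_shader_cache/` rule taking its place, and xorg, xwayland and (for the sddm paths) kwin_wayland drop the same shader-cache rules in their hunks. Unless an included abstraction already grants the cache under `@{desktop_cache_dirs}`, these programs lose that write when running in the display-manager session. If relying on an abstraction is the intent, the commit message should state it; otherwise `owner @{desktop_cache_dirs}/mesa_shader_cache/index rw,` preserves the previous access under the new naming.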
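Review bot: Adding `owner` to `@{GDM_HOME}/greeter-dconf-defaults{,.@{rand6}} rw,` in the dconf hunk assumes dconf compiles that file while running as the gdm user. The `owner` qualifier matches on the task's fsuid against the file's uid with no capability override, so if a distribution's maintainer script runs `dconf compile` as root into the gdm-owned directory, the write is now denied even though the path is right; worth confirming on at least one packaging before keeping the qualifier. The `owner @{GDM_HOME}/ r,` directory read on the line above has the same dependency.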
@@ -25,9 +25,9 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /var/lib/gdm{3,}/.config/dconf/ rw,
- /var/lib/gdm{3,}/.config/dconf/user rw,
- /var/lib/gdm{3,}/.config/dconf/user.* rw,
+ owner @{desktop_config_dirs}/dconf/ rw,
+ owner @{desktop_config_dirs}/dconf/user rw,
+ owner @{desktop_config_dirs}/dconf/user.* rw,
 owner @{user_config_dirs}/dconf/ rw,
 owner @{user_config_dirs}/dconf/user{,.*} rw,
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
index c6c9de71..f882a690 100644
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@@ -44,8 +44,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
 /etc/pipewire/{,**} r,
- /var/lib/gdm{3,}/.config/pulse/cookie rk,
-
 / r,
 /.flatpak-info r,
diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session
index 7a7fa24a..478bdc65 100644
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@@ -43,7 +43,7 @@ profile pipewire-media-session @{exec_path} {
 /etc/pipewire/*.conf r,
 /etc/pipewire/media-session.d/*.conf r,
- /var/lib/gdm{3,}/.local/state/pipewire/media-session.d/* rw,
+ owner @{desktop_local_dirs}/state/pipewire/media-session.d/* rw,
 owner @{user_state_dirs}/ rw,
 owner @{user_state_dirs}/pipewire/{,**} rw,
diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse
index 874ecbcd..13331e33 100644
--- a/apparmor.d/groups/freedesktop/pipewire-pulse
+++ b/apparmor.d/groups/freedesktop/pipewire-pulse
@@ -31,8 +31,6 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
 / r,
 /.flatpak-info r,
- /var/lib/gdm{3,}/.config/pulse/cookie rwk,
-
 owner @{run}/user/@{uid}/pulse/pid w,
 owner /tmp/librnnoise-@{int}.so rm,
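Review bot: `/var/lib/gdm{3,}/.config/pulse/cookie rk,` is removed from pipewire without a `@{desktop_config_dirs}/pulse/cookie` rule replacing it, and pipewire-pulse (`rwk`), pactl and spice-vdagent drop the same cookie rule in their hunks, whereas pulseaudio keeps `owner @{desktop_config_dirs}/pulse/cookie k,`. If an audio abstraction now carries the cookie under the desktop variables this is fine and the commit message should say so; otherwise audio clients started in the greeter session lose the cookie read. For pipewire-pulse, which also created the cookie, `owner @{desktop_config_dirs}/pulse/cookie rwk,` keeps the previous behaviour under the new naming.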
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index 31445ea8..e2e22bc8 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -91,25 +91,11 @@ profile pulseaudio @{exec_path} {
 /var/lib/snapd/desktop/applications/ r,
- # For GDM
- owner /var/lib/gdm{[1-9],}/.config/pulse/{,**} rw,
- owner /var/lib/gdm{[1-9],}/.config/pulse/cookie k,
- owner /var/lib/gdm{[1-9],}/.config/dconf/user r,
-
- # For SDDM
- owner /var/lib/sddm/.config/pulse/ rw,
- owner /var/lib/sddm/.config/pulse/*-{device,stream}-volumes.tdb rw,
- owner /var/lib/sddm/.config/pulse/*-default-{sink,source} rw,
- owner /var/lib/sddm/.config/pulse/*-card-database.tdb rw,
- owner /var/lib/sddm/.config/pulse/cookie rwk,
-
- # For lightdm
- owner /var/lib/lightdm/.config/ w,
- owner /var/lib/lightdm/.config/pulse/{,**} rw,
- owner /var/lib/lightdm/.config/pulse/cookie k,
-
- /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
- /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
+ owner @{desktop_cache_dirs}/gstreamer-1.0/ rw,
+ owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
+ owner @{desktop_config_dirs}/dconf/user r,
+ owner @{desktop_config_dirs}/pulse/{,**} rw,
+ owner @{desktop_config_dirs}/pulse/cookie k,
 owner @{user_config_dirs}/ w,
 owner @{user_config_dirs}/pulse/{,**} rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index b04cc743..e1ffc64d 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
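Review bot: The lightdm block being folded in had `owner /var/lib/lightdm/.config/ w,` so pulseaudio could create the `.config/` directory in a fresh display-manager home, but the replacement set starts at `@{desktop_config_dirs}/pulse/{,**}`; the `owner @{user_config_dirs}/ w,` context line just below shows the pattern that is now missing for the display-manager homes. `owner @{desktop_config_dirs}/ w,` next to the other desktop rules restores it. Note also that the old GDM rules matched `gdm{[1-9],}` while the new ones inherit whatever `@{gdm_config_dirs}` expands to (defined outside this diff), so confirm it still covers `/var/lib/gdm3/`.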
@@ -66,9 +66,8 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 /usr/share/dconf/profile/gdm r,
 /usr/share/thumbnailers/{,**} r,
- /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
- /var/lib/gdm{3,}/greeter-dconf-defaults r,
- /var/lib/snapd/desktop/icons/{,**} r,
+ owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
+ owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
 owner @{HOME}/*/{,**} rw,
diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg
index 7ff8a164..3a263948 100644
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@@ -74,10 +74,9 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 owner /var/log/Xorg.@{int}.log{,.old} rw,
 owner /var/log/Xorg.pid-@{pid}.log{,.old} rw,
- /var/lib/gdm{3,}/.local/share/xorg/ rw,
- /var/lib/gdm{3,}/.local/share/xorg/Xorg.@{int}.log{,.old} rw,
- /var/lib/gdm{3,}/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw,
- /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
+ owner @{desktop_share_dirs}/xorg/ rw,
+ owner @{desktop_share_dirs}/xorg/Xorg.@{int}.log{,.old} rw,
+ owner @{desktop_share_dirs}/xorg/Xorg.pid-@{pid}.log{,.old} rw,
 @{run}/nvidia-xdriver-* rw,
 @{run}/sddm/{,**} rw,
diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland
index bba6a6ab..e7f6416a 100644
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@@ -28,8 +28,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
 /usr/share/fonts/{,**} r,
 /usr/share/ghostscript/fonts/{,**} r,
- owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
-
 owner /tmp/server-@{int}.xkm rwk,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
 owner @{run}/user/@{uid}/server-@{int}.xkm rw,
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index 5aebd01c..0445f1ab 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -45,7 +45,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
 @{bin}/mount rPx,
 @{bin}/umount rPx,
- /var/lib/gdm{3,}/.config/dconf/user r,
+ owner @{desktop_config_dirs}/dconf/user r,
 / r,
 /etc/fstab r,
diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland
index 2c0b24a8..908deb23 100644
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
@@ -53,21 +53,19 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 /etc/xdg/menus/applications-merged/ r,
 /etc/xdg/plasmarc r,
- owner /var/lib/sddm/.cache/#@{int} rwk,
- owner /var/lib/sddm/.cache/fontconfig/* rwk,
- owner /var/lib/sddm/.cache/fontconfig/*-le64.cache-@{int}{,TMP-@{rand6},NEW,LCK} w,
- owner /var/lib/sddm/.cache/fontconfig/*-le64.cache-@{int}.LCK l -> /var/lib/sddm/.cache/fontconfig/*-le64.cache-@{int}.TMP-@{rand6},
- owner /var/lib/sddm/.cache/mesa_shader_cache/** r,
- owner /var/lib/sddm/.cache/mesa_shader_cache/index rw,
- owner /var/lib/sddm/.cache/ksycoca{5,6}_* rwkl -> /var/lib/sddm/.cache/#@{int},
+ owner @{sddm_cache_dirs}/#@{int} rwk,
+ owner @{sddm_cache_dirs}/fontconfig/* rwk,
+ owner @{sddm_cache_dirs}/fontconfig/*-le64.cache-@{int}.LCK l -> @{sddm_cache_dirs}/fontconfig/*-le64.cache-@{int}.TMP-@{rand6},
+ owner @{sddm_cache_dirs}/fontconfig/*-le64.cache-@{int}{,TMP-@{rand6},NEW,LCK} w,
+ owner @{sddm_cache_dirs}/ksycoca{5,6}_* rwkl -> @{sddm_cache_dirs}/#@{int},
- owner /var/lib/sddm/.config/#@{int} rw,
- owner /var/lib/sddm/.config/kcminputrc r,
- owner /var/lib/sddm/.config/kdeglobals r,
- owner /var/lib/sddm/.config/kglobalshortcutsrc.lock rwk,
- owner /var/lib/sddm/.config/kglobalshortcutsrc{,.@{rand6}} rwl -> /var/lib/sddm/.config/#@{int},
- owner /var/lib/sddm/.config/kwinrc.lock rwk,
- owner /var/lib/sddm/.config/kwinrc{,.@{rand6}} rwl -> /var/lib/sddm/.config/#@{int},
+ owner @{sddm_config_dirs}/#@{int} rw,
+ owner @{sddm_config_dirs}/kcminputrc r,
+ owner @{sddm_config_dirs}/kdeglobals r,
+ owner @{sddm_config_dirs}/kglobalshortcutsrc.lock rwk,
+ owner @{sddm_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{sddm_config_dirs}/#@{int},
+ owner @{sddm_config_dirs}/kwinrc.lock rwk,
+ owner @{sddm_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{sddm_config_dirs}/#@{int},
 owner @{user_cache_dirs}/ r,
 owner @{user_cache_dirs}/#@{int} rw,
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 492b623f..a7d94520 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -144,10 +144,10 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /var/lib/wtmpdb/ r,
 /var/lib/wtmpdb/* rwk,
- /var/lib/sddm/state.conf rw,
- owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.jsc mrw,
- owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.qmlc mrw,
- owner /var/lib/sddm/** rw,
+ @{SDDM_HOME}/state.conf rw,
+ owner @{SDDM_HOME}/** rw,
+ owner @{sddm_cache_dirs}/sddm-greeter/qmlcache/*.jsc mrw,
+ owner @{sddm_cache_dirs}/sddm-greeter/qmlcache/*.qmlc mrw,
 owner @{HOME}/.local/ w,
 owner @{HOME}/.Xauthority rw,
diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter
index 5f298c74..8fad5ed7 100644
--- a/apparmor.d/groups/kde/sddm-greeter
+++ b/apparmor.d/groups/kde/sddm-greeter
@@ -44,10 +44,10 @@ profile sddm-greeter @{exec_path} {
 /var/lib/AccountsService/icons/*.icon r,
 /var/lib/dbus/machine-id r,
- owner /var/lib/sddm/** rw,
- owner /var/lib/sddm/#@{int} mrw,
- owner /var/lib/sddm/.cache/** mrwkl -> /var/lib/sddm/.cache/**,
- /var/lib/sddm/state.conf r,
+ @{SDDM_HOME}/state.conf r,
+ owner @{SDDM_HOME}/** rw,
+ owner @{SDDM_HOME}/#@{int} mrw,
+ owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**,
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/icon-cache.kcache rw,
diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk
index 7d7bc961..0b4043fd 100644
--- a/apparmor.d/groups/ubuntu/check-new-release-gtk
+++ b/apparmor.d/groups/ubuntu/check-new-release-gtk
@@ -42,12 +42,13 @@ profile check-new-release-gtk @{exec_path} {
 /etc/update-manager/{,**} r,
 /var/lib/update-manager/{,**} rw,
- /var/lib/gdm{3,}/greeter-dconf-defaults r,
- /var/lib/gdm{3,}/.cache/update-manager-core/meta-release-lts rw,
- /var/lib/gdm{3,}/.cache/update-manager-core/ rwk,
 /var/cache/apt/ rw,
+ owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
+ owner @{desktop_cache_dirs}/update-manager-core/ rwk,
+ owner @{desktop_cache_dirs}/update-manager-core/meta-release-lts rw,
+ owner @{user_cache_dirs}/update-manager-core/{,**} rw,
 @{PROC}/@{pids}/mountinfo r,
diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings
index bdc14eeb..17671f73 100644
--- a/apparmor.d/profiles-g-l/gsettings
+++ b/apparmor.d/profiles-g-l/gsettings
@@ -18,9 +18,9 @@ profile gsettings @{exec_path} {
 /usr/share/dconf/profile/gdm r,
 /usr/share/gdm/greeter-dconf-defaults r,
- /var/lib/gdm{3,}/.cache/dconf/user rw,
- /var/lib/gdm{3,}/.config/dconf/user rw,
- /var/lib/gdm{3,}/greeter-dconf-defaults r,
+ owner @{desktop_cache_dirs}/dconf/user rw,
+ owner @{desktop_config_dirs}/dconf/user rw,
+ owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-m-r/pactl b/apparmor.d/profiles-m-r/pactl
index 8b38ab16..551dc7a9 100644
--- a/apparmor.d/profiles-m-r/pactl
+++ b/apparmor.d/profiles-m-r/pactl
@@ -20,8 +20,6 @@ profile pactl @{exec_path} {
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
- /var/lib/gdm{3,}/.config/pulse/cookie rk,
-
 owner @{HOME}/.Xauthority r,
 # file_inherit
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index 76ab62e2..b24f1671 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -58,9 +58,9 @@ profile snap @{exec_path} {
 /var/cache/snapd/commands.db rwk,
 /var/cache/snapd/names r,
+ @{DESKTOP_HOME}/snap/{,**} rw,
 @{HOME}/snap/{,**} rw,
 /snap/{,**} rw,
- /var/lib/gdm{,3}/snap/{,**} rw,
 owner /tmp/snapd-auto-import-mount-@{int}/ rw,
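Review bot: `owner @{user_cache_dirs}/update-manager-core/{,**} rw,` in the check-new-release-gtk hunk is a new grant into every real user's cache directory, not a renaming of a gdm path like the rest of the hunk, and the commit message does not mention it. It is plausibly needed (the tool also runs in ordinary user sessions) but it changes the profile's reach independently of the variable migration, so it deserves its own sentence in the message or its own commit so the widening is reviewable on its own.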
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index c8b79dbb..d62f74de 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -36,11 +36,9 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /var/lib/gdm{3,}/.config/pulse/cookie rk,
- /var/lib/gdm{3,}/.config/user-dirs.dirs r,
- /var/lib/nscd/passwd r,
+ owner @{desktop_config_dirs}/user-dirs.dirs r,
 owner @{user_config_dirs}/user-dirs.dirs r,
 @{run}/spice-vdagentd/spice-vdagent-sock rw,
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index b7c7a73d..935e686c 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -41,9 +41,9 @@ profile wireplumber @{exec_path} {
 /etc/machine-id r,
- /var/lib/gdm{3,}/.local/state/ w,
- /var/lib/gdm{3,}/.local/ w,
- /var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
+ owner @{desktop_local_dirs}/ w,
+ owner @{desktop_local_dirs}/state/ w,
+ owner @{desktop_local_dirs}/state/wireplumber/{,**} rw,
 owner @{HOME}/.local/ w,
 owner @{user_state_dirs}/ w,
diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users
index 379936ed..f39013de 100644
--- a/apparmor.d/tunables/multiarch.d/system-users
+++ b/apparmor.d/tunables/multiarch.d/system-users
@@ -15,12 +15,19 @@
 @{SDDM_HOME}=/var/lib/sddm/
 @{sddm_cache_dirs}=@{SDDM_HOME}/.cache/
 @{sddm_config_dirs}=@{SDDM_HOME}/.config/
-@{sddm__local_dirs}=@{SDDM_HOME}/.local/
+@{sddm_local_dirs}=@{SDDM_HOME}/.local/
 @{sddm_share_dirs}=@{SDDM_HOME}/.local/share/
+# Full path of the LIGHTDM configuration directories
+@{LIGHTDM_HOME}=/var/lib/lightdm/
+@{lightdm_cache_dirs}=@{LIGHTDM_HOME}/.cache/
+@{lightdm_config_dirs}=@{LIGHTDM_HOME}/.config/
+@{lightdm_local_dirs}=@{LIGHTDM_HOME}/.local/
+@{lightdm_share_dirs}=@{LIGHTDM_HOME}/.local/share/
+
 # Full path of all DE configuration directories
-@{DESKTOP_HOME}=@{GDM_HOME} @{SDDM_HOME}
-@{desktop_cache_dirs}=@{gdm_cache_dirs} @{sddm_cache_dirs}
-@{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs}
-@{desktop_local_dirs}=@{gdm_local_dirs} @{sddm__local_dirs}
-@{desktop_share_dirs}=@{gdm_share_dirs} @{gdm_share_dirs}
+@{DESKTOP_HOME}=@{GDM_HOME} @{SDDM_HOME} @{LIGHTDM_HOME}
+@{desktop_cache_dirs}=@{gdm_cache_dirs} @{sddm_cache_dirs} @{lightdm_cache_dirs}
+@{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs} @{lightdm_config_dirs}
+@{desktop_local_dirs}=@{gdm_local_dirs} @{sddm_local_dirs} @{lightdm_local_dirs}
+@{desktop_share_dirs}=@{gdm_share_dirs} @{sddm_share_dirs} @{lightdm_share_dirs}
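Review bot: Every profile that references `@{desktop_*}` now also matches the `/var/lib/lightdm/` tree, which is what the subject asks for but is not documented where the aggregate is defined, so a future profile author has no hint that picking `@{desktop_config_dirs}` over `@{gdm_config_dirs}` triples the paths granted. A comment above `@{DESKTOP_HOME}` such as `# Each @{desktop_*} variable expands to the GDM, SDDM and LightDM paths; prefer the @{gdm_*}, @{sddm_*} or @{lightdm_*} variable when a file is produced by only one display manager.` would keep the per-DM variables in use where they are narrower. The `@{gdm_*}` definitions these lines reference sit above the hunk and are not visible here.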