mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-02-20 17:05:36 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: better wayland client integration.

Browse source
This commit is contained in:
Alexandre Pujol 2023-05-27 23:54:53 +01:00
parent 55da5276dd
commit 3c41453591
Failed to generate hash of commit
29 changed files with 36 additions and 51 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/abstractions/chromium
View file

@ -29,6 +29,7 @@
include <abstractions/user-download-strict>
include <abstractions/user-read>
include <abstractions/vulkan>
include <abstractions/wayland>
capability setgid,
capability setuid,
@ -132,8 +133,6 @@
# owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
# owner @{HOME}/.mozilla/firefox/*/logins.json r,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
/tmp/ r,
/var/tmp/ r,
owner /tmp/.@{chromium_domain}.* rw,

4
apparmor.d/groups/bus/ibus-extension-gtk3
View file

@ -10,14 +10,15 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-extension-gtk3
profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/ibus>
include <abstractions/nameservice-strict>
include <abstractions/wayland>
signal (receive) set=term peer=ibus-daemon,
@ -74,7 +75,6 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
/var/lib/gdm{3,}/.config/ibus/bus/*-unix{,-wayland}-[0-9]* r,
/var/lib/gdm{3,}/.config/dconf/user r,

3
apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
View file

@ -22,6 +22,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
include <abstractions/mesa>
include <abstractions/user-download>
include <abstractions/vulkan>
include <abstractions/wayland>
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
@ -124,8 +125,6 @@ profile xdg-desktop-portal-gnome @{exec_path} {
owner @{user_share_dirs}/ r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
@{run}/mount/utab r,

3
apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
View file

@ -24,6 +24,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download>
include <abstractions/user-write>
include <abstractions/wayland>
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
@ -169,8 +170,6 @@ profile xdg-desktop-portal-gtk @{exec_path} {
@{run}/user/@{uid}/xauth_* rl,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
owner @{PROC}/@{pid}/mountinfo r,

3
apparmor.d/groups/gnome/gjs-console
View file

@ -21,6 +21,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
include <abstractions/opencl-nvidia>
include <abstractions/openssl>
include <abstractions/vulkan>
include <abstractions/wayland>
network netlink raw,
@ -99,9 +100,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/gstreamer-1.0/ rw,
owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,

2
apparmor.d/groups/gnome/gnome-calculator-search-provider
View file

@ -17,6 +17,7 @@ profile gnome-calculator-search-provider @{exec_path} {
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/vulkan>
include <abstractions/wayland>
signal (send) set=kill peer=unconfined,
@ -28,7 +29,6 @@ profile gnome-calculator-search-provider @{exec_path} {
/usr/share/icons/{,**} r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pids}/cmdline r,

5
apparmor.d/groups/gnome/gnome-characters-backgroudservice
View file

@ -9,8 +9,9 @@ include <tunables/global>
@{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService
profile gnome-characters-backgroudservice @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/wayland>
@{exec_path} mr,
@ -24,8 +25,6 @@ profile gnome-characters-backgroudservice @{exec_path} {
/etc/gtk-3.0/settings.ini r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,

4
apparmor.d/groups/gnome/gnome-control-center-print-renderer
View file

@ -9,8 +9,8 @@ include <tunables/global>
@{exec_path} = @{libexec}/gnome-control-center-print-renderer
profile gnome-control-center-print-renderer @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
@ -20,6 +20,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/opencl-nvidia>
include <abstractions/vulkan>
include <abstractions/wayland>
dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
@ -44,7 +45,6 @@ profile gnome-control-center-print-renderer @{exec_path} {
owner @{user_share_dirs}/icons/{,**} r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r,

2
apparmor.d/groups/gnome/gnome-control-center-search-provider
View file

@ -18,6 +18,7 @@ profile gnome-control-center-search-provider @{exec_path} {
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/vulkan>
include <abstractions/wayland>
@{exec_path} mr,
@ -26,7 +27,6 @@ profile gnome-control-center-search-provider @{exec_path} {
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
include if exists <local/gnome-control-center-search-provider>
}

6
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -9,17 +9,18 @@ include <tunables/global>
@{exec_path} = @{libexec}/gnome-session-binary
profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/vulkan>
include <abstractions/nameservice-strict>
include <abstractions/vulkan>
include <abstractions/wayland>
include <abstractions/X-strict>
network inet stream,
@ -230,7 +231,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
owner @{run}/user/@{uid}/systemd/notify w,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
@{sys}/devices/**/{vendor,device} r,

2
apparmor.d/groups/gnome/gnome-shell
View file

@ -32,6 +32,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
include <abstractions/thumbnails-cache-read>
include <abstractions/video>
include <abstractions/vulkan>
include <abstractions/wayland>
include <abstractions/X-strict>
capability sys_nice,
@ -589,7 +590,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
owner @{run}/user/@{uid}/systemd/notify rw,
owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
owner /dev/shm/.org.chromium.Chromium.* rw,
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,

3
apparmor.d/groups/gnome/gnome-terminal-server
View file

@ -15,6 +15,7 @@ profile gnome-terminal-server @{exec_path} {
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/wayland>
signal (send) set=(term hup kill) peer=unconfined,
ptrace (read) peer=unconfined,
@ -47,8 +48,6 @@ profile gnome-terminal-server @{exec_path} {
owner @{user_config_dirs}/*xdg-terminals.list* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
owner /tmp/#[0-9]* rw,

3
apparmor.d/groups/gnome/gsd-color
View file

@ -17,6 +17,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/wayland>
signal (receive) set=(term, hup) peer=gdm*,
@ -134,8 +135,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/icc/edid-*.icc rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
owner /dev/tty[0-9]* rw,

3
apparmor.d/groups/gnome/gsd-keyboard
View file

@ -17,6 +17,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/wayland>
signal (receive) set=(term, hup) peer=gdm*,
@ -108,8 +109,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
owner /dev/tty[0-9]* rw,

3
apparmor.d/groups/gnome/gsd-media-keys
View file

@ -19,6 +19,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/wayland>
signal (receive) set=(term, hup) peer=gdm*,
@ -183,8 +184,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/inhibit/[0-9]*.ref rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
owner /dev/tty[0-9]* rw,

3
apparmor.d/groups/gnome/gsd-power
View file

@ -18,6 +18,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/wayland>
network netlink raw,
@ -183,8 +184,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/greeter-dconf-defaults r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+leds:*backlight* r,

7
apparmor.d/groups/gnome/gsd-wacom
View file

@ -9,13 +9,14 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-wacom
profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/wayland>
signal (receive) set=(term, hup) peer=gdm*,
@ -107,8 +108,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
/usr/share/mime/mime.cache r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,

3
apparmor.d/groups/gnome/gsd-xsettings
View file

@ -20,6 +20,7 @@ profile gsd-xsettings @{exec_path} {
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/opencl>
include <abstractions/wayland>
network inet stream,
network inet6 stream,
@ -143,8 +144,6 @@ profile gsd-xsettings @{exec_path} {
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
@{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r,

2
apparmor.d/groups/ubuntu/apport-gtk
View file

@ -18,6 +18,7 @@ profile apport-gtk @{exec_path} {
include <abstractions/openssl>
include <abstractions/python>
include <abstractions/ssl_certs>
include <abstractions/wayland>
capability fowner,
capability sys_ptrace,
@ -76,7 +77,6 @@ profile apport-gtk @{exec_path} {
/var/log/installer/media-info r,
@{run}/snapd.socket rw,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
owner @{run}/user/.mutter-Xwaylandauth.* rw,
/tmp/[a-z0-9]* rw,

3
apparmor.d/groups/ubuntu/check-new-release-gtk
View file

@ -18,6 +18,7 @@ profile check-new-release-gtk @{exec_path} {
include <abstractions/openssl>
include <abstractions/python>
include <abstractions/ssl_certs>
include <abstractions/wayland>
network inet dgram,
network inet6 dgram,
@ -53,8 +54,6 @@ profile check-new-release-gtk @{exec_path} {
owner @{user_cache_dirs}/update-manager-core/{,**} rw,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/mounts r,
owner @{PROC}/@{pid}/fd/ r,

2
apparmor.d/groups/ubuntu/livepatch-notification
View file

@ -12,6 +12,7 @@ profile livepatch-notification @{exec_path} {
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/gtk>
include <abstractions/wayland>
@{exec_path} mr,
@ -21,7 +22,6 @@ profile livepatch-notification @{exec_path} {
owner @{run}/user/@{uid}/at-spi/bus rw,
owner @{run}/user/@{uid}/bus rw,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
@{run}/user/@{uid}/gdm/Xauthority r,

1
apparmor.d/groups/ubuntu/software-properties-gtk
View file

@ -17,6 +17,7 @@ profile software-properties-gtk @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
include <abstractions/wayland>
dbus (send,receive) bus=system path=/com/canonical/UbuntuAdvantage/{,**}
interface=org.freedesktop.DBus.Introspectable

3
apparmor.d/groups/ubuntu/ubuntu-advantage-notification
View file

@ -12,6 +12,7 @@ profile ubuntu-advantage-notification @{exec_path} {
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/gtk>
include <abstractions/wayland>
@{exec_path} mr,
@ -19,7 +20,5 @@ profile ubuntu-advantage-notification @{exec_path} {
/usr/share/icons/{,**} r,
/usr/share/X11/xkb/{,**} r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
include if exists <local/ubuntu-advantage-notification>
}

3
apparmor.d/groups/ubuntu/update-manager
View file

@ -21,6 +21,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
include <abstractions/openssl>
include <abstractions/python>
include <abstractions/ssl_certs>
include <abstractions/wayland>
network inet dgram,
network inet6 dgram,
@ -85,8 +86,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/update-manager-core/{,**} rw,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
@{run}/systemd/inhibit/*.ref w,
owner @{PROC}/@{pid}/fd/ r,

2
apparmor.d/groups/ubuntu/update-notifier
View file

@ -19,6 +19,7 @@ profile update-notifier @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
include <abstractions/wayland>
dbus receive bus=session path=/org/ayatana/NotificationItem{,/**}
interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties}
@ -69,7 +70,6 @@ profile update-notifier @{exec_path} {
owner @{run}/user/@{uid}/at-spi/bus rw,
owner @{run}/user/@{uid}/bus rw,
owner @{run}/user/@{uid}/update-notifier.pid rwk,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner /tmp/#[0-9]* rw,

2
apparmor.d/profiles-a-f/blueman
View file

@ -20,6 +20,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
include <abstractions/python>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
include <abstractions/wayland>
network inet stream,
network inet6 stream,
@ -58,7 +59,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/obexd/* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,

3
apparmor.d/profiles-a-f/file-roller
View file

@ -14,6 +14,7 @@ profile file-roller @{exec_path} {
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/user-write>
include <abstractions/wayland>
@{exec_path} mr,
@ -35,7 +36,5 @@ profile file-roller @{exec_path} {
/etc/gtk-3.0/settings.ini r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
include if exists <local/file-roller>
}

2
apparmor.d/profiles-s-z/system-config-printer
View file

@ -21,6 +21,7 @@ profile system-config-printer @{exec_path} flags=(complain) {
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
include <abstractions/wayland>
network inet stream,
network inet6 stream,
@ -59,7 +60,6 @@ profile system-config-printer @{exec_path} flags=(complain) {
owner @{HOME}/.cups/ rw,
owner @{HOME}/.cups/lpoptions rw,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{run}/user/@{uid}/gvfsd/socket-* rw,
@{run}/cups/cups.sock rw,

2
apparmor.d/profiles-s-z/virt-manager
View file

@ -28,6 +28,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
include <abstractions/vulkan>
include <abstractions/wayland>
network inet stream,
network inet6 stream,
@ -86,7 +87,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
@{run}/mount/utab r,
@{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511