diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index a88e294a..d08d6a7e 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@@ -2,11 +2,15 @@
 # Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+# TODO: GNOME JavaScript interpreter. It's used to run extensions. Therefore,
+# by default, some extension are confined under this profile. The resulting profile
+# is quite broard. The architecture of this needs to be rethinked.
+
 abi ,
 include
-@{exec_path} = @{bin}/gjs-console
+@{exec_path} = @{bin}/gjs-console
 profile gjs-console @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -78,6 +82,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
 @{bin}/[a-z0-9]* rPUx,
 @{lib}/** rPUx,
+ /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx,
+ @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx,
+
 /etc/openni2/OpenNI.ini r,
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect
new file mode 100644
index 00000000..c4353f48
--- /dev/null
+++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect
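Review bot: The TODO comment added in hunk `@@ -2,11 +2,15 @@` has three spelling slips, and since it is the only place recording why this profile is so permissive, the wording is worth fixing: `some extension are` → `some extensions are`, `broard` → `broad`, `rethinked` → `rethought`. Suggested text for the three lines: `# TODO: GNOME JavaScript interpreter. It is used to run extensions, so by default` / `# some extensions are confined under this profile. The resulting profile is quite` / `# broad; the architecture of this needs to be rethought.`. The `-`/`+` pair on `@{exec_path} = @{bin}/gjs-console` reads identically in this view, so the change there is presumably whitespace only.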
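Review bot: The two rules added after `@{lib}/** rPUx,` in hunk `@@ -78,6 +82,9 @@` transition `gsconnect-preferences` with `rPx`, but the gnome-extension-gsconnect profile introduced in this same commit only attaches to `@{share_dirs}/service/daemon.js` via its `@{exec_path}`, and inside that profile `gsconnect-preferences` is merely `rix`. A `Px` transition to a path with no attached profile is denied once gjs-console runs in enforce mode, so if the shell ever launches the preferences script through this profile it would fail to start. Either attach the new profile to both scripts, e.g. `@{exec_path} += @{share_dirs}/gsconnect-preferences` in gnome-extension-gsconnect (that file already uses `+=` for `@{share_dirs}`), or drop `gsconnect-preferences` from the brace alternation here. The same inconsistency applies to the new-file hunk of gnome-extension-gsconnect; I have not raised it again there.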
@@ -0,0 +1,77 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{share_dirs} = /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/
+@{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/
+
+@{exec_path} = @{share_dirs}/service/daemon.js
+profile gnome-extension-gsconnect @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{bin}/env rix,
+ @{bin}/gjs-console rix,
+ @{bin}/openssl rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/ssh-add rix,
+
+ @{bin}/ssh-keygen rPx,
+ @{bin}/xdg-screensaver rPx,
+
+ @{lib}/gio/modules/*.so* rm,
+ @{lib}/girepository-1.0/* r,
+
+ @{share_dirs}/{,**} r,
+ @{share_dirs}/gsconnect-preferences rix,
+
+ /usr/share/X11/{,**} r,
+
+ /etc/machine-id r,
+
+ owner @{user_cache_dirs}/gsconnect/{,**} rw,
+
+ owner @{user_config_dirs}/ r,
+
+ owner @{user_config_dirs}/gsconnect/{,**} rw,
+ owner @{user_config_dirs}/mimeapps.list w,
+ owner @{user_config_dirs}/mimeapps.list.@{rand6} rw,
+ owner @{user_config_dirs}/pulse/client.conf r,
+ owner @{user_config_dirs}/pulse/cookie rk,
+
+ owner @{run}/user/@{uid}/gsconnect/ w,
+ owner @{run}/user/@{uid}/pulse/ r,
+
+ @{sys}/devices/virtual/dmi/id/chassis_type r,
+
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/status r,
+ owner @{PROC}/@{pid}/task/@{tid}/stat r,
+
+ /dev/shm/ r,
+
+ include if exists
+}
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 22fd04b8..042c16cf 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
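Review bot: The rules `owner @{user_config_dirs}/mimeapps.list w,` and `owner @{user_config_dirs}/mimeapps.list.@{rand6} rw,` let the daemon rewrite the user's default-application mappings for the whole session, and `owner @{user_config_dirs}/pulse/cookie rk,` hands it the PulseAudio authentication cookie, yet neither carries a comment saying which gsconnect feature needs it, so a later reviewer cannot judge whether a denial can be tightened instead of widened. A one-line comment above each would record the intent, e.g. `# presumably registers gsconnect as a handler for its URI scheme — confirm against the extension` and `# pulse cookie is read for the audio features — confirm`. In the same spirit, `@{bin}/{,ba,da}sh rix` and `@{bin}/openssl rix` mean anything those helpers spawn inherits this network-enabled profile; if that is deliberate, a short comment next to the `rix` group saying why a child profile was not used would help.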
@@ -119,6 +119,7 @@ gnome-control-center attach_disconnected,complain
 gnome-control-center-goa-helper complain
 gnome-disk-image-mounter complain
 gnome-disks complain
+gnome-extension-gsconnect complain
 gnome-extension-manager complain
 gnome-music complain
 gnome-photos-thumbnailer complain