From 538d708ec0e1f7f27b4571ce424240267f2c5638 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 24 Apr 2023 15:15:40 +0100
Subject: [PATCH] feat(profiles): improve integration with xfce and small fixes. See: #137
---
 apparmor.d/abstractions/freedesktop.org.d/complete | 2 +-
 apparmor.d/groups/browsers/brave | 2 +-
 apparmor.d/groups/bus/dbus-daemon | 8 +++++---
 apparmor.d/profiles-s-z/xfconfd | 12 ++++++++++--
 4 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete
index 9a64741b..924eceb5 100644
--- a/apparmor.d/abstractions/freedesktop.org.d/complete
+++ b/apparmor.d/abstractions/freedesktop.org.d/complete
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- owner @{HOME}/.icons/default/index.theme r,
+ owner @{HOME}/.icons/{,**} r,
 @{system_share_dirs}/*ubuntu/applications/{**,} r,
 @{system_share_dirs}/gnome/applications/{**,} r,
diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave
index 530ad8c6..1b2c57e4 100644
--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@@ -13,7 +13,7 @@ include
 @{chromium_config_dirs} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
 @{chromium_cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
-@{exec_path} = /{usr/,}bin/@{chromium_name} @{chromium_lib_dirs}/@{chromium_name}
+@{exec_path} = /{usr/,}bin/@{q} @{chromium_lib_dirs}/@{chromium_name}
 profile brave @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index a729b7a6..5583f58c 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
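Review bot: In the `apparmor.d/groups/browsers/brave` hunk, the new `@{exec_path}` line attaches on `/{usr/,}bin/@{q}` while its second alternative still uses `@{chromium_name}`, and no definition of `@{q}` is visible in this hunk or anywhere else in the patch. If `@{q}` is not declared by one of the includes, the profile would presumably fail to compile or stop attaching to the `/usr/bin` launcher, which leaves the browser without this confinement. The edit looks accidental and is unrelated to the xfce work named in the subject. Unless `@{q}` is intentional, restore `@{exec_path} = /{usr/,}bin/@{chromium_name} @{chromium_lib_dirs}/@{chromium_name}`. The profile body continues outside the hunk.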
@@ -38,18 +38,20 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ /{usr/,}bin/ r,
+ @{libexec}/{,at-spi2{,-core}/}at-spi2-registryd rPx,
 @{libexec}/* rPUx,
 @{libexec}/gnome-shell/gnome-shell-calendar-server rPx,
 @{libexec}/kf5/kiod5 rPUx,
- /{usr/,}bin/ r,
+ @{libexec}/xfce[0-9]/xfconf/xfconfd rPx,
 /{usr/,}bin/[a-z0-9]* rPUx,
 /{usr/,}lib{,exec}/dbus-1*/dbus-daemon-launch-helper rPx,
 /{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
- /{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx,
+ /{usr/,}lib/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx,
+ /{usr/,}lib/atril/atrild rPx,
 /{usr/,}lib/ibus/ibus-* rPx,
 /{usr/,}lib/telepathy/mission-control-5 rPx,
- /{usr/,}lib/atril/atrild rPx,
 /usr/share/gnome-documents/org.gnome.Documents rPx,
 /usr/share/org.gnome.Characters/org.gnome.Characters rPx,
 /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
diff --git a/apparmor.d/profiles-s-z/xfconfd b/apparmor.d/profiles-s-z/xfconfd
index 40409f6e..d01c43ad 100644
--- a/apparmor.d/profiles-s-z/xfconfd
+++ b/apparmor.d/profiles-s-z/xfconfd
@@ -1,12 +1,14 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
 include
-@{exec_path} = /{usr/,}lib/@{multiarch}/xfce[0-9]/xfconf/xfconfd
+@{exec_path} = @{libexec}/xfce[0-9]/xfconf/xfconfd
+@{exec_path} += /{usr/,}lib/@{multiarch}/xfce[0-9]/xfconf/xfconfd
 profile xfconfd @{exec_path} {
 include
@@ -14,7 +16,13 @@ profile xfconfd @{exec_path} {
 /etc/xdg/xfce4/xfconf/*/*.xml r,
- owner @{HOME}/.config/xfce4/xfconf/*/*.xml{,.new} rw,
+ owner @{HOME}/ r,
+
+ owner @{user_cache_dirs}/ r,
+ owner @{user_config_dirs}/ r,
+ owner @{user_config_dirs}/xfce4/ r,
+ owner @{user_config_dirs}/xfce4/xfconf/*/*.xml{,.new} rw,
+ owner @{user_share_dirs}/ r,
 # file_inherit
 owner /dev/tty[0-9]* rw,
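Review bot: In the `apparmor.d/groups/bus/dbus-daemon` hunk, both xfconfd transitions are now `rPx` where the old rule was `rPUx`, so D-Bus activation of xfconfd is denied when the `xfconfd` profile is not loaded instead of falling back to unconfined. Failing closed is the stricter choice, but it makes this profile depend on `profiles-s-z/xfconfd` being installed alongside it and on both path forms matching that profile's `@{exec_path}`, which they do in this commit. A short comment above the two rules would record that dependency, for example `# Px: needs the xfconfd profile loaded, no unconfined fallback`. The profile body starts and ends outside the hunk.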
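Review bot: In the second `apparmor.d/profiles-s-z/xfconfd` hunk, the added `owner @{HOME}/ r,`, `owner @{user_cache_dirs}/ r,`, `owner @{user_config_dirs}/ r,` and `owner @{user_share_dirs}/ r,` rules let xfconfd list the top level of the home, cache, config and data directories, although the only files it is granted are under `xfce4/xfconf/`. Listing a directory exposes the names of everything stored in it, so it is worth confirming that each rule comes from a denial that actually breaks xfconfd. Where the lookup is only a harmless probe, an explicit `deny owner @{HOME}/ r,` quiets the log without granting the access. A one-line comment stating why the listings are needed would help later audits. The profile body continues outside the hunk.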