diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write new file mode 100644 index 00000000..348eb6c9 --- /dev/null +++ b/apparmor.d/abstractions/dconf-write @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Permissions for querying dconf settings with write access; use the dconf +# abstraction first, and dconf-write only for specific application's profile. + + /etc/dconf/** r, + + owner @{user_config_dirs}/dconf/user r, + + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + + include if exists diff --git a/apparmor.d/groups/apps/atom b/apparmor.d/groups/apps/atom index 13afe288..65d29290 100644 --- a/apparmor.d/groups/apps/atom +++ b/apparmor.d/groups/apps/atom @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom profile atom @{exec_path} { include + include include include include @@ -94,10 +95,6 @@ profile atom @{exec_path} { /etc/fstab r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Needed or atom gets crash with the following error: diff --git a/apparmor.d/groups/apps/code b/apparmor.d/groups/apps/code index e2bd477c..0ece93b0 100644 --- a/apparmor.d/groups/apps/code +++ b/apparmor.d/groups/apps/code @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/code/{bin/,}code /{usr/,}bin/code profile code @{exec_path} { include + include include include include @@ -71,10 +72,6 @@ profile code @{exec_path} { /etc/fstab r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Needed or code gets crash with the following error: diff --git a/apparmor.d/groups/apps/freetube b/apparmor.d/groups/apps/freetube index 2cafcf3f..17512fec 100644 --- a/apparmor.d/groups/apps/freetube 
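Review bot: The two `@{run}/user/@{uid}/dconf/` rules in the new dconf-write abstraction have no comment explaining why `rw` is needed, and the file name promises more than the rules grant, since the database `@{user_config_dirs}/dconf/user` stays read-only here. As far as I know the runtime file is dconf's change-notification flag and real writes go through dconf-service over D-Bus. A line such as `# Runtime notification file only; the user database stays read-only and is written by dconf-service.` above those rules would keep later reviewers from reading this as database write access. The header also says to use the abstraction only for specific profiles, while the atom and code hunks on this line and most later hunks apply it mechanically, so the header should state what qualifies a profile.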
+++ b/apparmor.d/groups/apps/freetube @@ -15,6 +15,7 @@ include profile freetube @{exec_path} { include include + include include include include @@ -67,10 +68,6 @@ profile freetube @{exec_path} { /etc/fstab r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs} r, diff --git a/apparmor.d/groups/apps/thunderbird b/apparmor.d/groups/apps/thunderbird index 93e4ec2f..020fc8a2 100644 --- a/apparmor.d/groups/apps/thunderbird +++ b/apparmor.d/groups/apps/thunderbird @@ -18,6 +18,7 @@ include profile thunderbird @{exec_path} { include include + include include include include @@ -91,10 +92,6 @@ profile thunderbird @{exec_path} { owner @{HOME}/Mail/ rw, owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # Fix error in libglib while saving files as /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index ac196d38..ad0867c9 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/reportbug profile reportbug @{exec_path} { include + include include include include @@ -63,10 +64,6 @@ profile reportbug @{exec_path} { /{usr/,}bin/run-parts rCx -> run-parts, /{usr/,}bin/gpg rCx -> gpg, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # For sending additional information /etc/** r, diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index 00541513..870bbd13 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -14,6 +14,7 @@ include profile brave @{exec_path} { include include + include include include include 
@@ -105,10 +106,6 @@ profile brave @{exec_path} { /etc/fstab r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Needed or Brave crash with the following error: diff --git a/apparmor.d/groups/browsers/chrome-gnome-shell b/apparmor.d/groups/browsers/chrome-gnome-shell index 83947a43..2c1ac4ef 100644 --- a/apparmor.d/groups/browsers/chrome-gnome-shell +++ b/apparmor.d/groups/browsers/chrome-gnome-shell @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/chrome-gnome-shell profile chrome-gnome-shell @{exec_path} { include - include + include include include include @@ -26,9 +26,6 @@ profile chrome-gnome-shell @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/mounts r, deny @{HOME}/.* r, diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium index d4c4e6bf..1b98b251 100644 --- a/apparmor.d/groups/browsers/chromium-chromium +++ b/apparmor.d/groups/browsers/chromium-chromium @@ -14,7 +14,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -106,9 +106,6 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, # owner @{HOME}/.mozilla/firefox/*/logins.json r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner /tmp/tmp.*/ rw, owner /tmp/tmp.*/** rwk, owner /tmp/scoped_dir*/{,**} rw, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 3915d065..eee27864 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -15,7 +15,7 @@ include profile firefox @{exec_path} flags=(attach_disconnected) { include include - include + include include include include 
@@ -131,9 +131,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/tmp/ r, /tmp/ r, owner /tmp/* rw, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 68105d12..1359d53f 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -12,7 +12,7 @@ include @{exec_path} = /{usr/,}lib/firefox/crashreporter profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -51,9 +51,6 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/mozilla/firefox/*.*/** r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /tmp/ r, /var/tmp/ r, owner /tmp/[0-9a-f]*.{dmp,extra} rw, diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera index 9727e24c..01e1bf9b 100644 --- a/apparmor.d/groups/browsers/opera +++ b/apparmor.d/groups/browsers/opera @@ -13,6 +13,7 @@ include @{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer} profile opera @{exec_path} { include + include include include include @@ -83,10 +84,6 @@ profile opera @{exec_path} { /etc/fstab r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Needed or opera crashes with the following error: diff --git a/apparmor.d/groups/bus/dbus-run-session b/apparmor.d/groups/bus/dbus-run-session index 80b7e6f1..4becf5e7 100644 --- a/apparmor.d/groups/bus/dbus-run-session +++ b/apparmor.d/groups/bus/dbus-run-session 
@@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/dbus-run-session profile dbus-run-session @{exec_path} { include - include + include signal (receive) set=(term, kill, hup) peer=gdm*, signal (send) set=term peer=dbus-daemon, @@ -26,8 +26,6 @@ profile dbus-run-session @{exec_path} { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/dconf/profile/gdm r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, /var/lib/gdm/.config/dconf/user r, /var/lib/gdm/.cache/dconf/ rw, diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 131ec117..9e3ebd25 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -10,7 +10,7 @@ include @{exec_path} += @{libexec}/ibus-dconf profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include - include + include include signal (receive) set=term peer=ibus-daemon, @@ -29,8 +29,6 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r, /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, /var/lib/gdm/.cache/dconf/ w, /var/lib/gdm/.cache/dconf/user rw, /var/lib/gdm/.config/dconf/user rw, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index ae392bd4..b1166f43 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -11,7 +11,7 @@ include profile ibus-extension-gtk3 @{exec_path} { include include - include + include include include include @@ -42,8 +42,6 @@ profile ibus-extension-gtk3 @{exec_path} { owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, /var/lib/gdm/.config/dconf/user r, include if exists 
diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher index 34134f6b..41fbc9ef 100644 --- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher +++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher @@ -12,7 +12,7 @@ include profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { include include - include + include include signal (receive) set=(term hup kill) peer=dbus-daemon, @@ -35,8 +35,6 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.xsession-errors w, owner @{run}/user/@{uid}/at-spi/{,bus} rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, /var/lib/lightdm/.Xauthority r, diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf index 16212294..536080df 100644 --- a/apparmor.d/groups/freedesktop/dconf +++ b/apparmor.d/groups/freedesktop/dconf @@ -9,17 +9,14 @@ include @{exec_path} = /{usr/,}bin/dconf profile dconf @{exec_path} flags=(attach_disconnected) { include + include capability sys_nice, @{exec_path} mr, - /etc/dconf/{,**} r, /etc/dconf/db/** rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_config_dirs}/dconf/ rw, owner @{user_config_dirs}/dconf/user{,.*} rw, diff --git a/apparmor.d/groups/freedesktop/dconf-editor b/apparmor.d/groups/freedesktop/dconf-editor index d219dc27..5a8c60e9 100644 --- a/apparmor.d/groups/freedesktop/dconf-editor +++ b/apparmor.d/groups/freedesktop/dconf-editor @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
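Review bot: In the dconf profile hunk, dropping `/etc/dconf/{,**} r,` loses read access to the directory `/etc/dconf/` itself unless something else grants it. The dconf-write abstraction added in this commit has `/etc/dconf/** r,`, and a trailing `**` does not match the bare directory; the remaining `/etc/dconf/db/** rw,` does not either. The include target is not visible in this rendering, so this assumes the added include is dconf-write. Either keep `/etc/dconf/ r,` in this profile or use `/etc/dconf/{,**} r,` in the abstraction.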
@@ -9,16 +10,15 @@ include @{exec_path} = /{usr/,}bin/dconf-editor profile dconf-editor @{exec_path} { include - include - include + include include + include include - include + include @{exec_path} mr, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + /usr/share/glib-2.0/schemas/{,*} r, # When GSETTINGS_BACKEND=keyfile owner @{user_config_dirs}/glib-2.0/ rw, @@ -26,11 +26,7 @@ profile dconf-editor @{exec_path} { owner @{user_config_dirs}/glib-2.0/settings/keyfile rw, owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-* rw, - /usr/share/glib-2.0/schemas/{,*} r, - owner @{HOME}/.Xauthority r, - - # file_inherit owner /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index b44496f7..a0a3e09d 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service @@ -10,15 +10,13 @@ include profile dconf-service @{exec_path} flags=(attach_disconnected) { include include + include signal (receive) set=(term kill hup) peer=dbus-daemon, signal (receive) set=(term hup) peer=gdm*, @{exec_path} mr, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_config_dirs}/dconf/ rw, owner @{user_config_dirs}/dconf/user{,.*} rw, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 1025fc33..f1d9cac6 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -14,6 +14,7 @@ profile pulseaudio @{exec_path} { include include include + include include include include 
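Review bot: The last dconf-editor hunk drops the `# file_inherit` comment but keeps `owner /dev/tty[0-9]* rw,`, so the rule now reads as if dconf-editor itself needs terminal access; keep `# file_inherit` directly above that rule. The same hunk removes `owner @{HOME}/.Xauthority r,`, which none of the dconf-write rules replace. The pulseaudio hunk `@@ -114,18 +115,12 @@` does the same with `owner @{HOME}/.Xauthority r,` and `owner @{HOME}/.ICEauthority r,`. The include targets are not visible here, so confirm that one of the swapped-in abstractions grants these, or mention the removals in the commit message, since they are unrelated to dconf.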
@@ -114,18 +115,12 @@ profile pulseaudio @{exec_path} { owner /var/lib/lightdm/.config/pulse/{,**} rw, owner /var/lib/lightdm/.config/pulse/cookie k, - owner @{HOME}/.Xauthority r, - owner @{HOME}/.ICEauthority r, - owner @{user_config_dirs}/pulse/{,**} rw, - owner @{user_config_dirs}/dconf/user r, owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r, owner @{run}/user/@{uid}/ rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, owner @{run}/user/@{uid}/ICEauthority r, owner @{run}/user/@{uid}/pulse/{,*} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index cc260c50..f83f6ea0 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -11,7 +11,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include - include + include include include @@ -57,8 +57,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { /var/lib/flatpak/exports/share/applications/{**,} r, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/pipewire-[0-9]* rw, owner @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index cb2c7337..3b1e4a55 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -11,7 +11,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { include include include - include + include include include include 
@@ -39,7 +39,6 @@ profile xdg-desktop-portal-gnome @{exec_path} { owner @{user_share_dirs}/ r, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 1d95d895..27d663d1 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -11,7 +11,7 @@ profile xdg-desktop-portal-gtk @{exec_path} { include include include - include + include include include include @@ -41,7 +41,6 @@ profile xdg-desktop-portal-gtk @{exec_path} { owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index a4ccf153..57972147 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -12,7 +12,7 @@ profile evolution-addressbook-factory @{exec_path} { include include include - include + include include include include @@ -47,9 +47,6 @@ profile evolution-addressbook-factory @{exec_path} { owner @{user_share_dirs}/evolution/{,**} rwk, owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - @{PROC}/sys/kernel/osrelease r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 0a7c3adf..0a246ada 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify 
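Review bot: The xdg-desktop-portal-gnome hunk removes only `owner @{run}/user/@{uid}/dconf/user rw,`, so replacing it with an abstraction can grant more than the profile had before. If the swapped-in include is dconf-write (targets are not visible in this rendering), the profile gains `rw` on the `@{run}/user/@{uid}/dconf/` directory, plus the `/etc/dconf/**` and `@{user_config_dirs}/dconf/user` reads unless the replaced include already granted them. The xdg-desktop-portal-gtk hunk on this line and the gnome-control-center-goa-helper hunk later in the diff are in the same position. This is probably harmless, but it is a widening rather than a pure refactor and deserves a line in the commit message.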
@@ -10,7 +10,7 @@ include profile evolution-alarm-notify @{exec_path} { include include - include + include include include include @@ -25,8 +25,6 @@ profile evolution-alarm-notify @{exec_path} { /usr/share/zoneinfo-icu/{,**} r, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, include if exists } diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 4172e513..7576ba23 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -12,7 +12,7 @@ profile evolution-calendar-factory @{exec_path} { include include include - include + include include include include @@ -37,9 +37,6 @@ profile evolution-calendar-factory @{exec_path} { owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - @{PROC}/sys/kernel/osrelease r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 61ab2e0b..0280ccf3 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,7 +10,7 @@ include profile evolution-source-registry @{exec_path} { include include - include + include include include include @@ -30,9 +30,6 @@ profile evolution-source-registry @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_cache_dirs}/evolution/{,**} rwk, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - @{PROC}/sys/kernel/osrelease r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index be6fc046..1805b763 100644 --- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session 
@@ -12,7 +12,7 @@ profile gdm-wayland-session @{exec_path} { include include include - include + include include include @@ -62,8 +62,6 @@ profile gdm-wayland-session @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, @{run}/gdm/custom.conf r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 02e9834f..5f3e7745 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -11,7 +11,7 @@ profile gdm-xsession @{exec_path} { include include include - include + include include @{exec_path} mr, @@ -34,9 +34,6 @@ profile gdm-xsession @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/X11/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # file_inherit /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 1d385bb4..a77327c0 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -10,7 +10,7 @@ include profile gjs-console @{exec_path} flags=(attach_disconnected) { include include - include + include include include include @@ -46,8 +46,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, @{run}/user/@{uid}/wayland-cursor-shared-* rw, diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index 00a762b6..f34ebb82 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider 
@@ -9,7 +9,7 @@ include @{exec_path} = @{libexec}/gnome-calculator-search-provider profile gnome-calculator-search-provider @{exec_path} { include - include + include include include @@ -22,8 +22,6 @@ profile gnome-calculator-search-provider @{exec_path} { /usr/share/X11/xkb/{,**} r, /usr/share/icons/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 8af7526e..7274e317 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/gnome-calendar profile gnome-calendar @{exec_path} { include - include + include include include include @@ -26,8 +26,6 @@ profile gnome-calendar @{exec_path} { /usr/share/libgweather/Locations.xml r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index ed46dfb1..0ddcf07b 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/gnome-contacts profile gnome-contacts @{exec_path} { include - include + include include include include @@ -32,8 +32,5 @@ profile gnome-contacts @{exec_path} { owner @{user_config_dirs}/gnome-contacts/{,**} rw, owner @{user_share_dirs}/folks/relationships.ini r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-contacts-search-provider b/apparmor.d/groups/gnome/gnome-contacts-search-provider index a926614e..cb8a473a 100644 --- a/apparmor.d/groups/gnome/gnome-contacts-search-provider 
+++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}lib/gnome-contacts-search-provider profile gnome-contacts-search-provider @{exec_path} { include - include + include include include @@ -22,9 +22,6 @@ profile gnome-contacts-search-provider @{exec_path} { owner @{user_share_dirs}/folks/relationships.ini r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/cmdline r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 435d438f..2b498d8b 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -10,7 +10,7 @@ include profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include - include + include include include include @@ -78,8 +78,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw, owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, owner @{run}/user/@{uid}/webkitgtk/{,**} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index ebfb36aa..1c02e938 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}lib/gnome-control-center-goa-helper profile gnome-control-center-goa-helper @{exec_path} { include - include + include include include include 
@@ -43,7 +43,6 @@ profile gnome-control-center-goa-helper @{exec_path} { owner @{user_share_dirs}/webkitgtk/{,**} rw, owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/webkitgtk/{,**} rw, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Settings-[0-9]*.scope/memory.* r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 4da0a80b..b109d9c4 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -9,7 +9,7 @@ include @{exec_path} = @{libexec}/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include - include + include include include include @@ -33,8 +33,6 @@ profile gnome-control-center-print-renderer @{exec_path} { owner @{user_share_dirs}/icons/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 692de63e..247eeeac 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -9,7 +9,7 @@ include @{exec_path} = @{libexec}/gnome-control-center-search-provider profile gnome-control-center-search-provider @{exec_path} { include - include + include include include include @@ -18,9 +18,7 @@ profile gnome-control-center-search-provider @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/{,**} r, - - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/gdm/Xauthority r, include if exists 
diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index cccd460e..e034e54a 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} { include - include + include include include include @@ -24,9 +24,6 @@ profile gnome-disk-image-mounter @{exec_path} { owner @{MOUNTS}/*/{,**} r, owner /tmp/*/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/mountinfo r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks index a1b86d6e..204e198d 100644 --- a/apparmor.d/groups/gnome/gnome-disks +++ b/apparmor.d/groups/gnome/gnome-disks @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/gnome-disks profile gnome-disks @{exec_path} { include - include + include include @{exec_path} mr, @@ -17,9 +17,6 @@ profile gnome-disks @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index a3ddf738..1eab85dc 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -11,7 +11,7 @@ profile gnome-extension-ding @{exec_path} { include include include - include + include include include include @@ -54,8 +54,6 @@ profile gnome-extension-ding @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/home-*.log r, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, 
diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 2d291652..2fe0625a 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -10,7 +10,7 @@ include profile gnome-music @{exec_path} { include include - include + include include include include @@ -48,8 +48,6 @@ profile gnome-music @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/root{,-*.log} r, owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, @{run}/systemd/inhibit/[0-9]*.ref rw, owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw, diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index 4101886e..fb3abe8d 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -10,6 +10,7 @@ include profile gnome-remote-desktop-daemon @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index f9d5260e..bb3dabec 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -11,7 +11,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -119,8 +119,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/session_migration-ubuntu r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 2b77f2dc..3633a210 100644 
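Review bot: The gnome-remote-desktop-daemon hunk only adds an include and removes no inline dconf rules, so unlike the other profiles in this commit it is a new grant rather than a move. The include target is not visible in this rendering; if it is dconf-write, a remote-access daemon gains `rw` under `@{run}/user/@{uid}/dconf/`, and the commit should say which denial prompted it. If the daemon only reads settings, the plain dconf abstraction that the new file's header says to use first would be the narrower choice.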
--- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -13,7 +13,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -171,8 +171,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/vlc/**/*.jpg r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index b50bfcb6..560fbeb9 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -10,7 +10,7 @@ include profile gnome-shell-calendar-server @{exec_path} { include include - include + include include @{exec_path} mr, @@ -20,8 +20,5 @@ profile gnome-shell-calendar-server @{exec_path} { /etc/timezone r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 6b47c216..51cd8765 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -10,7 +10,7 @@ include profile gnome-terminal-server @{exec_path} { include include - include + include include include include @@ -32,8 +32,6 @@ profile gnome-terminal-server @{exec_path} { owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, 
diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index 4ca8818b..cfe4e9d6 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -10,7 +10,7 @@ include profile gnome-tweaks @{exec_path} { include include - include + include include include include @@ -37,9 +37,6 @@ profile gnome-tweaks @{exec_path} { owner @{user_share_dirs}/recently-used.xbel* rw, owner @{user_share_dirs}/sounds/ r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index d181eff2..6236a78c 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -12,7 +12,7 @@ profile goa-daemon @{exec_path} { include include include - include + include include include include @@ -35,8 +35,5 @@ profile goa-daemon @{exec_path} { owner @{user_config_dirs}/goa-1.0/accounts.conf r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index a1388d9f..b6a01c29 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -10,7 +10,7 @@ include profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include include - include + include signal (receive) set=(term, hup) peer=gdm*, @@ -20,9 +20,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/gdm/.config/dconf/user r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index f5fdbcee..223e6243 100644 --- a/apparmor.d/groups/gnome/gsd-color 
+++ b/apparmor.d/groups/gnome/gsd-color @@ -11,7 +11,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -49,8 +49,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/icc/edid-*.icc rw, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 41df5db4..119998b7 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -10,7 +10,7 @@ include profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include include - include + include signal (receive) set=(term, hup) peer=gdm*, @@ -20,9 +20,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index e5ce47c2..c1508ef7 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,7 +11,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal (receive) set=(term, hup) peer=gdm*, @@ -28,9 +28,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_share_dirs}/applications/ rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/gdm/.config/dconf/user r, owner @{PROC}/@{pids}/mountinfo r, 
diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 6a2037a2..12ed0972 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -11,7 +11,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -33,8 +33,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gnome-settings-daemon/ rw, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 654541e0..e6c67b24 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -12,7 +12,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -58,8 +58,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.config/pulse/cookie rk, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/systemd/inhibit/[0-9]*.ref rw, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 29bcd906..cd1a4826 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -12,7 +12,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include 
@@ -61,8 +61,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.config/pulse/client.conf r, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index dc5c2d99..9ccb637f 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -12,7 +12,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=(term, hup) peer=gdm*, @@ -26,9 +26,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/gdm/.config/dconf/user r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 31e0cf77..c542accb 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -10,7 +10,7 @@ include profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include include - include + include include signal (receive) set=(term, hup) peer=gdm*, @@ -21,9 +21,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/gdm/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index e64fbb8b..9d604545 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound 
@@ -11,7 +11,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=(term, hup) peer=gdm*, @@ -29,9 +29,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/sounds/ rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index f461d904..4ab3a39e 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -9,14 +9,11 @@ include @{exec_path} = @{libexec}/gsd-usb-protection profile gsd-usb-protection @{exec_path} { include - include + include @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index c723369b..24dd5a3c 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -10,7 +10,7 @@ include profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include - include + include include include include @@ -30,8 +30,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 0b9f3fa8..16aeb9ab 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -11,7 +11,7 @@ profile gsd-xsettings @{exec_path} { include include include - include + include include include include 
@@ -60,8 +60,6 @@ profile gsd-xsettings @{exec_path} { owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/systemd/sessions/* r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 045b12e5..c612512d 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -11,7 +11,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -50,9 +50,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/nautilus/{,**} rwk, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - @{run}/mount/utab r, @{sys}/devices/**/hwmon/{,name,temp*,fan*} r, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index a9a36e9b..7e120cf6 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/seahorse profile seahorse @{exec_path} { include - include + include include include include @@ -25,9 +25,6 @@ profile seahorse @{exec_path} { # Seahorse and SSH keys owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 070db186..2deea030 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -9,7 +9,7 @@ include @{exec_path} = @{libexec}/tracker-extract-3 profile tracker-extract @{exec_path} { include - include + include include include include 
@@ -48,8 +48,6 @@ profile tracker-extract @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/** r, owner @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, @{run}/blkid/blkid.tab r, @{run}/udev/data/c235:* r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 57435eb6..fe296d94 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -11,7 +11,7 @@ profile tracker-miner @{exec_path} { include include include - include + include include include include @@ -54,8 +54,6 @@ profile tracker-miner @{exec_path} { owner @{PROC}/@{pid}/mounts r, @{PROC}/sys/fs/inotify/max_user_watches r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, @{run}/blkid/blkid.tab r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index dc3aff19..e09eb006 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -13,7 +13,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} { include include include - include + include include include include @@ -48,9 +48,6 @@ profile gvfs-udisks2-volume-monitor @{exec_path} { owner @{MOUNTS}/**/ r, owner @{HOME}/**/ r, - owner @{run}/user/@{uid}/dconf/ w, - owner @{run}/user/@{uid}/dconf/user rw, - @{run}/mount/utab r, @{run}/systemd/sessions/* r, diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index 6238d434..8b46a207 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -11,7 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-dav profile gvfsd-dav @{exec_path} { include - include + include include include include 
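Review bot: In gvfs-udisks2-volume-monitor the removed rule was `owner @{run}/user/@{uid}/dconf/ w,`, while the dconf-write abstraction added by this commit grants `rw` on that directory, so the swap widens the profile slightly instead of preserving it. dino-im had the same `w`-only directory rule, and check-new-release-gtk, arduino, evince and qbittorrent previously carried only the `dconf/user rw` rule with no directory rule at all. This assumes the replaced include is the new abstraction, since include targets are not legible here. If the narrower rules were deliberate, keep them local to those profiles. Otherwise state in the commit message that the permissions were normalised upward.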
@@ -28,8 +28,6 @@ profile gvfsd-dav @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mime/mime.cache r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp index a700e838..8fca7c25 100644 --- a/apparmor.d/groups/gvfs/gvfsd-ftp +++ b/apparmor.d/groups/gvfs/gvfsd-ftp @@ -11,7 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-ftp profile gvfsd-ftp @{exec_path} { include - include + include include include @@ -25,8 +25,5 @@ profile gvfsd-ftp @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index bc61b9de..dfdbdd96 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,7 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-http profile gvfsd-http @{exec_path} { include - include + include include include include @@ -27,8 +27,6 @@ profile gvfsd-http @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/socket-* rw, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index d5483993..2e83b079 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -11,7 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-mtp profile gvfsd-mtp @{exec_path} { include - include + include include include include 
@@ -26,8 +26,6 @@ profile gvfsd-mtp @{exec_path} { owner @{HOME}/{,**} rw, owner @{MOUNTS}/*/{,**} rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/socket-* rw, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index df617a47..c57d71de 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,14 +11,12 @@ include @{exec_path} += @{libexec}/gvfsd-network profile gvfsd-network @{exec_path} { include - include + include @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 989a9ad2..10fd9199 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -11,7 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-smb profile gvfsd-smb @{exec_path} { include - include + include include network netlink raw, @@ -26,8 +26,6 @@ profile gvfsd-smb @{exec_path} { /etc/samba/smb.conf r, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 6ec204d0..b289ed55 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -11,7 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-smb-browse profile gvfsd-smb-browse @{exec_path} { include - include + include include network netlink raw, 
@@ -27,8 +27,6 @@ profile gvfsd-smb-browse @{exec_path} { /etc/samba/smb.conf r, owner @{run}/samba/ rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, include if exists diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 79f3b2f9..079a6fa4 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -11,7 +11,7 @@ profile check-new-release-gtk @{exec_path} { include include include - include + include include include include @@ -41,7 +41,6 @@ profile check-new-release-gtk @{exec_path} { owner @{user_cache_dirs}/update-manager-core/{,**} rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/wayland-[0-9] rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 863cccfe..ece827ff 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}lib/update-notifier/livepatch-notification profile livepatch-notification @{exec_path} { include - include + include include @{exec_path} mr, @@ -20,8 +20,6 @@ profile livepatch-notification @{exec_path} { owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw, include if exists diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index d8f01e8e..d3424c64 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification 
@@ -10,7 +10,7 @@ include profile ubuntu-advantage-notification @{exec_path} { include include - include + include include @{exec_path} mr, @@ -20,8 +20,6 @@ profile ubuntu-advantage-notification @{exec_path} { /usr/share/X11/xkb/{,**} r, owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw, include if exists diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index a17b3a6a..4ce92cf6 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -10,7 +10,7 @@ include profile update-notifier @{exec_path} { include include - include + include include include include @@ -58,8 +58,6 @@ profile update-notifier @{exec_path} { owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/update-notifier.pid rwk, owner @{run}/user/@{uid}/wayland-[0-9]* rw, diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino index a7af4d7c..60fe89ff 100644 --- a/apparmor.d/profiles-a-f/arduino +++ b/apparmor.d/profiles-a-f/arduino @@ -10,6 +10,7 @@ include profile arduino @{exec_path} { include include + include include include include @@ -51,9 +52,6 @@ profile arduino @{exec_path} { owner @{HOME}/.java/fonts/*/fcinfo[0-9]*.tmp rw, owner @{HOME}/.java/fonts/*/fcinfo-*.properties rw, - include - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/arduino/{,**} r, /usr/share/arduino-builder/{,**} r, diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 3eb4b452..bc7b93e8 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -18,6 +18,7 @@ include @{exec_path} = /{usr/,}bin/atril{,-*} profile atril @{exec_path} { include + include include include include 
@@ -52,10 +53,6 @@ profile atril @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index d3527585..f0e4c92f 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/blueman-* profile blueman @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -63,10 +64,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/cmdline r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/cawbird b/apparmor.d/profiles-a-f/cawbird index 7bef336b..3696fd26 100644 --- a/apparmor.d/profiles-a-f/cawbird +++ b/apparmor.d/profiles-a-f/cawbird @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/cawbird profile cawbird @{exec_path} { include + include include include include @@ -42,11 +43,6 @@ profile cawbird @{exec_path} { /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, - # This is needed as cawbird stores its settings in the dconf database. - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/profiles-a-f/czkawka-gui b/apparmor.d/profiles-a-f/czkawka-gui index fe89bcb7..774208fb 100644 --- a/apparmor.d/profiles-a-f/czkawka-gui +++ b/apparmor.d/profiles-a-f/czkawka-gui @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/czkawka_gui profile czkawka-gui @{exec_path} { include + include include include include 
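Review bot: The cawbird hunk drops the comment `# This is needed as cawbird stores its settings in the dconf database.` together with the rules, and the include added near the top of the profile carries no rationale. The abstraction's own header says write access is meant only for specific applications, so keep the reason by moving that comment to the line above the new include. hypnotix loses `# To be able to store settings` and qbittorrent loses `# dconf write` in the same way.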
@@ -38,11 +39,6 @@ profile czkawka-gui @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - - profile open { include include diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index ce8e9646..e63a799a 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -16,6 +16,7 @@ include profile deltachat-desktop @{exec_path} { include include + include include include include @@ -46,10 +47,6 @@ profile deltachat-desktop @{exec_path} { owner @{HOME}/.config/DeltaChat/ rw, owner @{HOME}/.config/DeltaChat/** rwk, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner /tmp/[0-9a-f]*/ rw, diff --git a/apparmor.d/profiles-a-f/dino-im b/apparmor.d/profiles-a-f/dino-im index 692ba3b2..b3dcf12c 100644 --- a/apparmor.d/profiles-a-f/dino-im +++ b/apparmor.d/profiles-a-f/dino-im @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/dino-im profile dino-im @{exec_path} { include + include include include include @@ -29,10 +30,6 @@ profile dino-im @{exec_path} { /{usr/,}bin/gpgconf rCx -> gpg, /{usr/,}bin/gpgsm rCx -> gpg, - include - owner @{run}/user/@{uid}/dconf/ w, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_share_dirs}/dino/ rw, owner @{user_share_dirs}/dino/** rwk, diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 33acd41f..6d73f41a 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/engrampa profile engrampa @{exec_path} { include + include include include include 
@@ -43,10 +44,6 @@ profile engrampa @{exec_path} { /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, /{usr/,}bin/xdg-open rCx -> open, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_config_dirs}/engrampa/ rw, / r, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 01509248..6f6b9e29 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/evince /{usr/,}bin/evinced profile evince @{exec_path} { include - include + include include include include @@ -33,8 +33,6 @@ profile evince @{exec_path} { owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_config_dirs}/evince/{,*} rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner /tmp/evince-*/{,**} rw, /tmp/gtkprint* rw, /tmp/*.pdf r, diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index a215d61a..bda09990 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/font-manager profile font-manager @{exec_path} { include + include include include include @@ -59,10 +60,6 @@ profile font-manager @{exec_path} { @{sys}/firmware/acpi/pm_profile r, @{sys}/fs/cgroup/{,**} r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # Silencer owner /var/cache/fontconfig/ w, deny /var/cache/fontconfig/ w, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 6c75dc05..c3adcd6e 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -11,7 +11,7 @@ include profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { include include - include + include include include include 
@@ -38,9 +38,6 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { owner @{user_cache_dirs}/fwupd/ rw, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 8fe3789b..24f97a78 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/gajim profile gajim @{exec_path} { include + include include include include @@ -92,10 +93,6 @@ profile gajim @{exec_path} { /tmp/ r, owner /tmp/* rw, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # Silencer deny /usr/share/gajim/** w, deny /usr/lib/python3/dist-packages/** w, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 6db45327..42e6f0ca 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/gpartedbin profile gpartedbin @{exec_path} { include + include include include include @@ -130,10 +131,6 @@ profile gpartedbin @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - @{run}/mount/utab r, # For fsck of the btrfs filesystem diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index 5bc7cdfc..e913cee3 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix @@ -15,6 +15,7 @@ include @{exec_path} += /{usr/,}lib/hypnotix/hypnotix.py profile hypnotix @{exec_path} { include + include include include include 
@@ -62,11 +63,6 @@ profile hypnotix @{exec_path} { owner @{MOUNTS}/**/ r, owner /{home,media}/**.@{hypnotix_ext} r, - # To be able to store settings - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/hypnotix/{,**} r, owner @{HOME}/.hypnotix/ rw, diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome index f94e21e4..1948827e 100644 --- a/apparmor.d/profiles-g-l/jami-gnome +++ b/apparmor.d/profiles-g-l/jami-gnome @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/jami-gnome profile jami-gnome @{exec_path} { include + include include include include @@ -40,10 +41,6 @@ profile jami-gnome @{exec_path} { /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix, /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/ring/{,**} r, diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui index 21f54328..3337a719 100644 --- a/apparmor.d/profiles-m-r/mediainfo-gui +++ b/apparmor.d/profiles-m-r/mediainfo-gui @@ -34,6 +34,7 @@ include @{exec_path} = /{usr/,}bin/mediainfo-gui profile mediainfo-gui @{exec_path} { include + include include include include @@ -56,11 +57,6 @@ profile mediainfo-gui @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - - profile open { include include diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index 1e528126..d50ad958 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}lib/telepathy/mission-control-5 profile mission-control @{exec_path} { include - include + include network netlink raw, 
@@ -21,7 +21,6 @@ profile mission-control @{exec_path} { owner @{user_share_dirs}/telepathy/mission-control/*.cfg r, - @{run}/user/@{uid}/dconf/user rw, @{run}/systemd/inhibit/[0-9]*.ref rw, include if exists diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index 9ad55666..75d4cbc7 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/obconf profile obconf @{exec_path} { include + include include include include @@ -33,10 +34,6 @@ profile obconf @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-m-r/pulseeffects b/apparmor.d/profiles-m-r/pulseeffects index e2f983bf..b6af6191 100644 --- a/apparmor.d/profiles-m-r/pulseeffects +++ b/apparmor.d/profiles-m-r/pulseeffects @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/pulseeffects profile pulseeffects @{exec_path} { include + include include include include @@ -33,10 +34,6 @@ profile pulseeffects @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 0ec27039..96560c7c 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -24,7 +24,7 @@ profile qbittorrent @{exec_path} { include include include - include + include include include include @@ -108,8 +108,6 @@ profile qbittorrent @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - # dconf write - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/ICEauthority r, # DBus 
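Review bot: The rule removed from mission-control, `@{run}/user/@{uid}/dconf/user rw,`, had no `owner` qualifier, whereas the runtime-directory rules in the new abstraction are owner-qualified, so this hunk changes behaviour rather than just moving a rule. That is a tightening and probably intended, but it should be confirmed that the process only ever touches the dconf file of the user it runs as. A comment such as `# dconf access is now owner-only via the abstraction` above the include would make the change visible to the next maintainer.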
diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 1d798642..0dfade79 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -11,7 +11,7 @@ include @{exec_path} += /usr/share/system-config-printer/system-config-printer.py profile system-config-printer @{exec_path} flags=(complain) { include - include + include include include include @@ -42,8 +42,6 @@ profile system-config-printer @{exec_path} flags=(complain) { owner @{HOME}/.cups/ rw, owner @{HOME}/.cups/lpoptions rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner /tmp/* rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/profiles-s-z/udiskie index 593d9923..009a5c1f 100644 --- a/apparmor.d/profiles-s-z/udiskie +++ b/apparmor.d/profiles-s-z/udiskie @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/udiskie profile udiskie @{exec_path} { include + include include include include @@ -37,10 +38,6 @@ profile udiskie @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - # Allowed apps to open /{usr/,}bin/spacefm rPx, diff --git a/apparmor.d/profiles-s-z/utox b/apparmor.d/profiles-s-z/utox index a758d8d0..6b7244bd 100644 --- a/apparmor.d/profiles-s-z/utox +++ b/apparmor.d/profiles-s-z/utox @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/utox profile utox @{exec_path} { include + include include include include @@ -39,11 +40,6 @@ profile utox @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - - profile open { include include diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 7bc9bd7b..377581d2 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter 
@@ -34,6 +34,7 @@ include @{exec_path} = /{usr/,}bin/vidcutter profile vidcutter @{exec_path} { include + include include include include @@ -91,10 +92,6 @@ profile vidcutter @{exec_path} { owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_config_dirs}/qt5ct/{,**} r, /usr/share/qt5ct/** r, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index d197e1a3..b2c1583c 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,7 +12,7 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include - include + include include include include @@ -88,8 +88,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_VM_DIR}/{,**} rw, owner @{MOUNTS}/*/@{XDG_VM_DIR}/{,**} rw, - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, @{run}/mount/utab r, @{run}/udev/data/c51[0-9]:[0-9]* r, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 64447750..05f7a3db 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/xarchiver profile xarchiver @{exec_path} { include + include include include include @@ -42,10 +43,6 @@ profile xarchiver @{exec_path} { /{usr/,}bin/xdg-open rCx -> open, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{user_config_dirs}/xarchiver/ rw, owner @{user_config_dirs}/xarchiver/xarchiverrc{,.*} rw,