feat(abs): add iceauth to X-strict.

2024-11-14 23:43:56 +01:00 · 2024-09-18 17:06:04 +01:00 · 2024-09-18 17:06:04 +01:00 · 619aa709f1
commit 619aa709f1
parent 02d8aaee7f
14 changed files with 1 additions and 22 deletions
--- a/apparmor.d/abstractions/X-strict
+++ b/apparmor.d/abstractions/X-strict
@ -24,6 +24,7 @@

  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,  # Xwayland
  owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
+  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
  owner @{run}/user/@{uid}/ICEauthority r,
  owner @{run}/user/@{uid}/X11/Xauthority r,
  owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int},
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@ -105,7 +105,6 @@
  owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
  owner /dev/shm/wayland.mozilla.ipc.@{int} rw,

-  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
  owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,

  @{run}/mount/utab r,
--- a/apparmor.d/groups/akonadi/akonadi_control
+++ b/apparmor.d/groups/akonadi/akonadi_control
@ -30,8 +30,6 @@ profile akonadi_control @{exec_path} {
  owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk,

  owner @{user_share_dirs}/akonadi/{,**} rwl,
-  
-  owner @{run}/user/@{uid}/iceauth_@{rand6} r,

  /dev/tty r,

--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
@ -47,8 +47,6 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,
  owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
  # owner /tmp/xauth_@{rand6} r,

-  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
-
  /dev/shm/#@{int} rw,

  @{run}/systemd/users/@{uid} r,
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -93,7 +93,6 @@ profile pulseaudio @{exec_path} {
  owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r,

  owner @{run}/user/@{uid}/ rw,
-  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
  owner @{run}/user/@{uid}/pulse/ rw,
  owner @{run}/user/@{uid}/pulse/** rwk,
  owner @{run}/user/@{uid}/systemd/notify rw,
--- a/apparmor.d/groups/kde/DiscoverNotifier
+++ b/apparmor.d/groups/kde/DiscoverNotifier
@ -59,8 +59,6 @@ profile DiscoverNotifier @{exec_path} {
  owner @{tmp}/ostree-gpg-@{rand6}/pubring.gpg rw,
  owner @{tmp}/ostree-gpg-@{rand6}/trustdb.gpg rw,

-  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
-
  /dev/tty r,

  profile gpg {
--- a/apparmor.d/groups/kde/gmenudbusmenuproxy
+++ b/apparmor.d/groups/kde/gmenudbusmenuproxy
@ -25,8 +25,6 @@ profile gmenudbusmenuproxy @{exec_path} {
  owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl,
  owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk,

-  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
-
  include if exists <local/gmenudbusmenuproxy>
 }

--- a/apparmor.d/groups/kde/kalendarac
+++ b/apparmor.d/groups/kde/kalendarac
@ -36,8 +36,6 @@ profile kalendarac @{exec_path} {
  owner @{user_config_dirs}/kalendaracrc.lock rwk,
  owner @{user_config_dirs}/kmail2rc r,

-  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
-
  /dev/tty r,

  include if exists <local/kalendarac>
--- a/apparmor.d/groups/kde/konsole
+++ b/apparmor.d/groups/kde/konsole
@ -80,8 +80,6 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{tmp}/#@{int} rw,
  owner @{tmp}/konsole.@{rand6} rw,

-  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
-
  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/stat r,

--- a/apparmor.d/groups/kde/kwalletd
+++ b/apparmor.d/groups/kde/kwalletd
@ -43,8 +43,6 @@ profile kwalletd @{exec_path} {

  owner @{tmp}/kwalletd5.* rw,

-  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
-
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,

--- a/apparmor.d/groups/kde/okular
+++ b/apparmor.d/groups/kde/okular
@ -89,7 +89,6 @@ profile okular @{exec_path} {
  owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment, 

  owner @{run}/user/@{uid}/#@{int} rw,
-  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
  owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},

  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@ -189,7 +189,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
        @{run}/user/@{uid}/gvfs/ r,
  owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/app/*/*.@{rand6} r,
-  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
  owner @{run}/user/@{uid}/kdesud_:@{int} w,
  owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},

--- a/apparmor.d/groups/kde/xembedsniproxy
+++ b/apparmor.d/groups/kde/xembedsniproxy
@ -20,8 +20,6 @@ profile xembedsniproxy @{exec_path} {

  owner @{tmp}/xauth_@{rand6} r,

-  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
-
  @{run}/user/@{uid}/xauth_@{rand6} rl,

  include if exists <local/xembedsniproxy>
--- a/apparmor.d/groups/kde/xwaylandvideobridge
+++ b/apparmor.d/groups/kde/xwaylandvideobridge
@ -20,8 +20,6 @@ profile xwaylandvideobridge @{exec_path} {
  owner @{user_cache_dirs}/xwaylandvideobridge/ rw,
  owner @{user_cache_dirs}/xwaylandvideobridge/** rwk,

-  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
-
  include if exists <local/xwaylandvideobridge>
 }