From 6898bac12f4efa3eff8d048cacdf1e5498ab4f13 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 13 Jun 2022 21:38:14 +0100
Subject: [PATCH] feat(profiles): add some missing dbus, MOUNTS and dconf rules.
---
 apparmor.d/groups/apps/telegram-desktop | 5 +----
 apparmor.d/groups/apt/apt-cdrom | 10 +++++-----
 apparmor.d/groups/bus/ibus-x11 | 5 +----
 apparmor.d/groups/freedesktop/xdg-desktop-portal | 1 +
 apparmor.d/groups/gnome/gdm-x-session | 2 ++
 .../groups/gnome/gnome-control-center-print-renderer | 2 ++
 apparmor.d/groups/gnome/gnome-disk-image-mounter | 2 +-
 apparmor.d/groups/gnome/gnome-music | 2 +-
 apparmor.d/groups/gnome/gnome-photos-thumbnailer | 2 +-
 apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer | 1 -
 apparmor.d/groups/gnome/gnome-system-monitor | 5 ++---
 apparmor.d/groups/gnome/tracker-extract | 2 +-
 apparmor.d/groups/gnome/tracker-miner | 2 +-
 apparmor.d/profiles-g-l/light-locker | 5 +----
 14 files changed, 20 insertions(+), 26 deletions(-)
diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop
index 943b9811..00fa0bcd 100644
--- a/apparmor.d/groups/apps/telegram-desktop
+++ b/apparmor.d/groups/apps/telegram-desktop
@@ -12,6 +12,7 @@ include
 profile telegram-desktop @{exec_path} {
   include
+  include
   include
   include
   include
   include
@@ -74,10 +75,6 @@ profile telegram-desktop @{exec_path} {
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
-  include
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
   # Needed when saving files as, or otherwise the app crashes
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom
index 3dcdf22d..90e96c33 100644
--- a/apparmor.d/groups/apt/apt-cdrom
+++ b/apparmor.d/groups/apt/apt-cdrom
@@ -39,11 +39,11 @@ profile apt-cdrom @{exec_path} flags=(complain) {
   /media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r,
   # For pendrives
-  @{MOUNTS}/*/ r,
-  @{MOUNTS}/*/**/ r,
-  @{MOUNTS}/*/.disk/info r,
-  @{MOUNTS}/*/dists/**/binary-*/Packages{,.gz} r,
-  @{MOUNTS}/*/dists/**/i18n/Translation-en{,.gz} r,
+  @{MOUNTS}/ r,
+  @{MOUNTS}/**/ r,
+  @{MOUNTS}/.disk/info r,
+  @{MOUNTS}/dists/**/binary-*/Packages{,.gz} r,
+  @{MOUNTS}/dists/**/i18n/Translation-en{,.gz} r,
   /var/lib/apt/lists/** rw,
diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11
index 791e78fa..ee1c9726 100644
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@@ -10,6 +10,7 @@ include
 @{exec_path} += @{libexec}/ibus-x11
 profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
   include
+  include
   include
   include
   include
@@ -22,16 +23,12 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
-
   /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
   owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
   owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
-  owner @{run}/user/@{uid}/bus rw,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
   owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index fd3deefa..3741b43b 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/xdg-desktop-portal
 profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
   include
+  include
   include
   include
   include
diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session
index 5992fe6f..7fafce5a 100644
--- a/apparmor.d/groups/gnome/gdm-x-session
+++ b/apparmor.d/groups/gnome/gdm-x-session
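Review bot: Dropping the `*/` component from every `@{MOUNTS}` rule (here and in the gnome-disk-image-mounter, gnome-music, gnome-photos-thumbnailer, gnome-shell-hotplug-sniffer, tracker-extract and tracker-miner hunks) only keeps access to the removable media if the `@{MOUNTS}` tunable already expands to the mounted-media directories themselves rather than to their parent; the tunables file is not part of this patch, so that dependency is invisible here. If the variable still names the parent directory, apt-cdrom loses the pendrive paths it had and `@{MOUNTS}/**/ r,` starts matching under the parent instead. Recording the assumption next to the rules would make the intent reviewable, e.g. `# For pendrives: @{MOUNTS} expands to the mounted media directories, not their parent`. The apt-cdrom profile body continues outside the hunk.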
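Review bot: The second ibus-x11 hunk removes `/etc/machine-id r,`, `/var/lib/dbus/machine-id r,` and `owner @{run}/user/@{uid}/bus rw,` and is only equivalent if the abstraction added in the first hunk grants those same paths; the include target is stripped in this rendering, so that is inferred from the commit subject. It is worth confirming that the replacement abstraction does not carry more dbus permissions than the three explicit rules it replaces, since the same explicit-rule-to-abstraction swap is done for dconf in telegram-desktop, gnome-system-monitor and light-locker. The profile body continues outside the hunk.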
@@ -9,6 +9,8 @@ include
 @{exec_path} = @{libexec}/gdm-x-session
 profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
   include
+  include
+  include
   signal (receive) set=term peer=gdm{,-session-worker},
   # signal (send) set=term peer=unconfined,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
index b109d9c4..ee7cddc9 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gnome-control-center-print-renderer
 profile gnome-control-center-print-renderer @{exec_path} {
   include
+  include
   include
   include
   include
@@ -34,6 +35,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
   owner @{user_share_dirs}/icons/{,**} r,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/comm r,
diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter
index e034e54a..853c4a1c 100644
--- a/apparmor.d/groups/gnome/gnome-disk-image-mounter
+++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter
@@ -21,7 +21,7 @@ profile gnome-disk-image-mounter @{exec_path} {
   # Allow to mount user files
   owner @{HOME}/{,**} r,
-  owner @{MOUNTS}/*/{,**} r,
+  owner @{MOUNTS}/{,**} r,
   owner /tmp/*/{,**} r,
   owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music
index 2fe0625a..3fbaa6b4 100644
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@@ -39,7 +39,7 @@ profile gnome-music @{exec_path} {
   /etc/machine-id r,
   owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r,
-  owner @{MOUNTS}/*/@{XDG_MUSIC_DIR}/{,**} r,
+  owner @{MOUNTS}/@{XDG_MUSIC_DIR}/{,**} r,
   owner @{user_cache_dirs}/gnome-music/{,**} rwk,
   owner @{user_cache_dirs}/media-art/album-*.jpeg rw,
diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer
index c58fc245..b2e371b9 100644
--- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer
+++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer
@@ -16,7 +16,7 @@ profile gnome-photos-thumbnailer @{exec_path} {
   /usr/share/mime/mime.cache r,
   owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r,
-  owner @{MOUNTS}/*/@{XDG_PICTURES_DIR}/{,**} r,
+  owner @{MOUNTS}/@{XDG_PICTURES_DIR}/{,**} r,
   owner @{user_cache_dirs}/babl/{,**} r,
   owner @{user_cache_dirs}/gegl-*/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
index 6769ca2f..94abd03f 100644
--- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
+++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
@@ -14,7 +14,6 @@ profile gnome-shell-hotplug-sniffer @{exec_path} {
   /usr/share/mime/mime.cache r,
-  owner @{MOUNTS}/*/ r,
   owner @{MOUNTS}/**/ r,
   owner @{MOUNTS}/** r,
diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor
index 1053f8bd..47b27808 100644
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@@ -9,7 +9,8 @@ include
 @{exec_path} = /{usr/,}bin/gnome-system-monitor
 profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   include
-  include
+  include
+  include
   include
   include
@@ -35,8 +36,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
   owner @{run}/user/@{uid}/doc/ rw,
   @{run}/systemd/sessions/* r,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 2deea030..24b5d340 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
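Review bot: In the gnome-shell-hotplug-sniffer hunk, removing `owner @{MOUNTS}/*/ r,` without adding a rule for `@{MOUNTS}/` itself leaves the two remaining globs as the only coverage, and this repository does not rely on `**` alone to cover a directory itself: the apt-cdrom hunk of this same patch adds an explicit `@{MOUNTS}/ r,`, and gnome-disk-image-mounter, tracker-extract and tracker-miner use the `{,**}` form. If the sniffer still needs to open the mount point directory (the deleted rule granted that), the two remaining lines can be collapsed to the repository's idiom, `owner @{MOUNTS}/{,**} r,`, which keeps the mount point readable and is consistent with the other profiles touched here. The profile body continues outside the hunk.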
@@ -40,7 +40,7 @@ profile tracker-extract @{exec_path} {
   # Allow to search user files
   owner @{HOME}/{,**} r,
-  owner @{MOUNTS}/*/{,**} r,
+  owner @{MOUNTS}/{,**} r,
   owner /tmp/*/{,**} r,
   owner /tmp/tracker-extract-3-files.*/{,*} rw,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index 397e03ea..8191ba33 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -44,7 +44,7 @@ profile tracker-miner @{exec_path} {
   # Allow to search user files
   owner @{HOME}/{,**} r,
-  owner @{MOUNTS}/*/{,**} r,
+  owner @{MOUNTS}/{,**} r,
   owner /tmp/*/{,**} r,
   owner @{user_config_dirs}/tracker3/{,**} rwk,
diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker
index 85c9dbd5..b5f78f2c 100644
--- a/apparmor.d/profiles-g-l/light-locker
+++ b/apparmor.d/profiles-g-l/light-locker
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/light-locker
 profile light-locker @{exec_path} {
   include
+  include
   include
   include
   include
@@ -27,10 +28,6 @@ profile light-locker @{exec_path} {
   # when locking the screen and switching/closing sessions
   @{run}/systemd/sessions/* r,
-  include
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
   @{sys}/devices/pci[0-9]*/**/uevent r,
   @{sys}/devices/pci[0-9]*/**/vendor r,
   @{sys}/devices/pci[0-9]*/**/device r,