From 69f90c5a11582693b22177de3b909f202ae6b216 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 9 Apr 2024 23:42:03 +0100 Subject: [PATCH] feat(profile): use gnome abs in common gnome app. --- apparmor.d/groups/gnome/gnome-calendar | 9 +-------- apparmor.d/groups/gnome/gnome-characters | 11 +++-------- apparmor.d/groups/gnome/gnome-contacts | 8 +------- apparmor.d/groups/gnome/gnome-extensions-app | 6 +----- apparmor.d/groups/gnome/gnome-music | 12 +++++------- apparmor.d/groups/gnome/gnome-recipes | 12 +++--------- apparmor.d/groups/gnome/gnome-tour | 6 +----- apparmor.d/profiles-a-f/file-roller | 7 +------ 8 files changed, 16 insertions(+), 55 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index b5d630ce..8442aacc 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -10,16 +10,13 @@ include profile gnome-calendar @{exec_path} { include include - include include include include include include include - include - include - include + include include include include @@ -39,12 +36,8 @@ profile gnome-calendar @{exec_path} { @{exec_path} mr, - @{open_path} rPx -> child-open-help, - /usr/share/evolution-data-server/{,**} r, /usr/share/libgweather/Locations.xml r, - owner @{PROC}/@{pid}/cmdline r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index de5e7637..5900c39f 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -6,16 +6,13 @@ abi , include -@{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters +@{exec_path} = @{bin}/gnome-characters /usr/share/org.gnome.Characters/org.gnome.Characters profile gnome-characters @{exec_path} { include - include include include - include + include include - include - include include #aa:dbus own bus=session name=org.gnome.Characters 
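Review bot: Every `include` in this rendering has lost its `<abstractions/…>` argument, so which abstraction replaces the three removed ones cannot be verified here, yet the gnome-calendar hunk also drops app-specific rules — `@{open_path} rPx -> child-open-help,`, `/usr/share/evolution-data-server/{,**} r,` and `owner @{PROC}/@{pid}/cmdline r,` — that are only safe to remove if the new abstraction grants them. The cmdline and `@{open_path}` rules are generic enough to live in a shared abstraction, but the evolution-data-server read is calendar-specific and not derivable from the profile name, so it is worth confirming it is still granted or keeping that one line. The same pattern recurs in the gnome-contacts, gnome-music, gnome-recipes and gnome-tour hunks, where per-app `/usr/share/<app>/` and `@{user_cache_dirs}/<app>/` rules are removed on the assumption the abstraction keys them off `@{profile_name}`. Naming the abstraction in the commit message, e.g. `Replaced by <abstractions/ABSTRACTION-NAME>` with the real path, would let a reviewer check the diff without opening the abstraction; note the profile bodies continue outside each hunk.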
@@ -30,10 +27,8 @@ profile gnome-characters @{exec_path} { @{open_path} rPx -> child-open-help, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/org.gnome.Characters/org.gnome.Characters.*.gresource r, - /usr/share/nvidia/nvidia-application-profiles-*-rc r, + /usr/share/org.gnome.Characters/{,**} r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/status r, diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index b3dc05ee..a52425f5 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -10,12 +10,9 @@ include profile gnome-contacts @{exec_path} { include include - include include include - include - include - include + include include include include @@ -29,10 +26,7 @@ profile gnome-contacts @{exec_path} { @{exec_path} mr, - @{open_path} rPx -> child-open-help, - owner @{user_cache_dirs}/evolution/addressbook/{,**} r, - owner @{user_config_dirs}/gnome-contacts/{,**} rw, owner @{user_share_dirs}/folks/relationships.ini r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index d4c7c65a..6ef702b0 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/gnome-extensions-app profile gnome-extensions-app @{exec_path} { include - include - include - include + include include @{exec_path} mr, @@ -19,8 +17,6 @@ profile gnome-extensions-app @{exec_path} { @{sh_path} rix, @{bin}/gjs-console rix, - @{open_path} rPx -> child-open-help, - /usr/share/gnome-shell/org.gnome.Extensions* r, /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 4b5eb10a..bdf96a84 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music 
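Review bot: The removed `owner @{user_cache_dirs}/evolution/addressbook/{,**} r,` in the gnome-contacts hunk names another application's cache directory, which a profile-name-keyed gnome abstraction would not cover; unless the abstraction now included (its `<…>` argument is missing from this rendering) explicitly carries evolution rules, gnome-contacts presumably loses read access to the address-book cache and will surface it as a runtime denial rather than a load error. Keeping that single line would be harmless if it turns out to be duplicated by the abstraction. In the gnome-characters hunk on the same line, `/usr/share/org.gnome.Characters/{,**} r,` widens the old `org.gnome.Characters.*.gresource` glob to the whole directory; read-only under `/usr/share` so acceptable, but it is worth a short comment if the wider glob is intentional rather than a convenience.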
@@ -10,9 +10,9 @@ include profile gnome-music @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include + include + include include include include @@ -25,14 +25,14 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, + #aa:dbus talk bus=session name=org.freedesktop.Tracker3.Writeback label=tracker-writeback + @{exec_path} mr, @{bin}/ r, @{bin}/env r, @{bin}/python3.@{int} rix, @{lib}/python3.@{int}/site-packages/gnomemusic/__pycache__/{,**} rw, - @{open_path} rPx -> child-open-help, - /usr/share/grilo-plugins/grl-lua-factory/{,*} r, /usr/share/org.gnome.Music/{,**} r, /usr/share/tracker3/{,**} r, @@ -41,7 +41,6 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { owner @{user_music_dirs}/{,**} r, - owner @{user_cache_dirs}/gnome-music/{,**} rwk, owner @{user_cache_dirs}/media-art/{,*} rw, owner @{user_share_dirs}/grilo-plugins/ rwk, owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, @@ -52,7 +51,6 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { owner /var/tmp/etilqs_@{hex} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-recipes b/apparmor.d/groups/gnome/gnome-recipes index fa79fcb7..c77623c1 100644 --- a/apparmor.d/groups/gnome/gnome-recipes +++ b/apparmor.d/groups/gnome/gnome-recipes @@ -9,11 +9,11 @@ include @{exec_path} = @{bin}/gnome-recipes profile gnome-recipes @{exec_path} { include - include - include + include + include include - include include + include network inet dgram, network inet6 dgram, @@ -25,11 +25,5 @@ profile gnome-recipes @{exec_path} { @{bin}/tar rix, - @{open_path} rPx -> child-open-help, - - /usr/share/gnome-recipes/{,**} r, - - owner @{user_cache_dirs}/gnome-recipes/{,**} rw, - include if exists } \ No newline at end of file 
diff --git a/apparmor.d/groups/gnome/gnome-tour b/apparmor.d/groups/gnome/gnome-tour index 3a31be36..af15782b 100644 --- a/apparmor.d/groups/gnome/gnome-tour +++ b/apparmor.d/groups/gnome/gnome-tour @@ -9,14 +9,10 @@ include @{exec_path} = @{bin}/gnome-tour profile gnome-tour @{exec_path} { include - include - include - include + include include @{exec_path} mr, - /usr/share/gnome-tour/{,**} r, - include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 66510610..de0479a3 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -10,12 +10,9 @@ include profile file-roller @{exec_path} { include include - include include include - include - include - include + include include include include @@ -40,8 +37,6 @@ profile file-roller @{exec_path} { @{bin}/zstd rix, @{lib}/p7zip/7z rix, - @{open_path} rPx -> child-open, - @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r,
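Review bot: The rule dropped from file-roller is `@{open_path} rPx -> child-open,` whereas every other profile in this patch dropped `-> child-open-help`, and a single shared abstraction can supply only one of these transitions. If the abstraction provides the help variant, file-roller's open-with path now lands in the help-only child profile and is presumably denied; if it provides `child-open`, the seven GNOME apps gain an unrestricted open transition they did not have before. Either way this is a behaviour change the commit message does not mention. The safer form is to keep `@{open_path} rPx -> child-open,` in file-roller when the abstraction uses the help variant, or to state the widening explicitly if it does not; the file-roller profile body continues outside both hunks.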