From 69f9e8464f7ed74667d4541e4575ac83f8f02a60 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Sep 2024 00:14:02 +0100 Subject: [PATCH] feat(profile): update profiles for gnome 47. --- apparmor.d/abstractions/common/gnome | 1 + apparmor.d/abstractions/desktop | 8 +++----- apparmor.d/abstractions/gnome-strict | 6 ++---- apparmor.d/abstractions/kde-strict | 6 +----- apparmor.d/abstractions/vulkan-strict | 2 ++ apparmor.d/groups/freedesktop/xdg-desktop-portal | 6 +++++- apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 6 ++++-- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 9 +++++++-- apparmor.d/groups/gnome/gnome-control-center | 2 ++ .../groups/gnome/gnome-control-center-print-renderer | 1 + apparmor.d/groups/gnome/gnome-shell | 2 ++ apparmor.d/groups/gnome/loupe | 1 + apparmor.d/groups/gnome/nautilus | 1 + apparmor.d/groups/gvfs/gvfsd | 2 ++ apparmor.d/profiles-a-f/appstreamcli | 1 + 15 files changed, 35 insertions(+), 19 deletions(-) diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index c93f9bc0..8fe4d97c 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -23,6 +23,7 @@ owner @{user_share_dirs}/@{profile_name}/** rwlk, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 50244b3a..ae585999 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -13,6 +13,7 @@ include include include + include # if @{DE} == gnome @@ -30,6 +31,8 @@ /var/cache/gio-@{version}/gnome-mimeapps.list r, + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + # else if @{DE} == kde @{lib}/kde{,3,4}/*.so mr, 
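Review bot: The `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` line is duplicated between abstractions/common/gnome and the gnome-control-center-print-renderer, loupe and nautilus profiles in this same patch. If any of those profiles already includes the common/gnome abstraction (the include targets are not readable on this page, so that is inferred), the per-profile copies are redundant and will drift from the shared one; keep the rule in the abstraction and drop the copies where it is included, or keep the copies only in profiles that do not include it. A short comment next to the abstraction rule, such as `# thread renaming (presumably pthread_setname_np); write needed on comm`, would also record why write access to a /proc task file is granted in a widely shared abstraction.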
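Review bot: `owner @{user_share_dirs}/gnome-shell/session.gvdb rw,` sits in the gnome branch of the generic desktop abstraction, so every profile that includes it gains write access to a file under gnome-shell's own data directory; the same rule is added in abstractions/gnome-strict and in the gnome-shell profile. If the denials seen from ordinary applications were read-only, `r` in the two abstractions (keeping `rw` only in the gnome-shell profile) would avoid letting any desktop application modify shell session state; if writes were actually observed from applications, a comment saying so would settle it. Either way a line like `# GNOME 47: gnome-shell session state` above the rule would explain why an application abstraction touches a gnome-shell file.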
@@ -71,11 +74,6 @@ /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - owner @{HOME}/.local/ rw, - owner @{user_cache_dirs}/ rw, - owner @{user_config_dirs}/ rw, - owner @{user_share_dirs}/ rw, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 74df8734..833aaa59 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -7,6 +7,7 @@ include include include + include dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -26,10 +27,7 @@ /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, - owner @{HOME}/.local/ rw, - owner @{user_cache_dirs}/ rw, - owner @{user_config_dirs}/ rw, - owner @{user_share_dirs}/ rw, + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index f31a3861..11e897ab 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -7,6 +7,7 @@ include include include + include @{lib}/kde{,3,4}/*.so mr, @{lib}/kde{,3,4}/plugins/*/ r, @@ -22,11 +23,6 @@ /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, - owner @{HOME}/.local/ rw, - owner @{user_cache_dirs}/ rw, - owner @{user_config_dirs}/ rw, - owner @{user_share_dirs}/ rw, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk, diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index 5210a48e..7dbb8f42 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict 
@@ -14,6 +14,8 @@ /etc/vulkan/icd.d/{,*.json} r, /etc/vulkan/implicit_layer.d/{,*.json} r, + owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/.goutputstream-@{rand6} rw, + owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/@{uuid}.@{int} rw, owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache owner @{user_share_dirs}/vulkan/ rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index d8929cfb..720d794b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -21,13 +21,16 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_ptrace, network netlink raw, - ptrace (read), + ptrace read, + + signal receive set=term peer=gdm, #aa:dbus own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}} dbus receive bus=session path=/org/freedesktop/portal/desktop @@ -63,6 +66,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, + /usr/share/gdm/greeter-dconf-defaults r, /etc/sysconfig/proxy r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 586828ee..02cf99b0 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome 
@@ -38,13 +38,15 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { / r, @{bin}/ r, @{bin}/* r, - /opt/*/* r, + /opt/** r, /usr/share/dconf/profile/gdm r, + /usr/share/gdm/greeter-dconf-defaults r, /usr/share/thumbnailers/{,**} r, - owner @{DESKTOP_HOME}/greeter-dconf-defaults r, + owner @{desktop_cache_dirs}/dconf/user r, owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, + owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, owner @{HOME}/* r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index c21b955d..9eaea73a 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/xdg-desktop-portal-gtk -profile xdg-desktop-portal-gtk @{exec_path} { +profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include @@ -27,7 +27,8 @@ profile xdg-desktop-portal-gtk @{exec_path} { include include include - include + + signal receive set=term peer=gdm, unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), @@ -53,10 +54,14 @@ profile xdg-desktop-portal-gtk @{exec_path} { @{exec_path} mr, + /usr/share/gdm/greeter-dconf-defaults r, + / r, owner /var/lib/xkb/server-@{int}.xkm rw, + owner @{gdm_config_dirs}/dconf/user r, + owner @{tmp}/runtime-*/xauth_@{rand6} r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 154aff58..b0006d77 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center 
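Review bot: Replacing `/opt/*/* r,` with `/opt/** r,` gives xdg-desktop-portal-gnome unrestricted recursive read over everything beneath /opt, including whatever configuration or data third-party packages keep there, where the previous rule stopped one level below each vendor directory. If the denial that motivated this was for a particular subtree (icons or desktop entries would be the usual need for a portal, but that is a guess), a glob limited to that subtree keeps the widening proportionate; otherwise a comment such as `# third-party applications installed under /opt` should state the need so the broad rule is not narrowed later by mistake. The reordering of `owner @{DESKTOP_HOME}/greeter-dconf-defaults r,` is a no-op.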
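Review bot: The xdg-desktop-portal-gtk profile header gains `flags=(attach_disconnected)` with nothing in the hunk recording which disconnected path required it; since the flag makes disconnected paths be mediated against the profile's rules as if rooted at / instead of being denied outright, the motivating case belongs next to the header, e.g. `# attach_disconnected: <path from the audit log>` with the placeholder filled in. The later hunks in the same file, which add `/ r,`, `owner @{gdm_config_dirs}/dconf/user r,` and `owner @{tmp}/runtime-*/xauth_@{rand6} r,`, look like they come from running under the gdm greeter session, which may be the same reason; saying so once would tie them together. The profile body continues outside these hunks.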
@@ -103,6 +103,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /var/cache/samba/ rw, /var/lib/AccountsService/icons/* r, + / r, + owner @{HOME}/.cat_installer/ca.pem r, owner @{HOME}/.cert/nm-openvpn/*.pem r, owner @{HOME}/.face r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 22784f1d..db68c40b 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -24,6 +24,7 @@ profile gnome-control-center-print-renderer @{exec_path} { / r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index c7265206..c492cf3f 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -409,6 +409,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/local/bin/** PUx, /usr/games/** PUx, + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index a90f8664..56c4a2c5 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -40,6 +40,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 3e597c15..f9be02d9 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus 
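Review bot: `owner @{HOME}/.cat_installer/ca.pem r,` in gnome-control-center is an opaque dotfile path and the hunk does not say what creates it; a comment naming the origin would help the next reader, e.g. `# CA certificate written by the eduroam CAT installer`. That attribution is my assumption about what `.cat_installer` belongs to, so confirm it before committing the comment. The `/ r,` added in the same hunk is the usual root-directory listing and needs no note.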
@@ -110,6 +110,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/tty rw, diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index 710abbba..c31c1038 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -13,6 +13,8 @@ profile gvfsd @{exec_path} { include include + signal receive set=usr1 peer=pacman, + #aa:dbus own bus=session name=org.gtk.vfs.Daemon #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index 6b6bad8d..25f4ff40 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -24,6 +24,7 @@ profile appstreamcli @{exec_path} flags=(complain) { /usr/share/app-info/{,**} r, /usr/share/appdata/ r, + /usr/share/gvfs/remote-volume-monitors/{,**} r, /usr/share/metainfo/ r, /usr/share/metainfo/*.{metainfo,appdata}.xml r, /usr/share/swcatalog/{,**} r,
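Review bot: `signal receive set=usr1 peer=pacman,` in gvfsd names a peer label that only exists where pacman is the package manager, and nothing records which hook sends SIGUSR1; the rule is inert on other distributions, but readers there will not know why it is present. A comment such as `# SIGUSR1 from a pacman post-transaction hook` (the hook is inferred, confirm against the hook that triggers the denial) would document it. If the repository's distribution-scoping directive (`#aa:only pacman`) can be applied to a single rule, it would also make the scope explicit rather than implied by the peer name.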