feat(profile): update profiles for gnome 47.
This commit is contained in:
parent
457953876a
commit
69f9e8464f
@ -23,6 +23,7 @@
|
|||||||
owner @{user_share_dirs}/@{profile_name}/** rwlk,
|
owner @{user_share_dirs}/@{profile_name}/** rwlk,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
|
|
||||||
include if exists <abstractions/common/gnome.d>
|
include if exists <abstractions/common/gnome.d>
|
||||||
|
|
||||||
|
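Review bot: The new `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` lands in a shared abstraction here and is repeated per profile in the gnome-control-center-print-renderer, loupe and nautilus hunks; if those profiles already include this abstraction the per-profile copies are redundant, which is worth confirming before merge. Writing a task's comm is what thread naming does, and `owner` keeps it to the caller's own tasks, but the intent is not recorded anywhere; a one-line comment such as `# Thread naming (pthread_setname_np writes comm)` would also make it easier to judge later whether `rw` or only `w` is required. The enclosing abstraction starts and ends outside the hunk.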
@ -13,6 +13,7 @@
|
|||||||
include <abstractions/qt5>
|
include <abstractions/qt5>
|
||||||
include <abstractions/wayland>
|
include <abstractions/wayland>
|
||||||
include <abstractions/X-strict>
|
include <abstractions/X-strict>
|
||||||
|
include <abstractions/xdg-desktop>
|
||||||
|
|
||||||
# if @{DE} == gnome
|
# if @{DE} == gnome
|
||||||
|
|
||||||
@ -30,6 +31,8 @@
|
|||||||
|
|
||||||
/var/cache/gio-@{version}/gnome-mimeapps.list r,
|
/var/cache/gio-@{version}/gnome-mimeapps.list r,
|
||||||
|
|
||||||
|
owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
|
||||||
|
|
||||||
# else if @{DE} == kde
|
# else if @{DE} == kde
|
||||||
|
|
||||||
@{lib}/kde{,3,4}/*.so mr,
|
@{lib}/kde{,3,4}/*.so mr,
|
||||||
@ -71,11 +74,6 @@
|
|||||||
/usr/share/hwdata/*.ids r,
|
/usr/share/hwdata/*.ids r,
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||||
|
|
||||||
owner @{HOME}/.local/ rw,
|
|
||||||
owner @{user_cache_dirs}/ rw,
|
|
||||||
owner @{user_config_dirs}/ rw,
|
|
||||||
owner @{user_share_dirs}/ rw,
|
|
||||||
|
|
||||||
include if exists <abstractions/desktop.d>
|
include if exists <abstractions/desktop.d>
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
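Review bot: The four directory rules removed here (`owner @{HOME}/.local/ rw,` through `owner @{user_share_dirs}/ rw,`) are presumably now provided by the `include <abstractions/xdg-desktop>` added earlier in this file, but that abstraction is not part of the diff, so the equivalence cannot be checked from the commit; a sentence in the commit message, or a comment next to the include, would close that gap. The same move is made in the gnome-strict and kde-strict abstraction hunks that follow. Separately, `owner @{user_share_dirs}/gnome-shell/session.gvdb rw,` in the gnome branch of this shared abstraction grants every profile that includes it write access to gnome-shell's session database; if clients only read it, `r` is the narrower grant, and in either case a comment naming the component that writes the file would justify the permission.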
@ -7,6 +7,7 @@
|
|||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
include <abstractions/wayland>
|
include <abstractions/wayland>
|
||||||
include <abstractions/X-strict>
|
include <abstractions/X-strict>
|
||||||
|
include <abstractions/xdg-desktop>
|
||||||
|
|
||||||
dbus receive bus=session
|
dbus receive bus=session
|
||||||
interface=org.freedesktop.DBus.Introspectable
|
interface=org.freedesktop.DBus.Introspectable
|
||||||
@ -26,10 +27,7 @@
|
|||||||
|
|
||||||
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
|
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
|
||||||
|
|
||||||
owner @{HOME}/.local/ rw,
|
owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
|
||||||
owner @{user_cache_dirs}/ rw,
|
|
||||||
owner @{user_config_dirs}/ rw,
|
|
||||||
owner @{user_share_dirs}/ rw,
|
|
||||||
|
|
||||||
include if exists <abstractions/gnome-strict.d>
|
include if exists <abstractions/gnome-strict.d>
|
||||||
|
|
||||||
|
@ -7,6 +7,7 @@
|
|||||||
include <abstractions/qt5>
|
include <abstractions/qt5>
|
||||||
include <abstractions/wayland>
|
include <abstractions/wayland>
|
||||||
include <abstractions/X-strict>
|
include <abstractions/X-strict>
|
||||||
|
include <abstractions/xdg-desktop>
|
||||||
|
|
||||||
@{lib}/kde{,3,4}/*.so mr,
|
@{lib}/kde{,3,4}/*.so mr,
|
||||||
@{lib}/kde{,3,4}/plugins/*/ r,
|
@{lib}/kde{,3,4}/plugins/*/ r,
|
||||||
@ -22,11 +23,6 @@
|
|||||||
/etc/xdg/kdeglobals r,
|
/etc/xdg/kdeglobals r,
|
||||||
/etc/xdg/kwinrc r,
|
/etc/xdg/kwinrc r,
|
||||||
|
|
||||||
owner @{HOME}/.local/ rw,
|
|
||||||
owner @{user_cache_dirs}/ rw,
|
|
||||||
owner @{user_config_dirs}/ rw,
|
|
||||||
owner @{user_share_dirs}/ rw,
|
|
||||||
|
|
||||||
owner @{user_cache_dirs}/#@{int} rw,
|
owner @{user_cache_dirs}/#@{int} rw,
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk,
|
owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk,
|
||||||
|
@ -14,6 +14,8 @@
|
|||||||
/etc/vulkan/icd.d/{,*.json} r,
|
/etc/vulkan/icd.d/{,*.json} r,
|
||||||
/etc/vulkan/implicit_layer.d/{,*.json} r,
|
/etc/vulkan/implicit_layer.d/{,*.json} r,
|
||||||
|
|
||||||
|
owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/.goutputstream-@{rand6} rw,
|
||||||
|
owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/@{uuid}.@{int} rw,
|
||||||
owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache
|
owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache
|
||||||
|
|
||||||
owner @{user_share_dirs}/vulkan/ rw,
|
owner @{user_share_dirs}/vulkan/ rw,
|
||||||
|
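Review bot: The `.goutputstream-@{rand6}` name in the first new rule is GIO's temporary file that is later renamed over the final cache entry, which is why write is needed on both names, but nothing in the hunk says so; a comment such as `# GIO writes a .goutputstream-* temp file and renames it over the cache entry` would save the next reader the lookup. These two paths are specific to GTK 4's Vulkan renderer yet live in the generic vulkan abstraction; that may be intentional if every GTK consumer includes it, but a comment stating that placement decision would help. The enclosing abstraction starts and ends outside the hunk.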
@ -21,13 +21,16 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||||||
include <abstractions/freedesktop.org>
|
include <abstractions/freedesktop.org>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/thumbnails-cache-read>
|
include <abstractions/thumbnails-cache-read>
|
||||||
|
include <abstractions/trash-strict>
|
||||||
include <abstractions/user-download-strict>
|
include <abstractions/user-download-strict>
|
||||||
|
|
||||||
capability sys_ptrace,
|
capability sys_ptrace,
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
ptrace (read),
|
ptrace read,
|
||||||
|
|
||||||
|
signal receive set=term peer=gdm,
|
||||||
|
|
||||||
#aa:dbus own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}}
|
#aa:dbus own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}}
|
||||||
dbus receive bus=session path=/org/freedesktop/portal/desktop
|
dbus receive bus=session path=/org/freedesktop/portal/desktop
|
||||||
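Review bot: `signal receive set=term peer=gdm,` here, together with `/usr/share/gdm/greeter-dconf-defaults r,` in the next hunk, looks like support for a portal instance running inside the gdm greeter session, but the profile does not say so; a comment on the signal rule, e.g. `# Portal instance started in the gdm greeter session`, would tie the gdm-related rules together. The same undocumented gdm rules are added to xdg-desktop-portal-gtk and xdg-desktop-portal-gnome later in this commit, so one comment in each profile would be enough. The `ptrace (read),` to `ptrace read,` rewrite is cosmetic and fine. The profile body continues outside the hunk.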
@ -63,6 +66,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||||||
|
|
||||||
/usr/share/dconf/profile/gdm r,
|
/usr/share/dconf/profile/gdm r,
|
||||||
/usr/share/xdg-desktop-portal/** r,
|
/usr/share/xdg-desktop-portal/** r,
|
||||||
|
/usr/share/gdm/greeter-dconf-defaults r,
|
||||||
|
|
||||||
/etc/sysconfig/proxy r,
|
/etc/sysconfig/proxy r,
|
||||||
|
|
||||||
|
@ -38,13 +38,15 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
|
|||||||
/ r,
|
/ r,
|
||||||
@{bin}/ r,
|
@{bin}/ r,
|
||||||
@{bin}/* r,
|
@{bin}/* r,
|
||||||
/opt/*/* r,
|
/opt/** r,
|
||||||
|
|
||||||
/usr/share/dconf/profile/gdm r,
|
/usr/share/dconf/profile/gdm r,
|
||||||
|
/usr/share/gdm/greeter-dconf-defaults r,
|
||||||
/usr/share/thumbnailers/{,**} r,
|
/usr/share/thumbnailers/{,**} r,
|
||||||
|
|
||||||
owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
|
owner @{desktop_cache_dirs}/dconf/user r,
|
||||||
owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
|
owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
|
||||||
|
owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
|
||||||
|
|
||||||
owner @{HOME}/ r,
|
owner @{HOME}/ r,
|
||||||
owner @{HOME}/* r,
|
owner @{HOME}/* r,
|
||||||
|
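Review bot: Widening `/opt/*/* r,` to `/opt/** r,` grants recursive read over everything third-party packages install under /opt, including any configuration or credential files they keep there, whereas the old rule stopped one level below each package directory. If the portal only needs to enumerate application entries, a depth-limited pattern or a comment recording which deeper path triggered the change, e.g. `# /opt/** : required by <which application?>`, would keep the grant justified. Also, `owner @{desktop_cache_dirs}/dconf/user r,` reaches the dconf user database through a cache-directory variable while the xdg-desktop-portal-gtk hunk uses `owner @{gdm_config_dirs}/dconf/user r,` for what appears to be the same file; dconf keeps that database under the config directory, so one of the two is probably not matching and the two profiles should agree.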
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{lib}/xdg-desktop-portal-gtk
|
@{exec_path} = @{lib}/xdg-desktop-portal-gtk
|
||||||
profile xdg-desktop-portal-gtk @{exec_path} {
|
profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/bus-accessibility>
|
include <abstractions/bus-accessibility>
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
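Review bot: Adding `flags=(attach_disconnected)` changes how the profile treats files whose path is disconnected from the namespace root: such paths are attached to `/` and matched against the ordinary path rules, so a broad rule like `/ r,` in this profile applies to them as well. The flag is widely used in this project, but the reason it became necessary for xdg-desktop-portal-gtk in this commit is not recorded; a comment on the profile line or in the commit message, e.g. `# attach_disconnected: needed for <reason>`, would make the trade-off reviewable later. The profile body continues outside the hunk.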
@ -27,7 +27,8 @@ profile xdg-desktop-portal-gtk @{exec_path} {
|
|||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/thumbnails-cache-read>
|
include <abstractions/thumbnails-cache-read>
|
||||||
include <abstractions/user-download-strict>
|
include <abstractions/user-download-strict>
|
||||||
include <abstractions/user-write>
|
|
||||||
|
signal receive set=term peer=gdm,
|
||||||
|
|
||||||
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
|
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
|
||||||
|
|
||||||
@ -53,10 +54,14 @@ profile xdg-desktop-portal-gtk @{exec_path} {
|
|||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/usr/share/gdm/greeter-dconf-defaults r,
|
||||||
|
|
||||||
/ r,
|
/ r,
|
||||||
|
|
||||||
owner /var/lib/xkb/server-@{int}.xkm rw,
|
owner /var/lib/xkb/server-@{int}.xkm rw,
|
||||||
|
|
||||||
|
owner @{gdm_config_dirs}/dconf/user r,
|
||||||
|
|
||||||
owner @{tmp}/runtime-*/xauth_@{rand6} r,
|
owner @{tmp}/runtime-*/xauth_@{rand6} r,
|
||||||
|
|
||||||
@{run}/mount/utab r,
|
@{run}/mount/utab r,
|
||||||
|
@ -103,6 +103,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||||||
/var/cache/samba/ rw,
|
/var/cache/samba/ rw,
|
||||||
/var/lib/AccountsService/icons/* r,
|
/var/lib/AccountsService/icons/* r,
|
||||||
|
|
||||||
|
/ r,
|
||||||
|
|
||||||
owner @{HOME}/.cat_installer/ca.pem r,
|
owner @{HOME}/.cat_installer/ca.pem r,
|
||||||
owner @{HOME}/.cert/nm-openvpn/*.pem r,
|
owner @{HOME}/.cert/nm-openvpn/*.pem r,
|
||||||
owner @{HOME}/.face r,
|
owner @{HOME}/.face r,
|
||||||
|
@ -24,6 +24,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
|
|||||||
/ r,
|
/ r,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
|
|
||||||
include if exists <local/gnome-control-center-print-renderer>
|
include if exists <local/gnome-control-center-print-renderer>
|
||||||
}
|
}
|
||||||
|
@ -409,6 +409,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||||||
/usr/local/bin/** PUx,
|
/usr/local/bin/** PUx,
|
||||||
/usr/games/** PUx,
|
/usr/games/** PUx,
|
||||||
|
|
||||||
|
owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
|
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
|
||||||
|
|
||||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||||
|
@ -40,6 +40,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
|
|||||||
owner @{PROC}/@{pid}/cgroup r,
|
owner @{PROC}/@{pid}/cgroup r,
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
owner @{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
|
|
||||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||||
|
|
||||||
|
@ -110,6 +110,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
owner @{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
|
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
|
|
||||||
|
@ -13,6 +13,8 @@ profile gvfsd @{exec_path} {
|
|||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
|
signal receive set=usr1 peer=pacman,
|
||||||
|
|
||||||
#aa:dbus own bus=session name=org.gtk.vfs.Daemon
|
#aa:dbus own bus=session name=org.gtk.vfs.Daemon
|
||||||
#aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker
|
#aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker
|
||||||
|
|
||||||
|
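Review bot: `signal receive set=usr1 peer=pacman,` is a distribution-specific rule (pacman is the Arch package manager) with no comment saying which hook sends the signal or what gvfsd does on receiving it; a comment such as `# Arch: pacman hook sends USR1 so gvfsd reloads <what?>` would let maintainers on other distributions recognise it as inert there. The grant itself is small, being a single signal from a single peer label. The profile body continues outside the hunk.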
@ -24,6 +24,7 @@ profile appstreamcli @{exec_path} flags=(complain) {
|
|||||||
|
|
||||||
/usr/share/app-info/{,**} r,
|
/usr/share/app-info/{,**} r,
|
||||||
/usr/share/appdata/ r,
|
/usr/share/appdata/ r,
|
||||||
|
/usr/share/gvfs/remote-volume-monitors/{,**} r,
|
||||||
/usr/share/metainfo/ r,
|
/usr/share/metainfo/ r,
|
||||||
/usr/share/metainfo/*.{metainfo,appdata}.xml r,
|
/usr/share/metainfo/*.{metainfo,appdata}.xml r,
|
||||||
/usr/share/swcatalog/{,**} r,
|
/usr/share/swcatalog/{,**} r,
|
||||||
|