mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(profile): update profiles for gnome 47.

Browse Source
This commit is contained in:
Alexandre Pujol 2024-09-25 00:14:02 +01:00
parent 457953876a
commit 69f9e8464f
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
15 changed files with 35 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
apparmor.d/abstractions/common/gnome
View File

@ -23,6 +23,7 @@
owner @{user_share_dirs}/@{profile_name}/** rwlk,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
include if exists <abstractions/common/gnome.d>

8
apparmor.d/abstractions/desktop
View File

@ -13,6 +13,7 @@
include <abstractions/qt5>
include <abstractions/wayland>
include <abstractions/X-strict>
include <abstractions/xdg-desktop>
# if @{DE} == gnome
@ -30,6 +31,8 @@
/var/cache/gio-@{version}/gnome-mimeapps.list r,
owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
# else if @{DE} == kde
@{lib}/kde{,3,4}/*.so mr,
@ -71,11 +74,6 @@
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
owner @{HOME}/.local/ rw,
owner @{user_cache_dirs}/ rw,
owner @{user_config_dirs}/ rw,
owner @{user_share_dirs}/ rw,
include if exists <abstractions/desktop.d>
# vim:syntax=apparmor

6
apparmor.d/abstractions/gnome-strict
View File

@ -7,6 +7,7 @@
include <abstractions/gtk>
include <abstractions/wayland>
include <abstractions/X-strict>
include <abstractions/xdg-desktop>
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
@ -26,10 +27,7 @@
/var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
owner @{HOME}/.local/ rw,
owner @{user_cache_dirs}/ rw,
owner @{user_config_dirs}/ rw,
owner @{user_share_dirs}/ rw,
owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
include if exists <abstractions/gnome-strict.d>

6
apparmor.d/abstractions/kde-strict
View File

@ -7,6 +7,7 @@
include <abstractions/qt5>
include <abstractions/wayland>
include <abstractions/X-strict>
include <abstractions/xdg-desktop>
@{lib}/kde{,3,4}/*.so mr,
@{lib}/kde{,3,4}/plugins/*/ r,
@ -22,11 +23,6 @@
/etc/xdg/kdeglobals r,
/etc/xdg/kwinrc r,
owner @{HOME}/.local/ rw,
owner @{user_cache_dirs}/ rw,
owner @{user_config_dirs}/ rw,
owner @{user_share_dirs}/ rw,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk,

2
apparmor.d/abstractions/vulkan-strict
View File

@ -14,6 +14,8 @@
/etc/vulkan/icd.d/{,*.json} r,
/etc/vulkan/implicit_layer.d/{,*.json} r,
owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/.goutputstream-@{rand6} rw,
owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/@{uuid}.@{int} rw,
owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache
owner @{user_share_dirs}/vulkan/ rw,

6
apparmor.d/groups/freedesktop/xdg-desktop-portal
View File

@ -21,13 +21,16 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/trash-strict>
include <abstractions/user-download-strict>
capability sys_ptrace,
network netlink raw,
ptrace (read),
ptrace read,
signal receive set=term peer=gdm,
#aa:dbus own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}}
dbus receive bus=session path=/org/freedesktop/portal/desktop
@ -63,6 +66,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
/usr/share/dconf/profile/gdm r,
/usr/share/xdg-desktop-portal/** r,
/usr/share/gdm/greeter-dconf-defaults r,
/etc/sysconfig/proxy r,

6
apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
View File

@ -38,13 +38,15 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
/ r,
@{bin}/ r,
@{bin}/* r,
/opt/*/* r,
/opt/** r,
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/thumbnailers/{,**} r,
owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
owner @{desktop_cache_dirs}/dconf/user r,
owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
owner @{HOME}/ r,
owner @{HOME}/* r,

9
apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/xdg-desktop-portal-gtk
profile xdg-desktop-portal-gtk @{exec_path} {
profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
@ -27,7 +27,8 @@ profile xdg-desktop-portal-gtk @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
include <abstractions/user-write>
signal receive set=term peer=gdm,
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
@ -53,10 +54,14 @@ profile xdg-desktop-portal-gtk @{exec_path} {
@{exec_path} mr,
/usr/share/gdm/greeter-dconf-defaults r,
/ r,
owner /var/lib/xkb/server-@{int}.xkm rw,
owner @{gdm_config_dirs}/dconf/user r,
owner @{tmp}/runtime-*/xauth_@{rand6} r,
@{run}/mount/utab r,

2
apparmor.d/groups/gnome/gnome-control-center
View File

@ -103,6 +103,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/var/cache/samba/ rw,
/var/lib/AccountsService/icons/* r,
/ r,
owner @{HOME}/.cat_installer/ca.pem r,
owner @{HOME}/.cert/nm-openvpn/*.pem r,
owner @{HOME}/.face r,

1
apparmor.d/groups/gnome/gnome-control-center-print-renderer
View File

@ -24,6 +24,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
/ r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
include if exists <local/gnome-control-center-print-renderer>
}

2
apparmor.d/groups/gnome/gnome-shell
View File

@ -409,6 +409,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/usr/local/bin/** PUx,
/usr/games/** PUx,
owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
deny @{user_share_dirs}/gvfs-metadata/* r,

1
apparmor.d/groups/gnome/loupe
View File

@ -40,6 +40,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
deny @{user_share_dirs}/gvfs-metadata/* r,

1
apparmor.d/groups/gnome/nautilus
View File

@ -110,6 +110,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/tty rw,

2
apparmor.d/groups/gvfs/gvfsd
View File

@ -13,6 +13,8 @@ profile gvfsd @{exec_path} {
include <abstractions/bus-session>
include <abstractions/nameservice-strict>
signal receive set=usr1 peer=pacman,
#aa:dbus own bus=session name=org.gtk.vfs.Daemon
#aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker

1
apparmor.d/profiles-a-f/appstreamcli
View File

@ -24,6 +24,7 @@ profile appstreamcli @{exec_path} flags=(complain) {
/usr/share/app-info/{,**} r,
/usr/share/appdata/ r,
/usr/share/gvfs/remote-volume-monitors/{,**} r,
/usr/share/metainfo/ r,
/usr/share/metainfo/*.{metainfo,appdata}.xml r,
/usr/share/swcatalog/{,**} r,