From 80e85769ce83098c88a64be3e0cbe1ba4b61a718 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 22:09:19 +0100 Subject: [PATCH] feat(profile): improve gnome profiles. --- apparmor.d/groups/freedesktop/xorg | 1 + apparmor.d/groups/gnome/deja-dup-monitor | 3 ++- apparmor.d/groups/gnome/gdm-generate-config | 4 ++-- apparmor.d/groups/gnome/gnome-calculator | 2 ++ apparmor.d/groups/gnome/gnome-clocks | 4 ++-- apparmor.d/groups/gnome/gnome-control-center | 2 ++ .../groups/gnome/gnome-extension-gsconnect | 9 ++++++-- apparmor.d/groups/gnome/gnome-initial-setup | 1 + .../groups/gnome/gnome-remote-desktop-daemon | 1 + apparmor.d/groups/gnome/gnome-session-check | 22 +++++++++++++++++++ apparmor.d/groups/gnome/gnome-shell | 3 +++ apparmor.d/groups/gnome/mutter-x11-frames | 2 +- apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/gnome/session-migration | 1 + apparmor.d/groups/gnome/yelp | 2 +- 15 files changed, 49 insertions(+), 10 deletions(-) create mode 100644 apparmor.d/groups/gnome/gnome-session-check diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 90016a8e..00e277f1 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -121,6 +121,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/backlight/**/brightness rw, @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/resource@{int} rw, @{sys}/devices/**/{uevent,name,id,config} r, @{sys}/devices/**/hid r, @{sys}/devices/**/power_supply/**/{type,online} r, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index b7fc6a5b..90a5b0f6 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor 
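Review bot: The added `@{sys}/devices/@{pci}/resource@{int} rw,` gives Xorg read/write — and, via mmap of these sysfs files, direct access — to the BAR regions of any PCI device, not only the GPU, because `@{pci}` matches any PCI device path, and the hunk does not say which driver needs it. Presumably this serves a legacy (non-KMS) driver mapping framebuffer or register space (TODO confirm from the audit denial); please add a comment above the rule, e.g. `# PCI BAR mapping for legacy drivers without KMS`, and check whether `r` alone or a narrower device path is sufficient. The enclosing xorg profile starts and ends outside the hunk.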
@@ -15,12 +15,13 @@ profile deja-dup-monitor @{exec_path} { include include include + include include network netlink raw, #aa:dbus own bus=session name=org.gnome.DejaDup.Monitor - #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup + #aa:dbus talk bus=session name=org.gnome.DejaDup interface+=org.gtk.Actions label=deja-dup dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index dc11e816..6d621f18 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -32,8 +32,7 @@ profile gdm-generate-config @{exec_path} { /usr/share/gdm{3,}/{,**} r, /var/lib/ r, - @{GDM_HOME}/ r, - owner @{GDM_HOME}/ rw, + @{GDM_HOME}/ rw, owner @{GDM_HOME}/greeter-dconf-defaults rw, owner @{GDM_HOME}/greeter-dconf-defaults.@{rand6} rw, @@ -44,6 +43,7 @@ profile gdm-generate-config @{exec_path} { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/stat r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2e553d9f..3f2290e6 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -23,6 +23,8 @@ profile gnome-calculator @{exec_path} { @{open_path} rPx -> child-open-help, + owner @{PROC}/@{pid}/stat r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index fd6ded04..13f161df 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -10,7 +10,7 @@ include profile gnome-clocks @{exec_path} { include include - include + include include include include 
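Review bot: Replacing `owner @{GDM_HOME}/ rw,` with `@{GDM_HOME}/ rw,` drops the owner condition on the directory write, so gdm-generate-config can now create, delete or rename entries in the GDM home whoever owns that directory, while the files beneath it (`greeter-dconf-defaults*`) keep `owner`. That asymmetry suggests the directory and the process have different uids on some distribution (TODO confirm); a one-line comment stating it, e.g. `# @{GDM_HOME}/ is not owned by the uid running this tool on all distros`, would stop a later cleanup from re-adding `owner` and reintroducing the denial. The profile body continues outside the hunk.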
@@ -19,7 +19,7 @@ profile gnome-clocks @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gnome.clocks + #aa:dbus own bus=session name=org.gnome.clocks interface+=org.gtk.Actions @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index cfb40f5c..74b0cb04 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -38,7 +38,9 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), #aa:dbus own bus=session name=org.gnome.Settings + #aa:dbus own bus=session name=org.bluez.obex.Agent1 + #aa:dbus talk bus=session name=org.bluez.obex label=obexd #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 7bb34e52..c0f131dd 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -36,8 +36,9 @@ profile gnome-extension-gsconnect @{exec_path} { @{bin}/openssl rix, @{bin}/ssh-add rix, - @{bin}/ssh-keygen rPx, - @{bin}/xdg-screensaver rPx, + @{bin}/dconf rPx, + @{bin}/ssh-keygen rPx, + @{bin}/xdg-screensaver rPx, @{lib}/gio/modules/*.so* rm, @{lib}/girepository-1.0/* r, @@ -53,6 +54,10 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{user_config_dirs}/mimeapps.list w, owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, + owner @{HOME}/.mozilla/firefox/firefox-mpris/@{word}.png r, + + owner @{tmp}/.org.chromium.Chromium.@{rand6} r, + owner @{run}/user/@{uid}/gsconnect/{,**} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, 
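Review bot: `#aa:dbus own bus=session name=org.bluez.obex.Agent1` presumably expands to a `bind` for that well-known name, but obex agents are usually exported as an object on the caller's own connection and registered with obexd's AgentManager rather than claimed as a bus name (TODO confirm from the gnome-control-center source or an audit log showing a `bind` denial). If no bind is required, `own` over-grants, and the receive side on the Agent1 interface from `label=obexd` may already be covered by the `talk` line added beneath it. A comment such as `# Bluetooth panel: receive files via obexd` above the two lines would record why file-transfer access is being granted to the settings application. The profile body continues outside the hunk.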
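Review bot: The new `owner @{tmp}/.org.chromium.Chromium.@{rand6} r,` matches every temporary file Chromium drops under @{tmp}, not only the artwork that the neighbouring `owner @{HOME}/.mozilla/firefox/firefox-mpris/@{word}.png r,` suggests gsconnect is after, and nothing in the hunk says why a phone-integration extension reads browser scratch files. Presumably both rules serve MPRIS album-art URLs handed over by the browsers (TODO confirm); add a comment above them, e.g. `# MPRIS album art exported by browsers`, so the Chromium glob is neither widened nor misread later. The profile body continues outside the hunk.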
diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 89769477..be73974c 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -41,6 +41,7 @@ profile gnome-initial-setup @{exec_path} { @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, + @{lib}/@{multiarch}/ld-linux-*.so* rix, /usr/share/dconf/profile/gdm r, /usr/share/gnome-initial-setup/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index 19e448b1..c092f937 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -15,6 +15,7 @@ profile gnome-remote-desktop-daemon @{exec_path} { include include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/gnome/gnome-session-check b/apparmor.d/groups/gnome/gnome-session-check new file mode 100644 index 00000000..2a0b4965 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-session-check @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/gnome-session-check-* +profile gnome-session-check @{exec_path} { + include + include + + @{exec_path} mr, + + @{lib}/gnome-session-check-accelerated-gl-helper ix, + @{lib}/gnome-session-check-accelerated-gles-helper ix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index f8888f95..f2ff71f0 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
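Review bot: `@{lib}/@{multiarch}/ld-linux-*.so* rix,` lets gnome-initial-setup invoke the dynamic loader directly, and the loader then maps and runs whatever ELF it is pointed at under this same profile, so in effect any file the profile already grants `m` on becomes runnable here without passing through the `rPx` transitions listed above it (e.g. `@{bin}/xrandr rPx,`). The hunk does not say which caller needs this — possibly `gnome-initial-setup-goa-helper` or a wrapper script (TODO confirm from the denial) — so a comment naming it, e.g. `# ld-linux is executed directly by <helper>; ix keeps it under this profile`, would let the next reviewer judge whether a narrower rule is possible. The profile body continues outside the hunk.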
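Review bot: The two helper rules use bare `ix` where the rest of the repository writes `rix` (see `@{bin}/openssl rix,` in the gsconnect hunk), and both helpers already match `@{exec_path} = @{lib}/gnome-session-check-*`, so they attach to this profile when started directly and are covered by `@{exec_path} mr,` when started from it; either drop the two lines or write them as `@{lib}/gnome-session-check-accelerated-gl-helper rix,` and `@{lib}/gnome-session-check-accelerated-gles-helper rix,` for consistency. The copyright line reads 2024 for a file first added in a 2025 commit. The `include` targets are not visible in this rendering (the angle-bracketed paths appear stripped), so the abstractions pulled in could not be reviewed.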
@@ -242,6 +242,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, + owner @{HOME}/.mozilla/native-messaging-hosts/ r, + owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json rw, + owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json.@{rand6} rw, owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, owner @{HOME}/.var/app/**.{png,jpg,svg} r, owner @{HOME}/.var/app/**/ r, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 8a48b97a..d41ba2c7 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -28,7 +28,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rw, owner @{gdm_config_dirs}/dconf/user r, @{sys}/devices/@{pci}/boot_vga r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 3a7fdd4f..016a41bd 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -28,7 +28,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, - #aa:dbus own bus=session name=org.gnome.Nautilus interface+=org.gtk.{Application,Actions} + #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" #aa:dbus own bus=session name=org.freedesktop.FileManager1 #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index c2df9789..ac3009fc 100644 --- a/apparmor.d/groups/gnome/session-migration 
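Review bot: The new rules let gnome-shell create and rewrite `~/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json`, and a native-messaging manifest is what tells Firefox which local binary to launch for a web extension, so this is in effect permission to configure browser-initiated code execution — acceptable because it is pinned to one filename and `owner`, but it must not be loosened to a `*.json` glob later. Presumably the GSConnect shell extension writes its own manifest from inside gnome-shell (TODO confirm); a comment above the three lines such as `# GSConnect extension installs its Firefox native-messaging manifest; keep scoped to this file` would record both the reason and the deliberate narrow scope. The gnome-shell profile begins and ends outside the hunk.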
+++ b/apparmor.d/groups/gnome/session-migration @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/session-migration profile session-migration @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index f172eac2..b3f27187 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -15,7 +15,7 @@ profile yelp @{exec_path} { network netlink raw, #aa:dbus own bus=accessibility name=org.gnome.Yelp - #aa:dbus own bus=session name=org.gnome.Yelp + #aa:dbus own bus=session name=org.gnome.Yelp interface+=org.gtk.Actions @{exec_path} mr, @{open_path} rPx -> child-open-help,