feat(profile): improve gnome profiles.

apparmor.d/groups/freedesktop/xorg

@@ -121,6 +121,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r,
   @{sys}/devices/@{pci}/backlight/**/brightness rw,
   @{sys}/devices/@{pci}/boot_vga r,
+  @{sys}/devices/@{pci}/resource@{int} rw,
   @{sys}/devices/**/{uevent,name,id,config} r,
   @{sys}/devices/**/hid r,
   @{sys}/devices/**/power_supply/**/{type,online} r,

apparmor.d/groups/gnome/deja-dup-monitor

@@ -15,12 +15,13 @@ profile deja-dup-monitor @{exec_path} {
   include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
   include <abstractions/bus/org.gtk.vfs.Daemon>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/dconf-write>
 
   network netlink raw,
 
   #aa:dbus own bus=session name=org.gnome.DejaDup.Monitor
-  #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup
+  #aa:dbus talk bus=session name=org.gnome.DejaDup interface+=org.gtk.Actions label=deja-dup
 
   dbus send bus=system path=/org/freedesktop/NetworkManager
        interface=org.freedesktop.DBus.Properties

apparmor.d/groups/gnome/gdm-generate-config

@@ -32,8 +32,7 @@ profile gdm-generate-config @{exec_path} {
   /usr/share/gdm{3,}/{,**} r,
 
         /var/lib/ r,
-        @{GDM_HOME}/ r,
+        @{GDM_HOME}/ rw,
-  owner @{GDM_HOME}/ rw,
   owner @{GDM_HOME}/greeter-dconf-defaults rw,
   owner @{GDM_HOME}/greeter-dconf-defaults.@{rand6} rw,
 
@@ -44,6 +43,7 @@ profile gdm-generate-config @{exec_path} {
   @{PROC}/@{pid}/cgroup r,
   @{PROC}/@{pid}/cmdline r,
   @{PROC}/@{pid}/stat r,
+  @{PROC}/tty/drivers r,
   @{PROC}/uptime r,
 
   include if exists <local/gdm-generate-config>

apparmor.d/groups/gnome/gnome-calculator

@@ -23,6 +23,8 @@ profile gnome-calculator @{exec_path} {
 
   @{open_path}  rPx -> child-open-help,
 
+  owner @{PROC}/@{pid}/stat r,
+
   include if exists <local/gnome-calculator>
 }
 

apparmor.d/groups/gnome/gnome-clocks

@@ -10,7 +10,7 @@ include <tunables/global>
 profile gnome-clocks @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio-client>
-  include <abstractions/bus-session>
+  include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/common/gnome>
@@ -19,7 +19,7 @@ profile gnome-clocks @{exec_path} {
 
   network netlink raw,
 
-  #aa:dbus own bus=session name=org.gnome.clocks
+  #aa:dbus own bus=session name=org.gnome.clocks interface+=org.gtk.Actions
 
   @{exec_path} mr,
   @{open_path}  rPx -> child-open-help,

apparmor.d/groups/gnome/gnome-control-center

@@ -38,7 +38,9 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),
 
   #aa:dbus own bus=session name=org.gnome.Settings
+  #aa:dbus own bus=session name=org.bluez.obex.Agent1
 
+  #aa:dbus talk bus=session name=org.bluez.obex label=obexd
   #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell
   #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color
   #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell

apparmor.d/groups/gnome/gnome-extension-gsconnect

@@ -36,8 +36,9 @@ profile gnome-extension-gsconnect @{exec_path} {
   @{bin}/openssl      rix,
   @{bin}/ssh-add      rix,
 
-  @{bin}/ssh-keygen rPx,
+  @{bin}/dconf            rPx,
-  @{bin}/xdg-screensaver rPx,
+  @{bin}/ssh-keygen       rPx,
+  @{bin}/xdg-screensaver  rPx,
 
   @{lib}/gio/modules/*.so* rm,
   @{lib}/girepository-1.0/* r,
@@ -53,6 +54,10 @@ profile gnome-extension-gsconnect @{exec_path} {
   owner @{user_config_dirs}/mimeapps.list w,
   owner @{user_config_dirs}/mimeapps.list.@{rand6} rw,
 
+  owner @{HOME}/.mozilla/firefox/firefox-mpris/@{word}.png r,
+
+  owner @{tmp}/.org.chromium.Chromium.@{rand6} r,
+
   owner @{run}/user/@{uid}/gsconnect/{,**} rw,
 
   @{sys}/devices/virtual/dmi/id/chassis_type r,

apparmor.d/groups/gnome/gnome-initial-setup

@@ -41,6 +41,7 @@ profile gnome-initial-setup @{exec_path} {
   @{bin}/xrandr  rPx,
 
   @{lib}/gnome-initial-setup-goa-helper rix,
+  @{lib}/@{multiarch}/ld-linux-*.so* rix,
 
   /usr/share/dconf/profile/gdm r,
   /usr/share/gnome-initial-setup/{,**} r,

apparmor.d/groups/gnome/gnome-remote-desktop-daemon

@@ -15,6 +15,7 @@ profile gnome-remote-desktop-daemon @{exec_path} {
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
   include <abstractions/graphics>
+  include <abstractions/nameservice-strict>
 
   network inet stream,
   network inet6 stream,

apparmor.d/groups/gnome/gnome-session-check

@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/gnome-session-check-*
+profile gnome-session-check @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/graphics>
+
+  @{exec_path} mr,
+
+  @{lib}/gnome-session-check-accelerated-gl-helper   ix,
+  @{lib}/gnome-session-check-accelerated-gles-helper ix,
+
+  include if exists <local/gnome-session-check>
+}
+
+# vim:syntax=apparmor

apparmor.d/groups/gnome/gnome-shell

@@ -242,6 +242,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   owner @{HOME}/.face r,
   owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
+  owner @{HOME}/.mozilla/native-messaging-hosts/ r,
+  owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json rw,
+  owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json.@{rand6} rw,
   owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
   owner @{HOME}/.var/app/**.{png,jpg,svg} r,
   owner @{HOME}/.var/app/**/ r,

apparmor.d/groups/gnome/mutter-x11-frames

@@ -28,7 +28,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
   /usr/share/gdm/greeter-dconf-defaults r,
 
   owner @{GDM_HOME}/greeter-dconf-defaults r,
-  owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
+  owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rw,
   owner @{gdm_config_dirs}/dconf/user r,
 
   @{sys}/devices/@{pci}/boot_vga r,

apparmor.d/groups/gnome/nautilus

@@ -28,7 +28,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 
   mqueue r type=posix /,
 
-  #aa:dbus own bus=session name=org.gnome.Nautilus interface+=org.gtk.{Application,Actions}
+  #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}"
   #aa:dbus own bus=session name=org.freedesktop.FileManager1
 
   #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell

apparmor.d/groups/gnome/session-migration

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/session-migration
 profile session-migration @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-session>
   include <abstractions/python>
 
   @{exec_path} mr,

apparmor.d/groups/gnome/yelp

@@ -15,7 +15,7 @@ profile yelp @{exec_path} {
   network netlink raw,
 
   #aa:dbus own bus=accessibility name=org.gnome.Yelp
-  #aa:dbus own bus=session name=org.gnome.Yelp
+  #aa:dbus own bus=session name=org.gnome.Yelp interface+=org.gtk.Actions
 
   @{exec_path} mr,
   @{open_path}  rPx -> child-open-help,