From 839f137de212fc456625815a24a5c3e6d0e033d0 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 5 Apr 2024 11:59:41 +0100
Subject: [PATCH] feat(profile) add the display-manager group.

- Group all display manager profile in the same group
- Ensure unsuported display manager can start a DE without breaking.
---
 .../display-manager}/lightdm | 22 ++++----
 .../display-manager}/lightdm-gtk-greeter | 7 ++-
 .../groups/display-manager/lightdm-xsession | 52 +++++++++++++++++++
 .../display-manager}/x11-xsession | 5 +-
 .../{kde => display-manager}/xdm-xsession | 0
 5 files changed, 70 insertions(+), 16 deletions(-)
 rename apparmor.d/{profiles-g-l => groups/display-manager}/lightdm (81%)
 rename apparmor.d/{profiles-g-l => groups/display-manager}/lightdm-gtk-greeter (90%)
 create mode 100644 apparmor.d/groups/display-manager/lightdm-xsession
 rename apparmor.d/{profiles-s-z => groups/display-manager}/x11-xsession (97%)
 rename apparmor.d/groups/{kde => display-manager}/xdm-xsession (100%)

diff --git a/apparmor.d/profiles-g-l/lightdm b/apparmor.d/groups/display-manager/lightdm
similarity index 81%
rename from apparmor.d/profiles-g-l/lightdm
rename to apparmor.d/groups/display-manager/lightdm
index 1ac7d1bd..78ee780b 100644
--- a/apparmor.d/profiles-g-l/lightdm
+++ b/apparmor.d/groups/display-manager/lightdm
@@ -11,16 +11,14 @@ include
 profile lightdm @{exec_path} flags=(attach_disconnected) {
   include
   include
+  include
   include
-  include
-  include
   include
   include
-  include
-  audit capability sys_nice,
   capability audit_write,
   capability chown,
+  capability dac_override,
   capability dac_read_search,
   capability fowner,
   capability fsetid,
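Review bot: `capability dac_override` is added to the lightdm profile in the first hunk without a comment naming the access that needs it, while the existing `capability dac_read_search` on the next line already covers reading and traversing paths the process does not own; dac_override additionally bypasses write permission checks, so it deserves a justification next to the rule. If a specific path triggered the denial (presumably one of the per-user or state files touched elsewhere in this diff), record it, e.g. `capability dac_override, # needed for: <PATH-FROM-LOG>`. The abstraction names on the include lines are not legible in this rendering, so the include changes of this hunk are not assessed here.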
@@ -33,23 +31,24 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
   network netlink raw,
-  signal (send) set=(term, kill, usr1),
+  signal (send) set=(term) peer=lightdm-*-greeter,
   signal (receive) set=(usr1) peer=xorg,
   @{exec_path} mrix,
-  @{bin}/rm rix,
+  @{bin}/rm rix,
-  @{bin}/lightdm-gtk-greeter rPx,
+  @{bin}/lightdm-*-greeter rPUx,
   @{bin}/startx rPx,
   @{bin}/Xorg rPx,
   @{bin}/plymouth rPx,
   @{bin}/gnome-keyring-daemon rPx,
-  @{lib}/security-misc/* rPUx, #aa:only whonix
+  @{lib}/security-misc/* rPx, #aa:only whonix
   @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
-  /etc/X11/Xsession rPUx,
+  /etc/lightdm/Xsession rPx,
+  /etc/X11/Xsession rPx,
   /usr/share/lightdm/{,**} r,
   /usr/share/wayland-sessions/{,*.desktop} r,
@@ -58,10 +57,13 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
   /etc/default/locale r,
   /etc/environment r,
   /etc/lightdm/{,**} r,
+  /etc/machine-id r,
   /etc/security/limits.d/{,*} r,
+  /etc/shells r,
   /var/cache/lightdm/dmrc/*.dmrc* rw,
   /var/lib/lightdm/{,**} rw,
+  /var/lib/lightdm-data/{,**} rw,
   /var/log/lightdm/{,**} rw,
   owner @{HOME}/.dmrc r,
@@ -72,7 +74,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
   @{run}/faillock/user rwk,
   @{run}/lightdm.pid rw,
   @{run}/lightdm/{,**} rw,
-  owner @{run}/systemd/sessions/@{int}.ref rw,
+  owner @{run}/systemd/sessions/*.ref rw,
   @{PROC}/1/limits r,
   @{PROC}/cmdline r,
diff --git a/apparmor.d/profiles-g-l/lightdm-gtk-greeter b/apparmor.d/groups/display-manager/lightdm-gtk-greeter
similarity index 90%
rename from apparmor.d/profiles-g-l/lightdm-gtk-greeter
rename to apparmor.d/groups/display-manager/lightdm-gtk-greeter
index 104939f2..eadd54a5 100644
--- a/apparmor.d/profiles-g-l/lightdm-gtk-greeter
+++ b/apparmor.d/groups/display-manager/lightdm-gtk-greeter
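Review bot: The new `@{bin}/lightdm-*-greeter rPUx` in the first hunk of lightdm falls back to running a greeter unconfined when no profile matches it, and an unconfined greeter carries the label `unconfined`, so the tightened `signal (send) set=(term) peer=lightdm-*-greeter` on the same hunk will not match it and lightdm will be denied stopping that greeter after login. Either keep `rPx` for the greeter that has a profile, `@{bin}/lightdm-gtk-greeter rPx,` next to the glob, or add a peer rule that covers the unconfined fallback and a comment explaining which greeters are expected to lack a profile. The send set also drops `kill`, while lightdm-gtk-greeter still declares `signal (receive) set=(term, kill) peer=lightdm` on the next line of this diff; presumably only term is sent in practice, but the two sets should be aligned or the difference commented. The same observation applies to the greeter hunk that follows.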
@@ -10,12 +10,10 @@ include
 @{exec_path} = @{bin}/lightdm-gtk-greeter
 profile lightdm-gtk-greeter @{exec_path} {
   include
-  include
+  include
   include
-  include
-  include
+  include
   include
-  include
   signal (receive) set=(term, kill) peer=lightdm,
@@ -26,6 +24,7 @@ profile lightdm-gtk-greeter @{exec_path} {
   @{lib}/systemd/systemd rCx -> systemd,
   @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
+  /usr/share/backgrounds/xfce/{,**} r,
   /usr/share/desktop-base/{,**} r,
   /usr/share/lightdm/{,**} r,
   /usr/share/wayland-sessions/{,*.desktop} r,
diff --git a/apparmor.d/groups/display-manager/lightdm-xsession b/apparmor.d/groups/display-manager/lightdm-xsession
new file mode 100644
index 00000000..b7bdadea
--- /dev/null
+++ b/apparmor.d/groups/display-manager/lightdm-xsession
@@ -0,0 +1,52 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /etc/lightdm/Xsession
+profile lightdm-xsession @{exec_path} {
+  include
+  include
+  include
+  include
+
+  @{exec_path} mr,
+
+  @{sh_path} rix,
+  @{bin}/cat rix,
+  @{bin}/tr rix,
+  @{bin}/tty rix,
+
+  @{bin}/dbus-update-activation-environment rCx -> dbus,
+  @{bin}/startxfce4 rPx,
+  @{bin}/systemctl rCx -> systemctl,
+
+  /etc/X11/xinit/xinitrc.d/{,**} r,
+  /etc/debuginfod/{,**} r,
+
+  owner @{HOME}/.xsession-errors w,
+
+  profile systemctl {
+    include
+    include
+
+    owner @{HOME}/.xsession-errors w,
+
+    include if exists
+  }
+
+  profile dbus {
+    include
+
+    @{bin}/dbus-update-activation-environment mr,
+
+    owner @{HOME}/.xsession-errors w,
+
+    include if exists
+  }
+
+  include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession
similarity index 97%
rename from apparmor.d/profiles-s-z/x11-xsession
rename to apparmor.d/groups/display-manager/x11-xsession
index 63b0d400..37d2d980 100644
--- a/apparmor.d/profiles-s-z/x11-xsession
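Review bot: The new lightdm-xsession profile lists `@{bin}/startxfce4 rPx` as its only session launcher, and since lightdm now reaches this script through `/etc/lightdm/Xsession rPx` rather than the earlier unconfined transition, any non-Xfce session that /etc/lightdm/Xsession hands off to (presumably the script execs whatever session command lightdm selected) will be denied at exec under enforce mode, which works against the commit's stated goal of not breaking desktop starts. The sibling x11-xsession profile enumerates its launchers individually (`enlightenment_start`, `im-launch`, and others visible in the last hunk); the same list, or a header comment stating that only Xfce is covered and how further sessions are meant to be added, would make the scope explicit. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows, and should get one for consistency with the rest of the tree.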
+++ b/apparmor.d/groups/display-manager/x11-xsession
@@ -74,8 +74,9 @@ profile x11-xsession @{exec_path} {
   @{bin}/ssh-agent mr,
-  audit @{bin}/gpg-agent rPx,
-  @{sh_path} rix,
+  @{sh_path} rix,
+
+  @{bin}/gpg-agent rPx,
   @{bin}/enlightenment_start rPUx,
   @{bin}/env rix,
   @{bin}/im-launch rPx,
diff --git a/apparmor.d/groups/kde/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession
similarity index 100%
rename from apparmor.d/groups/kde/xdm-xsession
rename to apparmor.d/groups/display-manager/xdm-xsession