From 87db46113c62e6c7e2802cbebf59fd84bd6aaca8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Mar 2024 23:28:57 +0000 Subject: [PATCH] feat(profile): cleanup common desktop files. --- apparmor.d/abstractions/audio2 | 3 ++- apparmor.d/abstractions/bwrap-app | 4 ++-- apparmor.d/abstractions/desktop | 2 +- .../abstractions/freedesktop.org.d/complete | 5 ++++- apparmor.d/groups/freedesktop/pulseaudio | 2 -- .../groups/freedesktop/update-desktop-database | 17 +++++------------ apparmor.d/groups/freedesktop/xdg-settings | 10 +--------- apparmor.d/groups/gnome/gnome-terminal-server | 3 --- apparmor.d/groups/gnome/tracker-miner | 3 --- .../groups/ubuntu/software-properties-gtk | 1 - apparmor.d/groups/ubuntu/update-manager | 2 -- apparmor.d/profiles-m-r/plank | 9 +-------- apparmor.d/profiles-s-z/system-config-printer | 10 ++-------- 13 files changed, 18 insertions(+), 53 deletions(-) diff --git a/apparmor.d/abstractions/audio2 b/apparmor.d/abstractions/audio2 index 87a00b5a..99b977c3 100644 --- a/apparmor.d/abstractions/audio2 +++ b/apparmor.d/abstractions/audio2 @@ -2,7 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Modernised version of , will be merged with it. +# Modernized version of , will be merged with it. It should +# only be used by audio servers that need direct access to device files. include diff --git a/apparmor.d/abstractions/bwrap-app b/apparmor.d/abstractions/bwrap-app index a4a64a1a..7f28ce37 100644 --- a/apparmor.d/abstractions/bwrap-app +++ b/apparmor.d/abstractions/bwrap-app @@ -5,8 +5,8 @@ # Common rules for applications sandboxed using bwrap. # This abstraction is wide on purpose. It is meant to be used by sandbox -# applications (bwrap) that have no way to restrict access depending of the -# application beeing confined. +# applications (bwrap) that have no way to restrict access depending on the +# application being confined. include include 
diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 44344fa8..06c2dd05 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Unified minimal abstaction for all UI application regardless of the desktop environment. +# Unified minimal abstraction for all UI application regardless of the desktop environment. # When supported in apparmor, condition will be used in this abstraction to filter # resources specific for supported DE. diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index d515e806..c9f714ac 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -6,13 +6,16 @@ @{system_share_dirs}/*ubuntu/applications/{,**} r, @{system_share_dirs}/gnome/applications/{,**} r, @{system_share_dirs}/xfce4/applications/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + + @{system_share_dirs}/glib-2.0/schemas/ r, + @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, /usr/share/mime/ r, /etc/gnome/defaults.list r, /etc/xfce4/defaults.list r, + /var/lib/snapd/desktop/applications/{,**} r, /var/lib/snapd/desktop/icons/{,**} r, owner @{HOME}/.icons/{,**} r, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index c3a40b05..afc5d2ef 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -89,8 +89,6 @@ profile pulseaudio @{exec_path} { /etc/pulse/{,**} r, - /var/lib/snapd/desktop/applications/ r, - owner @{desktop_cache_dirs}/gstreamer-1.0/ rw, owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, owner @{desktop_config_dirs}/dconf/user r, 
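Review bot: `/usr/share/mime/ r,` is now the only share-directory rule in this hunk of freedesktop.org.d/complete left hard-coded, while the schema rules beside it were moved to `@{system_share_dirs}/glib-2.0/schemas/{,gschemas.compiled} r,`; for consistency it should become `@{system_share_dirs}/mime/ r,`, assuming that variable expands to the same prefixes the surrounding `applications/` rules rely on. Because this abstraction is pulled in by many desktop profiles, the new `/var/lib/snapd/desktop/applications/{,**} r,` line also deserves a short comment such as `# Snap-exported desktop entries, shared here so profiles do not re-add them` so the per-profile copies this commit removes are not reintroduced later.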
diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index b4d9205a..42b03061 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database @@ -11,26 +11,19 @@ include profile update-desktop-database @{exec_path} flags=(attach_disconnected) { include include + include capability dac_override, capability dac_read_search, @{exec_path} mr, - /usr/share/{,ubuntu/}applications/{,**/} r, - /usr/share/{,ubuntu/}applications/**.desktop r, - /usr/share/{,ubuntu/}applications/.mimeinfo.cache.* rw, - /usr/share/{,ubuntu/}applications/mimeinfo.cache w, + @{system_share_dirs}/*ubuntu/applications/.mimeinfo.cache.* rw, + @{system_share_dirs}/*ubuntu/applications/mimeinfo.cache w, - /usr/share/*/*.desktop r, + @{system_share_dirs}/applications/.mimeinfo.cache.* rw, + @{system_share_dirs}/applications/mimeinfo.cache w, - /var/lib/flatpak/{app/**/,}export{s,}/share/applications/{,**/} r, - /var/lib/flatpak/{app/**/,}export{s,}/share/applications/**.desktop r, - /var/lib/flatpak/{app/**/,}export{s,}/share/applications/.mimeinfo.cache.* rw, - /var/lib/flatpak/{app/**/,}export{s,}/share/applications/mimeinfo.cache w, - - /var/lib/snapd/desktop/applications/{,**/} r, - /var/lib/snapd/desktop/applications/**.desktop r, /var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw, /var/lib/snapd/desktop/applications/mimeinfo.cache w, diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index f5030b0d..62551f0c 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -11,6 +11,7 @@ include profile xdg-settings @{exec_path} { include include + include @{exec_path} r, 
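Review bot: The flatpak rules removed from update-desktop-database are not replaced on the write side: the old `/var/lib/flatpak/{app/**/,}export{s,}/share/applications/.mimeinfo.cache.* rw,` and `.../mimeinfo.cache w,` lines are gone, while the new block only keeps write rules for `@{system_share_dirs}` and `/var/lib/snapd/desktop/applications/`. The include added at the top of the profile (its target is not legible in this rendering) presumably carries the read rules the commit drops, but an abstraction shared with reader profiles is unlikely to grant `w`, so running update-desktop-database against a flatpak export directory would now be denied. Suggest keeping `/var/lib/flatpak/{app/**/,}export{s,}/share/applications/.mimeinfo.cache.* rw,` and `/var/lib/flatpak/{app/**/,}export{s,}/share/applications/mimeinfo.cache w,` next to the snapd pair. The profile body continues outside the hunk.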
@@ -41,15 +42,6 @@ profile xdg-settings @{exec_path} { /etc/machine-id r, /var/lib/dbus/machine-id r, - /var/lib/flatpak/exports/share/applications/{,*} r, - /var/lib/snapd/desktop/applications/{,*} r, - - # freedesktop.org-strict - /usr/{,local/}share/applications/{,*} r, - /usr/{,local/}share/ubuntu/applications/ r, - owner @{user_share_dirs}/applications/ r, - owner @{user_share_dirs}/applications/*.desktop r, - owner @{HOME}/ r, owner @{HOME}/.Xauthority r, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index c904f5b6..94fafbcf 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -52,9 +52,6 @@ profile gnome-terminal-server @{exec_path} { /etc/shells r, - /var/lib/flatpak/exports/share/icons/{,**} r, - /var/lib/snapd/desktop/icons/{,**} r, - owner @{user_config_dirs}/*xdg-terminals.list* rw, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 13bba74d..f931ecaf 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -43,9 +43,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { /etc/blkid.conf r, /etc/timezone r, - /var/lib/flatpak/exports/share/applications/{,mimeinfo.cache} r, - /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r, - owner @{GDM_HOME}/ r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/gstreamer-*/registry.*.bin r, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 2e17c64c..6e949941 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk 
@@ -71,7 +71,6 @@ profile software-properties-gtk @{exec_path} { /etc/update-manager/release-upgrades r, /var/crash/*software-properties-gtk.@{uid}.crash rw, - /var/lib/snapd/desktop/icons/ r, /var/lib/ubuntu-advantage/status.json r, owner /tmp/???????? rw, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 7c57f349..14773b95 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -66,8 +66,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /var/lib/dpkg/info/*.list r, /var/lib/dpkg/updates/ r, - /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r, - /var/lib/snapd/desktop/icons/{,*} r, /var/lib/update-manager/{,**} rw, owner @{user_cache_dirs}/update-manager-core/{,**} rw, diff --git a/apparmor.d/profiles-m-r/plank b/apparmor.d/profiles-m-r/plank index 0d882118..f94da07a 100644 --- a/apparmor.d/profiles-m-r/plank +++ b/apparmor.d/profiles-m-r/plank @@ -13,19 +13,12 @@ profile plank @{exec_path} { include include include + include include - include - include - include - include @{exec_path} rm, /usr/{,local/}share/plank/{,**} r, - /usr/{,local/}share/mime/mime.cache r, - - /var/lib/flatpak/exports/share/icons/{,**} r, - /var/lib/flatpak/exports/share/mime/mime.cache r, owner @{user_config_dirs}/plank/{,**} rw, diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index f6ff1f51..744851ca 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -16,13 +16,10 @@ profile system-config-printer @{exec_path} flags=(complain) { include include include + include include - include - include - include include include - include network inet stream, network inet6 stream, 
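Review bot: plank loses `/usr/{,local/}share/mime/mime.cache r,` and `/var/lib/flatpak/exports/share/mime/mime.cache r,` together with four includes, and gains a single include whose target is not legible in this rendering, so nothing left in the hunk grants the MIME cache file. The visible part of freedesktop.org.d/complete in this same commit lists only `/usr/share/mime/ r,` (the directory, not `mime.cache`) and no flatpak export rules, so please confirm the new include covers both paths; if plank still reads MIME data for its launchers it would otherwise hit denials. If it does not, keep `/usr/{,local/}share/mime/mime.cache r,` and `/var/lib/flatpak/exports/share/mime/mime.cache r,` in the profile. The profile body continues outside the hunk.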
@@ -37,20 +34,17 @@ profile system-config-printer @{exec_path} flags=(complain) { /usr/share/cups/data/testprint r, /usr/share/system-config-printer/{,**} r, - /usr/share/X11/xkb/{,**} r, /etc/cups/cupsd.conf r, /etc/cupshelpers/preferreddrivers.xml r, /etc/fstab r, /etc/papersize r, - /var/lib/snapd/desktop/icons/ r, - owner @{HOME}/.cups/ rw, owner @{HOME}/.cups/lpoptions rw, - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{run}/cups/cups.sock rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner /tmp/* rw,