From 8c0e0a9de10b54d0d5f49fcef7556ccaccb8d477 Mon Sep 17 00:00:00 2001 
From: nobody43 Date: Sat, 25 Feb 2023 18:44:21 +0000 Subject: [PATCH] freedesktop --- apparmor.d/abstractions/chromium | 1 - apparmor.d/abstractions/freedesktop.org.d/complete | 2 ++ apparmor.d/groups/apps/android-studio | 1 - apparmor.d/groups/apps/atom | 1 - apparmor.d/groups/apps/code | 1 - apparmor.d/groups/apps/discord | 1 - apparmor.d/groups/apps/freetube | 1 - apparmor.d/groups/apps/signal-desktop | 1 - apparmor.d/groups/apps/telegram-desktop | 1 - apparmor.d/groups/apps/thunderbird | 1 - apparmor.d/groups/apps/vlc | 1 - apparmor.d/groups/apt/reportbug | 1 - apparmor.d/groups/apt/synaptic | 1 - apparmor.d/groups/browsers/firefox | 1 - apparmor.d/groups/browsers/firefox-crashreporter | 1 - .../freedesktop/polkit-mate-authentication-agent | 1 - apparmor.d/groups/freedesktop/pulseaudio | 1 - apparmor.d/groups/freedesktop/xdg-desktop-portal | 1 - .../groups/freedesktop/xdg-desktop-portal-gnome | 4 ---- .../groups/freedesktop/xdg-desktop-portal-gtk | 1 - apparmor.d/groups/freedesktop/xdg-mime | 3 --- apparmor.d/groups/freedesktop/xdg-open | 4 ++-- apparmor.d/groups/freedesktop/xdg-settings | 11 ++++++----- apparmor.d/groups/gnome/evolution-alarm-notify | 6 ++++-- apparmor.d/groups/gnome/gio-launch-desktop | 1 - apparmor.d/groups/gnome/gjs-console | 1 - apparmor.d/groups/gnome/gnome-control-center | 6 ++++-- .../gnome/gnome-control-center-search-provider | 6 +----- apparmor.d/groups/gnome/gnome-disk-image-mounter | 1 - apparmor.d/groups/gnome/gnome-extension-ding | 4 ---- apparmor.d/groups/gnome/gnome-extension-manager | 1 - apparmor.d/groups/gnome/gnome-extensions-app | 1 - apparmor.d/groups/gnome/gnome-session-binary | 14 +------------- apparmor.d/groups/gnome/gnome-shell | 6 ++++-- apparmor.d/groups/gnome/gnome-software | 1 - apparmor.d/groups/gnome/gnome-system-monitor | 6 ++++-- apparmor.d/groups/gnome/gnome-terminal-server | 1 - apparmor.d/groups/gnome/gsd-media-keys | 1 - apparmor.d/groups/gnome/gsd-wacom | 8 +++++--- apparmor.d/groups/gnome/seahorse | 3 
++- apparmor.d/groups/gnome/tracker-extract | 1 - apparmor.d/groups/gnome/tracker-miner | 1 - apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor | 1 - apparmor.d/groups/gvfs/gvfsd-ftp | 1 - apparmor.d/groups/gvfs/gvfsd-http | 1 - apparmor.d/groups/gvfs/gvfsd-mtp | 1 - apparmor.d/groups/gvfs/gvfsd-smb | 1 - apparmor.d/groups/network/mullvad-gui | 1 - apparmor.d/groups/ubuntu/apport-gtk | 2 -- apparmor.d/groups/ubuntu/update-manager | 5 +---- apparmor.d/groups/ubuntu/update-notifier | 8 +------- apparmor.d/profiles-a-f/appstreamcli | 8 +++++--- apparmor.d/profiles-a-f/arduino | 1 - apparmor.d/profiles-a-f/atril | 1 - apparmor.d/profiles-a-f/blueman | 1 - apparmor.d/profiles-a-f/cawbird | 1 - apparmor.d/profiles-a-f/claws-mail | 1 - apparmor.d/profiles-a-f/czkawka-gui | 1 - apparmor.d/profiles-a-f/deltachat-desktop | 1 - apparmor.d/profiles-a-f/dino-im | 1 - apparmor.d/profiles-a-f/engrampa | 1 - apparmor.d/profiles-a-f/exo-helper | 1 - apparmor.d/profiles-a-f/file-roller | 1 - apparmor.d/profiles-a-f/firecfg | 5 +++-- apparmor.d/profiles-a-f/font-manager | 1 - apparmor.d/profiles-g-l/gajim | 1 - apparmor.d/profiles-g-l/ganyremote | 1 - apparmor.d/profiles-g-l/gpartedbin | 1 - apparmor.d/profiles-g-l/gpodder | 1 - apparmor.d/profiles-g-l/gsmartcontrol | 1 - apparmor.d/profiles-g-l/hypnotix | 1 - apparmor.d/profiles-g-l/jami-gnome | 1 - apparmor.d/profiles-g-l/keepassxc | 1 - apparmor.d/profiles-g-l/light-locker | 1 - apparmor.d/profiles-m-r/mediainfo-gui | 1 - apparmor.d/profiles-m-r/obamenu | 4 +++- apparmor.d/profiles-m-r/obconf | 1 - apparmor.d/profiles-m-r/pulseeffects | 1 - apparmor.d/profiles-m-r/qbittorrent | 1 - apparmor.d/profiles-m-r/remmina | 1 - apparmor.d/profiles-m-r/rpi-imager | 1 - apparmor.d/profiles-m-r/rustdesk | 1 - apparmor.d/profiles-s-z/steam | 1 - apparmor.d/profiles-s-z/system-config-printer | 1 - apparmor.d/profiles-s-z/udiskie | 1 - apparmor.d/profiles-s-z/utox | 1 - apparmor.d/profiles-s-z/virt-manager | 1 - 
apparmor.d/profiles-s-z/volumeicon | 1 - apparmor.d/profiles-s-z/wireshark | 1 - apparmor.d/profiles-s-z/xarchiver | 1 - 90 files changed, 48 insertions(+), 137 deletions(-) diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium index d16e9a8c..23224bcd 100644 --- a/apparmor.d/abstractions/chromium +++ b/apparmor.d/abstractions/chromium @@ -89,7 +89,6 @@ /usr/share/@{chromium_name}/{,**} r, /usr/share/chromium/extensions/{,**} r, /usr/share/egl/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/libdrm/*.ids r, /usr/share/mozilla/extensions/{,**} r, /usr/share/webext/{,**} r, diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index a6be314d..9a64741b 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -11,3 +11,5 @@ /etc/gnome/defaults.list r, /etc/xfce4/defaults.list r, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/apps/android-studio b/apparmor.d/groups/apps/android-studio index 17ee0cf3..5d542009 100644 --- a/apparmor.d/groups/apps/android-studio +++ b/apparmor.d/groups/apps/android-studio @@ -209,7 +209,6 @@ profile android-studio @{exec_path} { /usr/share/hwdata/pnp.ids r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/groups/apps/atom b/apparmor.d/groups/apps/atom index 710549d6..def04032 100644 --- a/apparmor.d/groups/apps/atom +++ b/apparmor.d/groups/apps/atom @@ -95,7 +95,6 @@ profile atom @{exec_path} { /etc/fstab r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Needed or atom gets crash with the following error: # FATAL:proc_util.cc(36)] : Permission denied (13) diff --git a/apparmor.d/groups/apps/code b/apparmor.d/groups/apps/code index 2a07614d..a432df3d 100644 --- a/apparmor.d/groups/apps/code +++ b/apparmor.d/groups/apps/code 
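Review bot: Adding `/usr/share/glib-2.0/schemas/gschemas.compiled r,` to `abstractions/freedesktop.org.d/complete` only helps profiles that actually pull in the freedesktop.org abstraction, and none of the one-line removal hunks in this patch show the profile's include list, so each of those profiles should be checked for that include before its local rule is dropped. A profile that loses the rule without the include will have the read denied, which is the failure the comments kept in the discord, telegram-desktop and thunderbird hunks describe. Those three comments are now orphaned: in telegram-desktop "Needed when saving files as, or otherwise the app crashes" ends up directly above `/usr/share/hwdata/pnp.ids r,`. They should be removed or reworded, for example `# gschemas.compiled now comes from the freedesktop.org abstraction`. A one-line comment above the new rule in `complete` saying why it lives there would also help.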
@@ -69,7 +69,6 @@ profile code @{exec_path} { /etc/fstab r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Needed or code gets crash with the following error: # FATAL:proc_util.cc(36)] : Permission denied (13) diff --git a/apparmor.d/groups/apps/discord b/apparmor.d/groups/apps/discord index afed0b7c..76147a62 100644 --- a/apparmor.d/groups/apps/discord +++ b/apparmor.d/groups/apps/discord @@ -92,7 +92,6 @@ profile discord @{exec_path} { # To avoid the following error: # kernel: traps: Discord[] trap int3 ip:7fa5b7541885 sp:7ffff5539c40 error:0 # in libglib-2.0.so.0.6000.6[7fa5b7508000+80000] - /usr/share/glib-2.0/schemas/gschemas.compiled r, deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, deny @{sys}/devices/virtual/tty/tty[0-9]/active r, diff --git a/apparmor.d/groups/apps/freetube b/apparmor.d/groups/apps/freetube index cdfa5269..8a10f408 100644 --- a/apparmor.d/groups/apps/freetube +++ b/apparmor.d/groups/apps/freetube @@ -68,7 +68,6 @@ profile freetube @{exec_path} { /etc/fstab r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs} r, diff --git a/apparmor.d/groups/apps/signal-desktop b/apparmor.d/groups/apps/signal-desktop index de35eb22..cf0ff5a3 100644 --- a/apparmor.d/groups/apps/signal-desktop +++ b/apparmor.d/groups/apps/signal-desktop @@ -75,7 +75,6 @@ profile signal-desktop @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # No new privs /{usr/,}bin/xdg-settings rPx, diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop index 39f7072d..73966ecc 100644 --- a/apparmor.d/groups/apps/telegram-desktop +++ b/apparmor.d/groups/apps/telegram-desktop @@ -76,7 +76,6 @@ profile telegram-desktop @{exec_path} { /etc/machine-id r, # Needed when saving files as, or otherwise the app crashes - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/hwdata/pnp.ids r, 
diff --git a/apparmor.d/groups/apps/thunderbird b/apparmor.d/groups/apps/thunderbird index fb61f02a..b24ca3ad 100644 --- a/apparmor.d/groups/apps/thunderbird +++ b/apparmor.d/groups/apps/thunderbird @@ -146,7 +146,6 @@ profile thunderbird @{exec_path} { owner @{user_share_dirs}/ r, # Fix error in libglib while saving files as - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Spellcheck /{usr/,}bin/locale rix, diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index adddbb90..72260997 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc @@ -147,7 +147,6 @@ profile vlc @{exec_path} { /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/hwdata/pnp.ids r, /usr/share/qt5ct/** r, /usr/share/vlc/{,**} r, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index 8c594c7c..32133ae6 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -65,7 +65,6 @@ profile reportbug @{exec_path} { /{usr/,}lib/python3/dist-packages/pylocales/locales.db rk, /usr/share/bug/*/{control,presubj} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/** r, /etc/** r, diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 57d7e1b0..a04ed89e 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -147,7 +147,6 @@ profile synaptic @{exec_path} { # errorcode: 2 /dev/ptmx rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/fstab r, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 33916fd0..0cc32ac1 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox 
@@ -157,7 +157,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /usr/share/doc/{,**} r, /usr/share/egl/{,**} r, /usr/share/@{firefox_name}/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/libdrm/*.ids r, /usr/share/mozilla/extensions/{,**} r, /usr/share/webext/{,**} r, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index dac93e95..1ad1d44e 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -37,7 +37,6 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/mv rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/** r, owner "@{firefox_config_dirs}/firefox/Crash Reports/{,**}" rw, diff --git a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent index 687664b4..8a6cbf85 100644 --- a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent @@ -26,7 +26,6 @@ profile polkit-mate-authentication-agent @{exec_path} { /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/** r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index a87a7ee7..d32be3ca 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -114,7 +114,6 @@ profile pulseaudio @{exec_path} { /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix, /{usr/,}lib/pulse-*/modules/*.so mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/pulseaudio/{,**} r, /var/lib/snapd/desktop/applications/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 8441b5e8..9a08abeb 100644 
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -118,7 +118,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { / r, /.flatpak-info r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/pipewire/client.conf r, /usr/share/xdg-desktop-portal/portals/{,*.portal} r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 6b8a460d..36db492f 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -115,12 +115,8 @@ profile xdg-desktop-portal-gnome @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/ubuntu/applications/ r, /usr/share/X11/xkb/{,**} r, - /etc/gnome/defaults.list r, - /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r, /var/lib/snapd/desktop/icons/{,**} r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 6b76865e..7642f66b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -149,7 +149,6 @@ profile xdg-desktop-portal-gtk @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/{,**} r, / r, diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 771679da..dd504f54 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -33,9 +33,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/xprop rPx, /usr/share/terminfo/x/xterm-256color r, - /usr/share/ubuntu/applications/ r, - - /etc/gnome/defaults.list r, owner @{HOME}/.Xauthority r, owner @{user_config_dirs}/mimeapps.list{,.new} rw, 
diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index 96a8e67b..9d87d7ae 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open @@ -33,12 +33,12 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/dbus-launch rCx -> dbus, /{usr/,}bin/dbus-send rCx -> dbus, - /usr/share/applications/*.desktop r, - /** r, owner /** rw, + # freedesktop.org-strict owner @{user_share_dirs}/applications/ r, + /usr/share/applications/*.desktop r, /dev/tty rw, diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 0c9212bb..6dd8e228 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -33,9 +33,7 @@ profile xdg-settings @{exec_path} { /{usr/,}bin/xdg-mime rPx, /{usr/,}bin/xprop rPx, - /usr/share/applications/{,*} r, /usr/share/terminfo/x/xterm-256color r, - /usr/share/ubuntu/applications/ r, /etc/xdg/xfce4/helpers.rc r, /etc/machine-id r, @@ -44,14 +42,17 @@ profile xdg-settings @{exec_path} { /var/lib/flatpak/exports/share/applications/{,*} r, /var/lib/snapd/desktop/applications/{,*} r, + # freedesktop.org-strict + /usr/share/applications/{,*} r, + /usr/share/ubuntu/applications/ r, + owner @{user_share_dirs}/applications/ r, + owner @{user_share_dirs}/applications/*.desktop r, + owner @{HOME}/ r, owner @{HOME}/.Xauthority r, owner @{user_config_dirs}/xfce4/helpers.rc{,.*} rw, - owner @{user_share_dirs}/applications/ r, - owner @{user_share_dirs}/applications/*.desktop r, - owner @{run}/user/@{uid}/ r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 3e69147a..41bf99c3 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify 
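Review bot: The new `# freedesktop.org-strict` label in the xdg-open hunk is not explained, and here it sits directly under `/** r,` and `owner /** rw,`, which appear to already cover both rules grouped beneath it. The label suggests a narrowly scoped profile, while the effective read scope visible in this hunk is the whole filesystem. I would spell the intent out, e.g. `# Candidates for a freedesktop.org-strict abstraction (currently shadowed by /** r above)`, if that is what the marker means. The same bare label is added in the xdg-settings, evolution-alarm-notify, gnome-control-center, gnome-shell, gnome-system-monitor, gsd-wacom, seahorse and appstreamcli hunks.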
@@ -20,9 +20,11 @@ profile evolution-alarm-notify @{exec_path} { @{exec_path} mr, /usr/share/evolution-data-server/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/ubuntu/applications/ r, /usr/share/{,zoneinfo-}icu/{,**} r, + # freedesktop.org-strict + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/*ubuntu/applications/ r, + include if exists } diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 3b0c3494..d87a3dee 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -23,7 +23,6 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/gio-launch-desktop rix, # System files - /etc/gnome/defaults.list r, /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r, # User files diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index cb789bc8..7f812cda 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -82,7 +82,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/egl/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/{,**} r, /usr/share/icu/{,**} r, /usr/share/X11/xkb/** r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index adcf3654..c114ca1a 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center 
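Review bot: The relocated rule in the evolution-alarm-notify hunk changes from `/usr/share/ubuntu/applications/ r,` to `/usr/share/*ubuntu/applications/ r,`, which is a permission widening inside what otherwise reads as a pure move. The leading `*` matches any directory name ending in `ubuntu`, and the commit message ("freedesktop") does not say which names are intended. The same prefix widening appears in the gnome-system-monitor and seahorse hunks. A short comment stating the intent, or an alternation listing only the expected directory names, would keep the grant reviewable.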
@@ -87,13 +87,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/language-tools/language2locale rix, /snap/*/[0-9]*/**.png r, - /usr/share/*ubuntu/applications/{,*} r, /usr/share/backgrounds/{,**} r, /usr/share/cups/data/testprint r, /usr/share/desktop-base/**.{xml,png,svg} r, /usr/share/egl/{,**} r, /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-background-properties/{,**} r, /usr/share/gnome-bluetooth{-*,}/{,**} r, /usr/share/gnome-color-manager/{,**} r, @@ -108,6 +106,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, /usr/share/zoneinfo/{,**} r, + # freedesktop.org-strict + /usr/share/*ubuntu/applications/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /etc/cups/client.conf r, /etc/machine-info r, /etc/pipewire/client.conf.d/ r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 1517e26f..5b515a08 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -21,16 +21,12 @@ profile gnome-control-center-search-provider @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/ubuntu/applications/{,**} r, /usr/share/X11/xkb/{,**} r, - /etc/gnome/defaults.list r, - /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 853c4a1c..7ef74bb1 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter 
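Review bot: In the second gnome-control-center hunk the re-added rule is `/usr/share/*ubuntu/applications/{,**} r,`, while the line removed in the first hunk ended in `{,*}`, so the read grant grows from one directory level to the full subtree. The gnome-shell hunks do the same more sharply, replacing `/usr/share/*ubuntu/applications/{,*.desktop} r,` with `{,**}`. If the recursion is not required, keep the original patterns when moving the rules (`{,*}` here, `{,*.desktop}` in gnome-shell). If it is required, the commit message should say so, since the change currently reads as a refactor.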
@@ -16,7 +16,6 @@ profile gnome-disk-image-mounter @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/{,**} r, # Allow to mount user files diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index cc9ce275..4417b939 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -148,14 +148,10 @@ profile gnome-extension-ding @{exec_path} { /{usr/,}bin/gnome-control-center rPx, /{usr/,}bin/nautilus rPx, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/extensions/ding@rastersoft.com/* r, /usr/share/thumbnailers/{,*.thumbnailer} r, - /usr/share/ubuntu/applications/{,**} r, /usr/share/X11/{,**} r, - /etc/gnome/defaults.list r, - /var/lib/snapd/desktop/icons/{,**} r, owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, diff --git a/apparmor.d/groups/gnome/gnome-extension-manager b/apparmor.d/groups/gnome/gnome-extension-manager index adb221c2..23dd28ec 100644 --- a/apparmor.d/groups/gnome/gnome-extension-manager +++ b/apparmor.d/groups/gnome/gnome-extension-manager @@ -35,7 +35,6 @@ profile gnome-extension-manager @{exec_path} { /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, /{usr/,}lib/gio-launch-desktop rPx -> child-open, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/org.gnome.Shell.Extensions r, /usr/share/themes/{,**} r, /usr/share/X11/xkb/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index c7598ebf..f4aeb098 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app 
@@ -25,7 +25,6 @@ profile gnome-extensions-app @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/gjs-console rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/org.gnome.Extensions* r, /usr/share/icu/{,**} r, /usr/share/terminfo/x/xterm-256color r, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 83d49cfd..44cc7404 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -15,6 +15,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -183,20 +184,14 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{libexec}/gsd-disk-utility-notify rPx, @{libexec}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify rPx, - /usr/share/applications/{,**} r, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, /usr/share/gdm/greeter/autostart/{,*.desktop} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glvnd/egl_vendor.d/ r, /usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/sessions/*.session r, /usr/share/gnome/autostart/{,*.desktop} r, - /usr/share/icons/{,**} r, - /usr/share/mime/mime.cache r, - /usr/share/*ubuntu/applications/{,*.desktop} r, - /usr/share/*ubuntu/applications/mimeinfo.cache r, /usr/share/X11/xkb/{,**} r, /usr/share/session-migration/scripts/{,*} r, 
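Review bot: The first gnome-session-binary hunk adds a single `include` line, and the two later hunks delete a series of local rules on the strength of it, but the include target is not legible on this page, so the equivalence cannot be checked from the diff. Please confirm the included abstraction covers every removed path, in particular `owner @{user_config_dirs}/user-dirs.dirs r,`, `owner @{user_config_dirs}/mimeapps.list r,` and `/usr/share/*ubuntu/applications/mimeinfo.cache r,`, and note that the profile also inherits whatever else that abstraction grants. update-notifier follows the same pattern (one added include, then removal of the applications, icons, mime and pixmaps rules). A comment next to the new include, such as `# replaces the local applications/icons/mime rules`, would make the dependency explicit for the next reviewer.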
@@ -223,15 +218,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gnome-session/saved-session/ rw, owner @{user_config_dirs}/gtk-3.0/bookmarks rw, owner @{user_config_dirs}/gtk-3.0/bookmarks.[0-9A-Z]* rw, - owner @{user_config_dirs}/mimeapps.list r, - owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, - owner @{user_share_dirs}/applications/ r, - owner @{user_share_dirs}/applications/defaults.list r, - owner @{user_share_dirs}/applications/mimeapps.list r, - owner @{user_share_dirs}/applications/mimeinfo.cache r, owner @{user_share_dirs}/gnome-shell/gnome-overrides-migrated rw, - owner @{user_share_dirs}/mime/mime.cache r, owner @{user_share_dirs}/session_migration-ubuntu r, @{run}/systemd/inhibit/[0-9]*.ref rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index a8a49ae7..01fa2513 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -487,7 +487,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /opt/*/**/*.png r, /snap/*/@{uid}/**.png r, /usr/share/{,zoneinfo-}icu/{,**} r, - /usr/share/*ubuntu/applications/{,*.desktop} r, /usr/share/app-info/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/dconf/profile/gdm r, @@ -499,7 +498,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/BuiltInSessions/{,*.desktop} r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/{,**} r, /usr/share/libdrm/*.ids r, /usr/share/libgweather/Locations.xml r, 
@@ -513,6 +511,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, /usr/share/gnome-packagekit/icons/hicolor/{,**} r, + # freedesktop.org-strict + /usr/share/*ubuntu/applications/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /.flatpak-info r, /etc/fstab r, /etc/udev/hwdb.bin r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index a1d336fe..afefd5e0 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -44,7 +44,6 @@ profile gnome-software @{exec_path} { /usr/share/app-info/{,**} r, /usr/share/appdata/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/metainfo/{,**} r, /usr/share/swcatalog/xml/{,**} r, /usr/share/X11/xkb/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 31aeb120..3031ce31 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -28,10 +28,12 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/pkexec rPx, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-system-monitor/{,**} r, + + # freedesktop.org-strict /usr/share/pixmaps/{,**} r, - /usr/share/ubuntu/applications/{,**} r, + /usr/share/*ubuntu/applications/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/machine-id r, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 2756fe36..ad24db9c 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server 
@@ -36,7 +36,6 @@ profile gnome-terminal-server @{exec_path} { /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, /{usr/,}lib/gio-launch-desktop rPx -> child-open, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icu/{,**} r, /usr/share/X11/xkb/{,**} r, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 04fc7f7a..833ad68a 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -162,7 +162,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/{,**} r, /usr/share/mime/mime.cache r, /usr/share/sounds/freedesktop/stereo/*.oga r, diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 9459956f..b8508e47 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -96,14 +96,16 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/icons/{,**} r, /usr/share/libwacom/{,*} r, - /usr/share/mime/mime.cache r, /usr/share/X11/xkb/** r, /etc/machine-id r, + # freedesktop.org-strict + /usr/share/icons/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/mime/mime.cache r, + owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9] rw, owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index fa95bf56..cf196be0 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse 
@@ -42,8 +42,9 @@ profile seahorse @{exec_path} { /{usr/,}bin/gpg{,2} rUx, /{usr/,}bin/gpgsm rPx, + # freedesktop.org-strict /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/ubuntu/applications/ r, + /usr/share/*ubuntu/applications/ r, /etc/pki/trust/blocklist/ r, /etc/gcrypt/hwf.deny r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 194940dd..89d1147d 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -67,7 +67,6 @@ profile tracker-extract @{exec_path} { @{exec_path} mr, /usr/share/dconf/profile/gdm r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/hwdata/*.ids r, /usr/share/ladspa/rdf/{,**} r, /usr/share/mime/mime.cache r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index f635929b..cfd36baf 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -80,7 +80,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/tracker3-miners/{,**} r, /usr/share/tracker3/{,**} r, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index dace4270..336aeda9 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -62,7 +62,6 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/mount rPx, /{usr/,}bin/umount rPx, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /var/lib/gdm{3,}/.config/dconf/user r, diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp index 713f84aa..63cf75df 100644 --- a/apparmor.d/groups/gvfs/gvfsd-ftp 
+++ b/apparmor.d/groups/gvfs/gvfsd-ftp @@ -22,7 +22,6 @@ profile gvfsd-ftp @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 869fd5c6..5362997e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -24,7 +24,6 @@ profile gvfsd-http @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{run}/user/@{uid}/gvfsd/socket-* rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 1d5e3885..f0a23385 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -20,7 +20,6 @@ profile gvfsd-mtp @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{HOME}/{,**} rw, owner @{MOUNTS}/{,**} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index dfc1b23c..238bfc08 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -21,7 +21,6 @@ profile gvfsd-smb @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/samba/smb.conf r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index caf516f7..d0df2371 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -40,7 +40,6 @@ profile mullvad-gui @{exec_path} { "/opt/Mullvad VPN/{,**}" r, /usr/share/themes/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/libva.conf r, /etc/igfx_user_feature{,_next}.txt w, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index b22c43ee..307df1ba 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk 
@@ -56,7 +56,6 @@ profile apport-gtk @{exec_path} { /usr/share/alsa/{,**} r, /usr/share/apport/{,**} r, /usr/share/apport/general-hooks/*.py r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/themes/{,**} r, /usr/share/X11/xkb/{,**} r, @@ -110,7 +109,6 @@ profile apport-gtk @{exec_path} { /usr/share/gdb/{,**} r, /usr/share/themes/{,**} r, /usr/share/gnome-shell/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/gdb/{,**} r, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index ce4818eb..d820d7ca 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -66,14 +66,11 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/apt/methods/http{,s} rPx, /usr/share/distro-info/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/themes/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, - /usr/share/ubuntu/applications/{,**} r, /usr/share/update-manager/{,**} r, /usr/share/X11/{,**} r, - /etc/gnome/defaults.list r, /etc/gtk-3.0/settings.ini r, /etc/machine-id r, /etc/update-manager/{,**} r, @@ -101,4 +98,4 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index ef9af910..eb11b24f 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -14,6 +14,7 @@ profile update-notifier @{exec_path} { include include include + include include include include 
@@ -46,19 +47,12 @@ profile update-notifier @{exec_path} { /{usr/,}lib/python3.[0-9]*/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, - /usr/share/applications/{,**} r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/icons/{,**} r, - /usr/share/mime/mime.cache r, - /usr/share/pixmaps/ r, - /usr/share/ubuntu/applications/ r, /usr/share/update-notifier/{,**} r, /usr/share/X11/{,**} r, /etc/machine-id r, - /etc/gnome/defaults.list r, /var/lib/snapd/desktop/applications/{,**} r, /var/lib/snapd/desktop/icons/ r, diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index ccd571e3..048a0af7 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -23,10 +23,8 @@ profile appstreamcli @{exec_path} flags=(complain) { /usr/share/app-info/{,**} r, /usr/share/appdata/ r, - /usr/share/applications/{,*.desktop} r, /usr/share/metainfo/ r, /usr/share/metainfo/*.{metainfo,appdata}.xml r, - /usr/share/mime/mime.cache r, /usr/share/swcatalog/{,**} r, /etc/appstream.conf r, @@ -35,7 +33,6 @@ profile appstreamcli @{exec_path} flags=(complain) { owner @{user_cache_dirs}/appstream-cache-*.mdb rw, owner @{user_cache_dirs}/appstream/ rw, owner @{user_cache_dirs}/appstream/appcache-*.mdb rw, - owner @{user_share_dirs}/mime/mime.cache r, /var/lib/app-info/ w, /var/lib/app-info/yaml/ r, @@ -60,6 +57,11 @@ profile appstreamcli @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/fd/ r, + # freedesktop.org-strict + /usr/share/applications/{,*.desktop} r, + /usr/share/mime/mime.cache r, + owner @{user_share_dirs}/mime/mime.cache r, + profile curl { include include diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino index 829c16fd..5640871f 100644 --- a/apparmor.d/profiles-a-f/arduino +++ b/apparmor.d/profiles-a-f/arduino 
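Review bot: The `# freedesktop.org-strict` marker added in the last appstreamcli hunk (`@@ -60,6 +57,11 @@`) does not say what it stands for. A maintainer cannot tell whether the three rules under it are a deliberately narrow stand-in for a shared abstraction or a reminder to replace them with an include later. The same bare marker is added in the firecfg and obamenu hunks further down. I would spell the intent out once per profile, for example `# freedesktop.org-strict: kept inline on purpose, narrower than the shared abstraction`, assuming that is the intent. Without that, a later clean-up could swap these rules for a broad include and silently widen the profile; the enclosing profile body starts and ends outside this hunk.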
@@ -82,7 +82,6 @@ profile arduino @{exec_path} { owner @{run}/lock/tmp* rw, owner @{run}/lock/LCK..ttyS[0-9]* rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/coredump_filter rw, diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index e76a019d..27eaea40 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -51,7 +51,6 @@ profile atril @{exec_path} { /usr/share/atril/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index c07142d3..1b38fffd 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -36,7 +36,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/xdg-open rCx -> open, /usr/share/blueman/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/{,**} r, /etc/machine-id r, diff --git a/apparmor.d/profiles-a-f/cawbird b/apparmor.d/profiles-a-f/cawbird index f68b1046..149ea347 100644 --- a/apparmor.d/profiles-a-f/cawbird +++ b/apparmor.d/profiles-a-f/cawbird @@ -39,7 +39,6 @@ profile cawbird @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/cawbird-* rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index b56b53de..e3796f3f 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -34,7 +34,6 @@ profile claws-mail @{exec_path} flags=(complain) { /{usr/,}{s,}bin/exim4 rPUx, /{usr/,}bin/geany rPUx, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/publicsuffix/*.dafsa r, /usr/share/sounds/freedesktop/stereo/*.oga r, diff --git a/apparmor.d/profiles-a-f/czkawka-gui b/apparmor.d/profiles-a-f/czkawka-gui index ffb7f336..87ef4b26 100644 
--- a/apparmor.d/profiles-a-f/czkawka-gui +++ b/apparmor.d/profiles-a-f/czkawka-gui @@ -37,7 +37,6 @@ profile czkawka-gui @{exec_path} { @{sys}/fs/cgroup/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, profile open { include diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index d5057cfd..e89a5b1e 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -47,7 +47,6 @@ profile deltachat-desktop @{exec_path} { owner @{HOME}/.config/DeltaChat/ rw, owner @{HOME}/.config/DeltaChat/** rwk, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner /tmp/@{hex}/ rw, owner /tmp/@{hex}/db.sqlite-blobs/ rw, diff --git a/apparmor.d/profiles-a-f/dino-im b/apparmor.d/profiles-a-f/dino-im index 9fee021c..9e1546b8 100644 --- a/apparmor.d/profiles-a-f/dino-im +++ b/apparmor.d/profiles-a-f/dino-im @@ -31,7 +31,6 @@ profile dino-im @{exec_path} { /{usr/,}bin/gpgconf rCx -> gpg, /{usr/,}bin/gpgsm rCx -> gpg, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs}/dino/ rw, owner @{user_share_dirs}/dino/** rwk, diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index f37fc699..738abcf4 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -125,7 +125,6 @@ profile engrampa @{exec_path} { /etc/magic r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # gnome-tiny @{run}/mount/utab r, diff --git a/apparmor.d/profiles-a-f/exo-helper b/apparmor.d/profiles-a-f/exo-helper index d901451b..6a4742fb 100644 --- a/apparmor.d/profiles-a-f/exo-helper +++ b/apparmor.d/profiles-a-f/exo-helper @@ -47,7 +47,6 @@ profile exo-helper @{exec_path} { /etc/fstab r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index e8d98bff..7cfdbb94 100644 --- a/apparmor.d/profiles-a-f/file-roller 
+++ b/apparmor.d/profiles-a-f/file-roller @@ -19,7 +19,6 @@ profile file-roller @{exec_path} { /{usr/,}bin/unzip rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/themes/{,**} r, /usr/share/X11/xkb/{,**} r, diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index 55963c46..ffce0bf2 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -28,10 +28,11 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { /usr/local/bin/ r, /usr/local/bin/* rw, + # freedesktop.org-strict /usr/share/applications/ r, /usr/share/applications/*.desktop r, - @{user_share_dirs}/applications/ r, + @{user_share_dirs}/applications/*.desktop rw, /dev/tty rw, @@ -39,4 +40,4 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { deny /apparmor/.null rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index aab78cc2..1dde790c 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -29,7 +29,6 @@ profile font-manager @{exec_path} { /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitWebProcess rix, /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitNetworkProcess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/font-manager/ rw, diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 3634a8f5..202626a5 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -84,7 +84,6 @@ profile gajim @{exec_path} { /etc/fstab r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote index fd25e07f..105df632 100644 --- a/apparmor.d/profiles-g-l/ganyremote +++ b/apparmor.d/profiles-g-l/ganyremote 
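Review bot: The added `@{user_share_dirs}/applications/*.desktop rw,` in the first firecfg hunk grants write access to per-user desktop entries without an `owner` qualifier. It is also filed under the `# freedesktop.org-strict` label, next to rules that are otherwise read-only. Desktop entries carry the command line the session later launches, so this is the most sensitive rule in the block and deserves its own why-comment. If firecfg only ever touches entries belonging to the invoking user, `owner @{user_share_dirs}/applications/*.desktop rw,` would be the tighter form. That needs confirming against how firecfg is actually run (it may be started with elevated privileges), which this hunk does not show. The collapsed layout also leaves it unclear whether the directory rule `@{user_share_dirs}/applications/ r,` survives on the new side. It should, if the tool enumerates that directory.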
@@ -62,7 +62,6 @@ profile ganyremote @{exec_path} { /etc/fstab r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Doc dirs deny /usr/local/share/ r, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 3e16c996..1c248da8 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -131,7 +131,6 @@ profile gpartedbin @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, @{run}/mount/utab r, diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index 6addba7c..5d9320bb 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -44,7 +44,6 @@ profile gpodder @{exec_path} { /etc/fstab r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner /var/tmp/etilqs_@{hex} rw, diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index cdb3c20c..a2c1a7b1 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol @@ -56,7 +56,6 @@ profile gsmartcontrol @{exec_path} { /etc/fstab r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index e913cee3..0d24d979 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix @@ -76,7 +76,6 @@ profile hypnotix @{exec_path} { /dev/ r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/vdpau_wrapper.cfg r, diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome index 1948827e..451136c7 100644 --- a/apparmor.d/profiles-g-l/jami-gnome +++ b/apparmor.d/profiles-g-l/jami-gnome 
@@ -41,7 +41,6 @@ profile jami-gnome @{exec_path} { /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix, /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/ring/{,**} r, /usr/share/sounds/jami-gnome/{,**} r, diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index 59d57d4b..34950835 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -43,7 +43,6 @@ profile keepassxc @{exec_path} { /{usr/,}bin/xdg-open rCx -> child-open, /{usr/,}lib/firefox/firefox rPx, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/hwdata/pnp.ids r, /usr/share/keepassxc/{,**} r, /usr/share/libdrm/*.ids r, diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index b5f78f2c..5bef2a17 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -20,7 +20,6 @@ profile light-locker @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui index a14fdf54..cce025e3 100644 --- a/apparmor.d/profiles-m-r/mediainfo-gui +++ b/apparmor.d/profiles-m-r/mediainfo-gui @@ -55,7 +55,6 @@ profile mediainfo-gui @{exec_path} { owner @{MOUNTS}/**/ r, owner /{home,media}/**.@{mediainfo_ext} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, profile open { include diff --git a/apparmor.d/profiles-m-r/obamenu b/apparmor.d/profiles-m-r/obamenu index e8d1fb0b..e2bcc172 100644 --- a/apparmor.d/profiles-m-r/obamenu +++ b/apparmor.d/profiles-m-r/obamenu @@ -16,10 +16,12 @@ profile obamenu @{exec_path} { /{usr/,}bin/ r, + /usr/share/*/*.desktop r, + + # freedesktop.org-strict /usr/share/applications/ r, /usr/share/applications/*.desktop r, /usr/share/pixmaps/ r, - /usr/share/*/*.desktop r, include if exists } 
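Review bot: In the obamenu hunk the relocated `/usr/share/*/*.desktop r,` already matches everything that `/usr/share/applications/*.desktop r,` grants. The block labelled `# freedesktop.org-strict` is therefore not the effective bound on desktop-entry reads in this profile. If the wildcard is really needed, I would say so beside it, for example `# also covers /usr/share/applications/*.desktop; needed for entries outside applications/`. Otherwise drop it so the strict block means what its label says. The hunk itself does not show which directories obamenu reads, so the wording of that comment should be checked against observed accesses.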
diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index 75d4cbc7..3327893a 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -32,7 +32,6 @@ profile obconf @{exec_path} { /etc/fstab r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-m-r/pulseeffects b/apparmor.d/profiles-m-r/pulseeffects index b6af6191..91ed6256 100644 --- a/apparmor.d/profiles-m-r/pulseeffects +++ b/apparmor.d/profiles-m-r/pulseeffects @@ -32,7 +32,6 @@ profile pulseeffects @{exec_path} { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index f9b023d6..630c6947 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -169,7 +169,6 @@ profile qbittorrent @{exec_path} { # gnome-tiny /usr/share/gvfs/remote-volume-monitors/{,*} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Launch external apps /{usr/,}bin/xdg-{open,mime} rCx -> open, diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 993d7766..3811ff9a 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -116,7 +116,6 @@ profile remmina @{exec_path} { /etc/ssh/ssh_config r, /etc/ssh/ssh_config.d/{,*} r, /usr/share/remmina/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_config_dirs}/autostart/remmina-applet.desktop r, owner @{user_config_dirs}/gtk-3.0/bookmarks r, diff --git a/apparmor.d/profiles-m-r/rpi-imager b/apparmor.d/profiles-m-r/rpi-imager index fd6fecce..66c0cccf 100644 --- a/apparmor.d/profiles-m-r/rpi-imager +++ b/apparmor.d/profiles-m-r/rpi-imager 
@@ -43,7 +43,6 @@ profile rpi-imager @{exec_path} { /etc/fstab r, /etc/X11/cursors/*.theme r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/hwdata/pnp.ids r, /usr/share/qt5ct/** r, /usr/share/X11/xkb/{,**} r, diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 69fc1077..80a2a35b 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -61,7 +61,6 @@ profile rustdesk @{exec_path} { /{,usr/}bin/{,ba,da}sh rPx -> rustdesk_shell, /etc/gdm{,3}/custom.conf r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{HOME}/.local/ w, owner @{user_share_dirs}/ w, diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index f2effdd1..e7ca32e6 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -99,7 +99,6 @@ profile steam @{exec_path} { @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steamwebhelper.sh rix, /usr/share/fonts/**.{ttf,otf} rk, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/terminfo/x/xterm-256color r, /usr/share/themes/{,**} r, /usr/share/X11/{,**} r, diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index b9c388c4..1b198bee 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -46,7 +46,6 @@ profile system-config-printer @{exec_path} flags=(complain) { /usr/share/hplip/query.py rPUx, /usr/share/cups/data/testprint r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/system-config-printer/{,**} r, /usr/share/X11/xkb/{,**} r, diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/profiles-s-z/udiskie index 9a3b6f40..3730931a 100644 --- a/apparmor.d/profiles-s-z/udiskie +++ b/apparmor.d/profiles-s-z/udiskie @@ -36,7 +36,6 @@ profile udiskie @{exec_path} { /etc/fstab r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Allowed apps to open /{usr/,}bin/spacefm rPx, 
diff --git a/apparmor.d/profiles-s-z/utox b/apparmor.d/profiles-s-z/utox index 82bbd73e..8d7cb8f6 100644 --- a/apparmor.d/profiles-s-z/utox +++ b/apparmor.d/profiles-s-z/utox @@ -38,7 +38,6 @@ profile utox @{exec_path} { deny owner @{PROC}/@{pid}/cmdline r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, profile open { include diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 000263db..e9107a57 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -49,7 +49,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/spice-client-glib-usb-acl-helper rPx, /usr/share/egl/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gtksourceview-4/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/ladspa/rdf/{,ladspa.rdfs} r, diff --git a/apparmor.d/profiles-s-z/volumeicon b/apparmor.d/profiles-s-z/volumeicon index 7002765b..2bf98c03 100644 --- a/apparmor.d/profiles-s-z/volumeicon +++ b/apparmor.d/profiles-s-z/volumeicon @@ -32,7 +32,6 @@ profile volumeicon @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, # Start the PulseAudio sound mixer /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index 6a3a6586..f88fc8e3 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark @@ -72,7 +72,6 @@ profile wireshark @{exec_path} { /etc/fstab r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/hwdata/pnp.ids r, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 26bed31f..1dcabd96 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -57,7 +57,6 @@ profile xarchiver @{exec_path} { /tmp/ r, owner /tmp/** rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r,