feat(profile): general update.

This commit is contained in:
Alexandre Pujol 2024-04-08 19:28:10 +01:00
parent f96e5a9713
commit 900ef19cff
36 changed files with 59 additions and 17 deletions


@ -48,6 +48,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
owner @{desktop_config_dirs}/dconf/user r,
owner @{HOME}/.Xauthority r,
@{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/gdm/Xauthority r,


@ -32,6 +32,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
network netlink raw,
signal (send) set=(term) peer=lightdm-*-greeter,
signal (send) set=(term) peer=xorg,
signal (receive) set=(usr1) peer=xorg,
@{exec_path} mrix,
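Review bot: `signal (receive) set=(usr1) peer=xorg,` is only half of the grant: AppArmor mediates the sender as well, so the xorg profile must hold `signal (send) set=(usr1) peer=lightdm,` for SIGUSR1 to actually reach lightdm. The xorg section of this commit adds only capability lines, so confirm that the matching send rule already exists there, or add it in the same change. The lightdm profile body continues outside the hunk.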


@ -11,7 +11,6 @@ include <tunables/global>
profile fc-cache @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
capability dac_read_search,


@ -18,6 +18,7 @@ profile plymouthd @{exec_path} {
capability sys_admin,
capability sys_chroot,
capability sys_tty_config,
capability syslog,
network netlink raw,
@ -63,6 +64,7 @@ profile plymouthd @{exec_path} {
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/stat r,
/dev/kmsg rw,
/dev/ptmx rw,
/dev/tty@{int} rw,
/dev/ttyS@{int} rw,
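Review bot: `capability syslog,` in the first hunk (the likely addition, given the +1 count) is granted without a comment saying why, while the visible `/dev/kmsg rw,` in the second hunk suggests it is there to open /dev/kmsg for reading when `kernel.dmesg_restrict=1`. A trailing comment such as `capability syslog, # read /dev/kmsg under dmesg_restrict` records the justification the way the udev rules in the systemd-logind section annotate their paths, and keeps the capability from being copied into other profiles without the same need. The plymouthd profile body continues outside both hunks.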


@ -9,8 +9,8 @@ include <tunables/global>
@{exec_path} = @{lib}/xdg-desktop-portal-rewrite-launchers
profile xdg-desktop-portal-rewrite-launchers @{exec_path} {
include <abstractions/base>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/bus-session>
include <abstractions/bus/org.gtk.vfs.MountTracker>
@{exec_path} mr,


@ -13,7 +13,7 @@ profile xdg-email @{exec_path} flags=(complain) {
@{exec_path} r,
@{sh_path} rix,
@{sh_path} rix,
@{bin}/{,e}grep rix,
@{bin}/{m,g,}awk rix,
@{bin}/basename rix,


@ -20,9 +20,11 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
include <abstractions/graphics-full>
include <abstractions/nameservice-strict>
capability chown,
capability dac_override,
capability dac_read_search,
capability ipc_owner,
capability mknod,
capability net_admin,
capability perfmon,
capability setgid,
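Review bot: two capability lines between `capability chown,` and `capability setgid,` are new (the rendering does not mark which), and none of the eight carries a justification comment. Capabilities are the most consequential grants in a display-server profile — `net_admin` and `perfmon` in particular reach well beyond file mediation — so each newly added one should name the driver or code path whose denial motivated it, e.g. `capability perfmon, # <driver/feature that needs it>`. The xorg profile body continues outside the hunk.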


@ -55,8 +55,7 @@ profile gdm-session @{exec_path} {
owner @{gdm_config_dirs}/dconf/user r,
owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{run}/gdm{3,}/custom.conf r,
@{run}/gdm{3,}/custom.conf r,
owner @{run}/user/@{uid}/gdm/ w,
owner @{run}/user/@{uid}/gdm/Xauthority rw, # only: xorg


@ -39,6 +39,8 @@ profile gnome-calendar @{exec_path} {
@{exec_path} mr,
@{open_path} rPx -> child-open-help,
/usr/share/evolution-data-server/{,**} r,
/usr/share/libgweather/Locations.xml r,
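Review bot: `@{open_path} rPx -> child-open-help,` is a named transition, and nothing on this page defines a `child-open-help` profile; if it is not already shipped or added elsewhere in this commit, exec of `@{open_path}` is denied at runtime because the named target is not loaded, a silent regression from the former `child-open` target. The same target is introduced in the gnome-characters, gnome-contacts, gnome-disks, gnome-extension-gsconnect, gnome-extension-manager, gnome-extensions-app, gnome-music, gnome-recipes, gnome-tweaks, kgx, loupe, seahorse, mousepad, xfce-about, xfce-clipman-settings and xfce-terminal sections, and this note covers all of them. Confirm the child profile exists and that its rule set is the narrower help-viewer one rather than a copy of child-open, otherwise the rename buys no reduction in privilege.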


@ -27,6 +27,8 @@ profile gnome-characters @{exec_path} {
@{bin}/gjs-console rix,
@{open_path} rPx -> child-open-help,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/org.gnome.Characters/org.gnome.Characters.*.gresource r,
/usr/share/nvidia/nvidia-application-profiles-*-rc r,


@ -29,6 +29,8 @@ profile gnome-contacts @{exec_path} {
@{exec_path} mr,
@{open_path} rPx -> child-open-help,
owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
owner @{user_config_dirs}/gnome-contacts/{,**} rw,
owner @{user_share_dirs}/folks/relationships.ini r,


@ -41,7 +41,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
@{bin}/bwrap rPUx,
@{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rix,
@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
/usr/share/cracklib/* r,
/usr/share/publicsuffix/public_suffix_list.dafsa r,


@ -19,7 +19,7 @@ profile gnome-disks @{exec_path} {
@{exec_path} mr,
@{open_path} rPx -> child-open,
@{open_path} rPx -> child-open-help,
owner @{user_cache_dirs}/gnome-disks/{,**} rw,


@ -44,7 +44,7 @@ profile gnome-extension-gsconnect @{exec_path} {
@{lib}/gio/modules/*.so* rm,
@{lib}/girepository-1.0/* r,
@{open_path} rPx -> child-open,
@{open_path} rPx -> child-open-help,
@{share_dirs}/{,**} r,
@{share_dirs}/gsconnect-preferences rix,


@ -26,7 +26,7 @@ profile gnome-extension-manager @{exec_path} {
@{bin}/gjs-console rix,
@{open_path} rPx -> child-open,
@{open_path} rPx -> child-open-help,
/usr/share/gnome-shell/org.gnome.Shell.Extensions r,


@ -19,7 +19,7 @@ profile gnome-extensions-app @{exec_path} {
@{sh_path} rix,
@{bin}/gjs-console rix,
@{open_path} rPx -> child-open,
@{open_path} rPx -> child-open-help,
/usr/share/gnome-shell/org.gnome.Extensions* r,
/usr/share/icu/@{int}.@{int}/*.dat r,


@ -31,6 +31,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
@{bin}/python3.@{int} rix,
@{lib}/python3.@{int}/site-packages/gnomemusic/__pycache__/{,**} rw,
@{open_path} rPx -> child-open-help,
/usr/share/grilo-plugins/grl-lua-factory/{,*} r,
/usr/share/org.gnome.Music/{,**} r,
/usr/share/tracker3/{,**} r,


@ -25,6 +25,8 @@ profile gnome-recipes @{exec_path} {
@{bin}/tar rix,
@{open_path} rPx -> child-open-help,
/usr/share/gnome-recipes/{,**} r,
owner @{user_cache_dirs}/gnome-recipes/{,**} rw,


@ -83,8 +83,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{gdm_share_dirs}/applications/{,**} r,
owner /tmp/dirs-@{rand6} rw,
owner @{user_config_dirs}/autostart/{,*.desktop} r,
owner @{user_config_dirs}/gnome-session/ rw,
owner @{user_config_dirs}/gnome-session/saved-session/ rw,
@ -122,6 +120,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
@{bin}/blueman-applet rPx,
@{bin}/firewall-applet rPx,
@{bin}/gnome-keyring-daemon rPx,
@{bin}/gnome-shell rPx,
@{bin}/gnome-software rPx,
@{bin}/im-launch rPx,
@{bin}/keepassxc rPx,
@ -153,6 +152,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
@{lib}/kdeconnectd rPUx,
@{lib}/@{multiarch}/{,libexec/}kdeconnectd rPUx,
/dev/tty@{int} rw,
include if exists <usr/gnome-session-binary_open.d>
include if exists <local/gnome-session-binary_open>
}


@ -21,6 +21,8 @@ profile gnome-tweaks @{exec_path} {
@{bin}/ps rPx,
@{bin}/python3.@{int} rix,
@{open_path} rPx -> child-open-help,
@{lib}/python3.@{int}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,
/usr/share/gnome-tweaks/{,**} r,


@ -30,7 +30,7 @@ profile kgx @{exec_path} {
@{bin}/nvtop rPx,
@{bin}/vim rUx,
@{open_path} rPx -> child-open,
@{open_path} rPx -> child-open-help,
owner /tmp/#@{int} rw,


@ -22,6 +22,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{bin}/bwrap rCx -> bwrap,
@{open_path} rPx -> child-open-help,
/usr/share/glycin-loaders/{,**} r,


@ -32,6 +32,8 @@ profile seahorse @{exec_path} {
@{bin}/gpg{,2} rPx,
@{bin}/gpgsm rPx,
@{open_path} rPx -> child-open-help,
/etc/pki/trust/blocklist/ r,
/etc/gcrypt/hwf.deny r,


@ -10,6 +10,7 @@ include <tunables/global>
profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/fonts>
include <abstractions/nameservice-strict>
capability dac_read_search,
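Review bot: the single addition in this hunk is most likely `include <abstractions/fonts>` (the surrounding lines read as context), and an initramfs generator reading the fontconfig tree is unusual enough that the line should say which hook or denial motivated it, e.g. `include <abstractions/fonts> # <hook that needs it>`. If the need comes only from a console-font hook, one explicit path rule would be narrower than the whole abstraction. The mkinitcpio profile body continues outside the hunk.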


@ -65,6 +65,7 @@ profile systemd-journald @{exec_path} {
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@{run}/udev/data/c108:@{int} r, # For /dev/ppp
@{run}/udev/data/c18[8-9]:@{int} r, # USB devices & USB serial converters
@{run}/udev/data/c203:@{int} r, # CPU CPUID information
@{run}/udev/data/c29:@{int} r, # For CD-ROM
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511


@ -75,8 +75,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+drivers:* r,
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+hid:* r,
@{run}/udev/data/+i2c:* r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/c1:@{int} r, # For RAM disk
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@{run}/udev/data/c13:@{int} r, # For /dev/input/*
@{run}/udev/data/c14:@{int} r, # Open Sound System (OSS)
@ -104,6 +107,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/users/.#* rw,
@{run}/systemd/users/@{uid} rw,
@{sys}/bus/serial-base/drivers/port/uevent r,
@{sys}/class/drm/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/** r,
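Review bot: `@{run}/udev/data/+hid:* r,` and `@{run}/udev/data/+i2c:* r,` are the only rules in this run without the trailing comment their neighbours carry (`# For screen outputs`, `# for mouse, keyboard, touchpad`, and so on). Adding `@{run}/udev/data/+hid:* r, # For HID devices` and `@{run}/udev/data/+i2c:* r, # For I2C buses` keeps the block self-describing; the second hunk's `@{sys}/bus/serial-base/drivers/port/uevent r,` is uncommented as well. The systemd-logind profile body continues outside both hunks.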


@ -16,6 +16,8 @@ profile mousepad @{exec_path} {
@{exec_path} mr,
@{open_path} rPx -> child-open-help,
owner @{user_config_dirs}/Mousepad/ rw,
owner @{user_config_dirs}/Mousepad/{,**} rw,
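Review bot: `owner @{user_config_dirs}/Mousepad/{,**} rw,` already matches the directory itself through the empty alternative, so the adjacent `owner @{user_config_dirs}/Mousepad/ rw,` is redundant if both lines are on the new side. The hunk's +2 count with only two candidate additions visible (this line and the child-open-help rule) suggests that they are, in which case the narrower line should be dropped; if the rendering hides a removal of the `Mousepad/ rw,` line instead, this can be ignored. The mousepad profile body continues outside the hunk.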


@ -22,6 +22,9 @@ profile thunar @{exec_path} {
@{bin}/thunar-volman rPx,
@{open_path} rPx -> child-open,
/usr/share/ r,
/usr/share/Thunar/{,**} r,
/etc/fstab r,
/etc/timezone r,


@ -10,11 +10,12 @@ include <tunables/global>
profile xfce-about @{exec_path} {
include <abstractions/base>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/xfce>
@{exec_path} mr,
@{open_path} rPx -> child-open-browsers,
@{open_path} rPx -> child-open-help,
include if exists <local/xfce-about>
}
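Review bot: `@{open_path} rPx -> child-open-help,` sits next to `@{open_path} rPx -> child-open-browsers,` with the same path and a different named target, and the hunk's +1 count indicates both lines are on the new side. AppArmor cannot hold two exec rules for one path with different transition targets, so the parser is expected to reject the profile with a conflicting-x-modifiers error rather than pick one of them. Keep a single rule, e.g. `@{open_path} rPx -> child-open-help,`, or route the browser case through a distinct path. If the browsers line is in fact the one being removed, the rendering hides it and this can be ignored.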


@ -13,6 +13,8 @@ profile xfce-clipman-settings @{exec_path} {
@{exec_path} mr,
@{open_path} rPx -> child-open-help,
/etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r,
owner @{user_config_dirs}/xfce4/panel/xfce4-clipman-actions.xml rw,


@ -16,6 +16,8 @@ profile xfce-terminal @{exec_path} {
@{exec_path} mr,
@{open_path} rPx -> child-open-help,
# The shell is not confined on purpose.
@{bin}/@{shells} rUx,


@ -11,6 +11,7 @@ profile xfdesktop @{exec_path} {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/nameservice-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/xfce>
@{exec_path} mr,


@ -6,7 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{lib_dirs} = @{user_share_dirs}/Steam/ubuntu@{int}_{32,64}
@{lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9][0-9]_{32,64}
@{exec_path} = @{user_share_dirs}/Steam/steam.sh
profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base>
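Review bot: this hunk narrows `@{lib_dirs}` from `ubuntu@{int}_{32,64}` to `ubuntu[0-9][0-9]_{32,64}` and the steam-gameoverlayui section makes the same change to `@{steam_lib_dirs}`, but the steam-game section still defines `@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}` as a context line. The three profiles now match different directory sets for what is logically one location, and `[0-9]*` (one digit followed by anything but `/`) is wider than the two-digit form, matching names such as `ubuntu1foo_32`. Align steam-game with `ubuntu[0-9][0-9]_{32,64}` unless its wider match is deliberate; using the same variable name in all three (this profile alone calls it `@{lib_dirs}`) would make the drift easier to spot next time.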


@ -20,6 +20,7 @@ include <tunables/global>
@{runtime} = @{user_share_dirs}/Steam/steamapps/common/SteamLinuxRuntime_soldier
@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}
@{exec_path} = @{user_share_dirs}/Steam/steamapps/common/*/**
profile steam-game @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>


@ -6,7 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}
@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9][0-9]_{32,64}
@{exec_path} = @{steam_lib_dirs}/gameoverlayui
profile steam-gameoverlayui @{exec_path} {
include <abstractions/base>
@ -22,7 +23,7 @@ profile steam-gameoverlayui @{exec_path} {
@{exec_path} mr,
@{steam_lib_dirs}/*.so* mr,
@{steam_lib_dirs}/steam-runtime/{usr/,}lib/**.so* mr,
@{steam_lib_dirs}/steam-runtime/@{lib}/**.so* mr,
/usr/share/fonts/{,**} rk, # ?


@ -47,6 +47,7 @@ profile wireplumber @{exec_path} {
owner @{HOME}/.local/ w,
owner @{user_state_dirs}/ w,
owner @{user_state_dirs}/wireplumber/{,**} rw,
owner @{user_config_dirs}/wireplumber/{,**} r,
owner @{run}/user/@{uid}/pipewire-@{int} rw,