From 9be9b442a95340d8e83f042f30696fc27d1d9544 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 16 Mar 2024 20:52:02 +0000
Subject: [PATCH] feat(profile): rewrite the gnome startup process.

The changes in the dbus stack required to rewrite how gnome startup is handled by our various profiles.
---
 .../groups/freedesktop/xdg-permission-store  |  5 +-
 apparmor.d/groups/gnome/gdm-session          | 94 +++---------------
 apparmor.d/groups/gnome/gdm-session-worker   |  4 +-
 apparmor.d/groups/gnome/gnome-session        | 55 +++++++++++
 apparmor.d/groups/gnome/gnome-session-binary |  3 -
 5 files changed, 73 insertions(+), 88 deletions(-)
 create mode 100644 apparmor.d/groups/gnome/gnome-session

diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store
index 6c32af27..12f21a2f 100644
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@@ -13,9 +13,8 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
   capability sys_nice,
 
-  signal (receive) set=(term hup kill) peer=dbus-daemon,
-  signal (receive) set=(term hup kill) peer=gdm*,
-  signal (receive) set=(kill) peer=gdm-wayland-session//dbus,
+  signal (receive) set=(term hup kill) peer=dbus-session,
+  signal (receive) set=(term hup kill) peer=gdm,
 
   # dbus: own bus=session name=org.freedesktop.impl.portal.PermissionStore
 
diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session
index 42133675..52fe3eba 100644
--- a/apparmor.d/groups/gnome/gdm-session
+++ b/apparmor.d/groups/gnome/gdm-session
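Review bot: The added `peer=dbus-session` signal rules here, the same peer in the gdm-session and gdm-session-worker signal hunks, and the `rPx -> dbus-session` transitions in gdm-session's second hunk all depend on a profile named dbus-session that this patch does not create (the diffstat lists five files and none of them is it). If that profile is not already in the tree, the named transitions make gdm-session fail to load and the signal rules simply never match, so the dependency is worth stating in the description, e.g. "depends on the dbus-session profile". Narrowing `peer=gdm*` to `peer=gdm` is consistent with gdm-session's `signal (send) set=(kill) peer=xdg-permission-store` being dropped in its first hunk, but it also stops matching gdm-session-worker, which the commit message does not mention.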
@@ -9,25 +9,15 @@ include
 @{exec_path} = @{lib}/{,gdm/}gdm-{x,wayland}-session
 profile gdm-session @{exec_path} {
   include
-  include
-  include
   include
   include
   include
   include
-  include
-  include
-  include
-  include
 
   signal (receive) set=(hup term) peer=gdm-session-worker,
-  signal (receive) set=(hup) peer=@{systemd},
   signal (receive) set=(term) peer=gdm,
-  signal (send) set=(kill) peer=xdg-permission-store,
-  signal (send) set=(term) peer=dbus-daemon,
-  signal (send) set=(term) peer=dbus-run-session,
-  signal (send) set=(term) peer=gnome-session-binary,
-  signal (send) set=term peer=xorg,
+  signal (send) set=(term) peer=dbus-session,
+  signal (send) set=(term) peer=xorg,
 
   dbus receive bus=session interface=org.freedesktop.DBus.Introspectable
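Review bot: The hunk removes `signal (send) set=(term) peer=gnome-session-binary,` but adds no send rule for the new gnome-session peer, even though the second hunk now runs `@{bin}/gnome-session rPx` as a separate profile; if gdm-session terminates its session child directly on teardown, that SIGTERM is now denied on the sending side (and would also need a matching receive rule in gnome-session). If the design is that gdm only ever signals the dbus-run-session leader, which the kept `peer=dbus-session` rule covers, a one-line comment such as `# the session leader is dbus-session, gnome-session is never signalled directly` would stop the next reader from re-adding the rule. The `dbus receive` rule the hunk ends on continues outside it.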
@@ -36,60 +26,22 @@ profile gdm-session @{exec_path} {
   @{exec_path} mr,
 
-  @{sh_path} rix,
-  @{bin}/cat rix,
-  @{bin}/env rix,
-  @{bin}/grep rix,
-  @{bin}/head rix,
-  @{bin}/id rix,
-  @{bin}/locale rix,
-  @{bin}/locale-check rix,
-  @{bin}/manpath rix,
-  @{bin}/qmake rix,
-  @{bin}/readlink rix,
-  @{bin}/sed rix,
-  @{bin}/sort rix,
-  @{bin}/tr rix,
-  @{bin}/tty rix,
-  @{bin}/uname rix,
-
-  @{bin}/{true,false} rix,
-  @{bin}/dbus-daemon rix,
-  @{bin}/dbus-run-session rix,
-  @{bin}/dpkg-query rpx,
-  @{bin}/flatpak rPUx,
-  @{bin}/gjs-console rPx,
-  @{bin}/gnome-session rix,
-  @{bin}/gsettings rPx,
-  @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix,
-  @{lib}/at-spi2-registryd rix,
-  @{lib}/dconf-service rPx,
-  @{lib}/gnome-session-binary rPx,
-  @{lib}/xdg-permission-store rPx,
+  @{bin}/env rix,
+  @{bin}/gnome-session rPx,
+  @{bin}/dbus-run-session rPx -> dbus-session,
+  @{bin}/dbus-daemon rPx -> dbus-session,
 
   # only: xorg
-  @{bin}/Xorg rPx,
-  /etc/gdm{3,}/Prime/Default rix,
-  /etc/gdm{3,}/Xsession rPx,
+  @{bin}/Xorg rPx,
+  /etc/gdm{3,}/Prime/Default rix,
+  /etc/gdm{3,}/Xsession rPx,
 
-  /usr/share/dbus-1/{,**} r,
-  /usr/share/dconf/profile/gdm r,
-  /usr/share/defaults/at-spi2/accessibility.conf r,
   /usr/share/gdm{3,}/gdm.schemas r,
-  /usr/share/gdm{3,}/greeter-dconf-defaults r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/im-config/{,**} r,
-  /usr/share/libdebuginfod-common/debuginfod.sh r,
-  @{etc_ro}/profile.d/{,*} r,
-  /etc/dbus-1/{,**} r,
-  /etc/debuginfod/{,*} r,
-  /etc/default/im-config r,
+  /etc/default/locale r,
   /etc/gdm{3,}/custom.conf r,
   /etc/gdm{3,}/daemon.conf r,
   /etc/locale.conf r,
-  /etc/manpath.config r,
-  /etc/shells r,
   /etc/sysconfig/console r,
   /etc/sysconfig/displaymanager r,
   /etc/sysconfig/language r,
@@ -97,32 +49,16 @@ profile gdm-session @{exec_path} {
   /etc/sysconfig/proxy r,
   /etc/sysconfig/windowmanager r,
 
-  /var/lib/gdm{3,}/.cache/gdm/ rw,
-  /var/lib/gdm{3,}/.cache/gdm/Xauthority rw,
-  /var/lib/gdm{3,}/.config/dconf/user r,
-  /var/lib/gdm{3,}/greeter-dconf-defaults r,
+  owner /var/lib/gdm{3,}/.cache/gdm/ rw,
+  owner /var/lib/gdm{3,}/.cache/gdm/Xauthority rw,
+  owner /var/lib/gdm{3,}/.config/dconf/user r,
+  owner /var/lib/gdm{3,}/greeter-dconf-defaults r,
 
-  owner @{HOME}/.alias r,
-  owner @{HOME}/.i18n r,
+  owner @{run}/gdm{3,}/custom.conf r,
 
-  @{run}/gdm{3,}/custom.conf r,
-
-  @{run}/systemd/userdb/ r,
-  @{run}/systemd/users/@{uid} r,
-  owner @{run}/user/@{uid}/dbus-1/ rw,
-  owner @{run}/user/@{uid}/dbus-1/services/ rw,
   owner @{run}/user/@{uid}/gdm/ w,
   owner @{run}/user/@{uid}/gdm/Xauthority rw, # only: xorg
 
-  @{sys}/module/apparmor/parameters/enabled r,
-
-  @{PROC}/@{pid}/cgroup r,
-  @{PROC}/@{pids}/oom_score_adj rw,
-  owner @{PROC}/@{pid}/cgroup r,
-  owner @{PROC}/@{pid}/cmdline r,
-  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/loginuid r,
-  /dev/tty@{int} rw,
 
   include if exists
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index 10fe1519..4b2d4bb3 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -35,9 +35,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   signal (receive) set=hup peer=@{systemd},
   signal (send) set=(hup term) peer=gdm-session,
   signal (send) set=hup peer=at-spi*,
-  signal (send) set=hup peer=dbus-daemon,
-  signal (send) set=hup peer=dbus-run-session,
-  signal (send) set=hup peer=dconf-service,
+  signal (send) set=hup peer=dbus-session,
   signal (send) set=hup peer=gjs-console,
   signal (send) set=hup peer=gnome-*,
   signal (send) set=hup peer=gsd-*,
diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session
new file mode 100644
index 00000000..b4439175
--- /dev/null
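Review bot: `owner @{run}/gdm{3,}/custom.conf r,` adds an `owner` qualifier to a runtime file that this profile only reads; the surrounding `owner @{run}/user/@{uid}/...` rules suggest gdm-session runs as the greeter or login user, so if that file is written by the root gdm daemon (which a path under @{run}/gdm presumably is), the read is now denied on every login. The `owner` additions on the `/var/lib/gdm{3,}/` rules look safe since those paths belong to the gdm user. Unless an audit log shows the file owned by the confined uid, keep the previous form `@{run}/gdm{3,}/custom.conf r,`. The profile's closing brace is outside the hunk.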
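Review bot: Dropping `signal (send) set=hup peer=dconf-service,` from gdm-session-worker is not covered by the new `peer=dbus-session` rule, since dconf-service ran under its own profile (gdm-session's second hunk removes the `@{lib}/dconf-service rPx` rule rather than moving it); if the worker still HUPs the greeter's dconf-service on session teardown, that signal is now denied. If the intent is that dconf-service is no longer started inside the greeter session, a one-line comment above this rule block such as `# dconf-service is bus-activated by dbus-session, not signalled here` would record it; otherwise the line should stay.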
+++ b/apparmor.d/groups/gnome/gnome-session
@@ -0,0 +1,55 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/gnome-session
+profile gnome-session @{exec_path} {
+  include
+  include
+  include
+  include
+  include
+
+  @{exec_path} mrix,
+
+  @{sh_path} rix,
+  @{bin}/cat rix,
+  @{bin}/gettext.sh r,
+  @{bin}/grep rix,
+  @{bin}/locale rix,
+  @{bin}/locale-check rix,
+  @{bin}/sed rix,
+  @{bin}/tr rix,
+  @{bin}/tty rix,
+
+  @{bin}/flatpak rCx -> flatpak,
+  @{bin}/gsettings rPx,
+  @{lib}/gnome-session-binary rPx,
+
+  /usr/share/im-config/{,**} r,
+  /usr/share/libdebuginfod-common/debuginfod.sh r,
+
+  @{etc_ro}/profile.d/{,*} r,
+  /etc/debuginfod/{,*} r,
+  /etc/default/im-config r,
+  /etc/shells r,
+  /etc/X11/Xsession.d/*im-config_launch r,
+
+  /dev/tty@{int} rw,
+
+  profile flatpak {
+    include
+
+    @{bin}/flatpak mr,
+
+    /dev/tty@{int} rw,
+
+    include if exists
+  }
+
+  include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 757aaab5..36320499 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -29,10 +29,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   network inet6 dgram,
   network netlink raw,
 
-  signal (receive) set=(cont, term, hup) peer=systemd-user,
-  signal (receive) set=(hup) peer=@{systemd},
   signal (receive) set=(term, hup) peer=gdm*,
-  signal (send) set=(term) peer=at-spi-bus-launcher,
   signal (send) set=(term) peer=gsd-*,
 
   # dbus: own bus=session name=org.gnome.SessionManager
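Review bot: The new gnome-session profile has no `signal (receive)` rule, yet gdm-session-worker keeps `signal (send) set=hup peer=gnome-*,` in its hunk above, which matches this profile's name; AppArmor mediates both ends of a signal, so that HUP will be denied on the receiving side. The sibling gnome-session-binary profile carries `signal (receive) set=(term, hup) peer=gdm*,` for exactly this case, so the same line (or one scoped to `peer=gdm-session-worker`) belongs under the includes here. Separately, the file ends without a trailing newline, as git flags with `\ No newline at end of file`; the other profiles in this patch end with one.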
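Review bot: Removing `signal (receive) set=(cont, term, hup) peer=systemd-user,` leaves gnome-session-binary able to receive signals only from `gdm*` peers; if the user's systemd instance is still confined under a systemd-user profile and stops the session with SIGTERM on logout, that signal is now denied and the session will not end cleanly. Nothing in the commit message explains why the systemd-user and @{systemd} peers are no longer expected, and the gdm-session-worker hunk still keeps its own `peer=@{systemd}` receive rule. If these rules were redundant (for example because the user manager is unconfined), a sentence in the description saying so would settle it; otherwise keep the `systemd-user` line.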