feat(profile): use desktop user variable in gnome.

Also restrict access to these files.
This commit is contained in:
Alexandre Pujol 2024-03-18 15:31:55 +00:00
parent 04b9e60072
commit a370281e9b
GPG Key ID: C5469996F0DF68EC
18 changed files with 57 additions and 68 deletions


@ -22,6 +22,12 @@
/etc/pulse/client.conf.d/{,**} r, /etc/pulse/client.conf.d/{,**} r,
/etc/wildmidi/wildmidi.cfg r, /etc/wildmidi/wildmidi.cfg r,
owner @{desktop_cache_dirs}/event-sound-cache.tdb.@{md5}.@{multiarch} rwk, # libcanberra
owner @{desktop_config_dirs}/pulse/ rw,
owner @{desktop_config_dirs}/pulse/client.conf r,
owner @{desktop_config_dirs}/pulse/client.conf.d/{,*.conf} r,
owner @{desktop_config_dirs}/pulse/cookie rwk,
owner @{HOME}/.alsoftrc r, owner @{HOME}/.alsoftrc r,
owner @{HOME}/.asoundrc r, owner @{HOME}/.asoundrc r,
owner @{HOME}/.libao r, owner @{HOME}/.libao r,
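Review bot: The new rules rely on @{desktop_cache_dirs} and @{desktop_config_dirs}, and the later sections on @{GDM_HOME}, @{gdm_config_dirs}, @{gdm_cache_dirs} and @{gdm_share_dirs}, yet none of the 18 changed files looks like a tunables file, so these variables must already be defined in the parent; if any is missing, apparmor_parser rejects every profile that includes this file, not just one rule. The enclosing file starts before this hunk and its header is not visible (the hunk context carries no profile name, so this is presumably an abstraction). The line `owner @{desktop_config_dirs}/pulse/cookie rwk,` covers the PulseAudio authentication cookie, i.e. a secret file; a short comment such as `# PulseAudio auth cookie` next to it, in the style of the `# libcanberra` comment two lines above, would tell the next reader why `w` and `k` are granted on it.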


@ -37,10 +37,10 @@ profile goa-daemon @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/var/lib/gdm{3,}/.config/dconf/user r, @{gdm_config_dirs}/dconf/user r,
owner /var/lib/gdm{3,}/.config/ w, owner @{gdm_config_dirs}/ w,
owner /var/lib/gdm{3,}/.config/goa-1.0/ w, owner @{gdm_config_dirs}/goa-1.0/ w,
owner @{user_config_dirs}/goa-1.0/ rw, owner @{user_config_dirs}/goa-1.0/ rw,
owner @{user_config_dirs}/goa-1.0/accounts.conf* rw, owner @{user_config_dirs}/goa-1.0/accounts.conf* rw,


@ -28,8 +28,8 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/var/lib/gdm{3,}/.config/dconf/user r, @{gdm_config_dirs}/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r, @{GDM_HOME}/greeter-dconf-defaults r,
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,


@ -39,11 +39,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
/etc/timezone r, /etc/timezone r,
/var/lib/flatpak/exports/share/mime/mime.cache r, owner @{GDM_HOME}/greeter-dconf-defaults r,
/var/lib/gdm{3,}/.config/dconf/user r, owner @{gdm_config_dirs}/dconf/user r,
/var/lib/gdm{3,}/.local/share/icc/ rw, owner @{gdm_share_dirs}/icc/ rw,
/var/lib/gdm{3,}/.local/share/icc/edid-*.icc rw, owner @{gdm_share_dirs}/icc/edid-*.icc rw,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/ rw,
owner @{user_share_dirs}/icc/edid-*.icc rw, owner @{user_share_dirs}/icc/edid-*.icc rw,
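Review bot: The old `/var/lib/flatpak/exports/share/mime/mime.cache r,` rule at the top of this hunk is dropped without a replacement, which the commit description (desktop user variable, tighter `owner`) does not cover; the same happens to `/var/lib/flatpak/exports/share/applications/{,mimeinfo.cache} r,` in the gsd-media-keys section. If gsd-color and gsd-media-keys still read those caches on flatpak hosts the outcome is a DENIED line in the audit log rather than a visible error, so it is easy to miss in testing. Presumably these paths are now supplied by an included abstraction; if so, one sentence in the commit description would save the next reader the search, and if not, the two rules should be restored as they were. profile gsd-color continues outside the hunk.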


@ -29,8 +29,8 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/gnome-settings-daemon/datetime/backward r, /usr/share/gnome-settings-daemon/datetime/backward r,
/var/lib/gdm{3,}/.config/dconf/user r, owner @{GDM_HOME}/greeter-dconf-defaults r,
/var/lib/gdm{3,}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r,
owner @{user_cache_dirs}/geocode-glib/* r, owner @{user_cache_dirs}/geocode-glib/* r,


@ -34,9 +34,9 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/var/lib/gdm{3,}/.config/dconf/user r, owner@{GDM_HOME}/greeter-dconf-defaults r,
/var/lib/gdm{3,}/.local/share/applications/ w, owner @{gdm_config_dirs}/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r, owner @{gdm_share_dirs}/applications/ w,
owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_cache_dirs}/thumbnails/{,**} rw,
owner @{user_share_dirs}/applications/ rw, owner @{user_share_dirs}/applications/ rw,
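Review bot: The new line `owner@{GDM_HOME}/greeter-dconf-defaults r,` lacks the space after `owner`, unlike the equivalent rule in every other gsd-* section of this commit; unless this is an artefact of the rendered page, apparmor_parser is unlikely to read `owner` as a qualifier here, and the profile will either fail to load or end up with a rule that is not the one intended. It should read `owner @{GDM_HOME}/greeter-dconf-defaults r,`. Since a parse failure takes the whole gsd-housekeeping profile out of enforcement, this is worth catching with the repository's parse check before merge. profile gsd-housekeeping continues outside the hunk.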


@ -30,9 +30,9 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/var/lib/gdm{3,}/.config/dconf/user r, owner @{GDM_HOME}/greeter-dconf-defaults r,
/var/lib/gdm{3,}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/.gsd-keyboard.settings-ported* rw,
/var/lib/gdm{3,}/.config/.gsd-keyboard.settings-ported* rw, owner @{gdm_config_dirs}/dconf/user r,
owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw, owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw,
owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw, owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw,


@ -90,12 +90,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/sounds/freedesktop/stereo/*.oga r,
/var/lib/gdm{3,}/.config/dconf/user r, owner @{GDM_HOME}/greeter-dconf-defaults r,
/var/lib/gdm{3,}/.config/pulse/client.conf r, owner @{gdm_config_dirs}/dconf/user r,
/var/lib/gdm{3,}/.config/pulse/cookie rk,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
/var/lib/flatpak/exports/share/applications/{,mimeinfo.cache} r,
owner @{user_share_dirs}/recently-used.xbel{,.*} rw, owner @{user_share_dirs}/recently-used.xbel{,.*} rw,


@ -56,12 +56,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/var/lib/gdm{3,}/.config/pulse/ rw, owner @{GDM_HOME}/greeter-dconf-defaults r,
/var/lib/gdm{3,}/.config/pulse/cookie rwk,
/var/lib/gdm{3,}/.cache/event-sound-cache.tdb.@{md5}.@{multiarch} rwk,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/.config/pulse/client.conf r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
@{run}/udev/data/+backlight:* r, @{run}/udev/data/+backlight:* r,
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
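Review bot: gsd-power loses its read access to the gdm dconf database: the old `/var/lib/gdm{3,}/.config/dconf/user r,` is removed and the new side keeps only `owner @{GDM_HOME}/greeter-dconf-defaults r,`, whereas every other gsd-* section in this commit pairs that line with `owner @{gdm_config_dirs}/dconf/user r,`. Unless that read is now covered by an abstraction the profile includes, gsd-power will be denied the greeter's dconf settings on the login screen; adding `owner @{gdm_config_dirs}/dconf/user r,` keeps it consistent with its siblings. The pulse and event-sound-cache rules removed here appear to move to the @{desktop_*} rules in the first section, so that part looks intentional. profile gsd-power continues outside the hunk.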


@ -35,8 +35,8 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/var/lib/gdm{3,}/.config/dconf/user r, owner @{GDM_HOME}/greeter-dconf-defaults r,
/var/lib/gdm{3,}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r,
@{run}/systemd/sessions/* r, @{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,


@ -32,8 +32,8 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
/etc/opensc.conf r, /etc/opensc.conf r,
/var/lib/gdm{3,}/.config/dconf/user r, owner @{GDM_HOME}/greeter-dconf-defaults r,
/var/lib/gdm{3,}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r,
/var/tmp/ r, /var/tmp/ r,
/tmp/ r, /tmp/ r,


@ -30,9 +30,9 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/var/lib/gdm{3,}/.local/share/sounds/ rw, owner @{GDM_HOME}/greeter-dconf-defaults r,
/var/lib/gdm{3,}/.config/dconf/user r, owner @{gdm_config_dirs}/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r, owner @{gdm_share_dirs}/sounds/ rw,
owner @{user_share_dirs}/sounds/ rw, owner @{user_share_dirs}/sounds/ rw,


@ -29,8 +29,8 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/libwacom/{,*} r, /usr/share/libwacom/{,*} r,
/var/lib/gdm{3,}/.config/dconf/user r, owner @{gdm_config_dirs}/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r,
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,


@ -62,9 +62,9 @@ profile gsd-xsettings @{exec_path} {
@{etc_ro}/xdg/Xwayland-session.d/ r, @{etc_ro}/xdg/Xwayland-session.d/ r,
@{etc_ro}/xdg/Xwayland-session.d/* rix, @{etc_ro}/xdg/Xwayland-session.d/* rix,
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, owner @{GDM_HOME}/greeter-dconf-defaults r,
/var/lib/gdm{3,}/.config/dconf/user r, owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
/var/lib/gdm3/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r,
@{run}/systemd/sessions/* r, @{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,


@ -22,9 +22,9 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/var/lib/gdm{3,}/.config/dconf/user r, owner @{GDM_HOME}/greeter-dconf-defaults r,
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r, owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
/var/lib/gdm{3,}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r,
@{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/@{pci}/boot_vga r,


@ -14,9 +14,8 @@ profile session-migration @{exec_path} {
/usr/share/session-migration/{,**} r, /usr/share/session-migration/{,**} r,
/var/lib/gdm{3,}/.local/share/session_migration-* r, owner @{gdm_share_dirs}/session_migration-* rw,
owner @{user_share_dirs}/session_migration-* rw,
owner @{user_share_dirs}/session_migration-ubuntu rw,
include if exists <local/session-migration> include if exists <local/session-migration>
} }
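Review bot: The gdm rule in this hunk widens from `r` to `rw`: the old `/var/lib/gdm{3,}/.local/share/session_migration-* r,` becomes `owner @{gdm_share_dirs}/session_migration-* rw,`, which runs against the "restrict access" stated in the commit description, and the old rule suggests session-migration only read those marker files under the gdm home. If write is genuinely needed there (for example because the markers are created under the gdm home too), a sentence in the description would settle it; otherwise keep `owner @{gdm_share_dirs}/session_migration-* r,`. If the removed user-side line is the `session_migration-ubuntu` one, it is already matched by the `session_migration-*` glob above it, so that deletion is harmless. profile session-migration starts outside the hunk.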


@ -49,19 +49,17 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
/etc/blkid.conf r, /etc/blkid.conf r,
/etc/fstab r, /etc/fstab r,
/var/lib/gdm{3,}/.cache/ rw,
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
/var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
/var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
/var/lib/gdm{3,}/.cache/tracker3/{,**} rw,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
/var/lib/lightdm/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} r,
/var/lib/flatpak/exports/share/applications/mimeinfo.cache r, /var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
/var/lib/flatpak/exports/share/mime/mime.cache r, /var/lib/flatpak/exports/share/mime/mime.cache r,
owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{gdm_cache_dirs}/ rw,
owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
owner @{gdm_cache_dirs}/gstreamer-1.0/ rw,
owner @{gdm_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
owner @{gdm_cache_dirs}/tracker3/{,**} rw,
owner @{gdm_config_dirs}/dconf/user r,
# Allow to search user files # Allow to search user files
owner @{HOME}/{,**} r, owner @{HOME}/{,**} r,
owner @{MOUNTS}/{,**} r, owner @{MOUNTS}/{,**} r,
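Review bot: The `/var/lib/lightdm/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} r,` rule is dropped with no lightdm counterpart on the new side, and the tracker-miner section does the same with its three `/var/lib/lightdm/...` rules (dconf/user, tracker3 meta.db, no-need-mtime-check.txt). The @{GDM_HOME} and @{gdm_*_dirs} variables may be defined to cover lightdm's home as well, in which case this is fine but deserves a sentence in the commit description; if they cover only gdm, lightdm hosts lose these accesses silently, as audit DENIED lines rather than errors. profile tracker-extract continues outside the hunk.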


@ -47,16 +47,12 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
/var/lib/flatpak/exports/share/applications/{,mimeinfo.cache} r, /var/lib/flatpak/exports/share/applications/{,mimeinfo.cache} r,
/var/lib/snapd/desktop/applications/{,mimeinfo.cache} r, /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
/var/lib/gdm{3,}/ r, owner @{GDM_HOME}/ r,
/var/lib/gdm{3,}/.cache/gstreamer-*/registry.*.bin r, owner @{GDM_HOME}/greeter-dconf-defaults r,
/var/lib/gdm{3,}/.cache/tracker3/{,tracker3/}files/{,**} rwk, owner @{gdm_cache_dirs}/gstreamer-*/registry.*.bin r,
/var/lib/gdm{3,}/.config/dconf/user r, owner @{gdm_cache_dirs}/tracker3/{,tracker3/}files/{,**} rwk,
/var/lib/gdm{3,}/.local/share/applications/ r, owner @{gdm_config_dirs}/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r, owner @{gdm_share_dirs}/applications/ r,
/var/lib/lightdm/.config/dconf/user r,
/var/lib/lightdm/.cache/tracker3/files/meta.db{,-wal} rwk,
/var/lib/lightdm/.cache/tracker3/files/no-need-mtime-check.txt{,.@{rand6}} rw,
owner /var/tmp/etilqs_@{hex} rw, owner /var/tmp/etilqs_@{hex} rw,