diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index a4fe0cff..9d903bf8 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -21,7 +21,9 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, + owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, + /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r, include owner @{run}/user/@{uid}/dconf/ rw, diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index 55db4024..79076798 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -17,7 +17,9 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, + owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, + /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 2da99ebe..26046888 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -32,6 +32,7 @@ profile ibus-extension-gtk3 @{exec_path} { /var/lib/dbus/machine-id r, owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, + owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, include owner @{run}/user/@{uid}/dconf/ rw, @@ -39,5 +40,7 @@ profile ibus-extension-gtk3 @{exec_path} { /usr/share/dconf/profile/gdm r, /var/lib/gdm/.config/dconf/user r, + owner @{run}/user/@{uid}/gdm/Xauthority r, + include if exists } \ No newline at end of file 
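Review bot: The new `/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r,` rule in ibus-dconf (and its twin in ibus-engine-simple) carries no `owner` qualifier while the per-user line directly above it does; that mirrors the pre-existing wayland rule, so it is consistent, but it means AppArmor itself no longer restricts which uid's ibus-dconf may read the greeter's bus-address file, leaving only DAC on /var/lib/gdm to do so. The `[0-9]` suffix matches a single display digit, so display 10 or higher would be denied — probably acceptable, but worth a one-line comment so the limit is deliberate. Both additions could also be folded into the existing rule, e.g. `owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-[0-9],[0-9a-f]*-unix-wayland-[0-9]} r,`, which keeps the X11 and Wayland socket files together instead of duplicating the prefix.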
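Review bot: In the second ibus-extension-gtk3 hunk the added `owner @{run}/user/@{uid}/gdm/Xauthority r,` hands the process the GDM session's X authority cookie, which is what an X client needs and is correctly `owner`-qualified; a short comment such as `# X cookie of the GDM-launched session` would make the grant self-explaining next to the dconf rules. The file still ends without a trailing newline (`\ No newline at end of file`) after this edit, so adding one would bring it in line with the rest of the set and avoid a spurious hunk on the next change.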
diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 12c2fbe0..3fbb8ab6 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -21,9 +21,11 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, + owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, + owner @{run}/user/@{uid}/gdm/Xauthority r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session index fed5f788..1bb69aba 100644 --- a/apparmor.d/groups/gnome/gdm-x-session +++ b/apparmor.d/groups/gnome/gdm-x-session @@ -10,12 +10,15 @@ include profile gdm-x-session @{exec_path} flags=(attach_disconnected) { include - signal (receive) set=term peer=gdm*, - signal (send) set=term peer=unconfined, + signal (receive) set=term peer=gdm{,-session-worker}, + # signal (send) set=term peer=unconfined, + signal (send) set=term peer=dbus-run-session, + signal (send) set=term peer=xorg, + signal (send) set=term peer=gnome-session-binary, @{exec_path} mr, - /{usr/,}bin/Xorg rUx, + /{usr/,}bin/Xorg rPx, /{usr/,}bin/dbus-run-session rPx, /etc/gdm/Xsession rPx, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 3049f6b1..1ed0ed39 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession 
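Review bot: ibus-x11 gains `owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,` but, unlike the ibus-dconf and ibus-engine-simple hunks of this same commit, no matching `/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r,` beside the existing gdm wayland rule. If ibus-x11 is also spawned in the GDM greeter session under X11 that read will be denied, so either add the gdm rule for parity or record why ibus-x11 never runs there. The new `owner @{run}/user/@{uid}/gdm/Xauthority r,` is appropriate for an X client and correctly limited to the same uid.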
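Review bot: Moving `/{usr/,}bin/Xorg` from `rUx` to `rPx` is the right direction, but the new send rules to `dbus-run-session`, `xorg` and `gnome-session-binary` only take effect if each peer profile carries the matching `signal (receive) set=term peer=gdm-x-session,`; the xorg profile receives one later in this diff, while the other two profiles are not visible here and should be checked. Dropping the send to `unconfined` also means any child that still ends up unconfined (a `Ux`/`PUx` fallback) can no longer be terminated by gdm-x-session — presumably intended, so either delete the dead `# signal (send) set=term peer=unconfined,` line or annotate it with why it is kept as a reminder.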
@@ -16,18 +16,19 @@ profile gdm-xsession @{exec_path} { @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/zsh rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/gnome-session rix, /{usr/,}bin/gsettings rix, /{usr/,}bin/id rix, /{usr/,}bin/tty rix, + /{usr/,}bin/zsh rix, /{usr/,}bin/dbus-update-activation-environment rCx -> dbus, + /{usr/,}bin/flatpak rPUx, /{usr/,}bin/systemctl rPx -> child-systemctl, /{usr/,}bin/xhost rPx, /{usr/,}lib/gnome-session-binary rPx, - /{usr/,}bin/flatpak rPUx, + /{usr/,}bin/xbrlapi rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/X11/{,**} r, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 0c0f2c3a..ccbaead7 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -15,6 +15,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { include include include + include include network netlink raw, @@ -27,6 +28,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { @{libexec}/** rPUx, /usr/share/dconf/profile/gdm r, + /usr/share/egl/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glvnd/egl_vendor.d/{,*.json} r, @@ -54,6 +56,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gdm/Xauthority r, @{run}/user/@{uid}/wayland-cursor-shared-* rw, + @{sys}/devices/pci[0-9]*/**/drm/ r, + /dev/ r, /dev/tty rw, /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-s-z/xkbcomp b/apparmor.d/profiles-s-z/xkbcomp index 39bff6c6..0095e3b3 100644 --- a/apparmor.d/profiles-s-z/xkbcomp +++ b/apparmor.d/profiles-s-z/xkbcomp @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
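Review bot: `/{usr/,}bin/xbrlapi rPx,` requires a dedicated `xbrlapi` profile to be loaded; with `Px` the exec fails outright if the profile is absent rather than falling back, and none is added in this diff, so confirm it exists in the set or use `rPUx` as this hunk already does for flatpak. The moves of `zsh` and `flatpak` are purely cosmetic reordering. Since Xsession is a shell script run with `rix`, anything sourced from /etc/X11/Xsession.d executes with this profile's permissions, so each new `rPx` target is effectively a privilege boundary worth a one-line comment stating what the program is for.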
@@ -17,21 +18,21 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { /var/lib/xkb/server-[0-9]*.xkm w, owner @{HOME}/.Xauthority r, - owner @{HOME}/*.{xkb,xkm} rw, + owner @{user_share_dirs}/xorg/Xorg.[0-9].log w, + + /var/lib/gdm/.local/share/xorg/Xorg.[0-9].log w, + owner /var/log/lightdm/x-[0-9]*.log w, + owner /tmp/server-[0-9]*.xkm rwk, - # file_inherit - owner /dev/tty[0-9]* rw, - deny /var/log/Xorg.[0-9]*.log w, - deny /dev/input/event[0-9]* rw, - owner @{user_share_dirs}/xorg/Xorg.[0-9].log w, - owner /var/log/lightdm/x-[0-9]*.log w, /dev/dri/card[0-9]* rw, - - /dev/tty[0-9]* rw, /dev/tty rw, + /dev/tty[0-9]* rw, + + deny /dev/input/event[0-9]* rw, + deny /var/log/Xorg.[0-9]*.log w, include if exists } diff --git a/apparmor.d/profiles-s-z/xorg b/apparmor.d/profiles-s-z/xorg index f2dbaaf8..52dba16b 100644 --- a/apparmor.d/profiles-s-z/xorg +++ b/apparmor.d/profiles-s-z/xorg @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/X @{exec_path} += /{usr/,}bin/Xorg +@{exec_path} += /{usr/,}lib/Xorg{,.wrap} @{exec_path} += /{usr/,}lib/xorg/Xorg profile xorg @{exec_path} flags=(attach_disconnected) { include 
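Review bot: The new `/var/lib/gdm/.local/share/xorg/Xorg.[0-9].log w,` has no `owner` qualifier while the lightdm and per-user log rules around it do; if this is stderr inherited from the X server (file_inherit), `owner` works when xkbcomp runs as the gdm user and would match the neighbouring rules, so `owner /var/lib/gdm/.local/share/xorg/Xorg.[0-9].log w,` looks like the intended form. `owner /tmp/server-[0-9]*.xkm rwk,` permits create and lock on a predictable name in a world-writable directory; `owner` and fs.protected_regular limit the symlink-race exposure, but a comment noting that the X server picks this path would help the next reader. Removing `owner @{HOME}/*.{xkb,xkm} rw,` means a user running `xkbcomp -xkb ... ~/foo.xkb` by hand is now denied, which is fine if the profile targets only the server-spawned use, but that intent should be stated near the top of the profile.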
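Review bot: Adding `/{usr/,}lib/Xorg{,.wrap}` to `@{exec_path}` attaches the xorg profile to the setuid-root wrapper, which reads /etc/X11/Xwrapper.config and then re-execs the real server; as far as I can tell that re-exec needs an execute permission inside the same profile (e.g. `@{exec_path} mrix,`), because `mr` alone does not allow exec — the existing `@{exec_path}` rule is outside this hunk, so check it. The wrapper dropping privileges is also what makes the `capability setuid`/`setgid` grants added later in this diff necessary, which is worth saying in a comment next to the new exec_path line.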
@@ -21,31 +22,14 @@ profile xorg @{exec_path} flags=(attach_disconnected) { include include - # When the Xserver is started via startx as a regular user, there's no need for any of the - # following CAPs. When some DM is used instead, some of the CAPs are needed. - # Tested so far with LightDM and SDDM. - # - # In the case of most of the DMs, the sys_admin CAP is needed becasue if it's denied then Xserver - # has the following issue: - # (EE) modeset(0): drmSetMaster failed: Permission denied - #capability sys_admin, - # - # It looks like the Xserver started via LightDM can work just fine without the rest of the - # following CAPs. - # - # This has something to do with attaching the System V shared memory segments: - # shmat(131103, NULL, 0) = -1 EACCES (Permission denied) - #capability ipc_owner, - # - # For SDDM to read some /proc/ and /sys/ files: - #capability dac_read_search, - # + capability setgid, + capability setuid, + capability sys_admin, + # These can be denied. #deny capability dac_override, #deny capability sys_rawio, - deny capability sys_nice, - - # For KDE/SDDM + # deny capability sys_nice, #capability sys_tty_config, signal (send) set=(usr1), @@ -53,6 +37,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { signal (receive) peer=lightdm, signal (receive) peer=sddm, signal (receive) peer=xinit, + signal (receive) set=term peer=gdm{,-x-session}, network netlink raw, 
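Review bot: `capability sys_admin,` is now granted unconditionally with no comment, while the same hunk deletes the explanation (drmSetMaster under a display manager) that used to accompany it; sys_admin is close to unrestricted root, so the reason should travel with the rule, e.g. `# sys_admin: drmSetMaster() when Xorg runs as root and is not handed the DRM master by logind`. `setuid`/`setgid` are only needed for the setuid wrapper to drop privileges and deserve the same one-line annotation. Turning `deny capability sys_nice,` into a comment changes an explicit quiet deny into an implicit audited one — if sys_nice is still unwanted, keep the `deny` so the logs are not filled with noise.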
@@ -62,68 +47,56 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/xkbcomp rPx, /{usr/,}bin/pkexec rPx, - # Xorg files - /etc/X11/{,**} r, /{usr/,}lib/xorg/ r, /{usr/,}lib/xorg/modules/ r, /{usr/,}lib/xorg/modules/** mr, - # /var/lib/xkb/server-[0-9]*.xkm rw, - # Log files - owner /var/log/Xorg.[0-9].log{,.old} rw, - owner /var/log/Xorg.pid-@{pid}.log{,.old} rw, + /usr/share/egl/{,**} rw, + /usr/share/libinput/ r, + /usr/share/libinput/[0-9][0-9]-*.quirks r, + + /etc/X11/{,**} r, + owner @{HOME}/ r, + owner @{HOME}/.xsession-errors w, + owner @{user_share_dirs}/xorg/ rw, owner @{user_share_dirs}/xorg/Xorg.[0-9].log{,.old} rw, owner @{user_share_dirs}/xorg/Xorg.pid-@{pid}.log{,.old} rw, - owner @{HOME}/.xsession-errors w, - # TMP files + owner /var/lib/gdm/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw, + owner /var/log/lightdm/x-*.log* rw, + owner /var/log/Xorg.[0-9].log{,.old} rw, + owner /var/log/Xorg.pid-@{pid}.log{,.old} rw, + + @{run}/nvidia-xdriver-* rw, + @{run}/sddm/{,**} rw, + @{run}/lightdm/{,**} rw, + /tmp/ r, - # These are only needed when using abstract sockets. When Xserver is started with - # "-nolisten local" , you don't need the following rules. 
- #owner /tmp/.X11-unix/ rw, - #owner /tmp/.X11-unix/X* rwk, - # owner /tmp/.tX[0-9]-lock rwk, owner /tmp/.X[0-9]-lock rwkl -> /tmp/.tX[0-9]-lock, owner /tmp/server-* rwk, owner /tmp/serverauth.* r, - # Graphic card modules - /dev/vga_arbiter rw, - @{sys}/module/i915/{,**} r, - - # Input devices (keyboard, mouse, etc) - /dev/input/event[0-9]* rw, - - /usr/share/libinput/ r, - /usr/share/libinput/[0-9][0-9]-*.quirks r, - - # Screen backlight - @{sys}/devices/pci[0-9]*/**/backlight/*/{,max_}brightness r, - @{sys}/devices/pci[0-9]*/**/backlight/*/brightness rw, - - # Display Xserver on a specific TTY - owner /dev/tty[0-9]* rw, - - # Needed for SDDM display manager - @{run}/sddm/{,**} rw, - - # Needed for LightDM display manager - @{run}/lightdm/{,**} rw, - /var/log/lightdm/x-*.log* rw, - @{sys}/bus/ r, @{sys}/bus/pci/devices/ r, @{sys}/class/ r, @{sys}/class/{tty,input,drm}/ r, + @{sys}/class/power_supply/ r, @{sys}/devices/**/{uevent,name,id,config} r, + @{sys}/devices/**/hid r, + @{sys}/devices/**/power_supply/**/{type,online} r, @{sys}/devices/pci[0-9]*/**/ r, + @{sys}/devices/pci[0-9]*/**/backlight/*/{,max_}brightness r, + @{sys}/devices/pci[0-9]*/**/backlight/*/brightness rw, @{sys}/devices/pci[0-9]*/**/boot_vga r, + @{sys}/devices/platform/ r, + @{sys}/module/i915/{,**} r, + @{run}/udev/data/+i2c:* r, @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad @{run}/udev/data/+platform* r, # for ? @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs @@ -135,6 +108,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+serio* r, # for touchpad? @{run}/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]* @{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c10:[0-9]* r, @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* 
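Review bot: `/usr/share/egl/{,**} rw,` grants write access to a system-wide data directory that only needs reading (the gjs-console hunk in this same commit adds the identical path as `r`); unless there is a known case of Xorg writing there it should be `/usr/share/egl/{,**} r,`, since a root Xorg with write access to /usr/share could otherwise alter EGL vendor files that every GL client loads. `@{run}/nvidia-xdriver-* rw,`, the `@{run}/sddm` and `@{run}/lightdm` trees, and `owner @{HOME}/ r,` look reasonable for their purpose. This hunk spans the file's whole rule body, so the lines before the first hunk are not visible here.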
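Review bot: The added `@{run}/udev/data/c10:[0-9]* r,` is the only udev line in this list without the trailing explanation its neighbours carry; major 10 is the misc character device class, so `@{run}/udev/data/c10:[0-9]* r, # for /dev/ misc devices (uinput, psaux, ...)` keeps the block self-documenting.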
@@ -143,9 +117,12 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, @{PROC}/mtrr rw, - # - /dev/shm/shmfd-* rw, + /dev/input/event[0-9]* rw, /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/shmfd-* rw, + /dev/tty rw, + /dev/tty[0-9]* rw, + /dev/vga_arbiter rw, # Graphic card modules include if exists }
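Review bot: The relocated `/dev/tty[0-9]* rw,` lost the `owner` qualifier that the removed line in the earlier hunk had (`owner /dev/tty[0-9]* rw,`); when Xorg is started via startx as an unprivileged user the widening is harmless by DAC, but when it runs as root under a display manager it now allows opening any VT rather than only the one it was given. If the owner form broke a display-manager case, record which one in a comment; otherwise restore `owner /dev/tty[0-9]* rw,`. `/dev/input/event[0-9]* rw,` and `/dev/vga_arbiter rw,` are moves, not widenings.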