From ac25454f02b77cd6f6eba404b1af1577fdc5d083 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 9 Dec 2022 18:53:18 +0000
Subject: [PATCH] feat(profiles): improve x11 integraion.
---
 .../freedesktop/xdg-desktop-portal-gnome | 1 +
 .../groups/freedesktop/xdg-desktop-portal-gtk | 1 +
 apparmor.d/groups/gnome/gdm-xsession | 28 ++++++++++---------
 .../gnome/gnome-calculator-search-provider | 4 +++
 .../gnome-control-center-search-provider | 4 +++
 apparmor.d/groups/gnome/gnome-extensions-app | 2 +-
 apparmor.d/profiles-s-z/steam | 3 ++
 apparmor.d/profiles-s-z/steam-game | 1 +
 apparmor.d/profiles-s-z/steam-gameoverlayui | 1 +
 9 files changed, 31 insertions(+), 14 deletions(-)
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index 6432e91e..432b8745 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -129,6 +129,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
+ owner @{run}/user/@{uid}/gdm/Xauthority r,
 @{run}/mount/utab r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index 5e926d0b..1eac870d 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@@ -159,6 +159,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
 owner @{HOME}/@{XDG_DATA_HOME}/ r,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+ owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
 @{run}/mount/utab r,
diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession
index 1f7e336e..f512ba1c 100644
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
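Review bot: The rule `owner @{run}/user/@{uid}/gdm/Xauthority r,` is added as a verbatim copy to five profiles in this patch (this hunk, xdg-desktop-portal-gtk, the first steam hunk, steam-game and steam-gameoverlayui); every X11 client started under a GDM session will need the same line, so it belongs in one shared abstraction next to the existing `.mutter-Xwaylandauth.[0-9A-Z]*` rule rather than in each profile (the include targets are not legible in this rendering, so I cannot name the right abstraction). Reading that file hands the process the session's X magic cookie, i.e. the same display access the Xwayland auth rule already grants, so the `owner` qualifier and read-only mode are the right scope and should be kept as-is when the rule is centralised. A short comment on the shared rule, such as `# X magic cookie for the GDM-started session`, would record why both auth files are listed.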
@@ -18,21 +18,22 @@ profile gdm-xsession @{exec_path} {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/{m,g,}awk rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/expr rix,
+ /{usr/,}bin/gettext rix,
+ /{usr/,}bin/gettext.sh r,
 /{usr/,}bin/gnome-session rix,
 /{usr/,}bin/gsettings rix,
 /{usr/,}bin/id rix,
+ /{usr/,}bin/locale rix,
+ /{usr/,}bin/locale-check rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/tr rix,
+ /{usr/,}bin/truncate rix,
 /{usr/,}bin/tty rix,
 /{usr/,}bin/zsh rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/locale rix,
- /{usr/,}bin/gettext rix,
- /{usr/,}bin/gettext.sh r,
- /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/truncate rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/expr rix,
- /{usr/,}bin/locale-check rix,
 /{usr/,}bin/dbus-update-activation-environment rCx -> dbus,
 /{usr/,}bin/flatpak rPUx,
@@ -44,13 +45,14 @@ profile gdm-xsession @{exec_path} {
 @{libexec}/gnome-session-binary rPx,
 /{usr/,}bin/dpkg-query rpx,
- /etc/X11/{,**} r,
- /etc/default/im-config r,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/im-config/data/{,*} r,
 /usr/share/im-config/xinputrc.common r,
+ /etc/debuginfod/{,*} r,
+ /etc/default/im-config r,
+ /etc/X11/{,**} r,
+ owner /tmp/gdm{3,}-config-err-?????? rw,
 # file_inherit
diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider
index d3a16fcf..2a2f65fe 100644
--- a/apparmor.d/groups/gnome/gnome-calculator-search-provider
+++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider
@@ -11,8 +11,12 @@ profile gnome-calculator-search-provider @{exec_path} {
 include
 include
 include
+ include
+ include
 include
 include
+ include
+ include
 signal (send) set=kill peer=unconfined,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider
index c99e15d4..3b77eb93 100644
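Review bot: The second gdm-xsession hunk (`@@ -44,13 +45,14 @@`) drops `/usr/share/glib-2.0/schemas/gschemas.compiled r,` with no replacement visible, while `/{usr/,}bin/gsettings rix,` in the first hunk still executes inline under this profile and will read that file; unless an included abstraction now covers it, this shows up as a denial at session start, so either keep the rule or say in the commit message which abstraction took it over. The new `/etc/debuginfod/{,*} r,` and `owner /tmp/gdm{3,}-config-err-?????? rw,` rules have no comment recording which part of the Xsession needs them; a one-line comment naming the script that sources or creates them (I would guess the profile.d snippets sourced by the Xsession, but that needs confirming) keeps the rule from being pruned later as unexplained. The first hunk also slips `/{usr/,}bin/tr rix,` in among an otherwise pure alphabetical reorder; mentioning it in the message, or splitting the reorder from the addition, keeps the history reviewable.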
--- a/apparmor.d/groups/gnome/gnome-control-center-search-provider
+++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider
@@ -11,9 +11,13 @@ profile gnome-control-center-search-provider @{exec_path} {
 include
 include
 include
+ include
+ include
 include
 include
 include
+ include
+ include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app
index 50da01ee..b0bd4cda 100644
--- a/apparmor.d/groups/gnome/gnome-extensions-app
+++ b/apparmor.d/groups/gnome/gnome-extensions-app
@@ -9,7 +9,6 @@ include
 @{exec_path} = /{usr/,}bin/gnome-extensions-app
 profile gnome-extensions-app @{exec_path} {
 include
- # include
 include
 include
 include
@@ -17,6 +16,7 @@ profile gnome-extensions-app @{exec_path} {
 include
 include
 include
+ include
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index ebd71ff4..add45d99 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -136,6 +136,7 @@ profile steam @{exec_path} {
 owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+ owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner /dev/shm/#[0-9]* rw,
 owner /dev/shm/fossilize-*-[0-9]*-[0-9]* rw,
@@ -198,6 +199,7 @@ profile steam @{exec_path} {
 @{PROC}/version r,
 owner @{PROC}/@{pid}/autogroup rw,
 owner @{PROC}/@{pid}/cmdline rk,
+ owner @{PROC}/@{pid}/environ r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/oom_score_adj w,
@@ -210,6 +212,7 @@ profile steam @{exec_path} {
 /dev/input/event[0-9]* r,
 /dev/tty rw,
 /dev/uinput w,
+ /dev/video[0-9]* rw,
 audit deny /**.steam_exec_test.sh rw,
 deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game
index 19d86069..c7ed303c 100644
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
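Review bot: `/dev/video[0-9]* rw,` in the third steam hunk (`@@ -210,6 +212,7 @@`) grants everything confined by the steam profile read/write access to every V4L2 device on the host, with no comment on which Steam feature needs a camera or capture device. An `owner` qualifier would not narrow it, since such device nodes are typically root-owned and handed to the seat user through ACLs, so a comment is the only place to record the intent, e.g. `/dev/video[0-9]* rw, # camera / capture devices (confirm which Steam component uses them)`. If only one component needs it, check whether the rule can live in that component's profile instead of the top-level one. The `owner @{PROC}/@{pid}/environ r,` rule in the second hunk is limited to the process's own environment and looks fine as written.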
@@ -170,6 +170,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 owner @{run}/pressure-vessel/{,**} rw,
 owner @{run}/user/@{uid}/ r,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+ owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner @{run}/user/@{uid}/orcexec.* mrw, # gstreamer
 owner /dev/shm/#[0-9]* rw,
diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui
index a8b7a7be..e5e0dccf 100644
--- a/apparmor.d/profiles-s-z/steam-gameoverlayui
+++ b/apparmor.d/profiles-s-z/steam-gameoverlayui
@@ -40,6 +40,7 @@ profile steam-gameoverlayui @{exec_path} {
 owner @{user_share_dirs}/Steam/userdata/[0-9]*/{,**} rk,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+ owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner /dev/shm/u@{uid}-Shm_@{hex} rw,
 owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk,