mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 00:48:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profiles): improve x11 integraion.

Browse source
This commit is contained in:
Alexandre Pujol 2022-12-09 18:53:18 +00:00
parent dd232695d3
commit ac25454f02
Failed to generate hash of commit
9 changed files with 31 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
View file

@ -129,6 +129,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
@{run}/mount/utab r, @{run}/mount/utab r,

1
apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
View file

@ -159,6 +159,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
owner @{HOME}/@{XDG_DATA_HOME}/ r, owner @{HOME}/@{XDG_DATA_HOME}/ r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
@{run}/mount/utab r, @{run}/mount/utab r,

28
apparmor.d/groups/gnome/gdm-xsession
View file

@ -18,21 +18,22 @@ profile gdm-xsession @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/gettext.sh r,
/{usr/,}bin/gnome-session rix, /{usr/,}bin/gnome-session rix,
/{usr/,}bin/gsettings rix, /{usr/,}bin/gsettings rix,
/{usr/,}bin/id rix, /{usr/,}bin/id rix,
/{usr/,}bin/locale rix,
/{usr/,}bin/locale-check rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/truncate rix,
/{usr/,}bin/tty rix, /{usr/,}bin/tty rix,
/{usr/,}bin/zsh rix, /{usr/,}bin/zsh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/locale rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/gettext.sh r,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/truncate rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/locale-check rix,
/{usr/,}bin/dbus-update-activation-environment rCx -> dbus, /{usr/,}bin/dbus-update-activation-environment rCx -> dbus,
/{usr/,}bin/flatpak rPUx, /{usr/,}bin/flatpak rPUx,
@ -44,13 +45,14 @@ profile gdm-xsession @{exec_path} {
@{libexec}/gnome-session-binary rPx, @{libexec}/gnome-session-binary rPx,
/{usr/,}bin/dpkg-query rpx, /{usr/,}bin/dpkg-query rpx,
/etc/X11/{,**} r,
/etc/default/im-config r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/im-config/data/{,*} r, /usr/share/im-config/data/{,*} r,
/usr/share/im-config/xinputrc.common r, /usr/share/im-config/xinputrc.common r,
/etc/debuginfod/{,*} r,
/etc/default/im-config r,
/etc/X11/{,**} r,
owner /tmp/gdm{3,}-config-err-?????? rw, owner /tmp/gdm{3,}-config-err-?????? rw,
# file_inherit # file_inherit

4
apparmor.d/groups/gnome/gnome-calculator-search-provider
View file

@ -11,8 +11,12 @@ profile gnome-calculator-search-provider @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/vulkan>
signal (send) set=kill peer=unconfined, signal (send) set=kill peer=unconfined,

4
apparmor.d/groups/gnome/gnome-control-center-search-provider
View file

@ -11,9 +11,13 @@ profile gnome-control-center-search-provider @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/vulkan>
@{exec_path} mr, @{exec_path} mr,

2
apparmor.d/groups/gnome/gnome-extensions-app
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-extensions-app @{exec_path} = /{usr/,}bin/gnome-extensions-app
profile gnome-extensions-app @{exec_path} { profile gnome-extensions-app @{exec_path} {
include <abstractions/base> include <abstractions/base>
# include <abstractions/vulkan>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
@ -17,6 +16,7 @@ profile gnome-extensions-app @{exec_path} {
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/opencl> include <abstractions/opencl>
include <abstractions/vulkan>
@{exec_path} mr, @{exec_path} mr,

3
apparmor.d/profiles-s-z/steam
View file

@ -136,6 +136,7 @@ profile steam @{exec_path} {
owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk, owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner /dev/shm/#[0-9]* rw, owner /dev/shm/#[0-9]* rw,
owner /dev/shm/fossilize-*-[0-9]*-[0-9]* rw, owner /dev/shm/fossilize-*-[0-9]*-[0-9]* rw,
@ -198,6 +199,7 @@ profile steam @{exec_path} {
@{PROC}/version r, @{PROC}/version r,
owner @{PROC}/@{pid}/autogroup rw, owner @{PROC}/@{pid}/autogroup rw,
owner @{PROC}/@{pid}/cmdline rk, owner @{PROC}/@{pid}/cmdline rk,
owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_score_adj w, owner @{PROC}/@{pid}/oom_score_adj w,
@ -210,6 +212,7 @@ profile steam @{exec_path} {
/dev/input/event[0-9]* r, /dev/input/event[0-9]* r,
/dev/tty rw, /dev/tty rw,
/dev/uinput w, /dev/uinput w,
/dev/video[0-9]* rw,
audit deny /**.steam_exec_test.sh rw, audit deny /**.steam_exec_test.sh rw,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

1
apparmor.d/profiles-s-z/steam-game
View file

@ -170,6 +170,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
owner @{run}/pressure-vessel/{,**} rw, owner @{run}/pressure-vessel/{,**} rw,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/orcexec.* mrw, # gstreamer owner @{run}/user/@{uid}/orcexec.* mrw, # gstreamer
owner /dev/shm/#[0-9]* rw, owner /dev/shm/#[0-9]* rw,

1
apparmor.d/profiles-s-z/steam-gameoverlayui
View file

@ -40,6 +40,7 @@ profile steam-gameoverlayui @{exec_path} {
owner @{user_share_dirs}/Steam/userdata/[0-9]*/{,**} rk, owner @{user_share_dirs}/Steam/userdata/[0-9]*/{,**} rk,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-Shm_@{hex} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk, owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk,