mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 00:48:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(opensuse): gnome integration.

Browse source
This commit is contained in:
Alexandre Pujol 2023-02-04 23:39:19 +00:00
parent ff64fbfa51
commit ad23864094
Failed to generate hash of commit
23 changed files with 98 additions and 38 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
apparmor.d/groups/gnome/evolution-addressbook-factory
View file

@ -43,6 +43,7 @@ profile evolution-addressbook-factory @{exec_path} {
@{exec_path}-subprocess rix,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icu/{,**} r,
owner @{user_share_dirs}/evolution/{,**} rwk,
owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk,

2
apparmor.d/groups/gnome/evolution-alarm-notify
View file

@ -22,7 +22,7 @@ profile evolution-alarm-notify @{exec_path} {
/usr/share/evolution-data-server/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/ubuntu/applications/ r,
/usr/share/zoneinfo-icu/{,**} r,
/usr/share/{,zoneinfo-}icu/{,**} r,
include if exists <local/evolution-alarm-notify>
}

23
apparmor.d/groups/gnome/gdm
View file

@ -15,6 +15,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
include <abstractions/wutmp>
capability chown,
capability dac_read_search,
capability fsetid,
capability kill,
capability net_admin,
@ -65,12 +66,14 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}{s,}bin/prime-switch rPUx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/plymouth rPx,
/etc/gdm{3,}/PrimeOff/Default rix,
@{libexec}/gdm-session-worker rPx,
@{libexec}/{,gdm/}gdm-session-worker rPx,
/{usr/,}{s,}bin/prime-switch rPUx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/pidof rPx,
/{usr/,}bin/plymouth rPx,
/{usr/,}bin/sleep rix,
/etc/gdm{3,}/PrimeOff/Default rix,
/usr/share/gdm/gdm.schemas r,
/usr/share/wayland-sessions/*.desktop r,
/usr/share/xsessions/*.desktop r,
@ -79,6 +82,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
/etc/gdm{3,}/custom.conf r,
/etc/gdm{3,}/daemon.conf r,
/etc/locale.conf r,
/etc/sysconfig/displaymanager r,
/etc/sysconfig/windowmanager r,
/var/{lib,log}/gdm{3,}/ rw,
@ -97,12 +102,14 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/pci[0-9]*/**/boot_vga r,
@{sys}/devices/virtual/tty/tty[0-9]*/active r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
/dev/tty rw,
include if exists <local/gdm>
}

4
apparmor.d/groups/gnome/gdm-session-worker
View file

@ -62,7 +62,9 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
@{libexec}/{,gdm/}gdm-x-session rPx,
/{usr/,}bin/gnome-keyring-daemon rPx,
/etc/gdm{3,}/{Pre,Post}Session/Default rix,
/etc/gdm{3,}/PostLogin/Default rix,
/etc/gdm{3,}/PrimeOff/Default rix,
@{etc_ro}/X11/xdm/Xstartup rPUx,
/usr/share/gdm/gdm.schemas r,
/usr/share/wayland-sessions/*.desktop r,
@ -77,6 +79,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
/etc/motd r,
/etc/motd.d/ r,
/etc/shells r,
/etc/sysconfig/displaymanager r,
/etc/sysconfig/windowmanager r,
owner @{run}/user/@{uid}/keyring/control rw,

24
apparmor.d/groups/gnome/gdm-wayland-session
View file

@ -42,6 +42,7 @@ profile gdm-wayland-session @{exec_path} {
/{usr/,}bin/cat rix,
/{usr/,}bin/env rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/gettext.sh r,
/{usr/,}bin/gnome-session rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/gsettings rix,
@ -49,36 +50,51 @@ profile gdm-wayland-session @{exec_path} {
/{usr/,}bin/id rix,
/{usr/,}bin/locale rix,
/{usr/,}bin/locale-check rix,
/{usr/,}bin/manpath rix,
/{usr/,}bin/qmake rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/tty rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/zsh rix,
@{libexec}/gnome-session-binary rPx,
/{usr/,}bin/dbus-daemon rPx,
/{usr/,}bin/dbus-run-session rPx,
/{usr/,}bin/dpkg-query rpx,
/{usr/,}bin/flatpak rPUx,
@{libexec}/gnome-session-binary rPx,
/{usr/,}bin/gettext.sh r,
/usr/share/bash-completion/{,**} r,
/usr/share/gdm/gdm.schemas r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/im-config/{,**} r,
/usr/share/xsessions/gnome.desktop r,
@{etc_ro}/profile.d/{,*} r,
/etc/debuginfod/{,*} r,
/etc/default/im-config r,
/etc/gdm{3,}/custom.conf r,
/etc/gdm{3,}/daemon.conf r,
/etc/locale.conf r,
/etc/manpath.config r,
/etc/shells r,
/etc/sysconfig/console r,
/etc/sysconfig/displaymanager r,
/etc/sysconfig/language r,
/etc/sysconfig/mail r,
/etc/sysconfig/proxy r,
/etc/sysconfig/windowmanager r,
/etc/X11/xinit/xinputrc r,
/etc/X11/Xsession.d/*im-config_launch r,
/usr/share/gdm/gdm.schemas r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{HOME}/.alias r,
owner @{HOME}/.i18n r,
@{run}/gdm{3,}/custom.conf r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/loginuid r,

6
apparmor.d/groups/gnome/gdm-x-session
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/gdm-x-session
@{exec_path} = @{libexec}/{,gdm/}gdm-x-session
profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
@ -40,9 +40,11 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
/etc/gdm{3,}/Xsession rPx,
/etc/gdm{3,}/Prime/Default rix,
/usr/share/gdm/gdm.schemas r,
/etc/gdm{3,}/custom.conf r,
/etc/gdm{3,}/daemon.conf r,
/usr/share/gdm/gdm.schemas r,
/etc/sysconfig/displaymanager r,
/var/lib/gdm{3,}/.cache/gdm/Xauthority rw,
/var/lib/gdm{3,}/.cache/gdm/ rw,

3
apparmor.d/groups/gnome/gdm-xsession
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /etc/gdm{3,}/Xsession
@{exec_path} = @{etc_ro}/gdm{3,}/Xsession
profile gdm-xsession @{exec_path} {
include <abstractions/base>
include <abstractions/bash>
@ -35,6 +35,7 @@ profile gdm-xsession @{exec_path} {
/{usr/,}bin/tty rix,
/{usr/,}bin/zsh rix,
@{etc_ro}/X11/xdm/Xsession rPx,
/{usr/,}bin/dbus-update-activation-environment rCx -> dbus,
/{usr/,}bin/flatpak rPUx,
/{usr/,}bin/systemctl rPx -> child-systemctl,

1
apparmor.d/groups/gnome/gjs-console
View file

@ -84,6 +84,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/gnome-shell/{,**} r,
/usr/share/icu/{,**} r,
/usr/share/X11/xkb/** r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,

3
apparmor.d/groups/gnome/gnome-characters
View file

@ -23,10 +23,11 @@ profile gnome-characters @{exec_path} {
/{usr/,}bin/gjs-console rix,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icu/{,**} r,
/usr/share/libdrm/*.ids r,
/usr/share/org.gnome.Characters/org.gnome.Characters.*.gresource r,
/usr/share/themes/{,**} r,
/usr/share/X11/xkb/{,**} r,
/usr/share/libdrm/*.ids r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/stat r,

6
apparmor.d/groups/gnome/gnome-control-center
View file

@ -104,14 +104,16 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/usr/share/mime/{,**} r,
/usr/share/pipewire/client.conf r,
/usr/share/thumbnailers/{,*} r,
/usr/share/wallpapers/{,**} r,
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
/usr/share/zoneinfo/{,**} r,
/etc/cups/client.conf r,
/etc/machine-info r,
/etc/pipewire/client.conf.d/ r,
/etc/rygel.conf r,
/etc/security/pwquality.conf r,
/etc/security/pwquality.conf.d/{,**} r,
/etc/rygel.conf r,
/etc/fstab r,
/etc/machine-id r,
@ -119,9 +121,9 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/var/lib/snapd/desktop/icons/ r,
/var/cache/cracklib/cracklib_dict.* r,
/var/cache/samba/ rw,
/var/lib/AccountsService/icons/* r,
/var/cache/cracklib/cracklib_dict.* r,
owner @{HOME}/.cat_installer/ca.pem r,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,

2
apparmor.d/groups/gnome/gnome-control-center-search-provider
View file

@ -27,6 +27,8 @@ profile gnome-control-center-search-provider @{exec_path} {
/etc/gnome/defaults.list r,
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,

4
apparmor.d/groups/gnome/gnome-extensions-app
View file

@ -14,6 +14,7 @@ profile gnome-extensions-app @{exec_path} {
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/opencl>
@ -24,9 +25,10 @@ profile gnome-extensions-app @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gjs-console rix,
/usr/share/terminfo/x/xterm-256color r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/gnome-shell/org.gnome.Extensions* r,
/usr/share/icu/{,**} r,
/usr/share/terminfo/x/xterm-256color r,
/usr/share/X11/xkb/{,**} r,
owner @{PROC}/@{pid}/mounts r,

2
apparmor.d/groups/gnome/gnome-keyring-daemon
View file

@ -75,6 +75,8 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/ssh-add rix,
/{usr/,}bin/ssh-agent rPx,
/etc/gcrypt/hwf.deny r,
/var/lib/gdm{3,}/.local/share/keyrings/ rw,
# Keyrings location

1
apparmor.d/groups/gnome/gnome-music
View file

@ -33,6 +33,7 @@ profile gnome-music @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/ r,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}lib/python3.[0-9]*/site-packages//gnomemusic/__pycache__/{,**} rw,
/usr/share/egl/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,

1
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -211,6 +211,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/.local/share/session_migration-* r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
/var/lib/flatpak/exports/share/applications/{,**} r,
/var/lib/flatpak/exports/share/mime/mime.cache r,
/var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,

17
apparmor.d/groups/gnome/gnome-shell
View file

@ -486,31 +486,36 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/opt/*/**/*.png r,
/snap/*/@{uid}/**.png r,
/usr/share/{,zoneinfo-}icu/{,**} r,
/usr/share/*ubuntu/applications/{,*.desktop} r,
/usr/share/app-info/icons/{,**} r,
/usr/share/backgrounds/{,**} r,
/usr/share/dconf/profile/gdm r,
/usr/share/desktop-base/** r,
/usr/share/desktop-directories/{,*.directory} r,
/usr/share/egl/{,**} r,
/usr/share/evolution-data-server/icons/{,**} r,
/usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
/usr/share/gdm/BuiltInSessions/{,*.desktop} r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/gdm/greeter/applications/{,**} r,
/usr/share/gdm/BuiltInSessions/{,*.desktop} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/gnome-shell/{,**} r,
/usr/share/libdrm/*.ids r,
/usr/share/libgweather/Locations.xml r,
/usr/share/libinput/ r,
/usr/share/libinput/[0-9][0-9]-*.quirks r,
/usr/share/libinput*/ r,
/usr/share/libinput*/{,**/}[0-9][0-9]-*.quirks r,
/usr/share/libinput*/libinput/ r,
/usr/share/libwacom/{,*.stylus,*.tablet} r,
/usr/share/plymouth/*.png r,
/usr/share/*ubuntu/applications/{,*.desktop} r,
/usr/share/wallpapers/** r,
/usr/share/wayland-sessions/{,*.desktop} r,
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
/usr/share/desktop-base/** r,
/usr/share/libdrm/*.ids r,
/usr/share/gnome-packagekit/icons/hicolor/{,**} r,
/.flatpak-info r,
/etc/fstab r,
/etc/udev/hwdb.bin r,
/etc/xdg/menus/gnome-applications.menu r,
/var/lib/gdm{3,}/.cache/ w,

3
apparmor.d/groups/gnome/gnome-shell-calendar-server
View file

@ -19,8 +19,9 @@ profile gnome-shell-calendar-server @{exec_path} {
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/zoneinfo-icu/{,**} r,
/usr/share/{,zoneinfo-}icu/{,**} r,
/etc/sysconfig/clock r,
/etc/timezone r,
include if exists <local/gnome-shell-calendar-server>

4
apparmor.d/groups/gnome/gnome-software
View file

@ -58,6 +58,10 @@ profile gnome-software @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/var/cache/app-info/icons/**.png r,
/var/cache/app-info/xmls/{,**} r,
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
/var/lib/flatpak/app/{,**} r,
/var/lib/flatpak/appstream/{,**} r,
/var/lib/flatpak/repo/{,**} r,

1
apparmor.d/groups/gnome/gnome-terminal-server
View file

@ -34,6 +34,7 @@ profile gnome-terminal-server @{exec_path} {
/{usr/,}bin/nvtop rPx,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icu/{,**} r,
/usr/share/X11/xkb/{,**} r,
/var/lib/flatpak/exports/share/icons/{,**} r,

9
apparmor.d/groups/gnome/gsd-xsettings
View file

@ -9,9 +9,9 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-xsettings
profile gsd-xsettings @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
@ -120,12 +120,13 @@ profile gsd-xsettings @{exec_path} {
/{usr/,}bin/cat rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/run-parts rCx -> run-parts,
@{libexec}/ibus-x11 rPx,
/{usr/,}bin/busctl rPx,
/{usr/,}bin/pactl rPx,
/{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/xprop rPx,
/{usr/,}bin/xrdb rPx,
/{usr/,}lib/ibus/ibus-x11 rPx,
@{libexec}/ibus-x11 rPx,
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,

5
apparmor.d/groups/gnome/nautilus
View file

@ -47,15 +47,16 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
/usr/share/*ubuntu/applications/{,**} r,
/usr/share/icu/{,**} r,
/usr/share/libdrm/*.ids r,
/usr/share/nautilus/{,**} r,
/usr/share/poppler/{,**} r,
/usr/share/sounds/freedesktop/stereo/*.oga r,
/usr/share/terminfo/ r,
/usr/share/thumbnailers/{,**} r,
/usr/share/tracker/domain-ontologies/*.rule r,
/usr/share/tracker3/{,**} r,
/usr/share/tracker*/{,**} r,
/var/cache/fontconfig/ r,
/var/lib/snapd/desktop/icons/{,**} r,
# Full access to user's data

4
apparmor.d/groups/gnome/seahorse
View file

@ -13,6 +13,7 @@ profile seahorse @{exec_path} {
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/gnome>
include <abstractions/openssl>
include <abstractions/p11-kit>
include <abstractions/ssl_certs>
@ -44,6 +45,9 @@ profile seahorse @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/ubuntu/applications/ r,
/etc/pki/trust/blocklist/ r,
/etc/gcrypt/hwf.deny r,
/var/lib/snapd/desktop/icons/ r,
owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,

10
apparmor.d/groups/gnome/tracker-miner
View file

@ -104,13 +104,13 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/tracker3/{,**} rwk,
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
@{run}/blkid/blkid.tab r,
@{run}/mount/utab r,
@{PROC}/sys/fs/fanotify/max_user_marks r,
@{PROC}/sys/fs/inotify/max_user_watches r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{run}/blkid/blkid.tab r,
@{run}/mount/utab r,
# file_inherit
owner /dev/tty[0-9]* rw,