diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings
new file mode 100644
index 00000000..8428cb40
--- /dev/null
+++ b/apparmor.d/groups/gnome/gsd-a11y-settings
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-a11y-settings
+profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected complain) {
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/gdm/greeter-dconf-defaults r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+ /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
+
+ owner /dev/tty[0-9]* rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
new file mode 100644
index 00000000..e66208bd
--- /dev/null
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-color
+profile gsd-color @{exec_path} flags=(attach_disconnected complain) {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/gdm/greeter-dconf-defaults r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/icons/{,**} r,
+ /usr/share/mime/mime.cache r,
+ /usr/share/X11/xkb/** r,
+
+ /var/lib/gdm/.local/share/icc/ r,
+ /var/lib/gdm/.local/share/icc/edid-*.icc r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+ /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
+
+ owner @{user_share_dirs}/icc/ r,
+ owner @{user_share_dirs}/icc/edid-*.icc r,
+
+ owner /dev/tty[0-9]* rw,
+
+ include if exists
+}
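Review bot: The dconf block (`include`, `owner @{run}/user/[0-9]*/dconf/ rw,`, `owner @{run}/user/[0-9]*/dconf/user rw,`, `/usr/share/dconf/profile/gdm r,`, `/var/lib/gdm/.config/dconf/user r,`) is pasted verbatim into gsd-a11y-settings and into almost every other gsd-* profile in this commit, so any later tightening of the write grant on the dconf database has to be repeated a dozen times. Consider moving the gdm-greeter lines into a shared abstraction so each profile carries a single include, with a comment explaining that the same binary runs in the greeter as the gdm user. The `[0-9]*` uid component could also become `@{uid}` if that tunable exists in this tree.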
diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime
new file mode 100644
index 00000000..88c68e8e
--- /dev/null
+++ b/apparmor.d/groups/gnome/gsd-datetime
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-datetime
+profile gsd-datetime @{exec_path} flags=(attach_disconnected complain) {
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/gdm/greeter-dconf-defaults r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+ /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
+
+ owner /dev/tty[0-9]* rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify
new file mode 100644
index 00000000..edd2bec4
--- /dev/null
+++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-disk-utility-notify
+profile gsd-disk-utility-notify @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping
new file mode 100644
index 00000000..84dcfdaf
--- /dev/null
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
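Review bot: `profile gsd-disk-utility-notify @{exec_path} {` carries no `flags=(...)`, so unlike every other gsd-* profile added in this commit it is enforced immediately, with nothing beyond `@{exec_path} mr,` and one include. If that is deliberate, a one-line comment above the profile header saying the rule set is known complete would stop the next reader from "fixing" it; otherwise use `flags=(attach_disconnected complain)` for parity until denials have been collected.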
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-housekeeping
+profile gsd-housekeeping @{exec_path} flags=(attach_disconnected complain) {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/fstab r,
+
+ /usr/share/gdm/greeter-dconf-defaults r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ owner @{user_cache_dirs}/thumbnails/fail/gnome-thumbnail-factory/ r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+ /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
+
+ owner @{PROC}/@{pids}/mountinfo r,
+
+ @{run}/mount/utab r,
+
+ owner /dev/tty[0-9]* rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard
new file mode 100644
index 00000000..6fcaa883
--- /dev/null
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-keyboard
+profile gsd-keyboard @{exec_path} flags=(attach_disconnected complain) {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/gdm/greeter-dconf-defaults r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/icons/{,**} r,
+ /usr/share/X11/xkb/** r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+ /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
+
+ owner /dev/tty[0-9]* rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
new file mode 100644
index 00000000..c7ff8ccd
--- /dev/null
+++ b/apparmor.d/groups/gnome/gsd-media-keys
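Review bot: `owner @{PROC}/@{pids}/mountinfo r,` in gsd-housekeeping lets the daemon read the mount table of every process owned by the same user, while gsd-print-notifications in this same commit scopes its `/proc` access to `@{pid}`. If housekeeping only inspects its own mounts (presumably through /proc/self/mountinfo — confirm from the denial logs), `owner @{PROC}/@{pid}/mountinfo r,` is the tighter rule and keeps the two profiles consistent. A comment on `/etc/fstab r,` and `@{run}/mount/utab r,` noting they feed the free-space checks would also help a later reader judge the grant.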
@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-media-keys
+profile gsd-media-keys @{exec_path} flags=(attach_disconnected complain) {
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /etc/machine-id r,
+
+ /usr/share/gdm/greeter-dconf-defaults r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/icons/{,**} r,
+ /usr/share/X11/xkb/** r,
+
+ owner @{user_config_dirs}/pulse/client.conf r,
+ owner @{user_config_dirs}/pulse/cookie rk,
+ /var/lib/gdm/.config/pulse/client.conf r,
+
+ owner @{run}/user/[0-9]*/pulse/ r,
+ @{run}/systemd/inhibit/[0-9]*.ref rw,
+
+ /dev/shm/ r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+ /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
+
+ owner /dev/tty[0-9]* rw,
+
+ @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
+ @{sys}/devices/platform/**/uevent r,
+ @{sys}/devices/**/usb[0-9]/{,**} r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
new file mode 100644
index 00000000..daa041c9
--- /dev/null
+++ b/apparmor.d/groups/gnome/gsd-power
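Review bot: `@{sys}/devices/**/usb[0-9]/{,**} r,` matches only a single digit, so USB root hubs numbered 10 and above (`usb10`, `usb11`, ...) are silently excluded, while every other numbered node in this commit uses `[0-9]*` (`card[0-9]*`, `pci[0-9]*`); suggest `@{sys}/devices/**/usb[0-9]*/{,**} r,`. In complain mode the mismatch only shows up as an audit line, so it is worth fixing before the profile is enforced. Note that the rule also grants read of the entire sysfs subtree of every USB bus, which is the widest grant in this profile; once the logs show which attributes are actually read it could be narrowed.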
@@ -0,0 +1,57 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-power
+profile gsd-power @{exec_path} flags=(attach_disconnected complain) {
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /usr/share/gdm/greeter-dconf-defaults r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/icons/{,**} r,
+ /usr/share/X11/xkb/** r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+ /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
+
+ @{sys}/bus/ r,
+ @{sys}/class/ r,
+ @{sys}/class/backlight/ r,
+
+ @{sys}/devices/pci[0-9]*/**/class r,
+ @{sys}/devices/pci[0-9]*/**/backlight/**/brightness rw,
+ @{sys}/devices/pci[0-9]*/**/backlight/**/{max_brightness,actual_brightness} r,
+ @{sys}/devices/pci[0-9]*/**/backlight/**/{uevent,type} r,
+ @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/brightness rw,
+ @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/{max_brightness,actual_brightness} r,
+ @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/{uevent,type,enabled} r,
+
+ @{sys}/devices/platform/**/leds/*backlight*/uevent r,
+ @{sys}/devices/platform/**/leds/*backlight*/max_brightness r,
+ @{sys}/devices/platform/**/leds/*backlight*/brightness rw,
+
+ @{run}/udev/data/+backlight:* r,
+ @{run}/udev/data/+leds:*backlight* r,
+
+ @{run}/systemd/inhibit/[0-9]*.ref rw,
+
+ @{PROC}/cmdline r,
+
+ owner /dev/tty[0-9]* rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
new file mode 100644
index 00000000..6ac70951
--- /dev/null
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-print-notifications
+profile gsd-print-notifications @{exec_path} flags=(attach_disconnected complain) {
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+
+ signal (send) set=(hup) peer=gsd-printer,
+
+ @{exec_path} mr,
+ /{usr/,}lib/gsd-printer rPx,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ owner /dev/tty[0-9]* rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer
new file mode 100644
index 00000000..63c2d39d
--- /dev/null
+++ b/apparmor.d/groups/gnome/gsd-printer
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-printer
+profile gsd-printer @{exec_path} flags=(attach_disconnected complain) {
+ include
+
+ signal (receive) set=(hup) peer=gsd-print-notifications,
+
+ @{exec_path} mr,
+
+ owner /dev/tty[0-9]* rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill
new file mode 100644
index 00000000..f2bfd1ce
--- /dev/null
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-rfkill
+profile gsd-rfkill @{exec_path} flags=(attach_disconnected complain) {
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /sys/devices/virtual/misc/rfkill/uevent r,
+ /dev/rfkill rw,
+
+ owner /dev/tty[0-9]* rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy
new file mode 100644
index 00000000..2cec543e
--- /dev/null
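Review bot: `network inet stream,` and `network inet6 stream,` let gsd-print-notifications open a TCP connection to any host on any port; with this abi AppArmor cannot scope network rules by address or port, so the grant is all-or-nothing. If the CUPS server is local (unix socket under /run/cups/ or localhost:631 — verify on a target system), a socket rule would avoid granting outbound network at all; if remote CUPS servers are the reason, record that in a comment such as `# talks to CUPS, which may be a remote server` so the grant is visibly deliberate. The `signal (send) set=(hup) peer=gsd-printer,` rule correctly pairs with the receive rule in gsd-printer.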
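Review bot: `/sys/devices/virtual/misc/rfkill/uevent r,` in gsd-rfkill hardcodes `/sys` while every other sysfs rule in this commit (gsd-power, gsd-media-keys, gsd-xsettings) goes through the `@{sys}` tunable; use `@{sys}/devices/virtual/misc/rfkill/uevent r,` so the tunable applies uniformly. `/dev/rfkill rw,` is a write into a kernel control device that switches radios off and on — that is the daemon's purpose, but a short comment (`# rfkill switch control, needed to toggle airplane mode`) would make the write grant obviously intentional to a later auditor.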
+++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-screensaver-proxy
+profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected complain) {
+ include
+
+ @{exec_path} mr,
+
+ owner /dev/tty[0-9]* rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing
new file mode 100644
index 00000000..ae8e9cd8
--- /dev/null
+++ b/apparmor.d/groups/gnome/gsd-sharing
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-sharing
+profile gsd-sharing @{exec_path} flags=(attach_disconnected complain) {
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/gdm/greeter-dconf-defaults r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+ /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
+
+ owner /dev/tty[0-9]* rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard
new file mode 100644
index 00000000..42d12d79
--- /dev/null
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-smartcard
+profile gsd-smartcard @{exec_path} flags=(attach_disconnected complain) {
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/gdm/greeter-dconf-defaults r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+ /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
+
+ owner /dev/tty[0-9]* rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound
new file mode 100644
index 00000000..e9993ad5
--- /dev/null
+++ b/apparmor.d/groups/gnome/gsd-sound
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-sound
+profile gsd-sound @{exec_path} flags=(attach_disconnected complain) {
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/gdm/greeter-dconf-defaults r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+ /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
+
+ owner /dev/tty[0-9]* rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection
new file mode 100644
index 00000000..d21fa2c0
--- /dev/null
+++ b/apparmor.d/groups/gnome/gsd-usb-protection
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-usb-protection
+profile gsd-usb-protection @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom
new file mode 100644
index 00000000..68723194
--- /dev/null
+++ b/apparmor.d/groups/gnome/gsd-wacom
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-wacom
+profile gsd-wacom @{exec_path} flags=(attach_disconnected complain) {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/machine-id r,
+
+ /usr/share/libwacom/{,*} r,
+
+ /usr/share/gdm/greeter-dconf-defaults r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/icons/{,**} r,
+ /usr/share/mime/mime.cache r,
+ /usr/share/X11/xkb/** r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+ /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
+
+ owner /dev/tty[0-9]* rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
new file mode 100644
index 00000000..d6c970d0
--- /dev/null
+++ b/apparmor.d/groups/gnome/gsd-xsettings
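Review bot: `profile gsd-usb-protection @{exec_path} {` has no `complain` flag, so this profile is enforced from the first install while nearly every sibling in the commit is still in complain mode, and it also lacks the gdm greeter dconf rules and `attach_disconnected` the others carry. This daemon is itself a protection feature (it appears to gate newly plugged USB devices via a system service over the bus — confirm), so an unanticipated denial does not just break a convenience, it silently disables the protection. Either add `flags=(attach_disconnected complain)` for parity until denials have been collected, or keep it enforced and add a comment stating that the bus access it needs is covered by the included abstraction.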
@@ -0,0 +1,46 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gsd-xsettings
+profile gsd-xsettings @{exec_path} flags=(complain) {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+ /{usr/,}bin/xrdb rPx,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/drirc.d/{,*} r,
+
+ /etc/xdg/Xwayland-session.d/ r,
+ /etc/xdg/Xwayland-session.d/00-xrdb rix,
+
+ owner @{user_cache_dirs}/mesa_shader_cache/index rw,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+ /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
+
+ @{sys}/devices/pci[0-9]*/**/{device,vendor,uevent} r,
+ @{sys}/devices/pci[0-9]*/**/{subsystem_device,subsystem_vendor} r,
+
+ owner @{run}/user/@{pid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /dev/dri/ r,
+
+ /dev/tty rw,
+ /dev/tty[0-9]* rw,
+
+ include if exists
+}
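Review bot: `owner @{run}/user/@{pid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,` uses `@{pid}` for a path component that is a uid (the same profile spells it `@{run}/user/[0-9]*/` in the dconf rules a few lines up), and the character class `[a-zA-z0-9]` has a lower-case `z` in `A-z`, a range that also admits `[`, `\`, `]`, `^`, `_` and the backtick; suggest `owner @{run}/user/[0-9]*/.mutter-Xwaylandauth.[a-zA-Z0-9]* r,`. This file is the Xwayland auth cookie, so the `owner` qualifier on it should stay. Separately, `/dev/tty rw,` and `/dev/tty[0-9]* rw,` drop the `owner` qualifier every other gsd-* profile in this commit uses, and `flags=(complain)` omits `attach_disconnected` — both look unintentional rather than required by xsettings, and a comment would be warranted if they are deliberate.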