feat(abs): minor update to abs definitions.

apparmor.d/abstractions/bus/org.gnome.SessionManager

@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# FIXME: Too large, restrict it.
+
   dbus send bus=session path=/org/gnome/SessionManager
        interface=org.gnome.SessionManager
        member={RegisterClient,IsSessionRunning}
@@ -9,7 +11,7 @@
 
   dbus send bus=session path=/org/gnome/SessionManager
        interface=org.gnome.SessionManager
-       member=Setenv
+       member={Setenv,IsSessionRunning}
        peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
 
   dbus receive bus=session path=/org/gnome/SessionManager
@@ -52,4 +54,9 @@
        member=StatusChanged
        peer=(name=:*, label=gnome-session-binary),
 
+  dbus send bus=session path=/org/gnome/SessionManager
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
+
   include if exists <abstractions/bus/org.gnome.SessionManager.d>

apparmor.d/abstractions/bwrap-app

@@ -62,11 +62,10 @@
   owner /tmp/** rmwk,
   owner /dev/shm/** rwlk -> /dev/shm/**,
 
-        @{run}/cups/cups.sock rw, # Allow access to cups printing socket.
+  @{run}/cups/cups.sock rw, # Allow access to cups printing socket.
-        @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.
+  @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.
-        @{run}/host/{,**} r,
+  @{run}/host/{,**} r,
-        @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
+  @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
-  owner @{run}/user/@{uid}/orcexec.@{rand6} rwm,
 
   @{sys}/ r,
   @{sys}/block/ r,

apparmor.d/abstractions/chromium

@@ -159,7 +159,7 @@
         /dev/shm/ r,
   owner /dev/shm/.@{domain}* rw,
 
-  audit @{run}/udev/data/* r,
+  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
 
   owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
   owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,

apparmor.d/abstractions/desktop

@@ -2,6 +2,11 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Unified minimal abstaction for all UI application regardless of the desktop environment.
+
+# When supported in apparmor, condition will be used in this abstraction to filter
+# resources specific for supported DE.
+
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
   include <abstractions/gtk>
@@ -9,6 +14,39 @@
   include <abstractions/wayland>
   include <abstractions/X-strict>
 
+  # if @{DE} == gnome
+
+    dbus receive bus=session
+        interface=org.freedesktop.DBus.Introspectable
+        member=Introspect 
+        peer=(name=:*, label=gnome-shell),
+
+    /usr/{local/,}share/ r,
+    /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r,
+    /usr/{local/,}share/gvfs/remote-volume-monitors/{,*}  r,
+
+    /etc/gnome/* r,
+    /etc/xdg/{,*-}mimeapps.list r,
+
+    /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
+
+  # else if @{DE} == kde
+
+    @{lib}/kde{,3,4}/*.so mr,
+    @{lib}/kde{,3,4}/plugins/*/ r,
+    @{lib}/kde{,3,4}/plugins/*/*.so mr,
+
+    /etc/xdg/kdeglobals r,
+    /etc/xdg/kwinrc r,
+
+    owner @{user_config_dirs}/kdedefaults/ r,
+    owner @{user_config_dirs}/kdedefaults/kdeglobals r,
+    owner @{user_config_dirs}/kdedefaults/kwinrc r,
+    owner @{user_config_dirs}/kdeglobals r,
+    owner @{user_config_dirs}/kwinrc r,
+
+  # end
+
   /usr/share/hwdata/*.ids r,
   /usr/share/icu/@{int}.@{int}/*.dat r,
 

apparmor.d/abstractions/gnome-strict

@@ -13,8 +13,6 @@
        member=Introspect 
        peer=(name=:*, label=gnome-shell),
 
-  @{lib}/{,/@{multiarch}/}gtk*/** mr,
-
   /usr/{local/,}share/ r,
   /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r,
   /usr/{local/,}share/gvfs/remote-volume-monitors/{,*}  r,

apparmor.d/abstractions/gstreamer

@@ -12,18 +12,21 @@
 
   /etc/openni2/OpenNI.ini r,
 
-  owner @{HOME}/.gstreamer-1.0/ rw,
-  owner @{HOME}/.gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
-  owner @{user_cache_dirs}/gstreamer-1.0/ rw,
-  owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
-
   /tmp/ r,
   /var/tmp/ r,
 
+  owner @{HOME}/orcexec.@{rand6} rw,
+
+  owner @{HOME}/.gstreamer-@{int}.@{int}/ rw,
+  owner @{HOME}/.gstreamer-@{int}.@{int}/registry.*.bin{,.tmp@{rand6}} rw,
+
+  owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/ rw,
+  owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/registry.*.bin{,.tmp@{rand6}} rw,
+
   # The orcexec.* file is JIT compiled code for various GStreamer elements.
   # If one is blocked the next is used instead.
   # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag.
-  owner @{run}/user/@{uid}/orcexec.* mrw,
+  owner @{run}/user/@{uid}/orcexec.@{rand6} mrw,
   #owner /tmp/orcexec.* mrw,
   #owner @{HOME}/orcexec.* mrw,
 

apparmor.d/abstractions/gtk.d/complete

@@ -7,6 +7,8 @@
        member={GetAll,PropertiesChanged}
        peer=(name=:*, label=gsd-xsettings),
 
+  @{lib}/{,@{multiarch}/}gtk*/** mr,
+
   /etc/gtk-{3,4}.0/settings.ini r,
 
   owner @{user_config_dirs}/gtk-{3,4}.0/ rw,

apparmor.d/abstractions/wayland.d/complete

@@ -2,7 +2,10 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+  owner @{user_share_dirs}/sddm/wayland-session.log w,
+
   owner @{run}/user/@{uid}/wayland-@{int}.lock rwk,
+  owner @{run}/user/@{uid}/wayland-proxy-@{int} rw,
 
   owner /dev/shm/sway* rw,
   owner /dev/shm/dunst-@{rand6} rw,