diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index b33ba0b4..5ae7743f 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -12,14 +12,15 @@ /usr/share/xsessions/{,*.desktop} r, # Available Xsessions /etc/X11/cursors/{,**} r, - - owner @{HOME}/.ICEauthority r, # ICEauthority files required for X authentication, per user - owner @{HOME}/.Xauthority r, # Xauthority files required for X connections, per user - + + owner @{HOME}/.ICEauthority rw, # ICEauthority files required for X authentication, per user + owner @{HOME}/.Xauthority rw, # Xauthority files required for X connections, per user + owner @{HOME}/.xsession-errors rw, + /tmp/.ICE-unix/* rw, /tmp/.X@{int}-lock rw, /tmp/.X11-unix/* rw, - owner @{tmp}/xauth_@{rand6} rl -> /tmp/#@{int}, + owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int}, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm index c6e966b0..4467b35f 100644 --- a/apparmor.d/groups/display-manager/lightdm +++ b/apparmor.d/groups/display-manager/lightdm @@ -68,8 +68,6 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { /var/log/lightdm/{,**} rw, owner @{HOME}/.dmrc r, - owner @{HOME}/.Xauthority rw, - owner @{HOME}/.xsession-errors{,.old} rw, @{run}/faillock/ rw, @{run}/faillock/user rwk, diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession index ad98cdef..bafc9a31 100644 --- a/apparmor.d/groups/display-manager/x11-xsession +++ b/apparmor.d/groups/display-manager/x11-xsession @@ -63,8 +63,6 @@ profile x11-xsession @{exec_path} { /etc/profile.d/*.sh r, /etc/X11/{,**} r, - owner @{HOME}/.xsession-errors w, - owner @{tmp}/file* rw, owner @{tmp}/tmp.@{rand10} rw, 
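Review bot: Every profile that includes the X-strict abstraction gains write access to the user's X and ICE authority files and read access to the session error log, because the added rules are `rw` on `@{HOME}/.Xauthority`, `@{HOME}/.ICEauthority` and `@{HOME}/.xsession-errors`. The per-profile `.xsession-errors` rules removed elsewhere in this commit were `w` only (lightdm aside), and among the visible hunks only lightdm held `rw` on `.Xauthority`, so this widens access for ordinary X clients rather than just consolidating it. I would keep the abstraction at `owner @{HOME}/.Xauthority r,`, `owner @{HOME}/.ICEauthority r,` and `owner @{HOME}/.xsession-errors w,`, and leave the `rw` rules in the display-manager profiles that actually create those files. The lightdm hunk also drops `owner @{HOME}/.xsession-errors{,.old} rw,`, and the abstraction does not cover the `.old` name, so access to that file may start being denied unless another rule outside these hunks allows it.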
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index a68b6faf..b1b7722d 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -115,7 +115,6 @@ profile pulseaudio @{exec_path} { # file_inherit owner /dev/tty@{int} rw, - owner @{HOME}/.xsession-errors w, include if exists } diff --git a/apparmor.d/groups/freedesktop/xhost b/apparmor.d/groups/freedesktop/xhost index acb0bd81..dadfdc97 100644 --- a/apparmor.d/groups/freedesktop/xhost +++ b/apparmor.d/groups/freedesktop/xhost @@ -15,8 +15,6 @@ profile xhost @{exec_path} { @{exec_path} mr, - owner @{HOME}/.xsession-errors w, - /dev/tty@{int} rw, # Silencer diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 6de7b493..c3cd9db7 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -63,7 +63,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /etc/X11/{,**} r, owner @{HOME}/ r, - owner @{HOME}/.xsession-errors w, owner @{user_share_dirs}/xorg/ rw, owner @{user_share_dirs}/xorg/Xorg.@{int}.log{,.old} rw, @@ -84,7 +83,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /tmp/ r, /tmp/server-@{int}.xkm rw, owner @{tmp}/.tX@{int}-lock rwk, - owner @{tmp}/.X@{int}-lock rwkl -> /tmp/.tX@{int}-lock, + owner @{tmp}/.X@{int}-lock rwkl -> @{tmp}/.tX@{int}-lock, owner @{tmp}/server-* rwk, owner @{tmp}/serverauth.* r, diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index 4564617e..e3499da3 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot 
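Review bot: In the second xorg hunk the link target now uses `@{tmp}`, but the neighbouring context rules `/tmp/ r,` and `/tmp/server-@{int}.xkm rw,` still hard-code `/tmp`, so the profile mixes two spellings for the same directory. If `@{tmp}` expands to more than one directory (its definition is not visible here), the hard-coded rules will not follow it. The `rwkl -> @{tmp}/.tX@{int}-lock` rule would presumably then accept any source/target pairing of those directories. Consider `@{tmp}/server-@{int}.xkm rw,` for consistency, and confirm that the cross-directory link pairing is intended. The same `-> @{tmp}/#@{int}` change in the X-strict hunk deserves the same check; the profile body continues outside both hunks.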
@@ -20,17 +20,11 @@ profile xsetroot @{exec_path} { /usr/share/icons/{,**} r, - /etc/X11/cursors/*.theme r, - owner @{HOME}/.icons/** r, - owner @{HOME}/.Xauthority r, - owner @{HOME}/.xsession-errors w, owner @{user_share_dirs}/sddm/xorg-session.log w, owner @{user_share_dirs}/sddm/wayland-session.log w, - owner @{tmp}/xauth_@{rand6} r, - @{run}/sddm/\{@{uuid}\} r, @{run}/user/@{uid}/xauth_@{rand6} rl, @{run}/sddm/xauth_@{rand6} r, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 17eaa8e8..a28135cb 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -67,7 +67,6 @@ profile kscreenlocker_greet @{exec_path} { /var/lib/dbus/machine-id r, owner @{HOME}/.face.icon r, - owner @{HOME}/.xsession-errors w, owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/ rw, diff --git a/apparmor.d/groups/xfce/xfpm-power-backlight-helper b/apparmor.d/groups/xfce/xfpm-power-backlight-helper index 4ee8ce1e..0a626c5d 100644 --- a/apparmor.d/groups/xfce/xfpm-power-backlight-helper +++ b/apparmor.d/groups/xfce/xfpm-power-backlight-helper @@ -13,8 +13,6 @@ profile xfpm-power-backlight-helper @{exec_path} { @{exec_path} mr, - owner @{HOME}/.xsession-errors w, - @{sys}/class/backlight/ r, @{sys}/class/leds/ r, @{sys}/devices/@{pci}/backlight/**/{max_brightness,actual_brightness} r, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index d27f84aa..7e9b67d6 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -167,7 +167,6 @@ profile thunderbird @{exec_path} { # file_inherit owner /dev/tty@{int} rw, - owner @{HOME}/.xsession-errors w, # Silencer deny @{HOME}/.mozilla/** mrwkl,