mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

broader gdm

Browse source
This commit is contained in:
nobodysu 2022-09-05 04:14:08 +03:00 committed by Alex
parent d6d7dacb9e
commit cd646ea899
30 changed files with 71 additions and 72 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/bus/dbus-daemon
View file

@ -54,8 +54,8 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
/usr/share/defaults/**.conf r,
# Extra rules for GDM
/var/lib/gdm/.local/share/icc/ r,
/var/lib/gdm/.local/share/icc/edid-*.icc r,
/var/lib/gdm{3,}/.local/share/icc/ r,
/var/lib/gdm{3,}/.local/share/icc/edid-*.icc r,
# Extra rules for Flatpak
/var/lib/flatpak/exports/share/dbus-1/{,**} r,

4
apparmor.d/groups/bus/dbus-run-session
View file

@ -26,8 +26,8 @@ profile dbus-run-session @{exec_path} {
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm/.cache/dconf/ rw,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/.cache/dconf/ rw,
owner @{PROC}/@{pid}/fd/ r,

11
apparmor.d/groups/bus/ibus-dconf
View file

@ -2,7 +2,6 @@
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@ -26,12 +25,12 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9]* r,
/var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
/var/lib/gdm/.config/ibus/bus/@{hex}-unix-[0-9]* r,
/var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r,
/var/lib/gdm/.cache/dconf/ w,
/var/lib/gdm/.cache/dconf/user rw,
/var/lib/gdm/.config/dconf/user rw,
/var/lib/gdm{3,}/.cache/dconf/ w,
/var/lib/gdm{3,}/.cache/dconf/user rw,
/var/lib/gdm{3,}/.config/dconf/user rw,
owner /dev/tty[0-9]* rw,

6
apparmor.d/groups/bus/ibus-engine-simple
View file

@ -19,10 +19,10 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
/var/lib/gdm/.config/ibus/bus/@{hex}-unix-[0-9] r,
/var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9] r,
owner /dev/tty[0-9]* rw,
include if exists <local/ibus-engine-simple>
}
}

4
apparmor.d/groups/bus/ibus-extension-gtk3
View file

@ -38,7 +38,7 @@ profile ibus-extension-gtk3 @{exec_path} {
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm{3,}/.config/dconf/user r,
include if exists <local/ibus-extension-gtk3>
}
}

6
apparmor.d/groups/bus/ibus-portal
View file

@ -25,11 +25,11 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/lib/gdm/.config/ibus/bus/ r,
/var/lib/gdm/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r,
/var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r,
owner /dev/tty[0-9]* rw,
/dev/null rw,
include if exists <local/ibus-portal>
}
}

4
apparmor.d/groups/bus/ibus-x11
View file

@ -23,7 +23,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
/var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9] r,
@ -34,4 +34,4 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
owner /dev/tty[0-9]* rw,
include if exists <local/ibus-x11>
}
}

2
apparmor.d/groups/freedesktop/at-spi-bus-launcher
View file

@ -38,7 +38,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gdm/Xauthority r,
/var/lib/lightdm/.Xauthority r,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/log/lightdm/seat[0-9]*-greeter.log w,

2
apparmor.d/groups/freedesktop/colord
View file

@ -52,7 +52,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk,
/var/lib/flatpak/exports/share/mime/mime.cache r,
/var/lib/gdm/.local/share/icc/edid-*.icc r,
/var/lib/gdm{3,}/.local/share/icc/edid-*.icc r,
@{user_share_dirs}/icc/edid-*.icc r,

6
apparmor.d/groups/freedesktop/dconf-service
View file

@ -23,9 +23,9 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/dconf/ rw,
owner @{user_cache_dirs}/dconf/user rw,
/var/lib/gdm/.config/dconf/ rw,
/var/lib/gdm/.config/dconf/user rw,
/var/lib/gdm/.config/dconf/user.* rw,
/var/lib/gdm{3,}/.config/dconf/ rw,
/var/lib/gdm{3,}/.config/dconf/user rw,
/var/lib/gdm{3,}/.config/dconf/user.* rw,
@{PROC}/cmdline r,

2
apparmor.d/groups/freedesktop/pipewire-media-session
View file

@ -41,7 +41,7 @@ profile pipewire-media-session @{exec_path} {
/etc/pipewire/*.conf r,
/etc/pipewire/media-session.d/*.conf r,
/var/lib/gdm/.local/state/pipewire/media-session.d/* rw,
/var/lib/gdm{3,}/.local/state/pipewire/media-session.d/* rw,
owner @{HOME}/.local/state/ rw,
owner @{HOME}/.local/state/pipewire/{,**} rw,

2
apparmor.d/groups/freedesktop/pipewire-pulse
View file

@ -30,7 +30,7 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
/usr/share/pipewire/client.conf r,
/usr/share/pipewire/pipewire-pulse.conf r,
/var/lib/gdm/.config/pulse/cookie rwk,
/var/lib/gdm{3,}/.config/pulse/cookie rwk,
owner @{run}/user/@{uid}/pulse/pid w,

20
apparmor.d/groups/freedesktop/xdg-user-dirs-update
View file

@ -15,16 +15,16 @@ profile xdg-user-dirs-update @{exec_path} {
/etc/xdg/user-dirs.conf r,
/etc/xdg/user-dirs.defaults r,
/var/lib/gdm/.config/user-dirs.dirs{,*} rw,
/var/lib/gdm/.config/user-dirs.locale rw,
/var/lib/gdm/@{XDG_DESKTOP_DIR}/ rw,
/var/lib/gdm/@{XDG_DOCUMENTS_DIR}/ rw,
/var/lib/gdm/@{XDG_DOWNLOAD_DIR}/ rw,
/var/lib/gdm/@{XDG_MUSIC_DIR}/ rw,
/var/lib/gdm/@{XDG_PICTURES_DIR}/ rw,
/var/lib/gdm/@{XDG_PUBLICSHARE_DIR}/ rw,
/var/lib/gdm/@{XDG_TEMPLATES_DIR}/ rw,
/var/lib/gdm/@{XDG_VIDEOS_DIR}/ rw,
/var/lib/gdm{3,}/.config/user-dirs.dirs{,*} rw,
/var/lib/gdm{3,}/.config/user-dirs.locale rw,
/var/lib/gdm{3,}/@{XDG_DESKTOP_DIR}/ rw,
/var/lib/gdm{3,}/@{XDG_DOCUMENTS_DIR}/ rw,
/var/lib/gdm{3,}/@{XDG_DOWNLOAD_DIR}/ rw,
/var/lib/gdm{3,}/@{XDG_MUSIC_DIR}/ rw,
/var/lib/gdm{3,}/@{XDG_PICTURES_DIR}/ rw,
/var/lib/gdm{3,}/@{XDG_PUBLICSHARE_DIR}/ rw,
/var/lib/gdm{3,}/@{XDG_TEMPLATES_DIR}/ rw,
/var/lib/gdm{3,}/@{XDG_VIDEOS_DIR}/ rw,
owner @{user_config_dirs}/user-dirs.dirs r,

2
apparmor.d/groups/freedesktop/xkbcomp
View file

@ -26,7 +26,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/xorg/Xorg.[0-9].log w,
/var/lib/gdm/.local/share/xorg/Xorg.[0-9].log w,
/var/lib/gdm{3,}/.local/share/xorg/Xorg.[0-9].log w,
owner /var/log/lightdm/x-[0-9]*.log w,
owner /tmp/server-[0-9]*.xkm rwk,

6
apparmor.d/groups/freedesktop/xorg
View file

@ -11,7 +11,7 @@ include <tunables/global>
@{exec_path} += /{usr/,}bin/Xorg
@{exec_path} += /{usr/,}lib/Xorg{,.wrap}
@{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap}
profile xorg @{exec_path} flags=(attach_disconnected) {
profile xorg @{exec_path} flags=(attach_disconnected complain) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/fontconfig-cache-read>
@ -79,8 +79,8 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
owner /var/log/Xorg.[0-9].log{,.old} rw,
owner /var/log/Xorg.pid-@{pid}.log{,.old} rw,
/var/lib/gdm/.local/share/xorg/Xorg.[0-9].log{,.old} rw,
/var/lib/gdm/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw,
/var/lib/gdm{3,}/.local/share/xorg/Xorg.[0-9].log{,.old} rw,
/var/lib/gdm{3,}/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw,
@{run}/nvidia-xdriver-* rw,
@{run}/sddm/{,**} rw,

8
apparmor.d/groups/gnome/gdm-runtime-config
View file

@ -7,13 +7,13 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/gdm-runtime-config
profile gdm-runtime-config @{exec_path} {
profile gdm-runtime-config @{exec_path} flags=(complain) {
include <abstractions/base>
@{exec_path} mr,
@{run}/gdm/ rw,
@{run}/gdm/custom.conf* rw,
@{run}/gdm{3,}/ rw,
@{run}/gdm{3,}/custom.conf* rw,
include if exists <local/gdm-runtime-config>
}
}

2
apparmor.d/groups/gnome/gdm-session-worker
View file

@ -73,7 +73,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/keyring/control rw,
@{run}/faillock/[a-zA-z0-9]* rwk,
@{run}/gdm/custom.conf r,
@{run}/gdm{3,}/custom.conf r,
@{run}/systemd/sessions/* r,
@{run}/systemd/sessions/*.ref rw,
@{run}/systemd/users/@{uid} r,

2
apparmor.d/groups/gnome/gdm-wayland-session
View file

@ -61,7 +61,7 @@ profile gdm-wayland-session @{exec_path} {
/usr/share/gdm/gdm.schemas r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@{run}/gdm/custom.conf r,
@{run}/gdm{3,}/custom.conf r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/loginuid r,

8
apparmor.d/groups/gnome/gdm-x-session
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/gdm-x-session
profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
profile gdm-x-session @{exec_path} flags=(attach_disconnected complain) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
@ -28,12 +28,12 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
/etc/gdm{3,}/custom.conf r,
/usr/share/gdm/gdm.schemas r,
/var/lib/gdm/.cache/gdm/Xauthority rw,
/var/lib/gdm/.cache/gdm/ rw,
/var/lib/gdm{3,}/.cache/gdm/Xauthority rw,
/var/lib/gdm{3,}/.cache/gdm/ rw,
owner @{run}/user/@{uid}/gdm/ w,
owner @{run}/user/@{uid}/gdm/Xauthority rw,
@{run}/gdm/custom.conf r,
@{run}/gdm{3,}/custom.conf r,
owner @{PROC}/@{pid}/fd/ r,

6
apparmor.d/groups/gnome/gdm-xsession
View file

@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /etc/gdm/Xsession
profile gdm-xsession @{exec_path} {
@{exec_path} = /etc/gdm{3,}/Xsession
profile gdm-xsession @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/bash>
include <abstractions/consoles>
@ -37,7 +37,7 @@ profile gdm-xsession @{exec_path} {
# file_inherit
/dev/tty[0-9]* rw,
profile dbus {
profile dbus flags=(complain) {
include <abstractions/base>
/{usr/,}bin/dbus-update-activation-environment mr,

6
apparmor.d/groups/gnome/gjs-console
View file

@ -38,9 +38,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
/usr/share/gnome-shell/{,**} r,
/usr/share/X11/xkb/** r,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm/.cache/gstreamer-1.0/ rw,
/var/lib/gdm/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
/var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
owner @{user_cache_dirs}/gstreamer-1.0/ rw,

2
apparmor.d/groups/gnome/gsd-a11y-settings
View file

@ -20,7 +20,7 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm{3,}/.config/dconf/user r,
owner /dev/tty[0-9]* rw,

2
apparmor.d/groups/gnome/gsd-housekeeping
View file

@ -28,7 +28,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/thumbnails/{,**} rw,
owner @{user_share_dirs}/applications/ rw,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm{3,}/.config/dconf/user r,
owner @{PROC}/@{pids}/mountinfo r,

8
apparmor.d/groups/gnome/gsd-media-keys
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/gsd-media-keys
profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
profile gsd-media-keys @{exec_path} flags=(attach_disconnected complain) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/dbus-session-strict>
@ -65,9 +65,9 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/event-sound-cache.tdb.* rwk,
owner @{user_share_dirs}/recently-used.xbel{,.*} rw,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm/.config/pulse/client.conf r,
/var/lib/gdm/.config/pulse/cookie rk,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/.config/pulse/client.conf r,
/var/lib/gdm{3,}/.config/pulse/cookie rk,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,

6
apparmor.d/groups/gnome/gsd-power
View file

@ -64,9 +64,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
/usr/share/icons/{,**} r,
/usr/share/X11/xkb/** r,
/var/lib/gdm/.cache/event-sound-cache.tdb.* rwk,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm/.config/pulse/client.conf r,
/var/lib/gdm{3,}/.cache/event-sound-cache.tdb.* rwk,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/.config/pulse/client.conf r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9] rw,

2
apparmor.d/groups/gnome/gsd-sharing
View file

@ -42,7 +42,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm{3,}/.config/dconf/user r,
owner /dev/tty[0-9]* rw,

2
apparmor.d/groups/gnome/gsd-smartcard
View file

@ -21,7 +21,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
owner /dev/tty[0-9]* rw,

2
apparmor.d/groups/gnome/gsd-wacom
View file

@ -32,7 +32,7 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm{3,}/.config/dconf/user r,
owner /dev/tty[0-9]* rw,

2
apparmor.d/groups/gnome/gsd-xsettings
View file

@ -58,7 +58,7 @@ profile gsd-xsettings @{exec_path} {
/etc/xdg/Xwayland-session.d/ r,
/etc/xdg/Xwayland-session.d/* rix,
/var/lib/gdm/.config/dconf/user r,
/var/lib/gdm{3,}/.config/dconf/user r,
owner @{user_cache_dirs}/mesa_shader_cache/index rw,

4
apparmor.d/profiles-s-z/wireplumber
View file

@ -26,7 +26,7 @@ profile wireplumber @{exec_path} {
/usr/share/spa-*/bluez[0-9]*/{,*} r,
/usr/share/wireplumber/{,**} r,
/var/lib/gdm/.local/state/wireplumber/{,**} rw,
/var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
owner @{HOME}/.local/state/ w,
owner @{HOME}/.local/state/wireplumber/{,**} rw,
@ -52,4 +52,4 @@ profile wireplumber @{exec_path} {
/dev/video[0-9]* rw,
include if exists <local/wireplumber>
}
}