From ac7c42eefd45872d96348d0691bc7e9970e48387 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 16 Oct 2022 17:12:23 +0300 Subject: [PATCH 1/7] New user login --- .../groups/freedesktop/pipewire-media-session | 3 ++- apparmor.d/groups/freedesktop/pulseaudio | 3 ++- .../groups/freedesktop/xdg-permission-store | 3 ++- .../groups/freedesktop/xdg-user-dirs-update | 12 +++++++++++- .../groups/gnome/evolution-calendar-factory | 3 ++- apparmor.d/groups/gnome/evolution-source-registry | 15 ++++++++++++++- apparmor.d/groups/gnome/gnome-keyring-daemon | 7 +++++-- apparmor.d/groups/gnome/gnome-shell | 3 ++- apparmor.d/groups/gnome/gsd-color | 4 ++-- apparmor.d/groups/gnome/tracker-extract | 4 +++- apparmor.d/groups/ubuntu/update-notifier | 5 +++-- 11 files changed, 48 insertions(+), 14 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index 8876c138..dee1f3b5 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}bin/pipewire-media-session -profile pipewire-media-session @{exec_path} { +profile pipewire-media-session @{exec_path} flags=(complain ) { include include include @@ -51,6 +51,7 @@ profile pipewire-media-session @{exec_path} { owner @{HOME}/.local/state/ rw, owner @{HOME}/.local/state/pipewire/{,**} rw, + owner @{user_config_dirs}/pipewire-media-session/ w, owner @{user_config_dirs}/pipewire/ rw, owner @{user_config_dirs}/pipewire/** rw, owner @{user_config_dirs}/pulse/ rw, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index bc10f4a1..6e042588 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio 
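Review bot: The profile header in the first pipewire-media-session hunk (`flags=(complain )`, with a stray space before the closing parenthesis) puts the profile in complain mode, where violations are logged instead of denied. The same flag is added to the other ten profile headers in this patch, including gnome-keyring-daemon. PATCH 2/7 removes it again, and PATCH 4/7 re-adds it for pipewire-media-session and evolution-source-registry until PATCH 5/7, so any of these commits applied, cherry-picked or bisected on its own ships unenforced profiles. I would drop the flag changes from this commit, setting complain mode locally with `aa-complain` while collecting logs, and squash 4/7 into 5/7 so that no intermediate state loosens confinement.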
@@ -9,7 +9,7 @@ abi , include @{exec_path} = /{usr/,}bin/pulseaudio -profile pulseaudio @{exec_path} { +profile pulseaudio @{exec_path} flags=(complain ) { include include include @@ -136,6 +136,7 @@ profile pulseaudio @{exec_path} { owner /var/lib/lightdm/.config/pulse/{,**} rw, owner /var/lib/lightdm/.config/pulse/cookie k, + owner @{user_config_dirs}/ w, owner @{user_config_dirs}/pulse/{,**} rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r, diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index f43e7e01..7bf9b55b 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/xdg-permission-store -profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { +profile xdg-permission-store @{exec_path} flags=(attach_disconnected complain) { include include @@ -48,6 +48,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { @{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw, + owner @{user_share_dirs}/flatpak/ w, owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw, owner @{user_share_dirs}/flatpak/db/background rw, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update index 21d5c2ae..d71f3e4f 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/xdg-user-dirs-update -profile xdg-user-dirs-update @{exec_path} { +profile xdg-user-dirs-update @{exec_path} flags=(complain ) { include @{exec_path} mr, 
@@ -26,6 +26,16 @@ profile xdg-user-dirs-update @{exec_path} { /var/lib/gdm{3,}/@{XDG_TEMPLATES_DIR}/ rw, /var/lib/gdm{3,}/@{XDG_VIDEOS_DIR}/ rw, + # new user; change to 'c' + owner @{HOME}/@{XDG_DESKTOP_DIR}/ w, + owner @{HOME}/@{XDG_DOCUMENTS_DIR}/ w, + owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w, + owner @{HOME}/@{XDG_MUSIC_DIR}/ w, + owner @{HOME}/@{XDG_PICTURES_DIR}/ w, + owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/ w, + owner @{HOME}/@{XDG_TEMPLATES_DIR}/ w, + owner @{HOME}/@{XDG_VIDEOS_DIR}/ w, + owner @{user_config_dirs}/user-dirs.dirs r, include if exists diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 2de9c037..3f6fc9de 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/evolution-calendar-factory -profile evolution-calendar-factory @{exec_path} { +profile evolution-calendar-factory @{exec_path} flags=(complain ) { include include include @@ -42,6 +42,7 @@ profile evolution-calendar-factory @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs}/evolution/calendar/{,**} rwk, + owner @{user_share_dirs}/evolution/tasks/system/ w, owner @{user_share_dirs}/evolution/tasks/system/tasks.ics r, owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 7375dbe3..21dbd24b 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/evolution-source-registry -profile evolution-source-registry @{exec_path} { +profile evolution-source-registry @{exec_path} flags=(complain ) { include include include 
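Review bot: The comment `# new user; change to 'c'` above the eight new `owner @{HOME}/@{XDG_*_DIR}/ w,` rules in the xdg-user-dirs-update hunk does not say what `c` is or when the change is supposed to happen. As far as I know, `c` (create) appears in audit-log masks but is not an accepted file permission in profile syntax, so the note reads as a TODO that cannot be acted on yet; please verify. I would spell it out, e.g. `# First login: the XDG user directories do not exist yet and are created here.` followed by `# TODO: 'w' on a directory also covers removing/renaming it; narrow to create-only if the policy language gains such a permission.` The same terse comment is added in the evolution-source-registry hunk of this patch and deserves the same wording.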
@@ -30,6 +30,19 @@ profile evolution-source-registry @{exec_path} { owner @{user_share_dirs}/evolution/{,**} r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, + # new user; change to 'c' + owner @{user_config_dirs}/evolution/ w, + owner @{user_share_dirs}/evolution/ w, + owner @{user_share_dirs}/evolution/addressbook/ w, + owner @{user_share_dirs}/evolution/addressbook/trash/ w, + owner @{user_share_dirs}/evolution/calendar/ w, + owner @{user_share_dirs}/evolution/calendar/trash/ w, + owner @{user_share_dirs}/evolution/mail/ w, + owner @{user_share_dirs}/evolution/mail/trash w, + owner @{user_share_dirs}/evolution/tasks/ w, + owner @{user_share_dirs}/evolution/tasks/trash/ w, + + @{PROC}/sys/kernel/osrelease r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 1486f616..798a81b7 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}bin/gnome-keyring-daemon -profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { +profile gnome-keyring-daemon @{exec_path} flags=(complain attach_disconnected) { include include include @@ -75,7 +75,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/ssh-add rix, /{usr/,}bin/ssh-agent rPx, - /var/lib/gdm{3,}/.local/share/keyrings/ r, + /var/lib/gdm{3,}/.local/share/keyrings/ rw, # Keyrings location owner @{user_share_dirs}/keyrings/ rw, @@ -84,6 +84,9 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { # Seahorse and SSH keys owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, + owner @{HOME}/.local/ w, + owner @{HOME}/.local/share/ w, + owner @{run}/user/@{uid}/keyring/ rw, owner @{run}/user/@{uid}/keyring/* rw, owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 84fa67f3..6de9b579 100644 
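Review bot: In the gnome-keyring-daemon hunk at `@@ -84,6 +84,9 @@`, the new `owner @{HOME}/.local/ w,` and `owner @{HOME}/.local/share/ w,` rules land directly under the `# Seahorse and SSH keys` comment, so they read as part of the SSH-key access rather than as first-login directory creation. Give them their own comment, e.g. `# New user: parent directories of the keyrings location may not exist yet`, and consider placing them next to `owner @{user_share_dirs}/keyrings/ rw,`. In the `@@ -75,7 +75,7 @@` hunk the widened `/var/lib/gdm{3,}/.local/share/keyrings/ rw,` has no `owner` qualifier, unlike the per-user rules. The old line had none either, but now that it grants write it is worth confirming whether `owner` can be added.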
--- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/gnome-shell -profile gnome-shell @{exec_path} flags=(attach_disconnected) { +profile gnome-shell @{exec_path} flags=(attach_disconnected complain) { include include include @@ -544,6 +544,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_music_dirs}/**/*.jpg r, + owner @{user_config_dirs}/ibus/ w, owner @{user_config_dirs}/.goutputstream{,*} rw, owner @{user_config_dirs}/monitors.xml{,~} rwl, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index db2fbd33..8fa1529a 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/gsd-color -profile gsd-color @{exec_path} flags=(attach_disconnected) { +profile gsd-color @{exec_path} flags=(complain attach_disconnected) { include include include @@ -129,7 +129,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.local/share/icc/edid-*.icc rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, - owner @{user_share_dirs}/icc/ r, + owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/edid-*.icc rw, owner @{run}/user/@{uid}/gdm/Xauthority r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 8881030d..b91c5d39 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/tracker-extract-3 -profile tracker-extract @{exec_path} { +profile tracker-extract @{exec_path} flags=(complain) { include include include 
@@ -93,6 +93,8 @@ profile tracker-extract @{exec_path} { owner @{MOUNTS}/{,**} r, owner /tmp/*/{,**} r, + owner @{user_cache_dirs}/ w, + owner @{user_cache_dirs}/tracker3/ w, owner @{user_cache_dirs}/tracker3/files/{,**} rwk, owner /tmp/tracker-extract-3-files.*/{,*} rw, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 09f9f433..ad614f62 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/update-notifier -profile update-notifier @{exec_path} { +profile update-notifier @{exec_path} flags=(complain) { include include include @@ -62,6 +62,7 @@ profile update-notifier @{exec_path} { /var/lib/snapd/desktop/icons/ r, /var/lib/update-notifier/user.d/ r, + owner @{user_config_dirs}update-notifier/ w, owner @{user_share_dirs}/applications/ r, owner @{run}/user/@{uid}/at-spi/bus rw, @@ -75,4 +76,4 @@ profile update-notifier @{exec_path} { @{PROC}/@{pids}/mountinfo r, include if exists -} \ No newline at end of file +} From f637c70f99f829827196ecb543617feafcaa0c49 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 16 Oct 2022 17:17:53 +0300 Subject: [PATCH 2/7] remove complain --- apparmor.d/groups/freedesktop/pipewire-media-session | 2 +- apparmor.d/groups/freedesktop/pulseaudio | 2 +- apparmor.d/groups/freedesktop/xdg-permission-store | 2 +- apparmor.d/groups/freedesktop/xdg-user-dirs-update | 2 +- apparmor.d/groups/gnome/evolution-calendar-factory | 2 +- apparmor.d/groups/gnome/evolution-source-registry | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gsd-color | 2 +- apparmor.d/groups/gnome/tracker-extract | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) 
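Review bot: The added rule `owner @{user_config_dirs}update-notifier/ w,` in the update-notifier hunk at `@@ -62,6 +62,7 @@` is missing the `/` after the variable. Every other rule in this series writes `@{user_config_dirs}/name/`, so this one presumably expands to a sibling path such as `.configupdate-notifier/` and never matches the intended directory. The effect is a write grant on an unintended path, while creation of the real directory stays denied once the profile is enforced. It should read `owner @{user_config_dirs}/update-notifier/ w,`. None of the later patches in this series touch that line.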
diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index dee1f3b5..0fbe1607 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}bin/pipewire-media-session -profile pipewire-media-session @{exec_path} flags=(complain ) { +profile pipewire-media-session @{exec_path} { include include include diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 6e042588..705f51c8 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -9,7 +9,7 @@ abi , include @{exec_path} = /{usr/,}bin/pulseaudio -profile pulseaudio @{exec_path} flags=(complain ) { +profile pulseaudio @{exec_path} { include include include diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 7bf9b55b..686c5772 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/xdg-permission-store -profile xdg-permission-store @{exec_path} flags=(attach_disconnected complain) { +profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update index d71f3e4f..baecbf22 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/xdg-user-dirs-update -profile xdg-user-dirs-update @{exec_path} flags=(complain ) { +profile xdg-user-dirs-update @{exec_path} { include @{exec_path} mr, 
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 3f6fc9de..69d2be5e 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/evolution-calendar-factory -profile evolution-calendar-factory @{exec_path} flags=(complain ) { +profile evolution-calendar-factory @{exec_path} { include include include diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 21dbd24b..1ef29c5d 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/evolution-source-registry -profile evolution-source-registry @{exec_path} flags=(complain ) { +profile evolution-source-registry @{exec_path} { include include include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 798a81b7..fe915ed7 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}bin/gnome-keyring-daemon -profile gnome-keyring-daemon @{exec_path} flags=(complain attach_disconnected) { +profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 6de9b579..988aa2ab 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/gnome-shell -profile gnome-shell @{exec_path} flags=(attach_disconnected complain) { +profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include 
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 8fa1529a..4fe8b8b9 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/gsd-color -profile gsd-color @{exec_path} flags=(complain attach_disconnected) { +profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index b91c5d39..ddc650e2 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/tracker-extract-3 -profile tracker-extract @{exec_path} flags=(complain) { +profile tracker-extract @{exec_path} { include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index ad614f62..305c7e36 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/update-notifier -profile update-notifier @{exec_path} flags=(complain) { +profile update-notifier @{exec_path} { include include include From c6ca84ded4191a402619900c200fb180d0ec81bc Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 16 Oct 2022 17:20:49 +0300 Subject: [PATCH 3/7] remove spaces --- apparmor.d/groups/freedesktop/xdg-permission-store | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gsd-color | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 686c5772..0f698afc 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store 
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/xdg-permission-store -profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { +profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index fe915ed7..7534a6d6 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}bin/gnome-keyring-daemon -profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { +profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 988aa2ab..fbabab2b 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/gnome-shell -profile gnome-shell @{exec_path} flags=(attach_disconnected) { +profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 4fe8b8b9..e9f2f123 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/gsd-color -profile gsd-color @{exec_path} flags=(attach_disconnected) { +profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include From 41659f073c1c1b3a966c0198a01f98303f696ba9 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 16 Oct 2022 17:45:00 +0300 Subject: [PATCH 4/7] polishing --- apparmor.d/groups/freedesktop/pipewire-media-session | 2 +- apparmor.d/groups/gnome/evolution-source-registry | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) 
diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index 0fbe1607..dee1f3b5 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}bin/pipewire-media-session -profile pipewire-media-session @{exec_path} { +profile pipewire-media-session @{exec_path} flags=(complain ) { include include include diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 1ef29c5d..71192d8c 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/evolution-source-registry -profile evolution-source-registry @{exec_path} { +profile evolution-source-registry @{exec_path} flags=(complain ) { include include include @@ -38,10 +38,11 @@ profile evolution-source-registry @{exec_path} { owner @{user_share_dirs}/evolution/calendar/ w, owner @{user_share_dirs}/evolution/calendar/trash/ w, owner @{user_share_dirs}/evolution/mail/ w, - owner @{user_share_dirs}/evolution/mail/trash w, + owner @{user_share_dirs}/evolution/mail/trash/ w, + owner @{user_share_dirs}/evolution/memos/ w, + owner @{user_share_dirs}/evolution/memos/trash/ w, owner @{user_share_dirs}/evolution/tasks/ w, owner @{user_share_dirs}/evolution/tasks/trash/ w, - @{PROC}/sys/kernel/osrelease r, @{PROC}/cmdline r, From 349689cba4eb114beb42548ceafb0b6d823d544f Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 16 Oct 2022 17:46:39 +0300 Subject: [PATCH 5/7] polishing2 --- apparmor.d/groups/freedesktop/pipewire-media-session | 2 +- apparmor.d/groups/gnome/evolution-source-registry | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index dee1f3b5..0fbe1607 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}bin/pipewire-media-session -profile pipewire-media-session @{exec_path} flags=(complain ) { +profile pipewire-media-session @{exec_path} { include include include diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 71192d8c..536ee8a5 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/evolution-source-registry -profile evolution-source-registry @{exec_path} flags=(complain ) { +profile evolution-source-registry @{exec_path} { include include include From 8d61d3256a3f7063f05e9321e1fcae5cec972de4 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Mon, 17 Oct 2022 17:07:26 +0300 Subject: [PATCH 6/7] more profiles --- apparmor.d/groups/bus/ibus-dconf | 1 + apparmor.d/groups/freedesktop/pulseaudio | 1 + apparmor.d/groups/gvfs/gvfsd-smb-browse | 1 + apparmor.d/profiles-g-l/htop | 1 + 4 files changed, 4 insertions(+) diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index f0186635..8daaaf97 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -40,6 +40,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r, /var/lib/gdm{3,}/.cache/dconf/ w, /var/lib/gdm{3,}/.cache/dconf/user rw, + /var/lib/gdm{3,}/.config/dconf/ w, /var/lib/gdm{3,}/.config/dconf/user rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 705f51c8..afbbc2ef 100644 
--- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -133,6 +133,7 @@ profile pulseaudio @{exec_path} { owner /var/lib/sddm/.config/pulse/cookie rwk, # For lightdm + owner /var/lib/lightdm/.config/ w, owner /var/lib/lightdm/.config/pulse/{,**} rw, owner /var/lib/lightdm/.config/pulse/cookie k, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index a3f58601..e03ce349 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -59,6 +59,7 @@ profile gvfsd-smb-browse @{exec_path} { owner @{run}/samba/gencache.tdb rwk, owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, + owner @{user_cache_dirs}/samba/ w, owner @{user_cache_dirs}/samba/gencache.tdb rwk, include if exists diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop index 71be4528..ab462612 100644 --- a/apparmor.d/profiles-g-l/htop +++ b/apparmor.d/profiles-g-l/htop @@ -31,6 +31,7 @@ profile htop @{exec_path} { /etc/sensors3.conf r, owner @{user_config_dirs}/ r, + owner @{user_config_dirs}/ w, owner @{user_config_dirs}/htop/ rw, owner @{user_config_dirs}/htop/htoprc rw, From 81fd594be2842669485b8aa93af4a05868836ca4 Mon Sep 17 00:00:00 2001 From: nobody43 <15267739+nobody43@users.noreply.github.com> Date: Mon, 17 Oct 2022 15:09:52 +0000 Subject: [PATCH 7/7] Update apparmor.d/profiles-g-l/htop Co-authored-by: Alex --- apparmor.d/profiles-g-l/htop | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop index ab462612..12b660b6 100644 --- a/apparmor.d/profiles-g-l/htop +++ b/apparmor.d/profiles-g-l/htop @@ -30,8 +30,7 @@ profile htop @{exec_path} { /etc/sensors.d/ r, /etc/sensors3.conf r, - owner @{user_config_dirs}/ r, - owner @{user_config_dirs}/ w, + owner @{user_config_dirs}/ rw, owner @{user_config_dirs}/htop/ rw, owner @{user_config_dirs}/htop/htoprc rw,