diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
index ad144f32..c3169a16 100644
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@@ -22,6 +22,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
network inet6 dgram,
network netlink raw,
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term hup kill) peer=dbus-daemon,
signal (receive) set=(term hup kill) peer=gdm*,
signal (receive) set=(term hup kill) peer=gnome-session-binary,
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
index bd1598da..a35160ea 100644
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@@ -19,10 +19,12 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
capability sys_ptrace,
- ptrace (read),
-
network netlink raw,
+ signal (receive) set=(cont, term) peer=systemd-user,
+
+ ptrace (read),
+
# dbus: own bus=session name=org.pulseaudio.Server
dbus send bus=session path=/org/freedesktop/DBus
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 7bca30e2..21dea957 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -23,6 +23,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
network netlink raw,
+ signal (receive) set=(cont, term) peer=systemd-user,
+
ptrace (read),
# dbus: own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}}
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index ca0dff4f..eb4164d0 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
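Review bot: The new `signal (receive) set=(cont, term) peer=systemd-user,` in the at-spi-bus-launcher hunk only matches when the user manager actually runs under the `systemd-user` label; on a system where `systemd --user` is unconfined the rule is inert and delivery depends on whatever `peer=unconfined` receive rule the included abstractions provide (if any), so the commit should state which mechanism (presumably an `AppArmorProfile=` drop-in for `user@.service`) attaches that profile, since every hunk in this series relies on it. The set covers systemd's default stop sequence (SIGTERM plus the SIGCONT it sends alongside it) but not the SIGKILL escalation after `TimeoutStopSec=` or a watchdog SIGABRT, whereas the adjacent `peer=dbus-daemon` and `peer=gdm*` rules in this hunk do grant `kill`; if a hung service is meant to remain force-stoppable by its own manager, `signal (receive) set=(cont, term, kill) peer=systemd-user,` would be the consistent form. Minor style point: the hunk now mixes the comma-separated `set=(cont, term)` with the space-separated `set=(term hup kill)` on the lines directly below it.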
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -29,6 +29,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
network unix stream,
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=term peer=gdm,
dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gnome,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index 1a9150e9..e43fc930 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@@ -29,6 +29,8 @@ profile xdg-desktop-portal-gtk @{exec_path} {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
+
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gtk,
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal
index f19d6657..c3aa1a5d 100644
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@@ -18,10 +18,11 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
mount fstype=fuse.portal -> @{run}/user/@{uid}/doc/,
- ptrace (read) peer=xdg-desktop-portal,
-
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term) peer=gdm,
+ ptrace (read) peer=xdg-desktop-portal,
+
unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount),
# dbus: own bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents
@@ -63,6 +64,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
umount @{run}/user/@{uid}/doc/,
+ signal (receive) set=(cont, term) peer=systemd-user,
+
unix (send receive) type=stream peer=(label=xdg-document-portal),
@{bin}/fusermount{,3} mr,
diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store
index 719c002a..0c1c2894 100644
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@@ -13,6 +13,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
capability sys_nice,
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term hup kill) peer=dbus-daemon,
signal (receive) set=(term hup kill) peer=gdm*,
diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland
index 067c6ba9..88bd5fac 100644
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@@ -13,6 +13,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term hup) peer=gdm*,
signal (receive) set=(term hup) peer=gnome-shell,
signal (receive) set=(term hup) peer=kwin_wayland,
diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory
index 5c081d17..38dfb45a 100644
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@@ -25,6 +25,8 @@ profile evolution-addressbook-factory @{exec_path} {
network inet6 dgram,
network netlink raw,
+ signal (receive) set=(cont, term) peer=systemd-user,
+
dbus bind bus=session name=org.gnome.evolution.dataserver.AddressBook@{int},
dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/**
diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify
index 10cadfeb..25549ba0 100644
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@@ -21,6 +21,8 @@ profile evolution-alarm-notify @{exec_path} {
network netlink raw,
+ signal (receive) set=(cont, term) peer=systemd-user,
+
# dbus: own bus=session name=org.gnome.Evolution-alarm-notify
dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/**
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory
index df0d12bd..cd14fa62 100644
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@@ -24,6 +24,8 @@ profile evolution-calendar-factory @{exec_path} {
network inet6 dgram,
network netlink raw,
+ signal (receive) set=(cont, term) peer=systemd-user,
+
dbus bind bus=session name=org.gnome.evolution.dataserver.Calendar@{int},
dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/**
diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry
index d9313580..9400d491 100644
--- a/apparmor.d/groups/gnome/evolution-source-registry
+++ b/apparmor.d/groups/gnome/evolution-source-registry
@@ -22,6 +22,8 @@ profile evolution-source-registry @{exec_path} {
network inet6 dgram,
network netlink raw,
+ signal (receive) set=(cont, term) peer=systemd-user,
+
dbus bind bus=session name=org.gnome.evolution.dataserver.Sources@{int},
dbus receive bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} interface={org.freedesktop.DBus.ObjectManager,org.freedesktop.DBus.Properties}
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index 925a9efe..e6e3fc21 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@@ -27,6 +27,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
network netlink raw,
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term hup) peer=gdm*,
# dbus: own bus=session name=org.freedesktop.Notifications
diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon
index c349fa99..68411a63 100644
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@@ -20,6 +20,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
capability ipc_lock,
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term) peer=gdm,
signal (send) set=(term) peer=ssh-agent,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 4588b658..be303b03 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -29,6 +29,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
network inet6 dgram,
network netlink raw,
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
signal (send) set=(term) peer=at-spi-bus-launcher,
signal (send) set=(term) peer=gsd-*,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index e7d38cd7..bee3caf2 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -64,6 +64,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
ptrace (read),
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
signal (send),
diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server
index dfdb3772..44909240 100644
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server
+++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server
@@ -13,6 +13,8 @@ profile gnome-shell-calendar-server @{exec_path} {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
+
# dbus: own bus=session name=org.gnome.Shell.CalendarServer
dbus (send receive) bus=session path=/org/gnome/evolution/dataserver/{,**}
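Review bot: In the gnome-shell hunk the new `signal (receive) set=(cont, term) peer=systemd-user,` is inserted below `ptrace (read),`, whereas the pipewire, xdg-document-portal and gvfsd-fuse hunks of this same change explicitly reorder rules so that `signal` precedes `ptrace`/`unix`; keeping the same order here would make the grouping consistent across the series. The unrestricted `signal (send),` on the hunk's last context line stands out next to the peer- and set-restricted receive rules being added above it; since this change touches that block, it would be a good place to add a one-line comment recording why no `set=`/`peer=` restriction is applied to it, so the next reviewer does not have to rediscover the reason. The gnome-shell profile body continues outside the hunk.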
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 430ace3c..77a4a2fc 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -27,6 +27,8 @@ profile gnome-software @{exec_path} {
mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
umount /var/tmp/flatpak-cache-*/*/,
+ signal (receive) set=(cont, term) peer=systemd-user,
+
@{exec_path} mr,
@{bin}/baobab rPUx,
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index cc8ae744..7498b6ac 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -18,6 +18,7 @@ profile gnome-terminal-server @{exec_path} {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (send) set=(hup) peer=htop,
signal (send) set=(term hup kill) peer=unconfined,
diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon
index fa9afe49..5f659118 100644
--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
@@ -25,6 +25,8 @@ profile goa-daemon @{exec_path} {
network inet6 dgram,
network netlink raw,
+ signal (receive) set=(cont, term) peer=systemd-user,
+
# dbus: own bus=session name=org.gnome.OnlineAccounts
dbus send bus=session path=/org/gnome/Identity
diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service
index d8791cf0..332f9571 100644
--- a/apparmor.d/groups/gnome/goa-identity-service
+++ b/apparmor.d/groups/gnome/goa-identity-service
@@ -12,6 +12,8 @@ profile goa-identity-service @{exec_path} {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
+
# dbus: own bus=session name=org.gnome.Identity
dbus send bus=session path=/org/gnome/OnlineAccounts
diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings
index ce778728..57741371 100644
--- a/apparmor.d/groups/gnome/gsd-a11y-settings
+++ b/apparmor.d/groups/gnome/gsd-a11y-settings
@@ -13,6 +13,7 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
# dbus: own bus=session name=org.gnome.SettingsDaemon.A11ySettings
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index 7834cee5..c7d07996 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -22,6 +22,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
# dbus: own bus=session name=org.gnome.SettingsDaemon.Color
diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime
index a642b5fb..c133aa44 100644
--- a/apparmor.d/groups/gnome/gsd-datetime
+++ b/apparmor.d/groups/gnome/gsd-datetime
@@ -13,6 +13,7 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
# dbus: own bus=session name=org.gnome.SettingsDaemon.Datetime
diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify
index 504a579a..f3ea90f6 100644
--- a/apparmor.d/groups/gnome/gsd-disk-utility-notify
+++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify
@@ -13,6 +13,8 @@ profile gsd-disk-utility-notify @{exec_path} {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
+
# dbus: own bus=session name=org.gnome.Disks.NotificationMonitor
dbus receive bus=session
diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping
index bc292819..58a3b00d 100644
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@@ -16,6 +16,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
signal (receive) set=(term, hup) peer=gnome*,
diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard
index 46e6225d..17ee9d66 100644
--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@@ -21,6 +21,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
# dbus: own bus=session name=org.gnome.SettingsDaemon.Keyboard
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index 5fb5ff59..46002755 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -24,6 +24,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
network netlink raw,
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index 59d3b476..12ea7fc0 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -31,6 +31,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
network netlink raw,
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
# dbus: own bus=session name=org.gnome.SettingsDaemon.Power
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index a59d078e..2dea5b53 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -18,6 +18,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
network inet stream,
network inet6 stream,
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
signal (send) set=(hup) peer=gsd-printer,
diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer
index e2aeb809..5fe040f9 100644
--- a/apparmor.d/groups/gnome/gsd-printer
+++ b/apparmor.d/groups/gnome/gsd-printer
@@ -14,6 +14,7 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
signal (receive) set=(hup) peer=gsd-print-notifications,
diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill
index 2d3e1cf1..7d3fe86b 100644
--- a/apparmor.d/groups/gnome/gsd-rfkill
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@@ -16,6 +16,7 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
network netlink raw,
diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy
index 9d5485c8..f04cba05 100644
--- a/apparmor.d/groups/gnome/gsd-screensaver-proxy
+++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy
@@ -12,6 +12,7 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
# dbus: own bus=session name=org.freedesktop.ScreenSaver
diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing
index 582f664e..a358a997 100644
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@@ -15,6 +15,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
# dbus: own bus=session name=org.gnome.SettingsDaemon.Sharing
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard
index 1587a9c2..6af3462d 100644
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@@ -15,6 +15,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
# dbus: own bus=session name=org.gnome.SettingsDaemon.Smartcard
diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound
index 53d83637..ca65fda1 100644
--- a/apparmor.d/groups/gnome/gsd-sound
+++ b/apparmor.d/groups/gnome/gsd-sound
@@ -15,6 +15,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
# dbus: own bus=session name=org.gnome.SettingsDaemon.Sound
diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection
index 8ce6b47d..e740452c 100644
--- a/apparmor.d/groups/gnome/gsd-usb-protection
+++ b/apparmor.d/groups/gnome/gsd-usb-protection
@@ -11,6 +11,8 @@ profile gsd-usb-protection @{exec_path} {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
+
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom
index 03b6111b..74a4b54e 100644
--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@@ -19,6 +19,7 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
# dbus: own bus=session name=org.gnome.SettingsDaemon.Wacom
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index 4079d00f..2b5902cd 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@@ -30,6 +30,8 @@ profile gsd-xsettings @{exec_path} {
network inet6 dgram,
network netlink raw,
+ signal (receive) set=(cont, term) peer=systemd-user,
+
# dbus: own bus=session name=org.gnome.SettingsDaemon.XSettings
# dbus: own bus=session name=org.gtk.Settings
diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames
index ef4d2f8e..320ac538 100644
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@@ -17,6 +17,8 @@ profile mutter-x11-frames @{exec_path} {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
+
@{exec_path} mr,
/usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
index 29490ed2..0471231d 100644
--- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
@@ -12,6 +12,8 @@ profile gvfs-afc-volume-monitor @{exec_path} {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
+
# dbus: own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor
dbus receive bus=session
diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
index adcc7c98..cb2e367e 100644
--- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
@@ -12,6 +12,8 @@ profile gvfs-goa-volume-monitor @{exec_path} {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
+
dbus bind bus=session name=org.gtk.vfs.GoaVolumeMonitor,
dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor
diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
index d636d8c8..33a438ed 100644
--- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
@@ -16,6 +16,8 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} {
network netlink raw,
+ signal (receive) set=(cont, term) peer=systemd-user,
+
dbus bind bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor,
dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor
diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
index 4664b4b5..c92a0c44 100644
--- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
@@ -15,6 +15,8 @@ profile gvfs-mtp-volume-monitor @{exec_path} {
network netlink raw,
+ signal (receive) set=(cont, term) peer=systemd-user,
+
dbus bind bus=session name=org.gtk.vfs.MTPVolumeMonitor,
dbus (send, receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index 46bacc06..65ee5b74 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -26,6 +26,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
network inet6 stream,
network netlink raw,
+ signal (receive) set=(cont, term) peer=systemd-user,
signal (send) set=(term, kill) peer=mount,
ptrace (read),
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd
index 0f93193d..45518372 100644
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
@@ -12,6 +12,8 @@ profile gvfsd @{exec_path} {
include
include
+ signal (receive) set=(cont, term) peer=systemd-user,
+
dbus bind bus=session name=org.gtk.vfs.Daemon,
dbus send bus=session path=/org/gtk/vfs/mounttracker
diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse
index 7ec099e4..9a38b8b8 100644
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@@ -13,10 +13,12 @@ profile gvfsd-fuse @{exec_path} {
include
include
- unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount),
-
mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,
+ signal (receive) set=(cont, term) peer=systemd-user,
+
+ unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount),
+
dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=RegisterFuse
@@ -42,11 +44,13 @@ profile gvfsd-fuse @{exec_path} {
capability dac_read_search,
capability sys_admin, # To mount anything
- unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse),
-
mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,
umount @{run}/user/@{uid}/**/,
+ signal (receive) set=(cont, term) peer=systemd-user,
+
+ unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse),
+
@{bin}/fusermount{,3} mr,
/etc/fuse{,3}.conf r,
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index a33053e1..113fc92c 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -23,6 +23,8 @@ profile wireplumber @{exec_path} {
network bluetooth stream,
network netlink raw,
+ signal (receive) set=(cont, term) peer=systemd-user,
+
dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio0,
dbus receive bus=session