From da51cdba6428b4261230cd8ec6ecda85226894ba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 22 Nov 2023 20:07:31 +0000 Subject: [PATCH] feat(profiles): improve freedesktop profiles. --- apparmor.d/groups/freedesktop/colord | 11 +++++------ apparmor.d/groups/freedesktop/dconf-editor | 1 + apparmor.d/groups/freedesktop/pipewire | 2 +- apparmor.d/groups/freedesktop/pulseaudio | 4 ++-- .../groups/freedesktop/xdg-desktop-portal-gnome | 4 ++++ 5 files changed, 13 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 0b490b8a..07b7d248 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -16,13 +16,15 @@ profile colord @{exec_path} flags=(attach_disconnected) { network netlink raw, - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName,ReleaseName}, + dbus bind bus=system name=org.freedesktop.ColorManager, dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**} interface=org.freedesktop.ColorManager*, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName,ReleaseName}, + dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.PolicyKit[0-9].Authority member=CheckAuthorization @@ -52,9 +54,6 @@ profile colord @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label="{@{profile_name},gsd-color}"), - dbus bind bus=system - name=org.freedesktop.ColorManager, - @{exec_path} mr, @{lib}/{,colord/}colord-sane rPx, diff --git a/apparmor.d/groups/freedesktop/dconf-editor b/apparmor.d/groups/freedesktop/dconf-editor index fd090fb0..4e1238c0 100644 --- a/apparmor.d/groups/freedesktop/dconf-editor +++ b/apparmor.d/groups/freedesktop/dconf-editor 
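Review bot: The `dbus send bus=system path=/org/freedesktop/DBus` rule re-added in the first colord hunk still has no `peer=` clause, so it matches any system-bus peer that exports that path and interface, not only the bus daemon. Since the rule is being moved anyway, it could be pinned by ending it with `peer=(name=org.freedesktop.DBus),` after the `member=` line, much as the `GetAll` rule visible in the second hunk restricts its peer. Apart from that, both colord hunks appear to only reorder existing rules and join the `dbus bind` rule onto one line, so the allowed set should be unchanged.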
@@ -19,6 +19,7 @@ profile dconf-editor @{exec_path} { @{exec_path} mr, /usr/share/glib-2.0/schemas/{,*} r, + /usr/share/X11/xkb/{,**} r, # When GSETTINGS_BACKEND=keyfile owner @{user_config_dirs}/glib-2.0/ rw, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index ec87108d..90b61ffa 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -55,7 +55,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { /etc/pipewire/pipewire.conf r, /etc/pipewire/pipewire.conf.d/{,*} r, - /var/lib/gdm/.config/pulse/cookie rk, + /var/lib/gdm{3,}/.config/pulse/cookie rk, / r, /.flatpak-info r, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 8f9b707e..d9205d53 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -138,8 +138,8 @@ profile pulseaudio @{exec_path} { @{exec_path} mrix, - @{lib}/pulse/gsettings-helper mrix, - @{lib}/@{multiarch}/pulse/gconf-helper mrix, + @{lib}/pulse/gsettings-helper rix, + @{lib}/@{multiarch}/pulse/gconf-helper rix, @{lib}/pulse-*/modules/*.so mr, /usr/share/ladspa/rdf/{,*} r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index a7a684f8..00921e7a 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -128,6 +128,10 @@ profile xdg-desktop-portal-gnome @{exec_path} { @{exec_path} mr, + / r, + @{bin}/ r, + @{bin}/* r, + /usr/share/X11/xkb/{,**} r, /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
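Review bot: The widened rule `/var/lib/gdm{3,}/.config/pulse/cookie rk,` in the pipewire hunk has no `owner` qualifier, so the profile lets a confined pipewire running as any user read the greeter's PulseAudio authentication cookie. That leaves file permissions as the only protection. If the access is only needed by the greeter session's pipewire instance, which presumably runs as the gdm user that owns the file, `owner /var/lib/gdm{3,}/.config/pulse/cookie rk,` would keep it working while stating that intent. The alternation still matches the original `/var/lib/gdm/` path, so existing systems are not affected.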
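Review bot: Dropping `m` from the two helper rules in the pulseaudio hunk (`gsettings-helper rix,` and `gconf-helper rix,`) reads like a tightening, but as far as I know the AppArmor parser treats `ix` as implying `m`, so the effective permissions are probably unchanged. It would help to say in the commit message that this is a cosmetic cleanup, so nobody later counts it as a reduction in privilege. The context line `@{exec_path} mrix,` directly above keeps the `m`, which leaves the three `ix` rules written in two different styles.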
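Review bot: The three rules added to xdg-desktop-portal-gnome, `/ r,`, `@{bin}/ r,` and `@{bin}/* r,`, have no comment saying which portal feature needs them. `@{bin}/* r,` also grants read access to the content of every file directly under the bin directories, not just the ability to list them. If the portal only enumerates installed programs, `@{bin}/ r,` should be enough and the wildcard line could be dropped. If it does read the files, a one-line comment above the group, such as `# Needed by <feature>: lists and reads entries in the bin directories`, would let a later reviewer judge whether the access is still required. The profile body continues outside the hunk, so a rule elsewhere may already explain this.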