From db2501b5170293c2bd1be988d0bbf2d27ddb6a21 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 4 Apr 2021 17:33:35 +0100
Subject: [PATCH] Add Xwayland.

---
 apparmor.d/groups/desktop/xwayland | 53 ++++++++++++++++++++++++++++++
 apparmor.d/profiles-m-z/xkbcomp    |  2 +-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 apparmor.d/groups/desktop/xwayland

diff --git a/apparmor.d/groups/desktop/xwayland b/apparmor.d/groups/desktop/xwayland
new file mode 100644
index 00000000..6cd2396e
--- /dev/null
+++ b/apparmor.d/groups/desktop/xwayland
@@ -0,0 +1,53 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path}  = /{usr/,}bin/Xwayland
+profile xwayland @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mrix,
+
+  /{usr/,}bin/{,ba,da}sh rix,
+  /{usr/,}bin/xkbcomp    rPx,
+
+  /usr/share/drirc.d/{,*} r,
+  /usr/share/glvnd/egl_vendor.d/{,*.json} r,
+  /usr/share/X11/xkb/rules/evdev r,
+
+  /dev/dri/card[0-9]* rw,
+  /dev/dri/renderD[0-9]* rw,
+
+  # TMP files
+  owner /tmp/server-[0-9].xkm rwk,
+
+  # Display Xserver on a specific TTY
+  /dev/tty[0-9]* rw,
+  /dev/tty rw,
+
+  # Extra Mesa rules for GDM
+  owner /var/lib/gdm/.cache/ w,
+  owner /var/lib/gdm/.cache/mesa_shader_cache/ r,
+  owner /var/lib/gdm/.cache/mesa_shader_cache/index rw,
+  owner /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ r,
+  owner /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* r,
+
+  # Needed for Mutter
+  owner @{run}/user/@{pid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
+
+  @{sys}/devices/pci[0-9]*/**/uevent r,
+  @{sys}/devices/pci[0-9]*/**/vendor r,
+  @{sys}/devices/pci[0-9]*/**/device r,
+  @{sys}/devices/pci[0-9]*/**/subsystem_vendor r,
+  @{sys}/devices/pci[0-9]*/**/subsystem_device r,
+
+  owner @{PROC}/@{pids}/cmdline r,
+
+  include if exists <local/xwayland>
+}
diff --git a/apparmor.d/profiles-m-z/xkbcomp b/apparmor.d/profiles-m-z/xkbcomp
index a1fa497a..d20f88e2 100644
--- a/apparmor.d/profiles-m-z/xkbcomp
+++ b/apparmor.d/profiles-m-z/xkbcomp
@@ -21,7 +21,7 @@ profile xkbcomp @{exec_path} {
 
   owner @{HOME}/*.{xkb,xkm} rw,
 
-  owner /tmp/server-[0-9].xkm w,
+  owner /tmp/server-[0-9].xkm rwk,
 
   # file_inherit
   owner /dev/tty[0-9]* rw,